09-11-2013 11:13 AM - edited 03-04-2019 09:00 PM
Hi All, having some trouble getting this working. We have an MPLS (WAN) between our offices, but we typically route to the Internet locally from each location through a Cable or DSL circuit. The local default route goes to local ASA, which is connected to the Internet. However, I now have the need to route all traffic including Internet from one of those offices to our central office. We use OSPF for routing between offices and I've played with the remote office default route statement, but so far no luck. I'm only having trouble getting Internet traffic to route over the WAN. Anyone done something like this? If so, how did you get the remote office Internet traffic to traverse the WAN and egress via another office Internet connection?
Thanks!
09-11-2013 11:27 AM
Currently, you have all of your local internet traffic going toward the ASA. Is the default route being advertised by OSPF to the remote location or did you try to statically add it? Since you're now traversing the WAN toward your ASA, did you take into account these subnets on the ASA for NATing? Is the ASA dropping the traffic or does it simply not get there?
HTH,
John
*** Please rate all useful posts ***
09-11-2013 11:45 AM
Hi John, yeah, thought about the ASA issues you mentioned, but I don't think traffic is ever getting to the central site ASA yet. When I traceroute from a local machine, it stops at our MPLS provider's first-hop router with a "Destination Net Unreachable". I statically set the default route on our router to point to the central site ASA. So, assuming the internal interface of our central site ASA is 10.10.0.3, I set "IP Route 0.0.0.0 0.0.0.0 10.10.0.3" on the remote office router. If I traceroute to 10.10.0.3, I get responses all the way to the ASA so the plumbing to him seems fine. Appears that I need to let the MPLS router know where to forward Internet traffic such as 8.8.8.8. I'm just not sure how to go about this without affecting any other sites via OSPF. I only want this single remote office to default route all traffic to the central site.
09-11-2013 12:04 PM
Yes, the problem I believe is that you are setting your default route to the provider, but the provider doesn't have a default route pointing to you. The way to get around this would be to advertise the default from your site toward the provider and then the remote site would have a gateway of last resort toward the PE.
You're correct though in that you'd see the change at all of your sites. Depending on how many sites you have, you could advertise it from your central site, and then create a distribute list to deny the default route at all of the other locations.
ip prefix-list Default permit 0.0.0.0/0
!
route-map Default deny 10
 match ip address prefix-list Default
route-map Default permit 20
!
router ospf 1
 distribute-list route-map Default in
This would block the default route but let all other advertised routes in...
HTH,
John
09-12-2013 07:12 AM
Thanks John, if I had all Cisco gear, that would likely be the way to go, but I have some sites that use all Avaya ERS and they were a real bear to get basic OSPF working so the thought of having to mess with them in this scenario makes me cringe.
I'm checking with our managed MPLS provider to see if they may have some magic they can perform on their end to resolve. I'll follow up shortly.
09-12-2013 07:32 AM
It is a bit of an ugly solution but you could create a GRE tunnel between this site and the head office and send a default route down the tunnel. By doing this you are not sending a default route into the cloud so you would not need to worry about the other sites.
09-12-2013 07:57 AM
Actually, that's pretty slick. I labbed it up. The only caveat is that you'd probably want to come up with a different OSPF process and run it only on the tunnel interfaces.
I have 4 routers: R1 - 4. I created an OSPF process in area 0 for all physical interfaces and then created a GRE tunnel between R4 and R2. On R4, I created a separate OSPF process and advertised just the two addresses between the tunnel interfaces, and then under that process sent default-information originate. R1 - 3 doesn't get the default route, but R2 did. I created another interface on R4 without advertising it, and tried to ping it from R3 - failed. Then I tried to ping from R2 and it succeeded.
Rated
HTH,
John
09-12-2013 11:30 AM
mfurnival, awesome idea! The GRE tunnel worked perfectly!! Thank you!!
09-12-2013 12:04 PM
Wow. I'm smarter than I thought I was :)
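The GRE approach suggested and labbed in the thread, written out as an added IOS configuration example that nobody in the thread posted. The router names R4 and R2 and the static default toward 10.10.0.3 come from the posts; the loopback addresses, the tunnel subnet and OSPF process ID 2 are constructed, and each Loopback0 is assumed to be advertised already by the existing OSPF process 1.

```cisco
! ===== R4, head office (loopbacks, tunnel subnet, process ID 2 are constructed) =====
interface Tunnel0
 description GRE to remote office R2
 ip address 172.16.255.1 255.255.255.252
 ! GRE over IPv4 adds 24 bytes; lower the MTU and clamp TCP MSS to match
 ip mtu 1476
 ip tcp adjust-mss 1436
 tunnel source Loopback0
 tunnel destination 10.255.0.2
!
! Second OSPF process that runs only on the tunnel subnet
router ospf 2
 network 172.16.255.0 0.0.0.3 area 0
 ! Originated only while R4 itself holds a default route (for example a
 ! static toward the ASA at 10.10.0.3). Routers that run only process 1
 ! never receive it.
 default-information originate
!
! ===== R2, remote office =====
interface Tunnel0
 description GRE to head office R4
 ip address 172.16.255.2 255.255.255.252
 ip mtu 1476
 ip tcp adjust-mss 1436
 tunnel source Loopback0
 tunnel destination 10.255.0.4
!
router ospf 2
 network 172.16.255.0 0.0.0.3 area 0
!
! The static default tried earlier in the thread has a lower administrative
! distance than OSPF and would win, so remove it
no ip route 0.0.0.0 0.0.0.0 10.10.0.3
!
! Verify on R2:
!   show ip ospf neighbor      (R4 should be FULL on Tunnel0 under process 2)
!   show ip route 0.0.0.0      (default learned via Tunnel0 as an OSPF external)
```

The tunnel destination must stay reachable through a more specific route from process 1; if R2 ever resolves 10.255.0.4 through the tunnel-learned default, the tunnel flaps on recursive routing. GRE by itself does not encrypt, so the redirected Internet traffic crosses the provider network in cleartext unless IPsec protection is added to the tunnel.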