Routing traffic using a PBR, precedence over static route?

jgiannone
Level 1

Hello all,

I have a new MPLS circuit being stood up for my site; it’s going to replace a site to site VPN connection to our "Headquarters." I want to test this without affecting my production networks. Without getting into a lot of details, the admin at the remote site is not very cooperative and basically doesn't want to help set this up and I don't have access to his switching/routing. He is prepared to do minimal tasks if necessary. Ultimately, I am looking to test the new Vlan, once successful, route the traffic away from the Site to Site VPN connection to the MPLS circuit. Here is what I plan on doing, I need help to determine if it is going to work.

Here is a bit of background about the topology. LAN in my office uses EIGRP for routing. MPLS (10.1.1.253) uses OSPF (area 0) and BGP. Currently, traffic destined to headquarters (10.10.1.1/24) uses the default route on a CAT3750 pointing to the firewall (ASA5520) (10.1.1.254).

Build out for test:

  1. Create new VLAN/DHCP scope to use as a test Vlan to test the new MPLS circuit. 10.1.199.0/24
  2. Create static routes on 3750 destined for headquarters for L2L VPN traffic pointing to firewall so traffic to headquarters remains on the L2L connection. ip route 10.10.1.1 255.255.255.0 10.1.1.254 (once I share routes with OSPF, routes to Headquarters will be advertised over the MPLS)
  3. Create OSPF instance on the 3750 advertising only the new subnet so that the MPLS network knows to route this traffic over the MPLS for return traffic from headquarters. (this is where it is grey as I don’t know OSPF at all) The switch has a L3 interface which the MPLS router uses as its gateway, so there is direct communication.

router-ospf 0
 network 10.1.199.0 0.0.0.255 area 0

  4. On 3750 create a PBR for the new subnet so that it is routed over the MPLS, (imagine test PC is 10.1.199.100), the remaining production subnets will use the static routes and ignore the OSPF routes because of the shorter administrative distance

access-list 101 permit ip host 10.1.1.1 host 10.10.1.10

route-map Circuit-Test permit 10
 match ip address 101
 set ip next-hop 10.1.1.253

interface Vlan100
 ip policy route-map Circuit-Test

Questions: Will this all work?

Will the PBR route win over the static route for that one subnet?

Is that all I need in the OSPF configuration? I see some configs that have neighbor statements with costs, authentication types etc...

Thanks in advance for your help!

3 Replies

Richard Burts
Hall of Fame

John

I do not understand your topology well enough to say whether the static routes, OSPF, EIGRP will all work as you expect. But the part of your question where you ask about PBR and static routes is clear and has an answer. PBR does take precedence over a static route.

HTH

Rick
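
Added example, not part of the original thread or any poster's configuration: a small Python model of the lookup order described in the answer above, where a matching `set ip next-hop` policy on the ingress interface is applied before the routing table, and the routing table then resolves by longest prefix and lowest administrative distance. The route table is constructed from the addresses in the question (with the headquarters prefix written as 10.10.1.0/24), the interface name `Vlan199` and the `TEST_VLAN` policy are hypothetical, and the policy next hop is assumed to be reachable.

```python
import ipaddress as ip

# Constructed RIB for the thread's scenario: (prefix, admin distance, next hop, source)
RIB = [
    ("0.0.0.0/0",    1,   "10.1.1.254", "static default"),
    ("10.10.1.0/24", 1,   "10.1.1.254", "static"),   # keeps HQ traffic on the L2L VPN
    ("10.10.1.0/24", 110, "10.1.1.253", "ospf"),     # same prefix learned over the MPLS
]

def rib_lookup(dst):
    """Longest prefix wins; among equal prefixes, lowest administrative distance."""
    d = ip.ip_address(dst)
    cands = [(ip.ip_network(p), ad, nh, src) for p, ad, nh, src in RIB
             if d in ip.ip_network(p)]
    _, _, nh, src = max(cands, key=lambda c: (c[0].prefixlen, -c[1]))
    return nh, src

def forward(in_if, src, dst, policies):
    """policies: {ingress interface: [(acl_src, acl_dst, set_next_hop), ...]}.
    A permit match is forwarded to the policy next hop before the RIB is consulted
    (assumes that next hop is reachable). Packets that match nothing, or arrive on
    an interface with no policy attached, are routed normally."""
    s, d = ip.ip_address(src), ip.ip_address(dst)
    for acl_src, acl_dst, nh in policies.get(in_if, []):
        if s in ip.ip_network(acl_src) and d in ip.ip_network(acl_dst):
            return nh, "pbr"
    return rib_lookup(dst)

# ACL 101 and the interface binding exactly as written in the question.
AS_POSTED = {"Vlan100": [("10.1.1.1/32", "10.10.1.10/32", "10.1.1.253")]}
# Hypothetical variant: policy on the test VLAN's interface, matching the test subnet.
TEST_VLAN = {"Vlan199": [("10.1.199.0/24", "10.10.1.0/24", "10.1.1.253")]}

if __name__ == "__main__":
    for name, pol in (("as posted", AS_POSTED), ("test-VLAN variant", TEST_VLAN)):
        for in_if, src in (("Vlan100", "10.1.1.1"), ("Vlan199", "10.1.199.100")):
            print(name, in_if, src, "->", forward(in_if, src, "10.10.1.10", pol))
```

On the switch itself, `show route-map Circuit-Test` shows per-sequence match counters, which is the quickest way to confirm which packets the policy is actually catching.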

Hi Rick,

I guess PBR and static routes are part of the order of operations, but how about the VPN tunnels? If the router has a L2L tunnel with a remote branch router, what takes precedence: Static route, PBR or crypto ACL?

Thanks for thread jacking bigcat... let's not confuse the situation, my L2L terminates on an ASA not a router.

Thanks for the information about the PBR taking precedence over the static routes.  I am going to start with adding PBR to test a specific VLan, since this seems like the best way for source based routing.  After testing I am going to add static routes on my switch and redistribute to EIGRP to direct traffic over the MPLS.  Eventually I will add an instance of EIGRP on my WAN router and redistribute OSPF routes into EIGRP and remove my static routing.
