Use of Route Map on GRE tunnel interfaces

ayokunles
Level 1

I have a small challenge; can anyone help with this?

I have two links at a remote site; those two links are configured on separate GRE tunnels on the same router back to HQ.

I want to route traffic downloads from the Antivirus server to use the secondary link. I've been exploring PBR but with no luck; maybe I'm not doing something right. Please help, guys.

7 Replies

Richard Burts
Hall of Fame

There is not enough detail here for us to be able to give very exact responses. If you help us to understand the situation better we will be able to provide better responses. You indicate that there is one router at the remote and it has 2 GRE tunnels to HQ. Do both tunnels terminate on the same router at HQ or on different routers? Perhaps posting the configuration of both tunnels would help us understand better what is happening.

From your description I would think that PBR is the feature that you want to use. Are you trying to do PBR at the remote, at HQ, or at both? Perhaps posting what you have tried to do in PBR would help us to understand your problem better.

HTH

Rick

Apologies, Richard.

Well, the two GRE tunnels terminate on two different routers.

I hope it works with this scenario.

Knowing that it is on 2 different routers at HQ is helpful. But we need to know more about the environment at HQ and the relationship between the 2 HQ routers. How do the HQ routers manage routing to the remote? Is there a routing protocol running over GRE or are there static routes for the remote on the HQ routers? And within the HQ network how do the servers at HQ get to the remote? Would traffic from a HQ server to the remote always go through the same HQ router or would it sometimes go to one and sometimes go to the other?

HTH

Rick

OK, Rich.

The two HQ routers run EIGRP between them.

Sometimes traffic goes through the primary router and sometimes via the secondary router.

Also, the remote routers run EIGRP.

I hope this helps.

It is good to know that the HQ routers run EIGRP for the HQ network and that EIGRP runs over the GRE tunnels. The other information that we need to know is about the HQ routers. Are they directly connected (only one hop from one to the other) or are they further apart?

If they are directly connected then implementing PBR should be fairly simple but if further apart it is more difficult.

Assuming that they are directly connected here is a description of what you would do to implement PBR:

- configure PBR on the primary router. (if the anti virus download packet goes to the backup router it will forward to remote as you want it to do without any special configuration)

- configure an access list that will identify the anti virus download packets. Probably this would be an extended access list, but it might be possible to use a standard access list if you just want to identify packets based on the source address of the anti virus server.

- configure a route map which will have a match statement using the access list that you configured and setting the next hop as the address of the backup router.

- configure PBR on the interface of the router on which the anti virus download packet will be received and specify the route map that you configured.

How close is this description to what you had configured?

HTH

Rick

Hi Rick,

Apologies for the late response.

The design is a bit not okay, in my opinion though.

Both primary and secondary core routers are connected to each other via a primary and secondary core switch.

The primary link goes to the remote site via the primary and the secondary link via the secondary core. Both primary and secondary links' GRE tunnels terminate on separate devices (i.e. primary and secondary core router). I met this design and I'm not liking it.

And yes, both routers run EIGRP between them.

I hope this helps.

Thanks

I do not understand your comments about the design but do not believe that the design impacts the ability to use PBR to send downloads from the anti virus using the secondary tunnel.

There is one thing that needs to be clarified. On the HQ secondary router when you do show ip route, is the route to the remote subnet pointing to its GRE tunnel or are the metrics set up so that the secondary HQ router sees the path to the remote as being through the primary HQ router? Perhaps if you post the output of show ip route for the remote subnet we could see this more clearly.

As I tried to explain in my previous post I believe that you need PBR only on the primary HQ router. You do not need PBR on the HQ secondary router since if a download packet arrives at the secondary router it will forward down the tunnel (assuming that it has its route to the remote subnet pointing down the tunnel). And I do not see anything in your description that creates a need to have PBR on the remote router.

In configuring PBR on the primary router you need to configure PBR on the interface where the download packets will arrive at the router. You need an access list that will identify the download packets that should be done with PBR, and you need a route map that will use a match statement to the access list and a set statement that sets the next hop address as the connected address of the secondary router. Have you tried to do these things?

HTH

Rick
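
The three pieces described in the replies above (access list, route map, policy on the receiving interface), written out as IOS configuration for the primary HQ router. This is an added example, not a configuration posted by anyone in the thread; every address, interface and name in it is a placeholder assumption.

```cisco
! Added example: all names and addresses below are placeholders.
! Assumed (not from the thread):
!   192.0.2.10          antivirus server at HQ
!   198.51.100.0/24     remote-site subnet
!   10.0.0.2            secondary HQ router's directly connected address
!   GigabitEthernet0/0  primary router's interface where the download
!                       packets from the server arrive
!
! 1. Identify the antivirus download packets (server -> remote subnet).
ip access-list extended AV-DOWNLOADS
 permit ip host 192.0.2.10 198.51.100.0 0.0.0.255
!
! 2. Route map: matched packets are sent to the secondary router.
!    Packets that match no entry are forwarded by the normal routing table.
route-map AV-VIA-SECONDARY permit 10
 match ip address AV-DOWNLOADS
 set ip next-hop 10.0.0.2
!
! 3. Apply PBR on the interface where the packets are received.
interface GigabitEthernet0/0
 ip policy route-map AV-VIA-SECONDARY
!
! Verification on the primary router (exec mode):
!   show ip policy
!   show route-map AV-VIA-SECONDARY   (match counters rise during a download)
!   show access-lists AV-DOWNLOADS
!
! Verification on the secondary router: the route to the remote subnet
! must point down its own GRE tunnel, not back to the primary router.
!   show ip route 198.51.100.0
```

Keep the access list as narrow as the traffic allows, since every packet it permits leaves the path EIGRP selected and follows the route map instead.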