cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2845
Views
0
Helpful
6
Replies

Dual WAN w/ PBR

ironshoreit
Level 1
Level 1

Hello IT Folks,

I am trying to come up with a design for my company to utilize 2 WAN technologies we have in place.

I want to force the end users at a branch office to utilize a particular WAN link when accessing certain traffic.  So if the end user is accessing the file server they should use the DMVPN and if they are accessing the Application Server they should utilize the MPLS.  These need to failover vice versa in the event of a failure on any give WAN technology.  I have been experimenting with a few different options and wanted to reach out to the IT community to see if they had any suggestions or real life case studies for a similar scenario.

Thinks I have tried. (I need a solution that will scale as we have 20+ branch offices and 2 Data Centers)

1. Manipulating routing updates using offset lists.  This works but the management overhead is a bit too much. Also, metrics can change, especially on the DMVPN as it uses the Internet.

2. Policy-Based Routing.  I tried this solution as well and it works but the failover options is a little difficult to deal with.

I want to utilize both WAN technologies to force priority traffic over the MPLS and the day-to-day traffic over the DMVPN.

Any help would grealty be appreciated.

1 Accepted Solution

Accepted Solutions

Jon Marshall
Hall of Fame
Hall of Fame

ironshoreit wrote:

Hello IT Folks,

I am trying to come up with a design for my company to utilize 2 WAN technologies we have in place.

I want to force the end users at a branch office to utilize a particular WAN link when accessing certain traffic.  So if the end user is accessing the file server they should use the DMVPN and if they are accessing the Application Server they should utilize the MPLS.  These need to failover vice versa in the event of a failure on any give WAN technology.  I have been experimenting with a few different options and wanted to reach out to the IT community to see if they had any suggestions or real life case studies for a similar scenario.

Thinks I have tried. (I need a solution that will scale as we have 20+ branch offices and 2 Data Centers)

1. Manipulating routing updates using offset lists.  This works but the management overhead is a bit too much. Also, metrics can change, especially on the DMVPN as it uses the Internet.

2. Policy-Based Routing.  I tried this solution as well and it works but the failover options is a little difficult to deal with.

I want to utilize both WAN technologies to force priority traffic over the MPLS and the day-to-day traffic over the DMVPN.

Any help would grealty be appreciated.

You say you have tried PBR but the failover options are difficult to deal with. What exactly do you mean ?

When you set the next-hop within the route-map you can use both next-hops, just put them in the order you want to use them.

Or is the problem that your routers do not know if the link has gone down so they continue to try and send packets down a dead link ? if so IP SLA in conjuction with route-maps can be used.

Can you confirm exactly what the issues are with PBR ?

Jon

View solution in original post

6 Replies 6

Jon Marshall
Hall of Fame
Hall of Fame

ironshoreit wrote:

Hello IT Folks,

I am trying to come up with a design for my company to utilize 2 WAN technologies we have in place.

I want to force the end users at a branch office to utilize a particular WAN link when accessing certain traffic.  So if the end user is accessing the file server they should use the DMVPN and if they are accessing the Application Server they should utilize the MPLS.  These need to failover vice versa in the event of a failure on any give WAN technology.  I have been experimenting with a few different options and wanted to reach out to the IT community to see if they had any suggestions or real life case studies for a similar scenario.

Thinks I have tried. (I need a solution that will scale as we have 20+ branch offices and 2 Data Centers)

1. Manipulating routing updates using offset lists.  This works but the management overhead is a bit too much. Also, metrics can change, especially on the DMVPN as it uses the Internet.

2. Policy-Based Routing.  I tried this solution as well and it works but the failover options is a little difficult to deal with.

I want to utilize both WAN technologies to force priority traffic over the MPLS and the day-to-day traffic over the DMVPN.

Any help would grealty be appreciated.

You say you have tried PBR but the failover options are difficult to deal with. What exactly do you mean ?

When you set the next-hop within the route-map you can use both next-hops, just put them in the order you want to use them.

Or is the problem that your routers do not know if the link has gone down so they continue to try and send packets down a dead link ? if so IP SLA in conjuction with route-maps can be used.

Can you confirm exactly what the issues are with PBR ?

Jon

Thanks jon.marshall

So the issue I have is like you stated, I wont know if the link is down as it could be a carrier issue.  I tried the SLA settings and got that to work.  What I tried is advertising a mock network (loopback) forcing it to only advertise out of the MPLS link.  Than I added a track statement to monitor that route so if and when the link went down I would know and then the PBR would just use the default next hop.  This works fine. but the question I have is when I have multiple sites.  Would I be able to setup a PBR with mutiple statements?

route-map dmvpn_outbound permit 10

match ip address 111

set ip next-hop verify-availability 10.2.100.5 1 track 1

route-map dmvpn_outbound permit 20

match ip address 111

set ip next-hop verify-availability 10.2.100.5 track 2

Since I have multiple sites and can only apply one policy per interface I would need to cover all the possiblities.

Let me know if you understand else I can update the diagram with more detail regarding this setup.

ironshoreit wrote:

Thanks jon.marshall

So the issue I have is like you stated, I wont know if the link is down as it could be a carrier issue.  I tried the SLA settings and got that to work.  What I tried is advertising a mock network (loopback) forcing it to only advertise out of the MPLS link.  Than I added a track statement to monitor that route so if and when the link went down I would know and then the PBR would just use the default next hop.  This works fine. but the question I have is when I have multiple sites.  Would I be able to setup a PBR with mutiple statements?

route-map dmvpn_outbound permit 10

match ip address 111

set ip next-hop verify-availability 10.2.100.5 1 track 1

route-map dmvpn_outbound permit 20

match ip address 111

set ip next-hop verify-availability 10.2.100.5 track 2

Since I have multiple sites and can only apply one policy per interface I would need to cover all the possiblities.

Let me know if you understand else I can update the diagram with more detail regarding this setup.

Yes you can have a route-map with multiple statements as in your above example but you can't use a single access-list as you have simply because it will always match the first entry ie. access-list 111 if i understand you correctly.

I'm assuming that access-list 111 includes all the remote site(s) subnets as source IPs. If access-list 111 was unique to each site then it would work fine but then you may as well use individual route-maps per site.

Jon

Sorry the second access was meant to be different ACL.  The issue with using multiple route-maps is

that they need to be applied to same interface.

Based on the example I would need to apply the route-map to interface vlan 10 but i cna only apply 1 route-map per interface.

I think have multiple statement maybe the way to go.

Another question I have is from the dual-core switches in the DC.  Since each WAN router has a connection to each Core switch how would I need to setup PBR?  The switches have HSRP running in between them with a VIP.  In the case of the advertising a mock network how would that work?  From the branch offices, would I track the VIP?

ironshoreit wrote:

Sorry the second access was meant to be different ACL.  The issue with using multiple route-maps is

that they need to be applied to same interface.

Based on the example I would need to apply the route-map to interface vlan 10 but i cna only apply 1 route-map per interface.

I think have multiple statement maybe the way to go.

Another question I have is from the dual-core switches in the DC.  Since each WAN router has a connection to each Core switch how would I need to setup PBR?  The switches have HSRP running in between them with a VIP.  In the case of the advertising a mock network how would that work?  From the branch offices, would I track the VIP?

An easier solution might be to NAT the branch source IP addresses to outside interface of the router they leave ie. either the MPLS or DMPVN router, that way the return traffic from the DC will go back to the correct router. This may or may not be a solution as you may need to record the IP addresses coming from the sites or less likely NAT may interfere with some of the apps although this doesn't happen very often.

Otherwise you should do the PBR on the vlan interfaces on the Nexus switches for the servers. I'm assuming the Nexus switches support PBR, if not you would need to use the WAN routers but then to stop traffic bouncing back and forwards between the Nexus switches and the WAN routers a dedicated link between the 2 WAN routers would help if you have the spare interfaces.

If you want to advertise a "mock" network, just use a loopback and add that to your routing protocol. Note if you are using OSPF you will need to add this under your loopback interface "ip ospf point-to-point".

Jon

Thanks Jon,

The Nexus switches do support PBR.  We are using EIGRP throughout the network except for the BGP running on the MPLS provider cloud.   The NAT solution would work but we dont have access to the MPLS routers at the moment.  The ISP manages those for us.

I appreciate the help

Review Cisco Networking for a $25 gift card