MPLS and PBR-

Joe Lee
Level 1

Hi All-

We have a router connected to MPLS and all the traffic passes through the MPLS via BGP routing.

Recently we installed the local internet and connected it to the router at location 1. We added the default route "ip route 0.0.0.0 0.0.0.0 x.x.x.x" to the local internet on the router. It seems some routes were overwritten by this default route, which caused some routing issues.

So we decided not to add the default route to the router and to configure Policy Based Routing to meet the requirement.

Requirement: In location 1, we installed the local internet and connected it to router 1. We want subnet 1 (10.10.1.0/24) to be able to access subnet 3 (10.10.3.0/24) at the datacenter, and all the traffic from subnet 1 will be re-routed to the local internet. Subnet 2 (10.10.2.0/24) is not allowed to go through the local internet, and its traffic is only permitted to the MPLS cloud.

Diagram: See below

Drawing1.jpg

Plan to do:

Router1#

G0/0 --> Connect to the internet
 ip address 10.10.5.1 255.255.255.0
!
G0/1 ---> Where the subnet1 is coming from
 ip address 10.10.2.1 255.255.255.0
 ip policy route-map blah
!
access-list 100 permit ip 10.10.1.0 0.0.0.255 any
!
route-map blah permit 10
 match ip address 100
 set ip default next-hop 10.10.5.1
!

Questions:

1. Can this PBR meet our requirement?

2. Should we use ip default next hop or ip next hop?

Please advise.

Regards,

Joe

3 Replies

Harold Ritter
Cisco Employee

Hi Joe,

The issue seems to be that the DC advertises the default route to the remote sites via the MPLS cloud. When you add the static default route in the remote site, all traffic that needs to go to the DC is routed to the local Internet connection, since the static default route is preferred over the BGP learned default route. To fix the issue, you could simply advertise a more specific route from the DC towards the MPLS cloud.

If you do not want traffic from subnet 2 to use the local Internet connection, you could just apply an ACL on the interface towards the Internet to block this specific source.

Regards

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

Hi Harold,

You're correct. We have the default route in the DC. We tried not to add the ACLs on the interface towards the internet; we may need to allow subnet 2 to pass through this internet because we may need to add the VPN as backup. So besides your recommendation, do you think the PBR is the best practice? If so, is the configuration OK to go? Please advise.

Regards,

Joe

Hi Joe,

From my experience, PBR is not a best practice but rather a last resort.

As far as your configuration is concerned, it pushes all traffic from subnet1 towards the Internet connection as you do not have a specific route to the DC. From what you described in your original post, this does not meet the requirements as traffic destined to the DC will be sent towards the Internet rather than over the MPLS cloud.

One more note, "set ip default next-hop 10.10.5.1" uses the local interface address, when it should rather use the next hop ip address.

Regards

Harold Ritter
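To make the lookup order Harold describes concrete, here is an added Python model (not from the thread and not Cisco IOS code) of how "set ip default next-hop" and "set ip next-hop" interact with the remote router's routing table. The two routing tables, the ACL and the addresses are constructed from the thread's subnets; "mpls" and "internet" are assumed egress labels.

```python
import ipaddress

# Constructed routing table: the remote router learns only a BGP default from the DC.
BGP_DEFAULT_ONLY = {"0.0.0.0/0": "mpls"}
# Same table after the DC also advertises the more specific DC prefix (Harold's fix).
WITH_DC_PREFIX = {"0.0.0.0/0": "mpls", "10.10.3.0/24": "mpls"}

# ACL 100 from the thread: match traffic sourced from subnet 1.
ACL_100 = ipaddress.ip_network("10.10.1.0/24")


def longest_match(table, dst):
    """Return (network, egress) for the most specific route matching dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, egress in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, egress)
    return best


def pbr_egress(table, src, dst, mode="default"):
    """Decide the egress for one packet arriving on the policy-routed interface.

    mode="default" models 'set ip default next-hop': the policy next hop is used
    only when the routing table has no explicit route for dst (a default route
    does not count as explicit).
    mode="next-hop" models 'set ip next-hop': the policy next hop is used
    whenever the ACL matches, regardless of the routing table.
    """
    route = longest_match(table, dst)
    acl_hit = ipaddress.ip_address(src) in ACL_100
    if acl_hit:
        if mode == "next-hop":
            return "internet"
        if route is None or route[0].prefixlen == 0:
            return "internet"
    # No policy match (or an explicit route exists): normal destination routing.
    return route[1] if route else "drop"
```

With only the BGP default present, DC-bound traffic from subnet 1 is policy-routed to the Internet, which is exactly the failure Harold points out; adding the specific DC prefix restores the MPLS path while other destinations still go out the local Internet.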