03-12-2019 12:35 PM
Hello,
I need to test ipsec config at DR site. Our L3 device uses BGP. I need to take one device and force its traffic to our DR and not use the BGP route. Can anyone help me with this config?
03-12-2019 12:54 PM
You need to show your topology and some configuration; the information you have provided is not enough for us to understand the existing setup and arrangements.
03-12-2019 01:35 PM
We have devices that need data routed out of our firewall and over an IPsec tunnel to a vendor. I am in the process of configuring our DR to be able to route this traffic to our vendor if our main site goes down. Right now our L3 device has BGP routes that point to our firewall as a next hop for this traffic. I need to take one of the devices that typically uses the BGP routes to instead route out of our MPLS interface and to our DR site in order to test that the IPsec tunnel is configured properly.
Current Topology: Packet -----> L3 Device ----> Firewall ------> IPsec Tunnel
Testing Topology: Packet -----> L3 Device ----> MPLS ------> DR L3 Device------> DR Firewall ----->IPsec Tunnel
03-12-2019 12:55 PM
Hello,
You can use
network backdoor
See http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a00800c95bb.shtml#bgpbackdoor
for an example.
03-12-2019 04:28 PM
Hello
I would say BGP backdoor is a good feature and suggestion; however, it would only really be applicable if there is an IGP running across the alternative path, which at this time the OP doesn't state, and if you have hundreds of routes or subnets to advertise it could be really quite administrative. Other possible options may include PBR or conditional route advertisement.
03-13-2019 05:44 AM
Thanks everyone for all of your help.
I don't believe BGP Backdoor would help me, unless I am not understanding something in the BGP Case Study link.
I have multiple devices that need to send traffic over the IPsec tunnel on our local firewall which they are doing now and with no issues. I am trying to test the DR firewall config without changing the route path for all of our devices and possibly interrupting normal business operations. That's why I was hoping I could take one of those devices and route its traffic towards DR while the rest of the devices continue to route traffic as they normally would out of our local firewall.
03-13-2019 06:02 AM
Hello
@jasongr33nway wrote:
Thanks everyone for all of your help.
I don't believe BGP Backdoor would help me, unless I am not understanding something in the BGP Case Study link.
I have multiple devices that need to send traffic over the IPsec tunnel on our local firewall which they are doing now and with no issues. I am trying to test the DR firewall config without changing the route path for all of our devices and possibly interrupting normal business operations. That's why I was hoping I could take one of those devices and route its traffic towards DR while the rest of the devices continue to route traffic as they normally would out of our local firewall.
Sounds like PBR would be the answer. Post a topology diagram so we can review it and, if applicable, the configuration of your router.
03-13-2019 06:07 AM
03-13-2019 06:29 AM - edited 03-13-2019 06:33 AM
@Jaderson Pessoa wrote:
Yes, now we have a clear vision about your doubt.
Really?
@jasongr33nway If you have posted the topology/configuration already, then apologies, I may have missed it.
FYI - without knowing your current setup it would be hard to suggest the correct resolution, PBR or otherwise.
03-13-2019 06:43 AM - edited 03-13-2019 06:44 AM
Thanks for it. You are right :)
Because he input it:
Current Topology: Packet -----> L3 Device ----> Firewall ------> IPsec Tunnel
Testing Topology: Packet -----> L3 Device ----> MPLS ------> DR L3 Device------> DR Firewall ----->IPsec Tunnel
03-22-2019 07:47 AM
Thanks for all of your help guys!
PBR worked just as I needed it to.
03-23-2019 08:30 AM
Thanks for the update confirming that PBR did work and was the solution for your requirement.
HTH
Rick
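The policy-based routing approach the thread settled on, shown as an added Cisco IOS example that is not any poster's actual configuration. Every address, name and interface below is a constructed placeholder: one test host is steered out the MPLS path toward DR for vendor-bound traffic only, while all other hosts keep following the BGP route to the local firewall.

```cisco
! Constructed example: addresses, names and the interface are placeholders.
!   192.0.2.10        single test host behind the L3 device
!   198.51.100.0/24   vendor network normally reached via the IPsec tunnel
!   203.0.113.1       next hop on the MPLS interface toward the DR L3 device
!
! Match only the test host, and only its traffic to the vendor network,
! so nothing else is pulled off the production path.
ip access-list extended DR-IPSEC-TEST
 permit ip host 192.0.2.10 198.51.100.0 0.0.0.255
!
! Packets matching the ACL are forwarded to the MPLS next hop instead of
! the BGP-learned next hop (the local firewall). Packets that do not match
! fall through to normal destination-based routing.
route-map DR-IPSEC-TEST permit 10
 match ip address DR-IPSEC-TEST
 set ip next-hop 203.0.113.1
!
! PBR is evaluated on ingress: apply it on the interface where the test
! host's packets enter the L3 device, not on the MPLS interface.
interface GigabitEthernet0/1
 ip policy route-map DR-IPSEC-TEST
!
! Checks from exec mode while the test host sends traffic:
!   show ip policy
!   show route-map DR-IPSEC-TEST
!   show access-lists DR-IPSEC-TEST
```

Rising match counters on the route-map confirm the test host's packets are being policy-routed; the DR L3 device and DR firewall still need their own routes and tunnel selectors for this source and destination, including the return path. Remove `ip policy route-map` from the interface once the DR tunnel test is finished so the host returns to the normal BGP path.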
03-23-2019 08:40 AM