03-29-2012 02:20 PM - edited 03-04-2019 03:51 PM
Hello there,
I have an interesting problem with local PBR on a 2921 router. Here is the case:
At the HQ site there is a 2921 router with two directly connected ISPs, and there is a Branch which is connected to only one ISP.
The configuration should connect the HQ router to the Branch router with two VTI tunnels, so that each tunnel on the HQ side is
terminated on a different ISP, and EIGRP will monitor the status of each VTI. The problem is on the HQ side: there is only one way to specify this on the router,
with a LOCAL PBR configuration, so the router should send the traffic of the tunnel terminated on ISP1 to ISP1, and the traffic of the tunnel terminated on the ISP2 interface to ISP2.
As far as I know this configuration should work, but I couldn't make it work on the c2900-universalk9-mz.SPA.151-4.M4.bin IOS, nor on
c2900-universalk9-mz.SPA.152-2.T1.bin.
Here is the simple config:
ISP1 IP is 1.1.1.1
ISP2 IP is 2.2.2.2
3.3.3.3 is the Branch IP address.
!
ip vrf BRANCH
 rd 9:9
!
interface Tunnel1
 description TO.BRANCH.ISP1
 ip vrf forwarding BRANCH
 ip address 192.168.0.1 255.255.255.252
 tunnel source 1.1.1.1
 tunnel mode ipsec ipv4
 tunnel destination 3.3.3.3
 tunnel protection ipsec profile Encrypt
!
interface Tunnel2
 description TO.BRANCH.ISP2
 ip vrf forwarding BRANCH
 ip address 192.168.0.5 255.255.255.252
 tunnel source 2.2.2.2
 tunnel mode ipsec ipv4
 tunnel destination 3.3.3.3
 tunnel protection ipsec profile Encrypt
!
! Match the locally generated (tunnel-encapsulated) packets by their source address
access-list 1 permit host 1.1.1.1
access-list 2 permit host 2.2.2.2
!
! 1.1.1.3 is the ISP1 next hop
route-map PBR permit 10
 match ip address 1
 set ip next-hop 1.1.1.3
!
! 2.2.2.3 is the ISP2 next hop
route-map PBR permit 20
 match ip address 2
 set ip next-hop 2.2.2.3
!
ip local policy route-map PBR
When I configure one default static route, it starts working, but both tunnels go via the specified ISP. Also, there is no VRF problem:
when there is no VRF config at all it also doesn't work. GRE tunnels also don't work.
Do you have any idea how to make this thing work?
03-29-2012 03:08 PM
Hi Michael,
If I understand correctly, then you have to check the routing for the destination IP of the tunnels.
For instance, when you configured the default route, which next hop did you use? If you use the IP of one ISP as the next hop, then you should expect both tunnels to go via the specified ISP, since the destination IP of both tunnels will be routed via that one ISP link.
You need to have routing (e.g. 2 static routes) to send the tunnel destination IP to each one of the 2 ISPs.
So the router could send the traffic of the tunnel terminated on ISP1 to ISP1, and the traffic of the tunnel terminated on the ISP2 interface to ISP2.
I should note that the PBR will be applied only to packets that match access-lists 1 and 2.
Hope that helps,
Vasilis
03-29-2012 11:42 PM
Hello Vasileios,
I don't understand how to configure static routing so that ISP1 tunnel traffic goes via ISP1 and ISP2 tunnel traffic goes via ISP2, because the branch has one IP address. If I configure two static routes with the branch IP as the destination network, one with the ISP1 next-hop address and the second with the ISP2 next-hop address, won't there just be load balancing?
03-30-2012 01:35 AM
Hi Michael,
the config does not look correct,
however I would start with basic questions about what you are trying to achieve,
for example secure tunneling between HQ and branch?
why are you using VRF on the tunnel interface?
have you considered using DMVPN with IPsec? simple and dynamic
when you ping, do you use the vrf keyword in the ping?
if you can provide a simple diagram with the requirements and how the routing looks without tunneling, that will be good to help you
03-30-2012 01:39 AM
This is also a very good concept that you might use: I-VRF and FVRF with the DMVPN tunneling.
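The last reply points at front-door VRFs (FVRF). The configuration below is an added example written for this page; it is not part of the thread and not any poster's config. It shows the FVRF layout that removes the need for local PBR altogether: each ISP-facing interface sits in its own VRF with its own default route, and each tunnel names that VRF with "tunnel vrf", so the tunnel's encapsulated packets can only leave through that ISP, while the inside of the tunnel stays in the BRANCH VRF (the inside VRF, I-VRF) exactly as in the original post. The interface names, the /24 masks on the ISP links, the next hops 1.1.1.3 and 2.2.2.3, the IPsec profile names and the EIGRP AS number are assumptions; the ISP, branch and tunnel addresses follow the thread.

```cisco
! Added example (not from the original thread): front-door VRF per ISP.
! Assumed: interface names, /24 ISP masks, next hops, profile names, EIGRP AS.
!
ip vrf ISP1
 rd 1:1
!
ip vrf ISP2
 rd 2:2
!
ip vrf BRANCH
 rd 9:9
!
! Each WAN interface lives in its own front-door VRF
interface GigabitEthernet0/0
 description TO.ISP1
 ip vrf forwarding ISP1
 ip address 1.1.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 description TO.ISP2
 ip vrf forwarding ISP2
 ip address 2.2.2.2 255.255.255.0
!
! One default route per FVRF. The outer packets of Tunnel1 are routed in ISP1
! and can only leave via 1.1.1.3; those of Tunnel2 only via 2.2.2.3. The global
! routing table (and any global default route) no longer decides which ISP a
! tunnel uses, so no local PBR and no access-lists are needed.
ip route vrf ISP1 0.0.0.0 0.0.0.0 1.1.1.3
ip route vrf ISP2 0.0.0.0 0.0.0.0 2.2.2.3
!
interface Tunnel1
 description TO.BRANCH.ISP1
 ip vrf forwarding BRANCH
 ip address 192.168.0.1 255.255.255.252
 tunnel source 1.1.1.1
 tunnel mode ipsec ipv4
 tunnel destination 3.3.3.3
 tunnel vrf ISP1
 tunnel protection ipsec profile Encrypt-ISP1
!
interface Tunnel2
 description TO.BRANCH.ISP2
 ip vrf forwarding BRANCH
 ip address 192.168.0.5 255.255.255.252
 tunnel source 2.2.2.2
 tunnel mode ipsec ipv4
 tunnel destination 3.3.3.3
 tunnel vrf ISP2
 tunnel protection ipsec profile Encrypt-ISP2
!
! EIGRP inside the BRANCH VRF watches both tunnels, as the original post intends
router eigrp 1
 address-family ipv4 vrf BRANCH
  autonomous-system 1
  network 192.168.0.0 0.0.0.7
  no auto-summary
```

Two caveats. First, once "tunnel vrf" is set, IKE negotiates inside the FVRF, so on IOS the pre-shared key for 3.3.3.3 has to live in a keyring bound to that VRF ("crypto keyring NAME vrf ISP1", one per FVRF), each referenced from an ISAKMP profile that the corresponding IPsec profile uses; that crypto part is deliberately left out above, and the two profile names only exist to mark that two profiles are needed. Second, the checks: "show ip route vrf ISP1" should show only the ISP1 default route, "ping vrf ISP1 3.3.3.3 source 1.1.1.1" must succeed before Tunnel1 can come up, and "show crypto session" should list one session per FVRF.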