04-16-2023 08:59 PM
I noticed that central policy -> traffic data has an action "next hop", and I want to know: does it work for public IPs (because public IPs are often used for NAT)? Or is it only for IP routing?
04-16-2023 09:02 PM
I mean, can we use it for VPN0? Maybe somebody has an example.
04-17-2023 05:34 AM
Hi,
I believe it is just normal PBR within the VPN/VRF.
What do you want to do exactly?
04-17-2023 07:55 AM - edited 04-17-2023 07:56 AM
Use it as PBR with a legacy setup, for example.
I have a FlexVPN hub and SD-WAN edges in a DC. I need to match traffic from a service VPN that should go to a legacy branch and send it via the FlexVPN hub to that legacy branch. Before, I used it to send traffic from the BGP border via an IPsec tunnel on the FlexVPN hub.
04-17-2023 10:25 AM - edited 04-17-2023 10:25 AM
Doesn't routing help you? Do an interconnection between the FlexVPN hub and the SD-WAN device within the VPN/VRF and advertise the respective routes. When traffic matches a FlexVPN branch subnet, the router will forward it to the FlexVPN hub (based on normal L3 routing).
04-17-2023 05:12 PM
No, thanks, we need to use PBR. OK, it doesn't matter; one DC we leave without SD-WAN.
04-18-2023 02:09 PM
Did you try the set next-hop method? Plus, enhanced PBR is also supported via CLI template.
If you explain the scenario a bit and give a topology, I may do a lab as well and we can continue the discussion.
04-18-2023 09:04 PM
No, not yet, but I'll try.
By the way, what can we use the next-hop option for?
04-18-2023 09:27 PM
My example (I want to move from the legacy scheme to SD-WAN):
04-19-2023 02:39 PM
Hi,
I've checked: this next-hop action works as normal PBR.
In my lab, I matched source/destination data prefixes and simply set next-hop (no need for another action). You have the option of a strict or loose next-hop (loose falls back to normal routing). But in your case there is no difference, since you don't want dynamic routing over the interconnection. With PBR, traffic is routed to the next device and on to the destination from there.
Don't forget to do proper routing/PBR for the return traffic (it is on the next-hop device, not on SD-WAN).
Below is the centralized data policy (traffic data):
Respective CLI preview:
data-policy _VPN1_Site1_DataPolicy
 vpn-list VPN1
  sequence 1
   match
    source-data-prefix-list      Site1_PC
    destination-data-prefix-list Sie1_CSW_Lo0
   !
   action accept
    set
     next-hop-loose
     next-hop 10.10.12.2
    !
   !
  !
 !
!
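To make the strict/loose distinction and the return-traffic caveat concrete, here is an added Python model of sequence 1 above. It is not the thread's or Cisco's code; the prefix-list contents, the routed next hop and which next hops are reachable are all assumed values.

```python
import ipaddress

# Constructed prefix lists named after the ones in the CLI preview above;
# the prefixes themselves are assumed, not taken from the lab in the thread.
PREFIX_LISTS = {
    "Site1_PC": ["192.168.10.0/24"],
    "Sie1_CSW_Lo0": ["10.255.0.1/32"],
}

# Sequence 1 of the data policy: match src/dst lists, set next-hop (loose).
DATA_POLICY = [
    {"seq": 1, "src": "Site1_PC", "dst": "Sie1_CSW_Lo0",
     "next_hop": "10.10.12.2", "loose": True},
]


def in_prefix_list(ip, list_name):
    """True if ip falls inside any prefix of the named data-prefix-list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in PREFIX_LISTS[list_name])


def forward(src, dst, routed_next_hop, reachable, policy=DATA_POLICY):
    """Next hop chosen for a src->dst flow in the service VPN.

    routed_next_hop: what the normal routing table would pick for dst.
    reachable: set of next-hop addresses currently resolvable.
    Returns None when the flow is dropped.
    """
    for seq in policy:
        if in_prefix_list(src, seq["src"]) and in_prefix_list(dst, seq["dst"]):
            if seq["next_hop"] in reachable:
                return seq["next_hop"]
            # Loose: fall back to normal routing. Strict: no fallback, so the
            # flow is dropped (modelled here as None).
            return routed_next_hop if seq["loose"] else None
    # No sequence matched: plain routing. This is what happens to the return
    # flow (dst -> src), which is why the next-hop device needs its own
    # routing/PBR for it.
    return routed_next_hop
```

The model shows that the reverse flow never matches sequence 1, so the SD-WAN edge applies no PBR to it; only the FlexVPN side's routing decides where return traffic goes.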
04-19-2023 07:49 PM
It's for the service VPN; I have public IPs only in the transport VPN.
04-19-2023 07:52 PM
Every time, I am sure that SD-WAN doesn't fit for us now) We have too complicated a topology and rules.
04-19-2023 09:49 PM - edited 04-19-2023 10:06 PM
If you share details, we can find a solution. Is the interconnection between SD-WAN and FlexVPN over VPN0? Is a tunnel interface configured on SD-WAN, etc.? Give details.
Right now, I just don't understand why you don't do the interconnection over a service VPN. Or do you have multiple VPNs on SD-WAN that need access to the FlexVPN sites?
04-19-2023 10:10 PM
Yeah, it is. It's an old design that was implemented by Cisco specialists. We have only 2 ASR1001-HX working as eBGP borders, and we want to move to SD-WAN with our existing scheme, but it's unavailable now. Maybe when new devices arrive we can set up SD-WAN edges in parallel in 6 months, but not everywhere, because SD-WAN isn't flexible for NAT.