Central policy, traffic data action next hop

dijix1990

I noticed that in central policy -> traffic data there is an action next hop, and I want to know: does it work for public IP (because public IP is often used for NAT)? Or is it only for IP routing?


dijix1990

I mean, can we use it for VPN0? Maybe somebody has an example.

Hi,

I believe it is just normal PBR within the VPN/VRF.

What do you want to do exactly?


HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

Use it as PBR in a legacy setup, for example.

I have a FlexVPN hub and SD-WAN edges in a DC. I need to match traffic from the service VPN which should go to a legacy branch and send it via the FlexVPN hub to that legacy branch. Before, I used it to send traffic from the BGP border via an IPsec tunnel on the FlexVPN hub.

Doesn't routing help you? Do an interconnection between the FlexVPN hub and the SD-WAN device within the VPN/VRF and advertise the respective routes. When traffic matches the FlexVPN branch subnet, the router will (based on normal L3 routing) forward it to the FlexVPN hub.

HTH,

No, thanks, we need to use PBR. OK, it doesn't matter; one DC we leave without SD-WAN.

Did you try the set next-hop method? Plus, enhanced PBR is also supported via CLI template.

If you explain the scenario a bit and give the topology, I may do a lab as well and we can continue the discussion.


https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/policies/ios-xe-17/policies-book-xe/epbr-cisco-sdwan.html

HTH,

No, not yet, but I'll try.

By the way, what can we use the next-hop option for?

dijix1990_0-1681877048155.png


My example (I want to move from the legacy scheme to SD-WAN):

dijix1990_1-1681878428224.png


Hi,

I've checked: this next-hop action works as normal PBR.

In my lab, I matched source/destination data prefixes and simply set the next-hop (no need for another action). You have the option of a strict or loose next-hop (loose falls back to normal routing). But in your case there is no difference, since you don't want dynamic routing over the interconnection. With PBR, traffic is routed to the next device and on to the destination from there.

Don't forget to do proper routing/PBR for the return traffic (that is on the next-hop device, not on SD-WAN).

Below is the centralized data policy (traffic data):

KananHuseynli_0-1681940167091.png

Respective CLI preview:


data-policy _VPN1_Site1_DataPolicy
  vpn-list VPN1
    sequence 1
     match
      source-data-prefix-list Site1_PC
      destination-data-prefix-list Sie1_CSW_Lo0
     !
     action accept
      set
       next-hop-loose 
       next-hop 10.10.12.2
      !
     !
    !


HTH,
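A fuller version of the policy from this reply, added here as an illustration rather than the poster's lab config: it adds the prefix, VPN and site lists the data-policy references, the default action, and the apply-policy that binds the policy to the site in the from-service direction. The prefixes, site ID and the 10.10.12.2 next hop are assumed values, and the destination list name is spelled Site1_CSW_Lo0 here.

```cisco
! Added example: vSmart centralized data policy with a set next-hop action.
! Lists referenced by the data-policy (all prefixes are assumed lab values).
policy
 lists
  data-prefix-list Site1_PC
   ip-prefix 10.1.1.0/24
  !
  data-prefix-list Site1_CSW_Lo0
   ip-prefix 10.10.99.1/32
  !
  vpn-list VPN1
   vpn 1
  !
  site-list Site1
   site-id 1
  !
 !
 data-policy _VPN1_Site1_DataPolicy
  vpn-list VPN1
   sequence 1
    match
     source-data-prefix-list Site1_PC
     destination-data-prefix-list Site1_CSW_Lo0
    !
    action accept
     set
      ! next-hop alone is strict: if 10.10.12.2 is unreachable the matched
      ! traffic is dropped. next-hop-loose falls back to the routing table
      ! instead; decide deliberately which behaviour you want.
      next-hop 10.10.12.2
      next-hop-loose
     !
    !
   !
   ! Traffic that matches no sequence keeps normal routing.
   default-action accept
  !
 !
!
apply-policy
 ! from-service: only packets entering from the service (LAN) side are
 ! evaluated; the next-hop device must carry its own route/PBR back.
 site-list Site1
  data-policy _VPN1_Site1_DataPolicy from-service
 !
!
```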

It's for the service VPN; I have a public IP only in the transport VPN.

dijix1990

Every time I become sure that SD-WAN doesn't fit for us now) we have too complicated a topology and rules.

If you share details, we can find a solution. Is the interconnection between SD-WAN and FlexVPN over VPN0? Is a tunnel interface configured on SD-WAN, etc.? Give details.

Right now, I just don't understand why you don't do the interconnection over the service VPN. Or do you have multiple VPNs on SD-WAN that need access to the FlexVPN sites?

HTH,

Yeah, it is. It's an old design which was implemented by Cisco specialists. We have only 2 ASR1001-HX working as eBGP borders and we want to move to SD-WAN with our existing scheme, but that's unavailable now. Maybe when new devices arrive we can set up SD-WAN edges in parallel in 6 months, but not everywhere, because SD-WAN isn't flexible for NAT.