Policy based routing on SVI

zeeahmed123
Level 1

Hi All

I have a situation and need some advice if possible.

I have a 6500 series with SUP720-3B and I need to do some kind of PBR so that my outbound traffic to the internet goes via ISP1 and my inbound VPN traffic goes via ISP2. The setup is as follows:

I have two VLANs configured on my switch, VLAN 10 and VLAN 20, which are layer 2 VLANs with no SVIs. In these VLANs I have the respective ISP routers: ISP1 in VLAN 10 and ISP2 in VLAN 20. The firewalls being used are the Cisco ASA 5520 models. For our example I will call them ASA1 for ISP1 and ASA2 for ISP2. Now, ASA1 will be generating a default route into my network using the IP SLA feature and this default route is what will take the users out to the internet via ISP1. The second ASA will be allowing inbound VPN connections (both remote access VPN and site-to-site VPN traffic).

I want the traffic that comes in via ASA2 to go back out the same way. The question I have is that when the remote access or the site-to-site VPN traffic comes into the network, how will it go back when the default route is pointing to ASA1?

My thoughts were to do PBR on the Catalyst 6500, which is my core switch, but I am not sure where the PBR needs to be applied. Do I apply it to all SVI interfaces of my internal VLANs so that returning traffic is PBR'd to ASA2? The VPN clients and the site-to-site VPN will require access to all the VLANs internally. The Cisco documentation states that the route-map be applied to the SVI of the VLAN from which the traffic is coming in; I am confused and need some advice.

Thanks

2 Accepted Solutions

5 Replies

andrew.prince
Level 10

Zahir,

The ASA's have a feature called "RRI - Reverse Route Injection" this should answer your questions.

HTH>

Hi Andrew,

Thanks for your reply; I have been looking at this feature but I am still not sure if it will work. Let me explain.

Our remote sites also have a point-to-point link back to our HQ and the VPN is a back up to the WAN. Currently we are using static routes to route to the remote sites via the WAN which I know is not good. So, how about this:

If I configure OSPF between the remote sites and the HQ then all remote sites will be known by our core at the HQ via OSPF. If any remote site goes down, then OSPF will remove those routes from our core network. The remote sites will then fail over to the VPN (using HSRP at the remote sites) and initiate a VPN tunnel back to HQ. Now, if I was to use RRI, then when the VPN tunnel is UP to HQ the ASA will advertise those routes again and the return traffic will now go via the ASA that is advertising those routes.

This means that I will not need policy based routing at all.

Do you think this could potentially work?

regards

Zahir

Zahir,

The simplest way would be to have a dynamic routing protocol - OSPF/EIGRP are fine, I would go with EIGRP as you do not need to think about your OSPF area design.  Have the dynamic routing protocol working over the p2p links.  Also have weighted static routes in the routers pointing to the ASA's for the remote VPN's.  Weight the static routes say with 200 - when the EIGRP/OSPF route is removed from the RIB - the static routes take over.  No need for the ASA's to perform RRI.

HTH>
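The design in the reply above (dynamic routing over the p2p WAN link plus floating static routes toward the ASA for the VPN path), written out as an added IOS configuration example for the HQ Catalyst 6500. This is not configuration from the thread, from Cisco, or from the poster's network: the VLAN number, the EIGRP autonomous-system number, the interface name and every address are constructed placeholders. Note that the "weight" of 200 in the reply corresponds to the administrative distance argument of the `ip route` command; a static route with a higher distance than the EIGRP-learned route (90) stays out of the RIB until the dynamic route is withdrawn.

```cisco
! Added example, not from the thread. Assumed/constructed values:
!   GigabitEthernet1/1 = p2p WAN link to the remote site, 10.1.1.0/30
!   Vlan30             = internal VLAN holding the ASA inside interfaces
!   10.30.0.2          = ASA2 inside address (the VPN firewall)
!   192.168.10.0/24    = remote-site LAN reached over WAN or VPN
!   172.16.50.0/24     = remote-access VPN client pool on ASA2
!
! 1. EIGRP over the p2p WAN link. While the link is up the remote LAN is
!    learned with administrative distance 90 and is the route in the RIB.
router eigrp 100
 network 10.1.1.0 0.0.0.3
 network 10.30.0.0 0.0.0.255
 passive-interface default
 no passive-interface GigabitEthernet1/1
!
! 2. Floating static for the remote-site LAN toward ASA2, distance 200.
!    It is installed only after EIGRP withdraws the prefix (WAN down), so
!    return traffic for the site-to-site VPN then leaves via ASA2 and
!    ISP2, matching the path the traffic came in on. No PBR and no RRI.
ip route 192.168.10.0 255.255.255.0 10.30.0.2 200
!
! 3. Remote-access clients: their pool only ever exists behind ASA2, so a
!    plain static (default distance 1) keeps their return traffic off the
!    ASA1 default route at all times.
ip route 172.16.50.0 255.255.255.0 10.30.0.2
!
! Verification (what to expect, not captured output):
!   show ip route 192.168.10.0   -> "eigrp", distance 90, via 10.1.1.2 (WAN up)
!   show ip route 192.168.10.0   -> "static", distance 200, via 10.30.0.2 (WAN down)
!   show ip route 172.16.50.0    -> "static", distance 1, via 10.30.0.2 (always)
```

The check worth running after failover is the second `show ip route` line: if the EIGRP neighbor drops but the interface stays up, the route is withdrawn on neighbor loss, not on link-state, so the floating static only takes over once the hold timer expires.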

Hi Andrew,

This is an even better option - awesome and thank you so much for your time and answer.

regards

Zahir

Zahir,

no problem - glad to help.

Andrew.
