Route all local traffic from site out its local ISP connection

Hey everyone,

 

A couple of quick questions I wanted to ask. I recently started at a new company, and they have 4 remote sites and an HQ site. All sites have their own independent DIA circuit, which are currently plugged into Cisco ASA firewalls via the outside interface. All remote sites are currently connected to HQ via VPLS/MPLS private Layer 2 links and egress via the HQ ISP. I am looking to have each site go out its own local DIA rather than come back to HQ. I would imagine all I would need to do for this is to create a last-resort route of 0.0.0.0 0.0.0.0 X.X.X.X (firewall inside trusted connection to core switch, /30?) and anything that is not a locally connected route will use this route and get to the firewall, where NAT and ACL policy would apply for egress internet traffic?

I am ultimately going to have two egress links from each core at each site. One link will connect to an SD-WAN device, which will route private inter-site traffic, and the other link will go to our firewall, handling internet-ONLY traffic. I want to create 2 routes to handle these requests. Anything not locally connected that is looking to talk to another internal company network egresses link 1 via route x.x.x.x -> SD-WAN appliance, which then routes for us to the other sites. The other link egresses to the ASA firewall for outbound traffic. Can anyone possibly lend some assistance on the best way to achieve this goal? Thank you so much!!!


Jon Marshall
Hall of Fame

 

Why does each site have local internet if it is not being used, ie. is it used for anything?

 

In answer to your general question if everything is L2 VPLS then adding a route to the local site core switch will do nothing because the local site traffic is not routed on that switch if I am understanding your topology correctly. 

 

Where are the L3 interfaces for the local site vlans (presumably at HQ)?

 

Jon

 

 

All Layer 3 SVIs are on the HQ core switch. The DIA circuits were never used because the knowledge to do so was lacking. Now that I have taken over, I am looking to make each local site have its local GW on its respective core switch, which should then have 2 routes. I feel one /30 from the core to the SD-WAN for inter-site routing and the other /30 to the firewall ONLY for internet traffic. Does this make sense?

 

Yes it makes sense ie. route on each site switch for the local vlans and then you can control what routes where. 

 

I am just not sure how this fits in with your current WAN setup at the moment, ie. are you going to an L3 MPLS VPN setup?

 

Jon

Hi Jon,

 

So currently, how it works is we are broadcasting Layer 2 traffic from a few networks across these private links. We want to fix that. We have two providers that give us private Layer 2 hand-offs to their PE switches. We use Crown Castle and CenturyLink. We use these networks to route to our other sites. 3 of our sites are now all on a 1 Gig mesh private hand-off to our PE edge switch using Crown Castle, and one is using Comcast. From there, as far as we are concerned, it's all Layer 2 over their VPLS/MPLS backbone. They tag all our traffic with their own tag; this way we are easily able to manipulate routes if needed. On our current core switch, the Jersey City network 10.140.100.0/23, Chicago LAN 10.185.100.0/24 and LV_LAN 10.41.100.150 all have their L3 SVI GW on our HQ core switch.

The goal for me would be to take the L3 SVIs off HQ, add them to each site core switch respectively, then create 2 /30 networks that will route only LOCAL traffic out its DIA to the internet, where I would then create NATs on the ASA for each site, and anything other than internet traffic will egress the core and ingress the SD-WAN, which will inter-site route. Does this seem like a good plan? If so, add 2 routes on each core: ip route 0.0.0.0 0.0.0.0 10.250.100.0/30 (ASA inside address connecting to core) and another route ip route 10.0.0.0 0.255.255.255 10.x.x.x (core switch to SD-WAN) for all inter-site routing? All subnets are 10.x.x.x, so I could just use a summary route for all traffic that is not local but matches 10.x.x.x, right?

 

There is nothing wrong with your plan in terms of routing locally and having two routes and yes you can use a summary route for all 10.x.x.x subnets as these are never routed on the internet anyway. 

 

My only concern was how your WAN worked and if moving the L3 SVIs to the local switches would break connectivity but if you are happy it won't then I can't see anything wrong with your plan. 

 

Jon
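The route table this plan ends up with on each site core (local SVI as a connected route, a 10/8 summary toward the SD-WAN box, a default toward the ASA) can be sanity-checked before it touches a switch. The Python below is an added example, not code from this thread or from Cisco: it models longest-prefix-match lookup on one site's core, using the Chicago LAN 10.185.100.0/24 and the ASA-facing 10.250.100.0/30 from the thread; the SD-WAN /30 10.250.100.4/30, the next-hop addresses and the interface labels are assumptions. It also flags the caveat Jon's summary-route answer implies but does not spell out: only 10/8 is steered to the SD-WAN, so any 172.16/12 or 192.168/16 destination falls through to the default route and reaches the ASA, where it should be denied rather than NATed out. One syntax point for when this is typed in: IOS static routes take a subnet mask, so the summary is `ip route 10.0.0.0 255.0.0.0 <sd-wan next hop>`, not a wildcard mask.

```python
from ipaddress import ip_address, ip_network

# Constructed routing table for one site core (Chicago) after the SVIs move
# off HQ.  Each entry: (prefix, next hop or "connected", egress label).
# From the thread: 10.185.100.0/24 (Chicago LAN), 10.250.100.0/30 (core<->ASA).
# Assumed, not in the thread: 10.250.100.4/30 (core<->SD-WAN), the next-hop
# addresses .2 and .6, and the interface labels.
ROUTES = [
    ("10.185.100.0/24", "connected", "Vlan100"),    # local SVI on the core
    ("10.250.100.0/30", "connected", "to-ASA"),     # /30 toward the ASA inside
    ("10.250.100.4/30", "connected", "to-SDWAN"),   # /30 toward the SD-WAN box
    # IOS equivalent: ip route 10.0.0.0 255.0.0.0 10.250.100.6
    ("10.0.0.0/8", "10.250.100.6", "to-SDWAN"),     # summary: other sites
    # IOS equivalent: ip route 0.0.0.0 0.0.0.0 10.250.100.2
    ("0.0.0.0/0", "10.250.100.2", "to-ASA"),        # last resort: internet
]


def lookup(dst, routes=ROUTES):
    """Longest-prefix match: the most specific prefix containing dst wins.

    Returns (network, next_hop, egress_label) or None if nothing matches
    (cannot happen here because the table carries a default route).
    """
    dst = ip_address(dst)
    best = None
    for prefix, next_hop, label in routes:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, label)
    return best


def egress(dst, routes=ROUTES):
    """Egress label a packet to dst leaves the core on."""
    match = lookup(dst, routes)
    return match[2] if match else None


def private_leaks(destinations, routes=ROUTES):
    """RFC 1918 destinations that this table would hand to the ASA.

    The 10/8 summary covers only one private range; 172.16/12 and 192.168/16
    hit the default route, so the ASA egress policy must deny them or they get
    NATed toward the DIA circuit.  Connected prefixes (the ASA /30 itself) are
    not leaks.
    """
    leaks = []
    for dst in destinations:
        match = lookup(dst, routes)
        if (ip_address(dst).is_private
                and match[1] != "connected"
                and match[2] == "to-ASA"):
            leaks.append(dst)
    return leaks


if __name__ == "__main__":
    for dst in ("10.185.100.10", "10.140.100.25", "8.8.8.8", "192.168.1.1"):
        net, nh, label = lookup(dst)
        print(f"{dst:>15} -> {net!s:<18} via {nh:<13} {label}")
    print("private leaks:", private_leaks(["10.140.100.25", "192.168.1.1"]))
```

Running it shows the three classes the plan relies on: the local /24 beats the summary, the summary beats the default for other 10.x sites, and only non-10.x traffic falls to the ASA. Running `private_leaks` over the address space you actually use is the quick way to decide whether the ASA's outbound ACL needs explicit denies for the other RFC 1918 ranges.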
