04-20-2015 10:19 AM - edited 03-07-2019 11:38 PM
I have a client, who has MPLS connecting all spoke sites back to the HUB or NOC. Obviously, we have 1 default route currently. The MPLS is currently running on 1.5M T1. Customer refuses to increase capacity and bring in Metro-E/Fiber. They brought in copper/cable ISP instead. Now, customer wants us to setup a site-to-site VPN between the ASA at the NOC and the router at the spoke site. Problem is, they want all the VDI traffic to ride the T1 MPLS, but they want all imaging (specific destination IP) traffic to ride the site-to-site VPN.
How can I make this happen? ATT MPLS is the current active MPLS connection. Earthlink was replaced by ATT.
How can I accomplish sending specific traffic destined for a specific IP address across the VPN tunnel, but all other traffic ride the MPLS?
Current setup on the spoke router is:
*******************************************************************START CODE********************************************************************
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description ***MPLS to Earthlink***
shutdown
ip address 10.10.11.2 255.255.255.252
ip nbar protocol-discovery ipv4
duplex auto
speed auto
!
interface GigabitEthernet0/1
description ATT_MPLS
ip address 10.100.11.2 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet1/0
ip address 192.168.11.1 255.255.255.0
ip helper-address 192.168.1.11
ip nbar protocol-discovery ipv4
ip flow ingress
ip flow egress
ip virtual-reassembly in
!
interface GigabitEthernet1/1
description Internal switch interface connected to EtherSwitch Service Module
no ip address
!
interface Cellular0/0/0
no ip address
encapsulation slip
dialer in-band
dialer string lte
!
interface Vlan1
no ip address
!
router bgp 65311
bgp log-neighbor-changes
network 192.168.11.0
redistribute connected
neighbor 10.10.11.1 remote-as 65311
!
ip forward-protocol nd
!
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-export source GigabitEthernet1/0
ip flow-export version 9
ip flow-export destination 192.168.1.20 2055
!
ip route 0.0.0.0 0.0.0.0 10.100.11.1
ip route 0.0.0.0 0.0.0.0 10.10.11.1 250
ip route 192.168.1.0 255.255.255.0 10.100.11.1
!
*******************************************************************END CODE********************************************************************
On the NOC side, I have:
MPLS router >> CORE
Internet router >> DMZ SWITCH >> CORE & ASA
Thanks in advance for your help.
04-20-2015 11:08 AM
To get the imaging traffic to go via the VPN for the specific destination IP addresses is easy, just add a route for it on the core.
The problem is the return traffic, and you will have to use PBR to achieve that because you need to route traffic based on source IP address.
You cannot do that with a routing protocol.
If I have misunderstood please clarify.
Jon
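The two halves of Jon's answer (a host route for the imaging destination on the spoke, PBR on the NOC side for the return traffic) as an added configuration example. This is not the original poster's config and not something Jon posted; it reuses the addresses visible in the spoke config above (LAN 192.168.11.0/24, MPLS next hop 10.100.11.1, NOC network 192.168.1.0/24) and assumes placeholders for everything the thread does not give: the imaging server is 192.168.1.200, the cable ISP lands on the unused GigabitEthernet0/2 as 203.0.113.2/30 with gateway 203.0.113.1, the ASA outside address is 198.51.100.10, the ASA inside address is 192.168.2.254, and the core's SVI facing the imaging server is Vlan10. Replace all of these with the real values.

```cisco
! ===== Spoke router (IOS) =====
! Placeholders: imaging server 192.168.1.200, cable ISP on Gi0/2 (203.0.113.2/30,
! gateway 203.0.113.1), ASA outside 198.51.100.10. The existing MPLS default route stays.
!
! Only the imaging host and the ASA peer itself leave via the cable ISP; every other
! destination (VDI, 192.168.1.0/24, the default) keeps following the MPLS routes.
ip route 192.168.1.200 255.255.255.255 203.0.113.1
ip route 198.51.100.10 255.255.255.255 203.0.113.1
!
! Crypto ACL: encrypt exactly the spoke LAN -> imaging host flow and nothing else.
! Keep this in step with the host route above; traffic that matches the route but not
! the ACL would leave the cable interface in clear text.
ip access-list extended VPN-IMAGING
 permit ip 192.168.11.0 0.0.0.255 host 192.168.1.200
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY> address 198.51.100.10
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto map CM-NOC 10 ipsec-isakmp
 set peer 198.51.100.10
 set transform-set TS-AES
 match address VPN-IMAGING
!
interface GigabitEthernet0/2
 description Cable ISP (VPN to NOC ASA)
 ip address 203.0.113.2 255.255.255.252
 no shutdown
 crypto map CM-NOC
!
! ===== NOC core (IOS syntax; placeholders: ASA inside 192.168.2.254, SVI Vlan10) =====
! Return traffic from the imaging server to the spoke LAN would otherwise follow the
! core's route to the MPLS router, so it is policy-routed to the ASA based on SOURCE.
! Anything that does not match the ACL falls through to normal routing.
ip access-list extended PBR-IMAGING-RETURN
 permit ip host 192.168.1.200 192.168.11.0 0.0.0.255
!
route-map PBR-TO-ASA permit 10
 match ip address PBR-IMAGING-RETURN
 set ip next-hop 192.168.2.254
!
interface Vlan10
 description SVI facing the imaging server
 ip policy route-map PBR-TO-ASA
```

The ASA itself is not shown in the thread; it needs the mirror-image crypto ACL (192.168.1.200 to 192.168.11.0/24), the matching IKE/IPsec proposals, and a route for 192.168.11.0/24 pointing out its outside interface so the tunnel, not the core, carries the spoke LAN. To confirm the split is doing what the customer asked, run `show crypto ipsec sa` on the spoke (encaps/decaps counters should move only for the imaging flow), `show route-map PBR-TO-ASA` on the core (packet match counters), and `traceroute 192.168.1.200 source 192.168.11.1` versus a traceroute to any other NOC host: the first should leave via 203.0.113.1, the second via 10.100.11.1.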