Participant

all traffic from branch

We have a Cisco router at a branch office with a site-to-site VPN connection that terminates at HQ on an ASA. Internet traffic has been breaking out at the local branch router. This all works fine. We have just added a Layer 2 link to the branch router, and that is now the primary link back to HQ; all traffic, including internet, now goes across this link and NAT is performed at HQ.

What we want to do is have the VPN link as a failover in case the Layer 2 goes down. We would need all traffic, including internet connections, to go across the VPN. I am not sure how to get all traffic across the VPN. I did try doing `ip any any` on the ACL for the VPN, but that failed. I am guessing it is my default route that will need to be changed, but the VPN doesn't have an interface associated. Does anyone have any ideas?

Accepted Solution
VIP Mentor

Re: all traffic from branch

As usual, there is more than one way to solve this.

It will be much easier when you convert your VPN to a route-based VPN, which has been supported in IOS for many years. With that, you have a tunnel interface representing your VPN.

Next, if you do not want to break out internet traffic locally, add a static /32 route to the HQ VPN gateway. With that you can have "any" routed through your VPN and still have your route to the VPN peer.
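The following IOS configuration is an added example, not configuration posted by anyone in this thread, showing how the accepted answer's advice (a route-based VPN on a tunnel interface plus a /32 host route to the HQ peer) fits together with the IP SLA tracking that the original poster already has in place. All addresses, interface names, the profile name VPN-HQ and the pre-shared key placeholder are assumptions for illustration; the HQ ASA is assumed to terminate the tunnel on a matching VTI (supported on ASA 9.7 and later). Note that without the /32 host route, the tunnel destination would itself resolve through the default route pointing into the tunnel, and IOS would bring the tunnel down with a recursive routing error.

```ios
! ---- IKE/IPsec policy protecting the tunnel (assumed parameters) ----
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
! Replace <PRESHARED-KEY> with the real key; 203.0.113.1 is the assumed ASA outside address
crypto isakmp key <PRESHARED-KEY> address 203.0.113.1
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile VPN-HQ
 set transform-set TS
!
! ---- Route-based VPN: the VPN now has an interface ----
interface Tunnel0
 description Route-based VPN to HQ ASA (backup path when the Layer 2 link fails)
 ip address 10.255.255.2 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-HQ
! No "ip nat outside" here: internet traffic crossing the tunnel is NATed at HQ, as in the thread
!
! ---- Host route so the VPN peer stays reachable via the ISP, not via the tunnel ----
! GigabitEthernet0/0 is the assumed ISP-facing interface, 198.51.100.1 the assumed ISP next hop
ip route 203.0.113.1 255.255.255.255 GigabitEthernet0/0 198.51.100.1
!
! ---- IP SLA probing HQ (assumed 10.0.0.1) across the Layer 2 link on GigabitEthernet0/1 ----
ip sla 1
 icmp-echo 10.0.0.1 source-interface GigabitEthernet0/1
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
! ---- Default routes: tracked primary via Layer 2, floating backup via the tunnel ----
ip route 0.0.0.0 0.0.0.0 10.0.0.1 track 1
ip route 0.0.0.0 0.0.0.0 Tunnel0 10
```

While track 1 is up, the tracked default route (administrative distance 1) wins and everything, internet included, crosses the Layer 2 link. When the probe fails, that route is withdrawn and the floating static (distance 10) sends all traffic into Tunnel0; only the /32 to 203.0.113.1 keeps pointing at the ISP, which is exactly what lets the tunnel itself stay up. Verify with `show ip route`, `show track 1` and `show crypto session` after pulling the Layer 2 link.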

4 Replies
VIP Engager

Re: all traffic from branch

Hi,

The default route's destination interface will be assigned your WAN interface port ID, as in:

ip route 0.0.0.0 0.0.0.0 gig1/0

Here, gig1/0 will be your backup ISP.

But you can use IP SLA and track to change the priority and add or remove the route from the routing table.

Regards,

Deepak Kumar
Participant

Re: all traffic from branch

Hi Deepak, I have got IP SLA in place and it works fine; trouble is I need all traffic to go over the VPN when failed over.

Participant

Re: all traffic from branch

Many thanks for the replies, I will give route-based a go.