
ASR IOS XE route all traffic to policy IPsec tunnel

msegersvard
Level 1

server vrf -- mpls/bgp -- ASR -- internet -- vpn peer -- internet

 

I have an ASR with a lot of policy tunnels. Sometimes there is a need to route all traffic from our datacenter through an IPsec VPN tunnel. For example, it might be a network segment that has no internet access through the firewall, and servers on that segment need internet access.

 

With a VXR I would create a normal policy tunnel and define the VPN tunnel destination proxy ID as ANY.

ip access-list extended vpn-acl
permit ip 192.168.0.0 0.0.0.255 any

 

That would of course be mirrored by the remote VPN device. For some reason, crypto map reverse-route static doesn't add a default route to the VRF routing table, so I would add a static route.

ip route vrf vpn-vrf 0.0.0.0 0.0.0.0 ethernet0/0(internet interface) x.x.x.x (vpn peer IP)

 

On a VXR this would allow the 192.168.0.0/24 subnet to access any IP address via the VPN tunnel. It would also allow the VXR to use BGP to advertise a default route to the server segment.

 

On the ASR none of this works and I can't figure out why. Adding the static route will add it to the vpn-vrf routing table, but it will not be advertised to the server segment. BGP is configured to advertise statics and the default.

address-family ipv4 vrf vpn-vrf
redistribute connected
redistribute static
default-information originate
exit-address-family

 

Any ideas? Or shall I open a TAC for this?

 

P.S. A tunnel interface is not possible due to some limitations in the architecture. I'll have to figure out why I can't use those.

2 Replies

Pablo
Cisco Employee

Can you post the output of these commands:

 

show bgp vpnv4 unicast vrf vpn-vrf neighbors X.X.X.X advertised

show bgp vpnv4 unicast vrf vpn-vrf

show bgp vpnv4 unicast vrf vpn-vrf summary 

show ip vrf vpn-vrf

 

-Pablo

#sh ip vrf vpn-vrf
Name        Default RD              Interfaces
vpn-vrf     1.102.109.172:10026     Lo591    << lo I used for testing

 

#sh bgp vpnv4 unicast vrf vpn-vrf
BGP table version is 7289284, local router ID is x.x.x.35
Route Distinguisher: 1.102.109.172:10026 (default for vrf vpn-vrf)
*> 0.0.0.0 vpn.peer.ip 0 32768 ?
*> 10.10.191.0/24 x.x.x.195 0 65000 65001 65002 ?
*> 10.100.0.0/23 vpn.peer.ip 0 32768 ?
*> 10.100.145.0/24 vpn.peer.ip 0 32768 ?

show bgp vpnv4 unicast vrf vpn-vrf summary   (blank output)

 

show bgp vpnv4 unicast vrf vpn-vrf neighbors X.X.X.X advertised

DC MPLS BGP routing is not my strong area, and I can't figure out what IP I should use for the neighbor. The ASR BGP config has a bunch of DC routers listed, but all of those say "No such neighbor". If my VRF had a direct BGP peering config, this would be simple.
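One check worth running before a VRF default route like the one in the original post goes live: with a policy-based (crypto map) tunnel, only traffic that both exits the interface carrying the crypto map and matches the crypto ACL is encrypted; anything else that follows the static default to the internet interface leaves in the clear. The script below is an added example, not code from this thread or from Cisco. It parses IOS-style `ip access-list extended` permit/deny ip lines and `ip route [vrf]` statements, does a longest-prefix lookup per VRF, and reports for each flow whether it would be encrypted, sent unencrypted, or has no route. The VRF name follows the post; the interface names, 192.0.2.x/198.51.100.x addresses and sample flows are constructed placeholders.

```python
"""Audit which VRF flows a policy-based IPsec crypto ACL actually covers.

Added example (not from the thread). Models the IOS forwarding rule the post
relies on: a packet is encrypted only if it leaves on the interface that holds
the crypto map AND matches a permit entry of the crypto ACL. Everything else
that follows the static default route is forwarded unencrypted.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# --- constructed sample config: same shape as the thread, placeholder values ---
CRYPTO_ACL = """\
ip access-list extended vpn-acl
 10 permit ip 192.168.0.0 0.0.0.255 any
"""
STATIC_ROUTES = """\
ip route vrf vpn-vrf 192.168.0.0 255.255.255.0 GigabitEthernet0/0/1
ip route vrf vpn-vrf 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 192.0.2.1
ip route 0.0.0.0 0.0.0.0 192.0.2.1
"""
INTERNET_IFACE = "GigabitEthernet0/0/0"   # constructed: interface the crypto map is applied to


@dataclass(frozen=True)
class AclEntry:
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


@dataclass(frozen=True)
class StaticRoute:
    vrf: str                         # "global" when no vrf keyword is present
    prefix: ipaddress.IPv4Network
    interface: Optional[str]
    next_hop: Optional[ipaddress.IPv4Address]


def _wildcard_to_net(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS 'address wildcard' -> network; the wildcard is the inverted mask."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def _parse_operand(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any' | 'host A' | 'A WILDCARD'; return (network, tokens consumed)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), 1
    if tokens[0] == "host":
        return ipaddress.IPv4Network(f"{tokens[1]}/32"), 2
    return _wildcard_to_net(tokens[0], tokens[1]), 2


def parse_crypto_acl(text: str) -> List[AclEntry]:
    """Parse 'permit|deny ip SRC DST' entries (optional sequence number) of an extended ACL."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens and tokens[0].isdigit():          # drop the sequence number
            tokens = tokens[1:]
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
            continue                                # header line or a protocol we do not model
        src, used = _parse_operand(tokens[2:])
        dst, _ = _parse_operand(tokens[2 + used:])
        entries.append(AclEntry(tokens[0], src, dst))
    return entries


ROUTE_RE = re.compile(r"^ip route(?: vrf (\S+))? (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)(.*)$")


def parse_static_routes(text: str) -> List[StaticRoute]:
    """Parse 'ip route [vrf NAME] PREFIX MASK [INTERFACE] [NEXT-HOP]' lines."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        vrf, addr, mask, rest = m.groups()
        prefix = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
        iface, next_hop = None, None
        for tok in rest.split():
            try:
                next_hop = ipaddress.IPv4Address(tok)
            except ValueError:                      # not an address: treat as the exit interface
                if iface is None:
                    iface = tok
        routes.append(StaticRoute(vrf or "global", prefix, iface, next_hop))
    return routes


def classify_flow(src: str, dst: str, vrf: str, routes: List[StaticRoute],
                  acl: List[AclEntry], crypto_iface: str) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'encrypted', 'cleartext' or 'no-route'."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    matches = [r for r in routes if r.vrf == vrf and d in r.prefix]
    if not matches:
        return "no-route", f"no static route for {dst} in vrf {vrf}"
    route = max(matches, key=lambda r: r.prefix.prefixlen)   # longest prefix wins
    if route.interface != crypto_iface:
        return "cleartext", f"exits {route.interface}, which carries no crypto map"
    for entry in acl:                                        # first matching ACE decides
        if s in entry.src and d in entry.dst:
            if entry.action == "permit":
                return "encrypted", f"matches crypto ACE {entry.src} -> {entry.dst}"
            return "cleartext", "matches a deny ACE, so it is excluded from the tunnel"
    return "cleartext", f"no crypto ACE covers {src} -> {dst}; sent unencrypted"


if __name__ == "__main__":
    routes, acl = parse_static_routes(STATIC_ROUTES), parse_crypto_acl(CRYPTO_ACL)
    for flow in [("192.168.0.10", "198.51.100.7", "vpn-vrf"),    # covered by the ACL
                 ("192.168.5.10", "198.51.100.7", "vpn-vrf"),    # follows default, not in ACL
                 ("192.168.0.10", "192.168.0.20", "vpn-vrf")]:   # more-specific route, other iface
        print(flow, *classify_flow(*flow, routes, acl, INTERNET_IFACE))
```

The second sample flow is the case to watch for on a router that carries "a lot of policy tunnels": a host in the VRF that is not in any crypto ACL still follows the 0.0.0.0/0 static out the internet interface and is forwarded unencrypted rather than dropped. Extending the ACL lines with a `deny` entry, or adding the other tunnels' crypto ACLs to the list, shows which segments the default route actually pushes through a tunnel.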