hdas
Participant

ClusterXL - PBR for Internet connection, IPSec VPN, Client VPN, and NAT(R80.40)

Hello,

I'm planning to configure ClusterXL with 4 internet connections and PBR, and I would like to know whether it will also work for IPsec VPN, Client VPN, and NAT.


[Attachment: CP_PBR.jpg]

  1. VPN IPsec on the first internet connection
  2. VPN Client on the second internet connection and some Static NAT
  3. NAT on the third connection
  4. No PBR on the fourth internet connection (default route)


Regards

6 Replies
PhoneBoy
Admin

The appropriate Link Selection setting would be needed for the VPN to work properly.
Not sure what you mean by "NAT on the third connection"; can you clarify?

hdas
Participant

Hi PhoneBoy,

Thanks for your reply.

Let me describe better what I want to achieve:

  • VLAN1 should be reachable only from the IPsec VPN and Client VPN, and should be able to surf the internet, with PBR next hop on the 1st internet connection.
  • VLAN2 should be able to surf the internet and use Static NAT (map some internal IPs to external IPs), with PBR next hop on the 2nd internet connection.
  • VLAN3 should be able to surf the internet, with PBR next hop on the 3rd internet connection.
  • VLAN4 should be able to surf the internet with no PBR (default route from the routing table).
  • VLAN2, VLAN3, and VLAN4 should be able to communicate with each other.

The ClusterXL is the default gateway for all 4 VLANs.

Now, how can I implement all this?

Is there any drawback or limitation for the VPN traffic?

[Attachment: CP_PBR.jpg]

Thank you,

Vladimir
Champion

Hmm... rather odd setup IMHO, but if you look at Link Selection / reply from the same interface, that should cover inbound traffic. That said, I believe PBR has some limitations that may be material to you. Not sure what version you are on, but those listed in sk100500 were still applicable to R80.40.

PhoneBoy
Admin

Properly setting the Link Selection and VPN community is required to ensure only the relevant VLANs are accessible and the VPN will transit the correct link.
You'll need appropriate PBR Routes for all of this for VLAN1-3.
Since you're talking about Default Route, make sure you're at least on R80.30.
VLAN2-4 should be able to talk, assuming routes and the Access Policy are defined appropriately.

You've not mentioned what should happen if one of these Internet connections fails.
The VPN would be most impacted by this, but I believe the other parts of this should work.

hdas
Participant

Hi PhoneBoy,

Very good point: "You've not mentioned what should happen if one of these Internet connections fails." Just to make things easier, I'll implement some FHRP (VRRP or HSRP) as the next hop for the PBR.

"Since you're talking about Default Route, make sure you're at least on R80.30." - I'm on R80.40 now 😊

Could you kindly share a configuration template for the PBR? 😁

Thank you
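A configuration template in the sense asked for above, as an added example that is not from this thread or from Check Point: it emits Gaia clish PBR commands for the four-VLAN design (VLAN1-3 pinned to their own ISP next hop, VLAN4 left on the default route) and lists the inter-VLAN flows to verify afterwards. The `set pbr table` / `set pbr rule` syntax is assumed from memory of Gaia and should be checked against sk100500 for your release; all subnets and next-hop addresses are constructed.

```python
"""Gaia clish PBR generator for the four-VLAN design above (added example,
not from the thread). The 'set pbr table' / 'set pbr rule' syntax is the
Gaia form as I recall it; verify it against sk100500 for your release.
All subnets and next-hop addresses are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class VlanPolicy:
    name: str
    subnet: str             # source network the PBR rule matches
    nexthop: Optional[str]  # ISP next hop (FHRP VIP); None = default route


def pbr_commands(policies):
    """One PBR table and one rule per VLAN that has a next hop; a VLAN with
    nexthop=None gets no rule and stays on the main routing table (VLAN4)."""
    lines, hops, prio = [], set(), 10
    for p in policies:
        ip_network(p.subnet)  # raises on a malformed subnet
        if p.nexthop is None:
            continue
        ip_address(p.nexthop)
        if p.nexthop in hops:  # each VLAN must leave via its own ISP link
            raise ValueError(f"{p.name}: next hop {p.nexthop} reused")
        hops.add(p.nexthop)
        table = f"T_{p.name}"
        lines += [
            f"set pbr table {table} static-route default nexthop gateway address {p.nexthop} priority 1",
            f"set pbr rule priority {prio} match from {p.subnet}",
            f"set pbr rule priority {prio} action table {table}",
        ]
        prio += 10
    return lines


def flows_to_verify(policies):
    """Inter-VLAN pairs whose source is pinned to an ISP link: confirm on the
    box that a table holding only a default route does not send them out."""
    return [(s.name, d.name) for s in policies if s.nexthop
            for d in policies if d is not s]


DESIGN = [  # constructed values: VLAN1..3 pinned to ISP1..3, VLAN4 default
    VlanPolicy("vlan1", "10.1.0.0/24", "203.0.113.1"),
    VlanPolicy("vlan2", "10.2.0.0/24", "198.51.100.1"),
    VlanPolicy("vlan3", "10.3.0.0/24", "192.0.2.1"),
    VlanPolicy("vlan4", "10.4.0.0/24", None),
]

if __name__ == "__main__":
    print("\n".join(pbr_commands(DESIGN)))
```

Paste the printed lines into clish and `save config`; the pairs from `flows_to_verify` (VLAN2 to VLAN3, for instance) are the ones to test with a ping and `fw monitor` after the rules are in place, since the Access Policy must also permit them.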


PhoneBoy
Admin
