9 Replies Latest reply on Apr 2, 2012 5:40 PM by kb9mfd

    Policy Based Routing and VPN

    kb9mfd New Member

I have several vLans and two internet connections. Namely vLan 1 is our main office vLan and it uses the first internet connection (vLan 3) for all our general traffic. I have a second internet connection that, even though it has its own vLan (vLan 2), is not set up in the Netvanta 1335 to do anything; it is directly connected to the WAN side of my VOIP server and my email/web server. I have another vLan (vLan 8) that I use for all my VOIP phones and SIP connections. I also have other vLans for other things; we host the internet for a few other companies in our building and they all use the first internet connection. I also have a few sites around the US that have remote SIP phones. Right now they directly connect to the WAN side of my VOIP switch on the second internet connection. My goal is to ship out pre-programmed routers that have VPN tunnels built in so I can remotely administer the phones. What I need then is to set up vLan 8 to use the second internet connection only, and establish a VPN tunnel on the second internet connection that can only see vLan 8 (and hopefully set it up so I can connect to the peers, but they cannot connect to me except for the VOIP server's address, and also prohibit vLan 8 from outside access with the exception of the VPN). The peers will have dynamic WAN IP addresses. I have been able to set up a VPN on the first internet connection to my first vLan, but what I have found is I cannot use the second internet connection because the default route is set up for the first internet connection. (And for vLan 8 I do not even have NAT set up either; it is isolated from the rest of the network except for the VOIP server.) If I can set up vLan 8 to use the second internet connection as its default route, I should be able to get the VPN to work. I will also have to maintain SIP across the tunnels. The rest is probably just security policies. Any documents or examples on how I would get this to work would be great. Thanks! - Jeremy

        • Re: Policy Based Routing and VPN
          Employee

          @kb9mfd - Thank you for your question. You are correct in that policy-based routing will help you configure this. You will configure two route-maps on the router. One route-map will be applied to the vlan 8 interface and will allow you to route traffic from vlan 8 to go over the second internet connection. The other route-map will be applied internally to the router that will allow any traffic sourced from the second internet connection's WAN IP address to go out the second internet connection. This is with the assumption that the second internet connection's WAN IP is static. In addition to this, you can also configure an access-policy on vlan 8 to restrict its connectivity to other networks and equipment.

           

          A route-map has a selection of criteria it can match on. In your case, an access-list (ACL) will work. Other match criteria include IP precedence, DSCP, and packet length in bytes. Then, you can specify a next-hop in the route-map for traffic matching your criteria to use. The guide below explains how to set up policy-based routing and has some examples as well.

           

          Policy-Based Routing - https://supportforums.adtran.com/docs/DOC-3587

           

          Let us know if you have any further questions on this topic.

           

          Thanks,

          Noor

          • Re: Policy Based Routing and VPN
            kb9mfd New Member

            I have finally returned to trying to get this going. I have read over the document and can see how powerful this can be. There is not an example that is close enough for me to model after, so if anyone knows one that would be helpful. My first question is when creating the ACL to match the traffic, if I am specifying the source to be the vlan's subnet, what do I use for the destination to match in order to send the default route traffic? Do I put in the vlan's interface address or the gateway of the second internet connection?

             

            Based off what I am understanding, here are the steps that I need to configure:

            1. Setup a security Policy for that vLan for NAT to go to the second interface

            2. Create an ACL to select the traffic that is going outside the local network(s) (the Adtran will route traffic between the vLans)

            3. Set up the route map to take the matched traffic through the proper interface

             

            I already have step 1 done, so I assume step 2 is:

                 ip access-list extended VOIP-Gateway

                 permit ip host 172.28.130.0/24 69.123.222.333/26

            Then the route map

                 route-map VOIP-Tunnel permit 10

            Then match traffic

                 match ip address VOIP-Gateway

            And specify the action

                 set default interface vlan 2 (or do I need to use the actual gateway address instead of the interface?)

             

            Please review and let me know if I am getting this correct. Thanks! - Jeremy

             

            Edit (kb9mfd): I just noticed I needed to also make another policy for traffic that originated from the second interface. What do I specify in the ACL for the matching traffic? Can I just then add it to the same map "VOIP-Tunnel"? - Jeremy

              • Re: Policy Based Routing and VPN
                Employee

                Jeremy,

                 

                You are on the right track. I wanted to make a couple of modifications to what you have already thought of.

                 

                2. Create an ACL to select the traffic that is going outside the local network(s) (the Adtran will route traffic between the vLans)   

                     This is correct. However, your ACL will need to take into consideration that it needs to ignore traffic destined for the other LANs in your network. I'm going to assume vlan 8 is on the 172.28.130.0/24 network and, for my example's sake, I'm going to pretend that vlan 1 is on a 192.168.1.0 /24 network. The ACL would look something like this:

                 

                     ip access-list extended VOIP-Gateway

                          deny ip 172.28.130.0 0.0.0.255 192.168.1.0 0.0.0.255

                          permit ip any any

                The 'deny' statement will tell the route-map not to apply its settings to that traffic, and the router will use the route table instead. This way we can use the route map on all outbound traffic except for inter-VLAN traffic, which the route table will handle.

                 

                3. Setup the route to take the matched traffic through the proper interface

                     This is correct. Everything looks configured correctly on your route map except I would change the action. Using the "set default interface" command will only use the route map if there is no route in the route table for the destination. I would suggest using either the "set ip next-hop" or "set interface" command instead.

                 

                Also, do not forget to assign this route-map to the vlan 8 interface.

                 

                As far as the second route-map goes, you will need to create an ACL that will be different than the one you are using for your original route-map, VOIP-tunnel. This will be a different route-map as well. However, the set command will look the same as it did for the first route-map. Also keep in mind, that this route-map will need to be applied locally to the router with the "ip local policy route-map <route-map name>" command. The ACL will look like the following:

                 

                ip access-list extended SecondInt

                     permit ip host <vlan 2 IP address> any

                 

                Please do not hesitate to let us know if you have any further questions.

                 

                Thanks,

                Noor

                  • Re: Policy Based Routing and VPN
                    kb9mfd New Member

                    Thank you that was very helpful and I only have one question yet on that configuration and a couple on the vpn side of this. I have 9 vlans currently active and possibly more if you count the vpn tunnels. Do I have to enter a deny for every other subnet the adtran is routing internally? I assume if so, I only need to enter the ones I want communication between. (like what I have to enter in the Security Zones in order for traffic to flow between vLans)

                     

                    Does any of this change, or do I need to add anything, when VPN is being utilized? If I have 2+ VPN tunnels terminate to this vlan (via the second internet connection), do I also have to enter their remote subnets as a deny in order for the packets to flow from one VPN endpoint to the other point to point?

                     

                    Does the ACL that you gave me for the second internet connection also mean that if I port map a port from the second internet connection to a device on another vlan that has its default connection to the first internet connection, the adtran will know to route the return packets back across the second connection even though the default gateway is set to the first connection? (assuming I have a nat entry in the Security Zone allowing it)

                     

                    Thank you for all the help! - Jeremy

                     

                    Edit (kb9mfd): I just thought of it, could I just enter a deny for 172.16.0.0/12 and 192.168.0.0/16 to cover all local network addresses that I may have as local networks?

                      • Re: Policy Based Routing and VPN
                        Employee

                        Jeremy,

                         

                        Yes, you will need to enter 'deny' statements to include all subnets that the Adtran needs to route internally and, yes, you will only need to enter the ones you want communications between. You will be able to prevent vlan 8 from communicating with specific subnets by adding a deny rule in VLAN 8's access-policy/security zone.

                         

                        You do not, however, need to add 'deny' rules for your VPN subnets since no traffic from VLAN 8 goes over your VPN tunnels over the primary internet connection.

                         

                        When you add VPN to the second internet connection, all the pieces should already be in place for traffic from VLAN 8 to be routed over the second internet connection. The only time you will want to add a 'deny' statement to VLAN 8's route-map is when you want the Adtran to route it internally or go over the first internet connection (which is the default route in the route table).

                         

                        Your last question is where things can get complicated. If you map a port from the second internet connection to a vlan other than VLAN 8, assuming you have a NAT entry in the vlan's security zone allowing it, you will need to have a route-map assigned to that particular vlan to ensure that the return traffic for that port forward goes back out the second internet connection. In addition, you will need to disable rpf-check on the security zone/access-policy assigned to the second internet connection interface. The command for this would be, "no ip policy-class <policy-class name> rpf-check".

                         

                        For example, say you have a port forward for RDP traffic to go to a device in VLAN 1. In this case, we'll just say it is coming in on 10.10.10.1 and is being forwarded to 192.168.1.1. The port-forward ACL would look something like this:

                        ip access-list extended InboundRDP

                             permit tcp any host 10.10.10.1 eq 3389

                         

                        You would need a route-map assigned to VLAN 1 that would force the return RDP traffic to go out the second internet connection. The ACL for that route-map would look like this:

                        ip access-list extended OutboundRDP

                             permit tcp host 192.168.1.1 eq 3389 any

                         

                        Let us know if you have any further questions.

                         

                        Thanks,

                        Noor

                          • Re: Policy Based Routing and VPN
                            kb9mfd New Member

                            One quick question: how does the adtran know what the default gateway is for the interface? My two internet connections are two vlans (one is cable and the other is a T1 that the carrier changes to an Ethernet connection) and they both have 5 available IP addresses. I assume I enter both in the route table, but what do I make the administrative distance? (Right now I have the first one a '1' and the second a '5'; do they both need to be a '1'?) Does the adtran then just learn which one to use with which interface? - Thanks! - Jeremy

                             

                            --- Update

                            I used "set ip next-hop" to get it to work and it does work now, so I assume that I do not need to mess with the route table. If I want to deny internet access from all the clients in vlan 8, but want to run VPNs through it so all the peers (both local and remote) can see each other, is that possible (the VPN peers will not have a known or dynamic IP address), and will that be configured with an ACL or do I change Security Policies? Thanks! - Jeremy

                              • Re: Policy Based Routing and VPN
                                Employee

                                Jeremy,

                                 

                                Yes, you are correct. You don't need to make any changes to the route table. The fact that you already had a primary internet connection up and working through the 1335 told me you had already entered a default route in your route table. That default route is what specifies which path a packet should take if there is no route or route-map entry matching it. It would have a destination network of 0.0.0.0 with a mask of 0.0.0.0 and a next-hop specified in your route table.

                                 

                                Regarding your second question, you will need to modify both the security zone/access-policy AND the route map. On the security zone, you can stop VLAN 8 from getting to the internet by removing the NAT statement. This will inhibit internet access for those clients. However, you will need to have "allow" rules set up for VLAN 8 to communicate with the remote and local networks that you want. On the route-map, you will only need to add "deny" statements in the ACL for networks that VLAN 8 needs to reach without going over the second internet connection.

                                 

                                NOTE: Access-lists and Access-policies are matched in a top-down fashion. Once a match is found, the other entries listed below will not be checked. You will want to make sure that your more specific rules are listed at the top.

                                 

                                Let us know if you have any further questions.

                                 

                                Thanks,

                                Noor
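The three mechanisms Noor describes across this thread (an ACL 'deny' handing inter-VLAN traffic back to the route table, a second route-map on VLAN 1 forcing port-forward return traffic out the second connection, and the top-down first-match evaluation of access-lists) can be checked end to end with a small model. The following Python is an added illustration written for this thread, not Adtran's code or the router's actual implementation; the ACL lines are copied from the replies above, while the gateway address of the second connection (10.10.10.254), the primary gateway (203.0.113.1) and the remote host (198.51.100.7) are constructed placeholders.

```python
"""Model of how a route-map consults an extended ACL and falls back to the
route table.  Added example for this thread, not Adtran AOS code: ACL lines
follow the snippets in the replies; gateway and remote addresses are
constructed placeholders."""
import ipaddress


def _parse_endpoint(tokens, i):
    """Consume one address spec ('any', 'host A', or 'A WILDCARD') plus an
    optional 'eq PORT'; returns (network, port_or_None, next_index)."""
    if tokens[i] == "any":
        net, i = ipaddress.ip_network("0.0.0.0/0"), i + 1
    elif tokens[i] == "host":
        net, i = ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    else:  # address followed by a wildcard mask (1 bits = don't care)
        wild = int(ipaddress.ip_address(tokens[i + 1]))
        prefixlen = 32 - wild.bit_length()  # assumes a contiguous wildcard
        net = ipaddress.ip_network(f"{tokens[i]}/{prefixlen}", strict=False)
        i += 2
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port, i = int(tokens[i + 1]), i + 2
    return net, port, i


def parse_acl(lines):
    """Parse 'permit|deny <proto> <src> [eq p] <dst> [eq p]' lines in order."""
    entries = []
    for line in lines:
        t = line.split()
        action, proto = t[0], t[1]
        src, sport, i = _parse_endpoint(t, 2)
        dst, dport, _ = _parse_endpoint(t, i)
        entries.append((action, proto, src, sport, dst, dport))
    return entries


def packet(src, dst, proto="ip", sport=None, dport=None):
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "proto": proto, "sport": sport, "dport": dport}


def acl_lookup(entries, pkt):
    """Top-down, first-match evaluation: returns 'permit', 'deny' or None
    (nothing matched).  Later entries are never consulted once one matches,
    which is why specific rules must sit above 'permit ip any any'."""
    for action, proto, src, sport, dst, dport in entries:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if pkt["src"] not in src or pkt["dst"] not in dst:
            continue
        if sport is not None and sport != pkt["sport"]:
            continue
        if dport is not None and dport != pkt["dport"]:
            continue
        return action
    return None


def rib_lookup(rib, dst):
    """Longest-prefix match over (network, next_hop) entries."""
    best = None
    for net, nh in rib:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None


def forward(pkt, route_map, acls, rib):
    """A route-map clause applies only when its ACL *permits* the packet.
    An ACL deny (or no match) skips the clause; when no clause applies the
    ordinary route table decides, so Noor's 'deny' lines hand inter-VLAN
    traffic back to the route table."""
    for acl_name, next_hop in route_map:
        if acl_lookup(acls[acl_name], pkt) == "permit":
            return next_hop
    return rib_lookup(rib, pkt["dst"])


ACLS = {
    "VOIP-Gateway": parse_acl([
        "deny ip 172.28.130.0 0.0.0.255 192.168.1.0 0.0.0.255",
        "permit ip any any"]),
    "VOIP-Gateway-misordered": parse_acl([   # specific rule placed last
        "permit ip any any",
        "deny ip 172.28.130.0 0.0.0.255 192.168.1.0 0.0.0.255"]),
    "OutboundRDP": parse_acl(["permit tcp host 192.168.1.1 eq 3389 any"]),
}
SECOND_GW = "10.10.10.254"  # constructed: gateway on the second connection
RIB = [
    (ipaddress.ip_network("0.0.0.0/0"), "203.0.113.1"),    # constructed primary gateway
    (ipaddress.ip_network("192.168.1.0/24"), "vlan 1"),    # connected
    (ipaddress.ip_network("172.28.130.0/24"), "vlan 8"),   # connected
]
VLAN8_MAP = [("VOIP-Gateway", SECOND_GW)]              # applied to interface vlan 8
VLAN8_MAP_BAD = [("VOIP-Gateway-misordered", SECOND_GW)]
VLAN1_MAP = [("OutboundRDP", SECOND_GW)]               # applied to interface vlan 1
REMOTE = "198.51.100.7"  # constructed internet host


def demo():
    """Next hop chosen for each scenario discussed in the thread."""
    return {
        "vlan8_to_vlan1": forward(packet("172.28.130.10", "192.168.1.50"), VLAN8_MAP, ACLS, RIB),
        "vlan8_to_internet": forward(packet("172.28.130.10", REMOTE), VLAN8_MAP, ACLS, RIB),
        "vlan8_to_vlan1_misordered": forward(packet("172.28.130.10", "192.168.1.50"), VLAN8_MAP_BAD, ACLS, RIB),
        "rdp_return": forward(packet("192.168.1.1", REMOTE, "tcp", 3389, 51000), VLAN1_MAP, ACLS, RIB),
        "vlan1_other_traffic": forward(packet("192.168.1.1", REMOTE, "tcp", 443, 51000), VLAN1_MAP, ACLS, RIB),
    }


if __name__ == "__main__":
    for name, hop in demo().items():
        print(f"{name:28s} -> {hop}")
```

Running it shows VLAN 8's inter-VLAN packet landing on the connected "vlan 1" route while its internet-bound packet is sent to the second gateway; the misordered ACL sends the inter-VLAN packet to the second gateway too, because 'permit ip any any' matched first and the deny below it is never reached. On VLAN 1 only the RDP reply (source port 3389) is pulled out the second connection; other traffic from the same host still follows the default route to the primary gateway.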