Daera (New Zealand) asked:

Running 3rd party App over VPN tunnel

Hi EE,

I have three Cisco 887 routers: RA1, RB1 and RB2.

Site A has RA1 and site B has RB1 and RB2.

I have a third-party application (APP) that runs on 5 PCs at site B (10.10.10.1-5), and they use a server at site A (10.10.0.10) to complete their work using this APP.

I have created 2 VPN tunnels: RA1 <-> RB1 (Tunnel1) and RA1 <-> RB2 (Tunnel2). The physical end point on RA1 is the same for both tunnels (dial0). Both subnets can reach each other and also the internet.

I want to isolate the traffic for APP (port XXXX) so that it goes only via Tunnel2 between the 5 PCs and the server. All other traffic (http, https, ftp, internet traffic etc.) should go via Tunnel1. The hosts on site B that use the APP also use the internet, so internet traffic should go via Tunnel1.

Any thoughts, ideas and pointers to right direction most appreciated. Thanks.
greg ward (United Kingdom):

+1 for policy based routing (PBR).
Daera (asker):

deepdraw, thanks. PBR works well for RA1, but what I also want to achieve is for all 5 PCs to use RB2 when going to the server. Both routers connect to the same subnet 10.10.10.0, with RB1 at .111 and RB2 at .112.

Leaves me with:

- Use only one gateway for hosts, i.e. .112. This means that I can then use PBR on RB2 to pass traffic to RA1, or route traffic to RB1 if it is not going to the server.

- Use two gateways: gateway .112 for traffic going to the server and gateway .111 for traffic going to everything else. Any ideas on how to achieve this?
ASKER CERTIFIED SOLUTION by kevinhsieh (United States of America)
Daera (asker):

So what you are saying is that any traffic going to the server will go 2 hops before it goes out Tunnel2, i.e. PC1 -> RB1 -> RB2 (tun2) -> RA1 -> server. I'm trying to avoid the two hops for the traffic, as both routers are connected to the LAN. If there is no other solution then I may have to use that.
Why are you worried about two hops on the LAN? That's an easy and low networking cost solution. It's not like I am sending you over an extra WAN hop. The only other solution would be to manually configure each PC with static routes to the remote server pointing to RB2, and that works only if all traffic to that IP can go over Tunnel2. Configuring static routes on the workstations is a horrible plan IMHO, with lots of drawbacks, and will save less than 1 ms.
PC1 -> RB1 -> RB2 (tun2) -> RA1 -> server
Is PC1 connected straight to the router, or is there a switch in between? If so, are both routers plugged into the switch?
Are both the routers connected?
Do you want to set up the VPN with EIGRP and use QoS instead?
Daera (asker):

Both RB1 and RB2 are plugged in to a switch, as are the PCs. I will implement PBR and that should do it, as it is all gigabit speed anyway on the LAN side. There is no need for EIGRP over the VPN or QoS, as IP traffic from the PC to the server will all go through the tunnel because that is the destination, so static routes are enough. Thanks.
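The two-hop design agreed on above (PCs keep RB1 at .111 as their gateway; RB1 policy-routes only the APP port for the server to RB2 at .112, which sends it out Tunnel2; RA1 policy-routes the return traffic back into Tunnel2), written out as an added Cisco IOS configuration example that is not from the thread. It assumes the LAN interface is Vlan1 on all three routers, that the tunnels are point-to-point so `set interface` is valid, and that XXXX stands for the real APP TCP port; every other address comes from the question.

```cisco
! ---- RB1 (default gateway 10.10.10.111 for the PCs) ----
! Match only the APP port from the site-B LAN to the server; everything else
! (web, ftp, internet) does not match and follows the normal routing table (Tunnel1).
ip access-list extended APP-TO-SERVER
 permit tcp 10.10.10.0 0.0.0.255 host 10.10.0.10 eq XXXX
!
route-map APP-VIA-RB2 permit 10
 match ip address APP-TO-SERVER
 set ip next-hop 10.10.10.112
! Non-matching packets are not dropped: with no further sequence they are routed normally.
!
interface Vlan1
 ip policy route-map APP-VIA-RB2

! ---- RB2 (10.10.10.112) ----
! Force the APP traffic that RB1 hands over onto Tunnel2 regardless of other routes to site A.
ip access-list extended APP-TO-SERVER
 permit tcp 10.10.10.0 0.0.0.255 host 10.10.0.10 eq XXXX
!
route-map APP-VIA-TUN2 permit 10
 match ip address APP-TO-SERVER
 set interface Tunnel2
!
interface Vlan1
 ip policy route-map APP-VIA-TUN2

! ---- RA1 (site A) ----
! Return path: replies from the server's APP port to the site-B LAN go back via Tunnel2,
! so both directions of the session use the same tunnel. All other site-B traffic uses Tunnel1.
ip access-list extended APP-FROM-SERVER
 permit tcp host 10.10.0.10 eq XXXX 10.10.10.0 0.0.0.255
!
route-map APP-RETURN-TUN2 permit 10
 match ip address APP-FROM-SERVER
 set interface Tunnel2
!
interface Vlan1
 ip policy route-map APP-RETURN-TUN2
```

Verify with `show route-map` on each router: the match counters on APP-VIA-RB2 and APP-VIA-TUN2 should increase only when a PC uses the APP, and `show ip route 10.10.0.10` on RB1 should still point at Tunnel1 for the non-APP traffic.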