{"id":58,"date":"2019-01-22T22:54:53","date_gmt":"2019-01-22T22:54:53","guid":{"rendered":"https:\/\/thelordofthepings.newedgenetworking.com\/wp\/?p=58"},"modified":"2023-08-22T01:12:01","modified_gmt":"2023-08-22T01:12:01","slug":"guest-wifi-and-branch-backup-vpn-redo","status":"publish","type":"post","link":"https:\/\/andrewjwhittle.com\/wp-lotpnet\/2019\/01\/22\/guest-wifi-and-branch-backup-vpn-redo\/","title":{"rendered":"Guest wifi and branch backup VPN redo"},"content":{"rendered":"

This post is about a situation I ran into a while ago and records my configs and testing for converting from a PBR setup to VRF on a Cisco 881 router with a diagram at the end.<\/span><\/p>\n

Through a combination of configs involving PBR (Policy Based Routing) AKA Source Routing (as opposed to standard Destination Routing), Proxy Server exceptions, and Default Route\/missing Default Route it was impossible to get to internet facing apps\/sites over guest wifi or branch backup VPN.<\/span><\/p>\n

I knew I could use VRF\u2019s (Virtual Routing and Forwarding) to separate the traffic and solve the issue, but had to prove it to my team as they weren\u2019t familiar with VRF\u2019s. A Cisco router without VRF\u2019s built only has the \u201cglobal routing table\u201d. VRF\u2019s create separate instances of routing tables; one for each VRF, while leaving the global in place.<\/span><\/p>\n

IOS-XE comes with a mgmt-intf VRF by default for a separate management network. Carriers use VRF\u2019s, or contexts in some non Cisco hardware, to keep customers traffic separate and allow for overlapping network schemes. If needed you can \u201cleak routes\u201d between VRF\u2019s and\/or the global routing table. This would be done if the carrier has something like a network monitoring server that needs to access customer devices.<\/span><\/p>\n

I used a post by Jeremy Stretch at packetlife.net as a guide and to show that someone smarter than me confirmed the design. <\/span>http:\/\/packetlife.net\/blog\/2012\/sep\/4\/simultaneous-tunneled-and-native-internet-access\/<\/span><\/a><\/p>\n

Jeremy\u2019s post goes into the details of building everything from the base up.<\/span><\/p>\n

 <\/p>\n

Testing:<\/h1>\n

Test from a computer on guest wifi:<\/b><\/h2>\n
C:\\Users\\>tracert google.com<\/span>\r\n\r\nTracing route to google.com [172.217.5.78]<\/span>\r\n\r\nover a maximum of 30 hops:<\/span>\r\n\r\n \u00a01<\/span> 81 ms \u00a0\u00a0139 ms 251 ms \u00a0172.17.1.1<\/span>\r\n \u00a02 \u00a0152 ms<\/span> 35 ms<\/span> 29 ms \u00a0[10.1.180.1]<\/span>\r\n \u00a03 \u00a0520 ms \u00a0\u00a0173 ms 652 ms \u00a0[10.254.254.161]<\/span>\r\n \u00a04 <\/span> 4 ms \u00a0\u00a0\u00a0\u00a06 ms <\/span> 7 ms \u00a0[****]<\/span>\r\n \u00a05 <\/span> 8 ms <\/span> 5 ms \u00a0\u00a0\u00a015 ms [****]<\/span>\r\n \u00a06<\/span> 12 ms<\/span> 10 ms <\/span> 6 ms \u00a0144.228.109.65<\/span>\r\n \u00a07<\/span> 34 ms \u00a0\u00a0166 ms 219 ms \u00a0sl-mpe50-sea-.sprintlink.net [144.232.3.126]<\/span>\r\n \u00a08 \u00a0662 ms \u00a0\u00a0638 ms 849 ms \u00a072.14.242.31<\/span>\r\n \u00a09 \u00a0572 ms<\/span> 45 ms <\/span> 9 ms \u00a0108.170.245.115<\/span>\r\n10 \u00a0\u00a0578 ms \u00a0\u00a0995 ms 370 ms \u00a066.249.94.201<\/span>\r\n11 \u00a0\u00a0955 ms \u00a0\u00a0618 ms 507 ms \u00a0209.85.240.228<\/span>\r\n12 \u00a0\u00a0268 ms \u00a0\u00a0457 ms 447 ms \u00a0216.239.54.158<\/span>\r\n13 \u00a0\u00a0358 ms \u00a0\u00a0342 ms 638 ms \u00a0216.239.51.124<\/span>\r\n14 \u00a0\u00a0\u00a061 ms<\/span> 71 ms<\/span> 51 ms \u00a0108.170.247.193<\/span>\r\n15 \u00a0\u00a0\u00a056 ms<\/span> 88 ms<\/span> 68 ms \u00a0108.170.237.113<\/span>\r\n16 \u00a0\u00a0\u00a055 ms<\/span> 32 ms<\/span> 44 ms \u00a0172.217.5.78<\/span>\r\n\r\nTrace complete.<\/span><\/pre>\n
Test from a computer on the regular corp wifi or LAN:<\/b><\/h2>\n
C:\\Users\\>tracert google.com<\/span>\r\n\r\nTracing route to google.com [172.217.5.78]<\/span>\r\n\r\nover a maximum of 30 hops:<\/span>\r\n \u00a01<\/span> 12 ms <\/span> 5 ms<\/span> 11 ms \u00a0192.168.2.1<\/span>\r\n \u00a02 <\/span> 5 ms <\/span> 5 ms <\/span> 3 ms \u00a010.3.254.1 < --- Headend Tunnel interface<\/span>\r\n \u00a03<\/span> 10 ms <\/span> 4 ms \u00a0\u00a0\u00a0\u00a05 ms [10.254.254.161]<\/span>\r\n \u00a04<\/span> 17 ms <\/span> 2 ms \u00a0\u00a0\u00a0\u00a09 ms [***]<\/span>\r\n \u00a05 <\/span> 6 ms <\/span> 4 ms <\/span> 4 ms  [****]<\/span>\r\n \u00a06<\/span> 10 ms <\/span> 3 ms \u00a0\u00a0\u00a0\u00a07 ms 144.228.109.65<\/span>\r\n \u00a07 <\/span> 6 ms <\/span> 2 ms <\/span> 2 ms \u00a0sl-mpe50-sea-.sprintlink.net [144.232.3.126]<\/span>\r\n \u00a08 <\/span> 5 ms <\/span> 4 ms \u00a0\u00a0\u00a0\u00a05 ms 72.14.242.31<\/span>\r\n \u00a09 <\/span> 7 ms <\/span> 4 ms <\/span> 3 ms \u00a0108.170.245.115<\/span>\r\n10 \u00a0\u00a0\u00a0\u00a09 ms<\/span> 12 ms <\/span> 9 ms \u00a066.249.94.201<\/span>\r\n11 \u00a0\u00a0\u00a010 ms<\/span> 29 ms<\/span> 26 ms \u00a0209.85.240.228<\/span>\r\n12 \u00a0\u00a0\u00a034 ms<\/span> 54 ms<\/span> 59 ms \u00a0216.239.54.158<\/span>\r\n13 \u00a0\u00a0\u00a032 ms<\/span> 32 ms<\/span> 32 ms \u00a0216.239.51.124<\/span>\r\n14 \u00a0\u00a0\u00a030 ms<\/span> 31 ms<\/span> 30 ms \u00a0108.170.247.193<\/span>\r\n15 \u00a0\u00a0\u00a033 ms<\/span> 30 ms<\/span> 29 ms \u00a0108.170.237.113<\/span>\r\n16 \u00a0\u00a0\u00a038 ms<\/span> 31 ms<\/span> 40 ms \u00a0172.217.5.78<\/span>\r\n\r\nTrace complete.<\/span><\/pre>\n
 <\/p>\n
Config differences:<\/b><\/h1>\n
ADD config:<\/b><\/h2>\n
First you have to create a named VRF. Some people use all caps for VRF names to make them stand out. I don\u2019t because it\u2019s a pain when you want to ping, trace, or use any VRF specific commands.<\/span><\/p>\n
!The VRF names doesn\u2019t matter but fdoor relates to Front Door VRF sometimes used with DMVPN. It separates the base routing and the \u201coverlay routing\u201d used by the VPN. You could also put all interfaces in VRF\u2019s and not use the global routing table but I didn\u2019t.<\/span><\/p>\n
!<\/span>Create the VRF.<\/span><\/i>\r\n!<\/span>\r\nip vrf fdoor<\/span>\r\n!<\/span>\r\n!<\/span>Required to support DHCP when using VRF\u2019s.<\/span><\/i>\r\nno ip dhcp use vrf connected<\/span>\r\n!<\/span>\r\n!<\/span>Place the internet interface in the VRF<\/span><\/i>\r\ninterface <internet-interface><\/span>\r\nip vrf forwarding fdoor<\/span>\r\n!<\/span>\r\n!<\/span>Place the guest interface in the VRF<\/span><\/i>\r\ninterface vlan15<\/span>\r\nip vrf forwarding fdoor<\/span>\r\n!<\/span>\r\n!<\/span>Tell the tunnel to use the VRF for its source interface.<\/span><\/i>\r\nInterface <tunnel-number><\/span>\r\ntunnel vrf fdoor<\/span><\/pre>\n
CHANGE config:<\/b><\/h2>\n
!<\/span>The NAT needs to be told about the VRF.<\/span><\/i>\r\n!<\/span>Change this:<\/span><\/i>\r\nip nat inside source list 130 interface <internet-interface> overload<\/span>\r\n!<\/span>\r\n!<\/span>To this:<\/span><\/i>\r\nip nat inside source list 130 interface <internet-interface> vrf fdoor match-in-vrf fdoor overload<\/span>\r\n!The default route needs to be moved to the VRF.<\/span><\/i>\r\n!<\/span>Change from this:<\/span><\/i>\r\nip route 0.0.0.0 0.0.0.0 <internet-interface> <internet-gw><\/span>\r\n!<\/span>\r\n!<\/span>To this:<\/span><\/i>\r\nip route vrf fdoor 0.0.0.0 0.0.0.0 <internet-interface> <internet-gw><\/span><\/pre>\n
REMOVE config:<\/b><\/h2>\n
!<\/span>\r\ninterface Vlan10<\/span>\r\nno ip policy route-map wifi-mgmt-route-map <\/span>\r\n!<\/span>\r\n!<\/span>\r\ninterface Vlan30<\/span>\r\nno ip policy route-map wifi-guest-route-map<\/span>\r\n!<\/span>\r\n!<\/span>\r\ninterface Vlan36<\/span>\r\nno ip policy route-map LAN-route-map<\/span>\r\n!<\/span>\r\n!<\/span>\r\nno route-map wifi-mgmt-route-map permit 10<\/span>\r\n !match ip address CAPWAP-traffic<\/span>\r\n !set ip precedence flash-override<\/span>\r\n !set ip next-hop <branch-LAN-gw><\/span>\r\n!<\/span>\r\nno route-map LAN-route-map permit 10<\/span>\r\n !match ip address all-except-localwifi<\/span>\r\n !set interface Tunnel1999<\/span>\r\n!<\/span>\r\nno route-map wifi-guest-route-map permit 10<\/span>\r\n !match ip address 130<\/span>\r\n!<\/span>\r\n!<\/span>These routes are not needed as we have dynamic routes for the tunnel and a static default route for internet access in the fdoor VRF.<\/span><\/i>\r\nno ip route 0.0.0.0 0.0.0.0 vlan33 <branch-LAN-gw> 254<\/span>\r\nno ip route <DNS1> 255.255.255.255 <internet-interface> <internet-gw><\/span>\r\nno ip route <DNS2> 255.255.255.255 <internet-interface> <internet-gw><\/span><\/pre>\n
As you can see you end up with less configs and better routing. I was able to convert a few hundred of these setups over a few weeks with old school copy pasta. But it I had to do this again I\u2019d spend time on a Python script that would convert, test, and document the results.<\/span><\/p>\n\n\n
<\/span><\/span><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"
This post is about a situation I ran into a while ago and records my configs and testing for converting from a PBR setup to VRF on a Cisco 881 router with a diagram at the end. Through a combination of configs involving PBR (Policy Based Routing) AKA Source Routing (as opposed to standard Destination […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[35,3,45],"tags":[12,47,46],"class_list":["post-58","post","type-post","status-publish","format-standard","hentry","category-cisco","category-routing","category-wifi","tag-cisco","tag-vpn","tag-wifi"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/andrewjwhittle.com\/wp-lotpnet\/wp-json\/wp\/v2\/posts\/58","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/andrewjwhittle.com\/wp-lotpnet\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/andrewjwhittle.com\/wp-lotpnet\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/andrewjwhittle.com\/wp-lotpnet\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/andrewjwhittle.com\/wp-lotpnet\/wp-json\/wp\/v2\/comments?post=58"}],"version-history":[{"count":12,"href":"https:\/\/andrewjwhittle.com\/wp-lotpnet\/wp-json\/wp\/v2\/posts\/58\/revisions"}],"predecessor-version":[{"id":335,"href":"https:\/\/andrewjwhittle.com\/wp-lotpnet\/wp-json\/wp\/v2\/posts\/58\/revisions\/335"}],"wp:attachment":[{"href":"https:\/\/andrewjwhittle.com\/wp-lotpnet\/wp-json\/wp\/v2\/media?parent=58"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/andrewjwhittle.com\/wp-lotpnet\/wp-json\/wp\/v2\/categories?post=58"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/andrewjwhittle.com\/wp-lotpnet\/wp-json\/wp\/v2\/tags?post=58"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}