For BGW1 with the MPLS link, I would have tried a next-hop configuration list with a Nexthop-list name, an empty Nexthop IP/DHCP, and just added the IPsec map name for the VPN tunnel to the VPNC. Then choose the preferred tunnel in the field "Using IPsec tunnel to VPNC" to select the VPN tunnel.
For policy-based routing, just make a policy with a rule (source/destination: some IP scopes/aliases) and the action "route next-hop-list" pointing to the one you created above.
For BGW2, your setup looks fine, but you don't need the Next-hop IP. We only use an empty Next-hop-list and then use the IPsec map.
------------------------------
Ole Morten Kårbø
ACP - Campus Access Professional
ACEA | ACSP | APS CX10000 | APS Central | APS SD-Branch
Netnordic Norway
------------------------------
Original Message:
Sent: Feb 08, 2024 08:15 AM
From: jrwhitehead
Subject: SD-Branch NextHop Configuration Question
Hi All,
In an SD-Branch environment on a site with a pair of branch gateways, branch gateway 1 (BGW1) has an MPLS WAN uplink and BGW2 has an Internet uplink with a static IP set.
WAN redundancy is configured and both BGWs are utilizing both WAN uplinks.
The primary path for Internet-based traffic for clients should be the Internet uplink, with the secondary being via the tunnel to the VPNC using the MPLS uplink.
I can set the primary and secondary paths in DPS, but that will attempt to push traffic over the MPLS underlay if the secondary path is used.
I think a next-hop assigned in a PBR, combined with the above DPS, would be required for this setup. The NextHop configuration would have a NextHop IP set to the Internet uplink gateway IP and the MPLS IPsec maps to the VPNC. This should be fine for BGW2, where the Internet WAN uplink resides, but what would I put in the NextHop IP section on BGW1, as this gateway doesn't know about the Internet uplink IP details? Would I just set the NextHop IP to DHCP and assign the Internet uplink VLAN ID?
Or is there a different/better way to do this?