Solved

Help Designing Network with Policy Route

Posted on 2013-12-16
Last Modified: 2013-12-21
Hello Experts,

Please have a look at the image below. I have 2 routers connected to two different ISPs.

Behind the routers I have a multi-layer switch with several VLANs. VLAN 50 users are connected to an access switch. I want to distribute the internet access for the users in this VLAN.

Meaning only certain websites that I know (like Facebook, YouTube) should go to ISP1,
and the rest of the web and other traffic should go to ISP 2.

I would highly appreciate it if any expert can help me achieve policy routing for this scenario.
Question by: cciedreamer (LVL 3)

Expert Comment by: tercex11 (LVL 5)

From your drawing I am not sure which device is the default gateway for VLAN 50, but the device that is the default gateway for those users needs to have routes added to it that send any traffic destined for the entire IP range of Facebook (173.252.64.0/18) or YouTube (74.125.0.0/16), and any other sites you wish to reach via ISP1, to the ISP1 router's IP; the gateway of last resort for all other traffic should then point to the ISP2 router's IP.

So basically you need to look up the full network ranges of the sites you want to send over a specific gateway. You can look this up using http://network-tools.com/ or some other free site on the internet.
Then you need to add those routes, e.g.:

ip route 173.252.64.0 255.255.192.0 <ISP1 router IP>

You also need a gateway of last resort route pointing to ISP2 for the other traffic:

ip route 0.0.0.0 0.0.0.0 <ISP2 router IP>

Good luck,

Author Comment by: cciedreamer (LVL 3)

Thanks for the response.

The default gateway for the clients is my core switch.

There are some websites whose IP address keeps changing.
How can I tell the router or switch to filter by URL, sending those to ISP1 and other traffic to ISP2?

Author Comment by: cciedreamer (LVL 3)

BTW, we don't want to affect other VLANs. Meaning other VLANs should not route internet traffic to the routers (ISP 1 and ISP 2) shown in the diagram.

Expert Comment by: Jody Lemoine (LVL 22)

This is where your needs are best served by a proxy server such as Squid rather than a switch and router combination. Switches don't have any way to differentiate URLs, so your decision can't take place there.

With a proxy server, you can flag these destinations by marking the packets as they are transmitted. The switch can then use PBR to direct marked packets to R9 and everything else to R10 based on the marking.

Author Comment by: cciedreamer (LVL 3)

I have worked with Microsoft TMG but I am not sure how to get this scenario working.

Please can you provide some guidance, if you have any.

Is there no way to do it with the router?

Expert Comment by: Jody Lemoine (LVL 22)

If both of your ISPs are on the same router, you can do it fairly easily, but your diagram suggests that you want the switch to do it. It just doesn't have the ability to extract the URLs from the HTTP requests and you need to mark the packets *before* they get to the router.

I don't know much about TMG. I've removed a lot of them from customers' sites, but never actually installed one. Squid works nicely though.

Author Comment by: cciedreamer (LVL 3)

I have 2 types of connections:

- DIA Leased Line (point-to-point with ISP)
- PPPoE connection

Is it possible to configure this on the same router?

I have no problem configuring it on the same router. In fact I prefer to do that.

Thanks

Expert Comment by: Jody Lemoine (LVL 22)

Actually, on further investigation, it looks like the traffic needs to be flagged *before* it gets to the router in either case. You can't do PBR with URL filtering on the same router because the source and destination have already been decided before the ZPF policy engages.

Another possibility is to check with ARIN (or other appropriate regional NICs) and just static route all IPv4 blocks that are owned by the organizations in question to the appropriate destinations.

Author Comment by: cciedreamer (LVL 3)

Sir,

OK, let's forget about the URLs.

Let's assume I have the following website IPs, like 1.1.1.1, 2.2.2.2, 3.3.3.3, 4.4.4.4, that I want to go through ISP 1,

and all other traffic to ISP 2. I want to set this up on the same router.

Now can you please help with the configuration. I have 2 types of connection, DIA and PPPoE.

Thanks

Expert Comment by: Jody Lemoine (LVL 22)

Given that your PPPoE and DIA connections are both point-to-point, you can run with the following:

ip route 1.1.1.1 255.255.255.255 Dialer1
ip route 2.2.2.2 255.255.255.255 Serial0

Replace the interfaces appropriately, of course.  If you're wanting to capture entire organizations, you're looking at much bigger blocks.

Author Comment by: cciedreamer (LVL 3)

Sir, what if I want to use PBR?

Expert Comment by: Jody Lemoine (LVL 22)

If you're going to use PBR, you need something to define the policy. What are you planning on using? The configuration will be different depending on the criteria.

Expert Comment by: Jody Lemoine (LVL 22)

If you just want to route everything from VLAN50, you can do something like this:

ip access-list extended acl-vlan50
 permit ip 10.1.50.0 0.0.0.255 any
!
route-map rm-pbr
 match ip address acl-vlan50
 set interface Dialer1
!
interface FastEthernet0/0
 ip policy route-map rm-pbr

Change FastEthernet0/0 to whatever interface LAN traffic will be entering on and Dialer1 to whatever interface you want to push the traffic out on. Anything that doesn't match the ACL will fall down to whatever you've defined in the normal routing table.

Author Comment by: cciedreamer (LVL 3)

Sir, I will give it a try and update you.

Author Comment by: cciedreamer (LVL 3)

Hello Sir,

Please have a look at my config, just to make sure I am on the right track.

ROUTER CONFIG

interface GigabitEthernet0/0
 description << Connection to ISP1 >>
 ip address 100.100.100.100 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/1
 description << Connection to ISP2 >>
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/2
 ip address 10.1.50.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
 ip policy route-map ISP1
!
interface Dialer0
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly in max-reassemblies 512
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp authentication pap chap callin
 ppp chap hostname xxxxxxxxxxxxxxxxxxxxxxxx
 ppp chap password 0 xxxxxxxxxx
 ppp pap sent-username xxxxxxxxxxxxxxxxxxx password 0 xxxxx
 no cdp enable
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
!
access-list 110 permit ip 10.1.50.0 0.0.0.255 host 1.1.1.1
access-list 110 deny ip any any
!
access-list 120 permit ip 10.1.50.0 0.0.0.255 any
!
route-map ISP1 permit 10
 match ip address 110
 set interface GigabitEthernet0/0
!
route-map ISP2 permit 20
 match ip address 120
 set interface Dialer0
!
ip nat inside source route-map ISP1 interface GigabitEthernet0/0 overload
ip nat inside source route-map ISP2 interface Dialer0 overload

Author Comment by: cciedreamer (LVL 3)

Hello,

I have configured the router but it's not working as expected.

The clients' traffic destined to 1.1.1.1 is not going to ISP 1 as defined in the route map.

The other traffic is going to Dialer0.

Thanks

Please, any help?

Expert Comment by: Jody Lemoine (LVL 22)

If your connection is on GigabitEthernet0/0, then it isn't a point-to-point connection and that route map won't work unless your ISP has proxy ARP enabled.  Try this instead:

route-map ISP1 permit 10
match ip address 110
no set interface GigabitEthernet0/0
set ip next-hop x.x.x.x

Replace x.x.x.x with the default router IPv4 address provided by your ISP for that connection.

Author Comment by: cciedreamer (LVL 3)

Hello Sir, thanks for the response. What about Dialer0, do I need to change anything?

Expert Comment by: Jody Lemoine (LVL 22)

Dialer0 is an actual point-to-point link, so that can remain as-is.

Author Comment by: cciedreamer (LVL 3)

Sir,
How about my default route, is that OK? Do I need to add a default route to ISP1?

I have added one for ISP2.

Expert Comment by: Jody Lemoine (LVL 22)

Anything that doesn't match the PBR route map will fall to normal routing, so you'll need a route for anything that needs to use that gateway and isn't covered by the PBR.

Author Comment by: cciedreamer (LVL 3)

Sir,

Do I need to apply the route map on the LAN interface? If yes, then which one, as I have 2 route maps?

Author Comment by: cciedreamer (LVL 3)

Sir,

This is my final router configuration. Still not working.

interface GigabitEthernet0/0
 description << Connection to ISP1 >>
 ip address 100.100.100.101 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/1
 description << Connection to ISP2 >>
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/2
 ip address 10.1.50.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
 ip policy route-map ISP1
!
interface Dialer0
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly in max-reassemblies 512
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp authentication pap chap callin
 ppp chap hostname xxxxxxxxxxxxxxxxxxxxxxxx
 ppp chap password 0 xxxxxxxxxx
 ppp pap sent-username xxxxxxxxxxxxxxxxxxx password 0 xxxxx
 no cdp enable
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 110 permit ip 10.1.50.0 0.0.0.255 host 1.1.1.1
access-list 110 permit ip 10.1.50.0 0.0.0.255 host 2.2.2.2
access-list 110 deny ip any any
!
access-list 120 permit ip 10.1.50.0 0.0.0.255 any
!
ip nat inside source list 120 interface Dialer0 overload
ip nat inside source route-map ISP1 interface GigabitEthernet0/0 overload
!
route-map ISP1 permit 10
 match ip address 110
 set ip next-hop 100.100.100.102

Author Comment by: cciedreamer (LVL 3)

Hello,

I figured it out.

I changed the NAT commands from

ip nat inside source route-map ISP1 interface GigabitEthernet0/0 overload
ip nat inside source route-map ISP2 interface Dialer0 overload

to

ip nat inside source list 110 interface GigabitEthernet0/0 overload
ip nat inside source list 120 interface Dialer0 overload

and it's working fine.

Expert Comment by: Jody Lemoine (LVL 22)

Sorry about that... I was paying too much attention to the policy routing and not to the NAT configuration. Your route maps would have worked correctly if you had used "match interface" instead of "set interface". In this case you would have used one set of route maps with "set interface" for PBR and another set with "match interface" for the NAT.

Author Comment by: cciedreamer (LVL 3)

Sir,

It would be much clearer to me with the CLI commands, sorry for that.

This is my current config:

ip nat inside source list 110 interface GigabitEthernet0/0 overload
ip nat inside source list 120 interface Dialer0 overload

route-map ISP1 permit 10
 match ip address 110
 set ip next-hop 100.100.100.102

Thanks

Expert Comment by: Jody Lemoine (LVL 22)

Here's a sample for NAT overload with route-map. You don't need to be nearly so specific with this as you are with your PBR. The NAT route-map will only engage when traffic matches its outgoing interface, so allowing any private IPv4 address to any destination works best. This way, you don't have to change the NAT configuration if you're adding networks in the future.

object-group network OG-RFC1918
 10.0.0.0 /8
 172.16.0.0 /12
 192.168.0.0 /16
!
! Named ACLs are created with "ip access-list extended", not "access-list".
ip access-list extended ACL-NAT
 permit ip object-group OG-RFC1918 any
! (You don't need "deny ip any any" as this is assumed at the end of every ACL)
!
! The "match interface" must name the real egress interface (GigabitEthernet0/0 on this router).
route-map RM-NAT-ISP1 permit 10
 match ip address ACL-NAT
 match interface GigabitEthernet0/0
!
route-map RM-NAT-ISP2 permit 10
 match ip address ACL-NAT
 match interface Dialer0
!
ip nat inside source route-map RM-NAT-ISP1 interface GigabitEthernet0/0 overload
ip nat inside source route-map RM-NAT-ISP2 interface Dialer0 overload

Leave your PBR configuration as-is and you should be fine. The route-map for ISP1 will be used when any traffic leaves via GigabitEthernet0/0. The route-map for ISP2 will be used for any traffic leaving via Dialer0. That is controlled through regular routing and your PBR.

Author Comment by: cciedreamer (LVL 3)

Hi
And do I apply the route map ISP1 on the inside interface?

Expert Comment by: Jody Lemoine (LVL 22)

Nope. The route-maps for NAT only exist in the NAT overload statement. Only your PBR route-maps get applied to the inside interface.

Author Comment by: cciedreamer (LVL 3)

I have tried this but not working with me

route-map RM-NAT-ISP1 permit 10
 match ip address ACL-NAT
 match interface GigabitEthernet0
!
route-map RM-NAT-ISP2 permit 10
 match ip address ACL-NAT
 match interface Dialer0
!
ip nat inside source route-map RM-NAT-ISP1 interface GigabitEthernet0/0 overload
ip nat inside source route-map RM-NAT-ISP2 interface Dialer0 overload

When I generate a ping from the router, sourced from the inside interface and destined to a specific host defined in the ACL for ISP 1, I receive request timed out,

and there is no output when I do sh ip nat translations.

Expert Comment by: Jody Lemoine (LVL 22)

Did you define the object group and the ACL-NAT access-list? Also, did you remove your current NAT overloads? The configuration I sent you is one I use on customer routers extensively, so I know it works.

Author Comment by: cciedreamer (LVL 3)

Sir,

This is my current configuration:

interface GigabitEthernet0/0
 ip address 100.100.100.101 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/1
 ip address 10.1.50.1 255.255.255.0
 ip nat inside
!
interface Dialer0
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly in max-reassemblies 512
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp authentication pap chap callin
 ppp chap hostname xxxxxxxxxxxxxxxxxxxxxxxx
 ppp chap password 0 xxxxxxxxxx
 ppp pap sent-username xxxxxxxxxxxxxxxxxxx password 0 xxxxx
 no cdp enable
!
access-list 110 permit ip 10.1.50.0 0.0.0.255 host 173.194.39.34
access-list 110 permit ip 10.1.50.0 0.0.0.255 host 4.2.2.2
!
access-list 120 permit ip 10.1.50.0 0.0.0.255 any
!
route-map ISP1 permit 10
 match ip address 110
 match interface GigabitEthernet0/0
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip nat inside source route-map ISP1 interface GigabitEthernet0/0 overload
ip nat inside source list 120 interface Dialer0 overload


Expert Comment by: Jody Lemoine (LVL 22)

That explains much. It looks like you have a mash-up of the old nat configuration combined with pieces of the sample I have provided. Two different NAT mechanisms are definitely going to conflict and fail. Try removing your existing NAT configuration and using the example provided. Then you can add your standard routing and policy routing to get a working solution.

Author Comment by: cciedreamer (LVL 3)

I've removed your configuration from the router and pasted mine, just to show you the result.

Just curious to know, is there anything wrong with my configuration?

Actually my aim is:

Example

10.1.50.0 >> accessing 173.194.39.34 >> go to ISP1
10.1.50.0 >> any other traffic >> go to ISP2

Author Comment by: cciedreamer (LVL 3)

Hi,

I have now tried your configuration but still get the same result as above.

Author Comment by: cciedreamer (LVL 3)

Any further help, Sir?

Accepted Solution by: Jody Lemoine (LVL 22, earned 500 total points)

Try this to get both working:

interface GigabitEthernet0/0
 description << Connection to ISP1 >>
 ! .101 is the usable host address in 100.100.100.100/30 (as in your later config); .100 is the network address
 ip address 100.100.100.101 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no cdp enable
!
interface GigabitEthernet0/1
 description << Connection to ISP2 >>
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface GigabitEthernet0/2
 ip address 10.1.50.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 ip policy route-map RM-PBR
!
interface Dialer0
 ip address negotiated
 ip mtu 1492
 ! NAT overload on Dialer0 needs the dialer itself marked as the outside interface
 ip nat outside
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer persistent
 ppp authentication pap chap callin
 ppp chap hostname xxxxxxxxxxxxxxxxxxxxxxxx
 ppp chap password 0 xxxxxxxxxx
 ppp pap sent-username xxxxxxxxxxxxxxxxxxx password 0 xxxxx
 no cdp enable
!
! Only the PPPoE link carries a default route; the leased line is reached only through PBR
ip route 0.0.0.0 0.0.0.0 Dialer0
!
object-group network OG-RFC1918
 10.0.0.0 /8
 172.16.0.0 /12
 192.168.0.0 /16
!
object-group network OG-VLAN50
 10.1.50.0 /24
!
object-group network OG-PBR
 host 1.1.1.1
 host 2.2.2.2
!
ip access-list extended ACL-PBR
 permit ip object-group OG-VLAN50 object-group OG-PBR
!
ip access-list extended ACL-NAT
 permit ip object-group OG-RFC1918 any
!
route-map RM-PBR permit 10
 match ip address ACL-PBR
 set ip next-hop 100.100.100.102
!
route-map RM-NAT-ISP1 permit 10
 match ip address ACL-NAT
 match interface GigabitEthernet0/0
!
route-map RM-NAT-ISP2 permit 10
 match ip address ACL-NAT
 match interface Dialer0
!
ip nat inside source route-map RM-NAT-ISP1 interface GigabitEthernet0/0 overload
ip nat inside source route-map RM-NAT-ISP2 interface Dialer0 overload


Author Comment by: cciedreamer (LVL 3)

Thanks Sir,

It's working. Big help.

One last thing: I want traffic that is policy routed (to the leased line) to take the other path if the leased line is down, but I don't want other traffic that is routed to ADSL to take the leased line if ADSL goes down.

I have around 15-20 that will be routed to the leased line.

Thanks

Assisted Solution by: Jody Lemoine (LVL 22, earned 500 total points)

If you don't have a route pointing to the leased line, nothing will route across it if the ADSL goes down. Only the policy-routed traffic will use the leased line.

Author Comment by: cciedreamer (LVL 3)

Sir,

You mean set interface Dialer0, like this?

route-map RM-PBR permit 10
 match ip address ACL-PBR
 set ip next-hop 100.100.100.101
 set interface Dialer0

Expert Comment by: Jody Lemoine (LVL 22)

Sorry, I made a mistake in my original posting. You don't need to do anything. If the destination for the policy route doesn't exist, it will fall back to the normal routing table.

If you really want to be sure, you can manually set the interface for Dialer0 as you indicated. Did it not work when you tested it?

Author Comment by: cciedreamer (LVL 3)

Oops, the route-map for NAT was incorrect, a typo mistake.

It's working now. You are great and you really helped me a lot.

I truly appreciate your support.

God bless you.

I'll just monitor it till tomorrow and then close the ticket.

Thanks

Author Comment by: cciedreamer (LVL 3)

I hope you don't mind.

In my production environment, the clients have their default gateway pointing to the switch.
The router's inside address is 10.1.50.2.
Client gateway: 10.1.50.1

How can I define a rule on the switch to route client traffic to the router when the packet arrives at the switch?

Expert Comment by: Jody Lemoine (LVL 22)

Most switches can't do PBR.

Author Comment by: cciedreamer (LVL 3)

I just want to route VLAN 50 traffic to the router, and then the router can handle PBR.

I have a 6500 switch.

interface Vlan50
 ip address 10.1.50.1 255.255.255.0

Client:
10.1.50.100/24
10.1.50.1 (GW)
Thanks

Expert Comment by: Jody Lemoine (LVL 22)

If all Internet traffic is going to the router and it's deciding what to send over the DSL or leased line, you can just add a default route to the 6500 and you're good.

If you only want to send VLAN50 traffic to the router, the 6500 should be able to do PBR. Just use the PBR configuration from the router, adjust the next-hop and apply it to the switch.

Author Comment by: cciedreamer (LVL 3)

Sir,

You mean add PBR on the switch as follows?

route-map route_traffic_router permit 10
 match ip address 120
 set ip next-hop 10.1.50.2

But VLAN 50 should still talk to the other VLANs.

Assisted Solution by: Jody Lemoine (LVL 22, earned 500 total points)

As long as your route map factors that in, you're good.

ip access-list extended 120
 deny ip 10.1.50.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny ip 10.1.50.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny ip 10.1.50.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 10.1.50.0 0.0.0.255 any
!
route-map route_traffic_router permit 10
 match ip address 120
 set ip next-hop 10.1.50.2

That will ensure that the policy doesn't match VLAN50 traffic going to any other private IPv4 address. Anything that doesn't match the policy will be routed normally.
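The added example below (Python, written for this edit; it is not code from the thread or from either poster) models the IOS evaluation rules that both the router configuration in the accepted solution above and the switch route-map in this comment rely on: an ACL is evaluated top-down with first match and an implicit deny, the PBR route-map on the inside interface is consulted before the routing table and falls through to it when nothing matches or the next-hop's interface is down, and a NAT route-map with "match interface" picks the overload address from the interface the packet actually leaves on. Interface names and addresses are those from the posted configs (next-hop 100.100.100.102 as in the poster's final router config); the link-state flags and the sample destination 8.8.8.8 are constructed for the demonstration.

```python
"""Model of how IOS evaluates an ACL, a PBR route-map and a NAT route-map.

Added example, not code from the thread. The rules modelled (top-down first-match
ACLs with an implicit deny, PBR before the routing table, fall-through when the
next-hop's interface is down, NAT route-maps matched on the egress interface) are
IOS behaviour; interface names and addresses come from the configs in the thread,
and the link-state flags are assumptions made for the demonstration.
"""
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # the 'any' keyword in ACL syntax
VLAN50 = ("10.1.50.0", "0.0.0.255")


def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 1 bit means 'do not care' (non-contiguous masks included)."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def acl_permits(acl, src, dst):
    """Entries are (action, src, src_wildcard, dst, dst_wildcard). First match wins;
    a packet that matches nothing hits the implicit 'deny ip any any'."""
    for action, sb, sw, db, dw in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action == "permit"
    return False


def table_lookup(routes, dst):
    """Normal routing: longest-prefix match over (prefix, next_hop, egress) entries."""
    best = None
    for prefix, next_hop, egress in routes:
        if ipaddress.IPv4Address(dst) in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop, egress)
    return (best[1], best[2]) if best else (None, None)


def policy_route(src, dst, route_map, link_up, routes):
    """'ip policy route-map' on the inside interface: a packet that matches the ACL
    goes to the configured next-hop if that interface is up; anything else (no
    match, or next-hop unreachable) falls through to the routing table."""
    acl, next_hop, egress = route_map
    if acl_permits(acl, src, dst) and link_up.get(egress, False):
        return next_hop, egress
    return table_lookup(routes, dst)


def nat_overload_interface(src, dst, egress, nat_maps):
    """'ip nat inside source route-map RM interface X overload': the route-map is
    matched against the packet *and* the interface it leaves on, so the overload
    address follows the PBR/routing decision instead of duplicating it."""
    for acl, match_interface, overload_if in nat_maps:
        if match_interface == egress and acl_permits(acl, src, dst):
            return overload_if
    return None  # no translation: the packet would leave with its private source


# Router (accepted solution): ACL-PBR, RM-PBR, ACL-NAT, RM-NAT-ISP1 and RM-NAT-ISP2.
ACL_PBR = [("permit", *VLAN50, "1.1.1.1", "0.0.0.0"),
           ("permit", *VLAN50, "2.2.2.2", "0.0.0.0")]
RM_PBR = (ACL_PBR, "100.100.100.102", "GigabitEthernet0/0")
ACL_NAT = [("permit", "10.0.0.0", "0.255.255.255", *ANY),       # OG-RFC1918
           ("permit", "172.16.0.0", "0.15.255.255", *ANY),
           ("permit", "192.168.0.0", "0.0.255.255", *ANY)]
NAT_MAPS = [(ACL_NAT, "GigabitEthernet0/0", "GigabitEthernet0/0"),   # RM-NAT-ISP1
            (ACL_NAT, "Dialer0", "Dialer0")]                         # RM-NAT-ISP2
ROUTER_ROUTES = [(ipaddress.ip_network("0.0.0.0/0"), None, "Dialer0"),  # ip route 0.0.0.0 0.0.0.0 Dialer0
                 (ipaddress.ip_network("10.1.50.0/24"), None, "GigabitEthernet0/2"),        # connected
                 (ipaddress.ip_network("100.100.100.100/30"), None, "GigabitEthernet0/0")]  # connected


def router_decision(src, dst, leased_line_up=True):
    """Returns (next_hop, egress, nat_interface) for one packet entering on Gi0/2."""
    link_up = {"GigabitEthernet0/0": leased_line_up, "Dialer0": True}
    next_hop, egress = policy_route(src, dst, RM_PBR, link_up, ROUTER_ROUTES)
    return next_hop, egress, nat_overload_interface(src, dst, egress, NAT_MAPS)


# 6500 switch: route_traffic_router, with or without the three deny lines.
RFC1918_DENIES = [("deny", *VLAN50, "10.0.0.0", "0.255.255.255"),
                  ("deny", *VLAN50, "172.16.0.0", "0.15.255.255"),
                  ("deny", *VLAN50, "192.168.0.0", "0.0.255.255")]
SWITCH_ROUTES = [(ipaddress.ip_network("10.1.50.0/24"), None, "Vlan50"),
                 (ipaddress.ip_network("172.16.1.0/24"), None, "GigabitEthernet3/1")]


def switch_decision(src, dst, with_deny=True):
    """Returns (next_hop, egress) on the switch. The router's inside address
    10.1.50.2 sits on the Vlan50 SVI; with_deny=False reproduces the mistake of
    leaving out the deny lines."""
    acl = (RFC1918_DENIES if with_deny else []) + [("permit", *VLAN50, *ANY)]
    return policy_route(src, dst, (acl, "10.1.50.2", "Vlan50"), {"Vlan50": True}, SWITCH_ROUTES)


if __name__ == "__main__":
    for dst, up in (("1.1.1.1", True), ("1.1.1.1", False), ("8.8.8.8", True)):
        print("router  10.1.50.100 ->", dst, "(leased line up)" if up else "(leased line down)",
              router_decision("10.1.50.100", dst, up))
    for dst, deny in (("172.16.1.2", True), ("172.16.1.2", False), ("8.8.8.8", True)):
        print("switch  10.1.50.100 ->", dst, "(with deny)" if deny else "(without deny)",
              switch_decision("10.1.50.100", dst, deny))
```

Running it prints one line per case. On the router, VLAN 50 to 1.1.1.1 leaves GigabitEthernet0/0 and is translated by RM-NAT-ISP1, while the same packet with the leased line down, and every other destination, falls to the default route out Dialer0 and is translated by RM-NAT-ISP2; traffic that never leaves an outside interface gets no translation. On the switch, switch_decision(..., with_deny=False) shows the failure mode the thread runs into later: without the deny lines every VLAN 50 packet, including those for 172.16.1.0/24, is handed to the router at 10.1.50.2 instead of following the switch's own connected route.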
 

Author Comment by: cciedreamer (LVL 3)

Hello,
I will give it a try with the overall configuration and let you know.

Thanks Sir

Author Comment by: cciedreamer (LVL 3)

Sir,
The very last question.

I have added PBR on our switch to route the traffic originating from VLAN 20 to the router (terminating the leased line and PPPoE).

VLAN 20 can ping other VLANs.

But I have another router connected to a switch interface (subnet: 172.16.1.0).
I am able to ping other VLANs on the switch from VLAN 20.

interface GigabitEthernet3/1
 ip address 172.16.1.1 255.255.255.0

Router:

ip address 172.16.1.2 255.255.255.0

Any workaround to solve this?

Thanks for your precious time. I am really obliged.

Expert Comment by: Jody Lemoine (LVL 22)

I've re-read your last comment a few times and can't find a problem that needs solving. Is there something that systems on vlan20 shouldn't be able to ping?

Author Comment by: cciedreamer (LVL 3)

Sir,

I'll post a diagram. One moment

Author Comment by: cciedreamer (LVL 3)

Oops, not VLAN 20, typo mistake: it's VLAN 50, 10.1.50.0.

Expert Comment by: Jody Lemoine (LVL 22)

Still not seeing a problem. If vlan 50 can ping other VLANs and all other traffic is being policy routed to the DSL router, that's what you said you wanted. What's the problem?

Author Comment by: cciedreamer (LVL 3)

I'll post the diagram now 1 moment please

Author Comment by: cciedreamer (LVL 3)

Sir,

Here is the diagram.

Now the problem: from VLAN 50 I cannot ping 172.16.1.2.

[Topology diagram]

Author Comment by: cciedreamer (LVL 3)

When I try to ping it results in Destination Host Unreachable.

Expert Comment by: Jody Lemoine (LVL 22)

I can't see any reason why this would be occurring. As long as the ACL was entered exactly as posted, it won't have anything to do with your PBR. Traffic from VLAN 50 to 172.16.0.0/12 is denied by the PBR and follows the normal routing table.

Author Comment by: cciedreamer (LVL 3)

From your words

"Traffic from VLAN 50 to 172.16.0.0/12 is denied by the PBR and follows the normal routing table."

I went through the post to review it and found my mistake. Really sorry for that.

I guess I should close this ticket for now; it's been a long conversation. I am even confused about which post is supposed to be accepted as the solution. Anyway, I'll manage it.

On the switch ACL I did not add the rules shown in bold (the deny lines):

ip access-list extended 120
 deny ip 10.1.50.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny ip 10.1.50.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny ip 10.1.50.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 10.1.50.0 0.0.0.255 any
!
route-map route_traffic_router permit 10
 match ip address 120
 set ip next-hop 10.1.50.2

Finally, I would like to thank you so much for your time, help and support. Being friendly, I got to learn many points from you.

I appreciate that.

Expert Comment by: Jody Lemoine (LVL 22)

Not a problem. The deny rules are important. Without them, the PBR will policy route everything from VLAN 50 to the DSL router. Putting the deny rules in makes sure that traffic to other private networks is skipped by the policy and gets routed normally.

Author Closing Comment by: cciedreamer (LVL 3)

Great Help and extremely supportive.

The answer to the original question asked has been selected "BEST Solution"

Thanks