CISCO Policy Based Routing

Posted on 2014-09-30
Last Modified: 2014-09-30
Hi,

I have a quick question on PBR. If I have multiple IPs that I want to use PBR with, do I need to create a policy for each unique IP, or can I do the following? We want to do load balancing between ISPs, and the following have NAT policies. Or do I need to create a policy for each IP and assign it to my VLAN?

access-list 10 deny ip host 192.16.1.1 10.2.0.4 255.255.255.255 (deny this gateway)
access-list 10 deny ip host 192.16.2.2 10.2.0.4 255.255.255.255 (deny this gateway)
access-list 10 deny ip host 192.16.3.3 10.2.0.4 255.255.255.255 (deny this gateway)
access-list 10 permit 192.168.1.1 any (added any so that it can get to other vlans)
access-list 10 permit 192.168.2.2 any (added any so that it can get to other vlans)
access-list 10 permit 192.168.3.3 any (added any so that it can get to other vlans)

Created policy:
route-map OldASA permit 10
match ip address 10
set ip next-hop 10.2.0.3 (original gateway with NAT policies)

Assigned policy to vlan16

ip policy route-map OldASA

Thank you for your help in advance
Question by:thomasm1948
9 Comments

Expert Comment

by:Predrag Jovic
You can use an ACL, but not an extended ACL with the signature of a standard one :)

If you use a standard access list (access-list 10) you can't have any at the end of the command :)

access-list 10 permit 192.168.1.1
access-list 10 permit 192.168.2.2
access-list 10 permit 192.168.3.3  

You apply the ACL to the interface:
interface vlan 16
ip policy route-map OldASA

And you also need to do the following (on an L3 switch) if you want PBR to work on a VLAN:

Switch(config)# sdm prefer routing
Switch(config)# end
Switch# reload

Author Comment

by:thomasm1948
How could I configure the route map? Would it be the same as
route-map OldASA permit 10
 match ip address 10
 set ip next-hop 10.2.0.3

and then apply it to the VLAN

int policy route-map OldASA

Switch(config)# sdm prefer routing
 Switch(config)# end
 Switch# reload

Author Comment

by:thomasm1948
Also, would those IP addresses still have access to all of the other VLANs that are configured on the core L3 switch?

Accepted Solution

by:Predrag Jovic (earned 500 total points)
If you are asking whether you can use an ACL as the address, yes you can.
It is the usual way to configure a route-map.

You can't apply policy based routing to a VLAN, as far as I know.
Applying a route map to a VLAN interface is applying the route-map to the VLAN.

If you don't do your PBR and your ACLs carefully, you can end up with routing like the one in the picture.
So I can't really tell you whether you will still be able to access the other VLANs; that depends on other parts of the configuration, not just on PBR.

PBR and what can happen later :)
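The two points made in the expert comments above, that a standard numbered ACL (1-99) only takes a source address and cannot carry a protocol, destination or trailing `any`, and that with PBR a permit match in the ACL sends the packet to the route-map's next-hop while a deny (or no match) lets it fall through to normal routing, can be checked offline before a configuration is pushed. The following Python checker is an added example; it is not code from the thread or from Cisco. It models only standard numbered ACLs and a single `set ip next-hop` per route-map sequence; the ACL snippets and the route-map tuple are constructed from the question's values.

```python
"""Added example, not from the thread: a checker for Cisco IOS numbered ACLs
used with a PBR route-map.  It flags the thread's mistake (a standard ACL
number written with extended-ACL syntax) and shows which next-hop a source
address would get from the route-map, with a deny entry falling through to
normal destination-based routing.  The config snippets below are constructed."""
import ipaddress
import re


def acl_kind(number):
    """Classify a numbered IOS ACL: standard 1-99/1300-1999, extended 100-199/2000-2699."""
    if 1 <= number <= 99 or 1300 <= number <= 1999:
        return "standard"
    if 100 <= number <= 199 or 2000 <= number <= 2699:
        return "extended"
    return "unknown"


def _is_ipv4(token):
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def parse_standard_entry(tokens):
    """Parse the words after 'access-list N' of a standard ACL entry.

    Accepted forms: '<action> any', '<action> host A.B.C.D', '<action> A.B.C.D'
    and '<action> A.B.C.D W.W.W.W' (wildcard mask).  Anything else, such as a
    protocol keyword, a destination or a trailing 'any', is extended-ACL syntax
    and is rejected.  Returns (action, ipaddress.IPv4Network)."""
    action, rest = tokens[0], tokens[1:]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    if rest == ["any"]:
        return action, ipaddress.ip_network("0.0.0.0/0")
    if len(rest) == 2 and rest[0] == "host" and _is_ipv4(rest[1]):
        return action, ipaddress.ip_network(rest[1] + "/32")
    if len(rest) == 1 and _is_ipv4(rest[0]):
        return action, ipaddress.ip_network(rest[0] + "/32")  # bare address = host
    if len(rest) == 2 and all(_is_ipv4(t) for t in rest):
        # IOS wildcard mask: 0 bits must match, 1 bits are "don't care".
        wildcard = int(ipaddress.IPv4Address(rest[1]))
        netmask = ipaddress.IPv4Address((~wildcard) & 0xFFFFFFFF)
        return action, ipaddress.ip_network(f"{rest[0]}/{netmask}", strict=False)
    raise ValueError("not standard-ACL syntax (protocol, destination or 'any' in the wrong place)")


def parse_acls(config_text):
    """Return ({acl_number: [(action, network), ...]}, [error strings])."""
    acls, errors = {}, []
    for line in config_text.splitlines():
        m = re.match(r"\s*access-list\s+(\d+)\s+(.+)", line)
        if not m:
            continue
        number, tokens = int(m.group(1)), m.group(2).split()
        if acl_kind(number) != "standard":
            errors.append(f"access-list {number}: {acl_kind(number)} ACL, this checker only models standard ACLs")
            continue
        try:
            acls.setdefault(number, []).append(parse_standard_entry(tokens))
        except ValueError as exc:
            errors.append(f"access-list {number}: {exc}: {line.strip()}")
    return acls, errors


def pbr_next_hop(acls, route_map, src):
    """Evaluate a route-map given as [(seq, acl_number, next_hop), ...] for a
    source address.  Modelled IOS semantics: the first permit match in the
    sequence's ACL wins; a deny match (or no match) means that sequence does
    not apply and the next sequence is tried; if nothing matches, return None,
    i.e. the packet is routed normally by the routing table."""
    ip = ipaddress.ip_address(src)
    for _seq, acl_number, next_hop in route_map:
        for action, network in acls.get(acl_number, []):
            if ip in network:
                if action == "permit":
                    return next_hop
                break  # explicit deny: leave this ACL, try the next sequence
    return None


# Constructed snippets: the form posted in the question and the corrected form.
ASKED = """
access-list 10 deny ip host 192.16.1.1 10.2.0.4 255.255.255.255
access-list 10 permit 192.168.1.1 any
"""
CORRECTED = """
access-list 10 permit 192.168.1.1
access-list 10 permit 192.168.2.2
access-list 10 permit 192.168.3.3
"""
# route-map OldASA permit 10 / match ip address 10 / set ip next-hop 10.2.0.3
ROUTE_MAP = [(10, 10, "10.2.0.3")]


def demo():
    _, asked_errors = parse_acls(ASKED)
    acls, corrected_errors = parse_acls(CORRECTED)
    return {
        "asked_errors": asked_errors,
        "corrected_errors": corrected_errors,
        "192.168.2.2": pbr_next_hop(acls, ROUTE_MAP, "192.168.2.2"),
        "192.168.5.5": pbr_next_hop(acls, ROUTE_MAP, "192.168.5.5"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Run as-is, the checker reports both lines of the posted ACL as syntax errors, accepts the corrected three-line ACL, sends 192.168.2.2 to 10.2.0.3 and leaves an unlisted source such as 192.168.5.5 to the routing table. The fall-through on deny is the behaviour the accepted answer warns about: a deny entry does not block the host, it only exempts it from this route-map sequence, so where it ends up depends on the rest of the configuration.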

Author Comment

by:thomasm1948
I do not see int policy route-map under the global config. If I go to int vlan 16 then I see ip policy route-map.

Expert Comment

by:Predrag Jovic
That is what I'm trying to tell you.

Applying route map to VLAN interface is applying route-map to VLAN.

You wrote:
Vlan 16
int policy route-map OldASA

Probably just bad communication, and we are talking about the same thing. :)

Author Comment

by:thomasm1948
Sorry, I misread your statement.

So I might want to use access-list permit extended 192.168.1.1 any then, just to make sure. I'm confused on this one, I have to admit.

Expert Comment

by:Predrag Jovic
Yes, you can use an ACL in that manner.

Author Closing Comment

by:thomasm1948
Thank you for all of your help