12-12-2004 06:20 PM - edited 03-02-2019 08:32 PM
Hi,
I would like to configure PBR on the Catalyst 5500 with the following config:
- source IP A will be routed to server X
- source IP B will be routed to server Y
- others will be routed to server Z
Is the above config possible for PBR? If yes, how do I configure the PBR to achieve above?
Thanks.
12-12-2004 06:35 PM
Do you have a router card (RSM) in your CAT5500? If you do, yes, you can configure PBR. Policy routing is supported with IP MLS in Cisco IOS release 12.0(3) and later. Enter the "mls rp ip route-map" global configuration command to allow policy routing in conjunction with IP MLS.
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat5000/rel_5_2/layer3/mls.htm#wp4797
For examples, search on CCO. Here is an example.
First set up access-list to match traffic
access-list 1 permit 129.71.0.0 0.0.255.255
access-list 2 permit 10.0.0.0 0.255.255.255
access-list 3 permit 192.168.0.0 0.0.255.255
Configure route-map statements
route-map students permit 10
 match ip address 1 3
 ! First g/w
 set ip default next-hop 10.1.1.1
!
route-map admin permit 20
 match ip address 2
 ! 2nd g/w
 set ip default next-hop 20.1.1.1
Then apply these route maps to VLAN interfaces
interface Vlan1
 ip address x.x.x.x 255.255.255.0
 ip policy route-map students
!
interface Vlan2
 ip address x.x.x.x 255.255.255.0
 ip policy route-map admin
12-12-2004 07:49 PM
Thx for the response.
Yes, there is an RSM card in the CAT5500.
From the examples, can I apply both route maps to the same VLAN interfaces, i.e. apply both route-map students and admin to Vlan1?
12-13-2004 04:08 AM
No, only one route-map per interface.
However, you can have an arbitrary number of 'route-map xxx permit yy' sections with xxx having the same name and yy being different. In that case, if the lowest yy doesn't match, the next highest yy is checked and so on until it falls off the end. After it falls off the end, the normal routing table is consulted, as usual.
For example (this doesn't follow the previous example because I am replying and can't see the beginning of this conversation):
route-map everybody permit 10
 match ip address 1
 set ip next-hop 192.168.0.1
!
route-map everybody permit 20
 match ip address 2
 set ip next-hop 192.168.1.1
If access-list 1 matches, the packet would go to 192.168.0.1, and if 2 matches, it would go to 192.168.1.1. If neither matches, the normal routing table would forward the packet as if PBR were not in place.
Also, if either of the 2 above next-hop addresses is not available on a directly connected interface, the packet is dropped (fails encapsulation). This could be the case if the IP is mistyped in the access-list, or if the desired interface is in the down state. Since you get to override all the normal routing processes, you have to make sure where you want the packet to go.
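The sequence-by-sequence evaluation described in the reply above can be checked offline before a policy is applied to an interface. The following is an added example, not part of the original thread and not Cisco code: a small model of standard-ACL wildcard matching and route-map sequence order. The ACL contents are taken from the earlier post as sample data, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample policy: standard ACLs as (network, wildcard) pairs,
# and a route-map as {sequence number: (ACL numbers to match, next hop)}.
ACLS = {
    1: [("129.71.0.0", "0.0.255.255")],
    2: [("10.0.0.0", "0.255.255.255")],
}
ROUTE_MAP = {  # deliberately listed out of order; evaluation sorts by sequence
    20: ([2], "192.168.1.1"),
    10: ([1], "192.168.0.1"),
}

def acl_permits(acl, src):
    """Standard ACL check on the source address.
    Wildcard bits set to 1 are 'don't care'; no entry matching = implicit deny."""
    s = int(ipaddress.IPv4Address(src))
    for net, wildcard in acl:
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        if s & care == int(ipaddress.IPv4Address(net)) & care:
            return True
    return False

def policy_next_hop(route_map, acls, src):
    """Walk the sequences in ascending order; the first match wins.
    Returns (sequence, next_hop), or None when the packet falls off the end
    and is left to the normal routing table."""
    for seq in sorted(route_map):
        acl_ids, next_hop = route_map[seq]
        # Several ACLs on one match line are ORed together.
        # An empty list models a clause with no match statement (matches all).
        if not acl_ids or any(acl_permits(acls[i], src) for i in acl_ids):
            return seq, next_hop
    return None

if __name__ == "__main__":
    for src in ("129.71.5.9", "10.200.1.1", "172.16.0.1"):
        print(src, "->", policy_next_hop(ROUTE_MAP, ACLS, src))
```

Adding a final sequence with no match statement, modelled here as an empty ACL list, gives the "others go to server Z" behaviour asked about in the first post.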