Problems using Policy Based Routing with an Extended access list.

eric
Level 1

I am attempting to use PBR to roughly balance the load between 2 internet connections. I do not own any public address space, nor am I using BGP.

When I tested PBR using a standard access list, it worked fine. When I built up my extended access list, however, the policy routing doesn't seem to be happening. My main need is for 2 networks to use 1 gateway and 2 networks to use another. So, when the PBR is working, I would be sending 10.10.1.0 and 10.10.2.0 through 1 gateway and 10.10.3.0 and 10.10.4.0 through another.

Relevant config info:

access-list 101 deny ip any xxx.xxx.xxx.xxx 0.0.0.255
access-list 101 deny ip any xxx.xxx.xxx.xxx 0.0.0.255
access-list 101 deny ip any xxx.xxx.xxx.xxx 0.0.7.255
access-list 101 deny ip any xxx.xxx.xxx.xxx 0.0.1.255
access-list 101 deny ip any 10.1.2.0 0.0.0.255
access-list 101 deny ip any 10.1.4.0 0.0.0.255
access-list 101 deny ip any 10.101.0.0 0.0.255.255
access-list 101 permit ip 10.10.1.0 0.0.0.255 any
access-list 101 permit ip 10.10.2.0 0.0.0.255 any

route-map ip permit 101
 match ip address 101
 set ip next-hop 10.100.0.3

interface FastEthernet0/1
 description gateway router 1 external interface
 ip address 10.100.0.4 255.255.255.0
 ip policy route-map 101
 duplex auto
 speed auto

If anyone could help with this, I would greatly appreciate it.

Eric Clark

5 Replies

thisisshanky
Level 11

Hi Eric,

I would advise doing this: instead of making ACL 101 so complex, make it simple as follows.

access-list 101 permit ip 10.10.1.0 0.0.0.255 any
access-list 101 permit ip 10.10.2.0 0.0.0.255 any
access-list 102 permit ip 10.10.3.0 0.0.0.255 any
access-list 102 permit ip 10.10.4.0 0.0.0.255 any

If you remember, access lists have an implicit deny at the end, so whatever is not permitted won't be matched. You don't need to deny all that specific traffic in this case, as it will be denied anyway by the implicit deny all at the end.

Now, to load balance the traffic, your route-map should look like this:

route-map ip permit 101
 match ip address 101
 set ip next-hop ----   (those matched by acl 101 go to gateway1)

route-map ip permit 102
 match ip address 102
 set ip next-hop ----   (those not matched by acl 101 go to gateway2)

route-map ip permit 103   (empty instance of route-map matches remaining traffic and will be normally routed)

interface FastEthernet0/1
 description gateway router 1 external interface
 ip address 10.100.0.4 255.255.255.0
 ip policy route-map ip   (if you notice, your config shows the route-map name as 101 and not ip - perhaps you applied the wrong route-map name)
 duplex auto
 speed auto

Hope that helps!

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus
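The name mismatch pointed out above (route-map "ip" defined, route-map "101" applied) is the kind of dangling reference a quick config lint catches before it reaches a router. The following Python is an added example, not code from the thread or from Cisco; it parses a constructed IOS-style fragment modelled on the original post and reports route-maps applied to an interface but never defined, ACLs referenced by `match ip address` but never defined, and a policy applied on the interface whose subnet contains its own next hop (PBR acts on ingress traffic, so that placement is usually a mistake).

```python
import ipaddress
import re

# Constructed sample based on the thread: route-map "ip" is defined, "101" is applied.
SAMPLE_CONFIG = """\
access-list 101 permit ip 10.10.1.0 0.0.0.255 any
access-list 101 permit ip 10.10.2.0 0.0.0.255 any
route-map ip permit 101
 match ip address 101
 set ip next-hop 10.100.0.3
interface FastEthernet0/1
 ip address 10.100.0.4 255.255.255.0
 ip policy route-map 101
"""


def lint_pbr(config: str) -> list[str]:
    """Report dangling route-map/ACL references and a policy on the next-hop-facing interface."""
    acls, maps, ifaces, cur, findings = set(), {}, {}, None, []
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"access-list (\S+) ", line):
            acls.add(m[1])                      # ACL numbers/names that exist
        elif m := re.match(r"route-map (\S+) (?:permit|deny) \d+", line):
            cur = maps.setdefault(m[1], {"acls": [], "hops": []})
        elif m := re.match(r"interface (\S+)", line):
            cur = ifaces.setdefault(m[1], {})
        elif m := re.match(r"match ip address (\S+)", line):
            cur["acls"].append(m[1])            # ACL referenced by the route-map clause
        elif m := re.match(r"set ip next-hop (\S+)", line):
            cur["hops"].append(m[1])
        elif m := re.match(r"ip address (\S+) (\S+)", line):
            cur["net"] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := re.match(r"ip policy route-map (\S+)", line):
            cur["policy"] = m[1]                # route-map applied to the interface
    for name, rm in maps.items():
        for acl in rm["acls"]:
            if acl not in acls:
                findings.append(f"route-map {name} matches undefined ACL {acl}")
    for name, itf in ifaces.items():
        policy = itf.get("policy")
        if policy is None:
            continue
        if policy not in maps:  # the thread's bug: "101" applied, only "ip" defined
            findings.append(f"{name} applies undefined route-map {policy}")
            continue
        for hop in maps[policy]["hops"]:
            if "net" in itf and ipaddress.ip_address(hop) in itf["net"]:
                findings.append(f"{name} applies {policy} on the interface facing next-hop {hop}; PBR acts on ingress")
    return findings
```

Run `lint_pbr(SAMPLE_CONFIG)` to see the dangling route-map finding; renaming the applied route-map to "ip" then surfaces the second problem, that the policy sits on the interface facing the next hop rather than on the internal interface.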

rjackson
Level 5

The policy needs to be applied to the interface where the packets enter the router so it can be used to determine which interface to forward it out. The description makes it look like you have it on one of the external interfaces. It has the same network as the next hop.

Are both of the internet connections on the same router? If so, you also need to force the other two networks out the other internet connection. By default they will just route normally. If the default route of the router points that way, that would be enough.

I am not sure why I applied it to that interface, you are right that it should be on the internal.

I have a pair of gateway routers that are running HSRP. I have 2 firewalls whose internal interfaces are in the same network as the HSRP router external interfaces. By default we route out 1 firewall to the ISP it's connected to. We have another firewall that is connected to another ISP.

(ISP)      (ISP) - default route
  |          |
 (FW)       (FW)
  |          |
 ----------------------
  |          |
(RTR)      (RTR) - running HSRP
  |          |
 -----------------
        |
     (USERS)

I'm trying to get about 1/2 of my users out each side with the routing policy.

Just to close this issue. It turns out that the problem was that I was calling a Route-map that did not exist. I changed the name I referenced and it works.

Thanks for the assistance though.

Eric Clark

:)

I say that too: when I see your settings, you apply the route-map number, not its name, so .......
