11-27-2021 05:38 PM
Hello
I was just curious if PBR could be implemented identically as typically done but instead use a Range of Interfaces (GE 1/0/1-15 use this WAN Routing) as opposed to IP’s.
11-28-2021 12:01 AM
You ask an interesting question. It would be helpful if we knew a bit more about this environment. What kind of device are you dealing with? What kind of interfaces are these (especially, are they routed ports or are they layer 2 switching ports)?
As far as I can tell there is no support in PBR for a match statement which matches interfaces. So the simple change from match ip to match interface would not work. But perhaps there is a way to achieve what you want. In PBR it is possible for the route map to have a set statement but no match statement. In this case PBR is applied to all traffic entering the interface. So it would be possible to configure a PBR route map which has a set statement (set ip next-hop, set ip default next-hop, set interface) with no match statements. Then apply the route map to the appropriate interfaces. If the range of interfaces are routed ports then apply PBR to each interface, and if the range of interfaces are switch ports then apply PBR to the vlan interface.
Does it sound like this would achieve what you want?
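The approach described above (a PBR route map with a set statement but no match statement, applied either to each routed port or to the VLAN's SVI) written out as an added configuration example; this is not the respondent's configuration, and the route-map name, next-hop address, interface numbers and VLAN number are all assumed:

```cisco
! Added example (assumed names/addresses). A route-map sequence with a set
! statement and no match statement policy-routes every packet that enters
! the interface it is applied to.
route-map PBR-TO-WAN2 permit 10
 set ip next-hop 203.0.113.1        ! assumed WAN2 gateway address
!
! Case A: the ports are routed ports (no switchport). PBR is applied on
! each port; "interface range" configures them all in one step.
interface range GigabitEthernet1/0/1 - 15
 ip policy route-map PBR-TO-WAN2
!
! Case B: the ports are layer 2 switch ports in one VLAN. PBR cannot be
! applied to a switch port, so it goes on the SVI of that VLAN instead.
interface range GigabitEthernet1/0/1 - 15
 switchport mode access
 switchport access vlan 10
!
interface Vlan10
 ip address 192.168.5.1 255.255.255.0   ! assumed SVI address
 ip policy route-map PBR-TO-WAN2
!
! Verification: "show ip policy" lists which interfaces carry which
! route map; "show route-map PBR-TO-WAN2" shows the policy match counter.
```

One caveat worth checking before choosing the set verb: `set ip next-hop` takes precedence over the routing table, so with no match statement traffic from that VLAN to other internal subnets is also pushed to the WAN2 next hop. `set ip default next-hop` is only used when the routing table has no explicit route for the destination (a default route does not count), which leaves internal destinations on their normal path. If `set ip next-hop` is needed, add a `deny` sequence or an access list that excludes internal destinations so they fall through to normal forwarding.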
11-28-2021 08:45 AM
Hello, and thank you, all of you, for your responses.
I guess my thinking was, as we’ve discussed in my previous threads, that I wanted this range of IP’s to go to this WAN for Internet and this other range of IP’s to go to this other WAN for Internet.
192.168.5.0 0.0.0.15 would go to WAN 1
192.168.5.30 0.0.0.15 would go to WAN2
I manually set the specific devices I want on which WAN (but mostly so that I always know which IP’s belong to what).
My thinking was any ‘new’ device that gets plugged in is on DHCP (for the simple fact I don’t wanna manually configure everything) BUT the downside is I’ll never know which range DHCP chooses to hand out an IP to.
I suppose I could just narrow it down to allowing only 2 specific IP’s to go to WAN 2 and the rest, whatever they may be via DHCP, go to WAN 1. I just figured Interface association towards a PBR to a specific WAN would work, but maybe just isolating the 2 specific IP’s would be better?
If so I would have to not use a range of IP’s but to allow 192.168.5.37 and 192.168.5.38 only into WAN2.
The only downside to that would be if I wanted for whatever reason to surf the WEB using WAN2 (as it's on a VPN) I’d now not be able to because of the specific IP’s, which is where I was asking based on Interface rather than IP.
Regardless, we have my current set up working flawlessly, though for some reason doesn’t pass DNS still. I’ve set up DNS ON the Switch but though my PC grabs the correct IP, I have to manually input DNS.
That’s a diff problem we need not focus on.
11-28-2021 10:15 AM
Hello
Unless those new address ranges originate from an additional routed interface, you would always need to amend an access-list to policy route specific traffic from an interface that carries hosts that don't fall into the PBR category.
11-29-2021 07:37 AM
In my first response I asked this question "What kind of interfaces are these (especially, are they routed ports or are they layer 2 switching ports)?" I get the impression that the interfaces we are talking about are switch ports (that belong to a vlan). Is that correct?
One important thing to keep in mind is that PBR is always applied on a layer 3 routed interface. PBR cannot be applied on a layer 2 switchport.
I am not clear about how you have configured DHCP. I think that I understand that you have one group of IP addresses that you manually configure on certain devices in your network, a second group of IP addresses that you manually configure on other devices, and a third group of addresses that you use in DHCP for the rest of the devices. If that is the case then it should be possible to configure PBR with a section that has an access list identifying the first group, a match statement using that access list, and a set statement which specifies their path to the Internet. Then a section that has an access list identifying the second group, a match statement using that access list, and a set statement which specifies their path to the Internet. Then a section that has an access list identifying the third group, a match statement using that access list, and a set statement which specifies their path to the Internet. Assuming that all of these ports are in a single vlan then PBR would be configured on the SVI for that vlan.
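The three-section route map described above, as an added configuration example (not the respondent's own configuration). It uses the ranges from the thread (192.168.5.0 0.0.0.15 to WAN 1, the two hosts 192.168.5.37 and 192.168.5.38 to WAN 2); the DHCP pool range, the WAN gateway addresses, the VLAN number and the access-list and route-map names are assumed. A leading deny sequence keeps traffic between internal subnets on the normal routing table, which `set ip next-hop` would otherwise override:

```cisco
! Added example; all names, gateway addresses and the DHCP range are assumed.
! Traffic to internal destinations: excluded from PBR entirely.
ip access-list extended INTERNAL-DST
 permit ip any 192.168.0.0 0.0.255.255
!
! Group 1: manually addressed hosts 192.168.5.0-15 (from the thread) -> WAN 1
ip access-list extended GROUP1-WAN1
 permit ip 192.168.5.0 0.0.0.15 any
!
! Group 2: the two specific hosts -> WAN 2 (the VPN path)
ip access-list extended GROUP2-WAN2
 permit ip host 192.168.5.37 any
 permit ip host 192.168.5.38 any
!
! Group 3: the DHCP pool (assumed 192.168.5.128-191) -> WAN 1
ip access-list extended GROUP3-DHCP-WAN1
 permit ip 192.168.5.128 0.0.0.63 any
!
route-map INTERNET-PBR deny 5
 match ip address INTERNAL-DST      ! deny = forward normally, no PBR
route-map INTERNET-PBR permit 10
 match ip address GROUP1-WAN1
 set ip next-hop 198.51.100.1       ! assumed WAN 1 gateway
route-map INTERNET-PBR permit 20
 match ip address GROUP2-WAN2
 set ip next-hop 203.0.113.1        ! assumed WAN 2 gateway
route-map INTERNET-PBR permit 30
 match ip address GROUP3-DHCP-WAN1
 set ip next-hop 198.51.100.1       ! same gateway as group 1
!
! All ports are switch ports in one VLAN, so PBR goes on that VLAN's SVI.
interface Vlan10
 ip address 192.168.5.1 255.255.255.0
 ip policy route-map INTERNET-PBR
!
! Verification: "show route-map INTERNET-PBR" shows per-sequence match
! counters; "show ip policy" confirms the SVI binding; a traceroute from a
! host in each group should leave via the expected gateway.
```

Any source that matches none of the permit sequences (for example a DHCP lease outside the assumed pool) is routed by the normal routing table, so the DHCP pool range in the third access list should match exactly what the DHCP server hands out.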
11-28-2021 05:36 AM - edited 11-28-2021 05:37 AM
Hello
It would be just as easy to apply the policy to each routed port using a range command:
interface range gig0/0/1 - 5
 ip policy route-map xxx
11-28-2021 06:11 AM
Hello,
I guess to simply answer the question: no. There is no 'match interface' or anything similar to that.