03-07-2013 08:02 AM - edited 03-04-2019 07:13 PM
I'm doing some PBR on a 6509 and have the following:
route-map CLIENT-SVCS permit 10
match ip address CLIENT-MGMT-SERVICES
set ip next-hop 192.168.1.2
This policy will be applied to an SVI, which is on the external side of an HA firewall pair. On the internal side of the pair is our server farm. So, I don't want to accidentally block all other traffic that's not matched by the CLIENT-MGMT-SERVICES ACL. Do I need something like this:
route-map CLIENT-SVCS permit 10
match ip address CLIENT-MGMT-SERVICES
set ip next-hop 192.168.1.2
route-map CLIENT-SVCS permit 20
Then apply the policy to the SVI?
03-07-2013 08:21 AM
In normal pbr, you don't need a trailing permit. Whatever doesn't match will be forwarded normally based on the routing table.
Hth,
John
Sent from Cisco Technical Support iPhone App
03-07-2013 10:16 AM
Thank you, John. I had done that in the past (no trailing permit), but I got the impression from someone else that I needed it so that all unmatched traffic would pass - assuming there was an implicit deny, like an ACL has.
03-07-2013 12:02 PM
Hello aweise,
As John said, no trailing permit sequence is needed. If you think about it, it is logical: even if the next-hop mentioned in the route-map is not available, no traffic will be blackholed; it will be routed based on the routing table.
Best Regards
Please rate helpful posts and close solved questions
03-07-2013 12:11 PM
When you're using it for pbr, you don't need the trailing permit. When you're using route-maps for routing (say bgp), then you need the trailing permit in order to catch all of the other routes so they don't get denied into the table. Otherwise, you should be good with what you have above.
For example, if you have 3 routes and you want to change the local-pref on a single route:
access-list 10 permit 192.168.1.0 0.0.0.255
route-map LocalPref permit 10
match ip address 10
set local-preference 150
router bgp 1
neighbor 1.1.1.1 route-map LocalPref in
If you didn't put the "route-map LocalPref permit 20", then you'd get the single route of 192.168.1.0 with a local-pref of 150, but you'd deny your other routes (192.168.2.0 and .3.0). That's where the implicit deny comes in.
HTH,
John
*** Please rate all useful posts ***
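Putting both halves of the thread side by side, here is an added configuration example (mine, not from any of the posters or from Cisco): the PBR route-map applied to the SVI with no catch-all clause, and the BGP route-map with the empty `permit 20` that John describes. The ACL contents, the SVI number and addresses, and the BGP neighbor are constructed for illustration.

```cisco
! --- Policy-based routing: applied to the SVI, no catch-all clause needed ---
! Constructed ACL contents: the management flows to steer to the firewall
ip access-list extended CLIENT-MGMT-SERVICES
 permit tcp 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255 eq 22
 permit tcp 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255 eq 443
!
route-map CLIENT-SVCS permit 10
 match ip address CLIENT-MGMT-SERVICES
 set ip next-hop 192.168.1.2
! No "route-map CLIENT-SVCS permit 20" is configured: packets that do not
! match sequence 10 fall out of the route-map and are forwarded normally
! by the routing table, so non-management traffic is not blocked.
!
! Assumed SVI number and addressing
interface Vlan100
 ip address 192.168.1.1 255.255.255.0
 ip policy route-map CLIENT-SVCS
!
! --- BGP: a route-map used as a route filter DOES need the trailing permit ---
access-list 10 permit 192.168.1.0 0.0.0.255
!
route-map LocalPref permit 10
 match ip address 10
 set local-preference 150
route-map LocalPref permit 20
! Empty permit clause: 192.168.2.0 and 192.168.3.0 are accepted unchanged.
! Without sequence 20 they would be dropped by the route-map's implicit deny.
!
router bgp 1
 neighbor 1.1.1.1 route-map LocalPref in
!
! Verification from privileged EXEC:
!   show route-map CLIENT-SVCS   (per-clause policy-routing match counters)
!   show ip policy               (interfaces with a policy route-map applied)
```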
03-07-2013 01:02 PM
More to John's point, here is an excerpt from Cisco:
Do not configure a set command in a deny route-map clause because the deny clause prohibits route redistribution—there is no information to modify. A route-map clause without a match or set command performs an action. An empty permit clause allows a redistribution of the remaining routes without modification. An empty deny clause does not allow a redistribution of other routes (this is the default action if a route-map is completely scanned but no explicit match is found). Based on the information in this section, the previous OSPF-to-EIGRP route-map example does this:
HTH!
-Chris