05-12-2022 03:22 AM
In my Catalyst I have a PBR (policy based routing) that redirects all TCP 443 destination traffic to a different server/IP.
How can I exclude one destination IP or network from this PBR?
Current config:
ip access-list extended 110
102 permit tcp any any eq 443
103 permit tcp any any eq www
104 permit icmp any any
route-map pbr-web permit 10
match ip address 110
set ip next-hop 172.20.x.x
05-12-2022 03:37 AM
It depends on your switch, but they don't always support route-map deny statements, and in addition they recommend not using deny lines in your ACL because that sends the packets to the CPU, which has a performance hit.
You could try having a permit statement before your existing one, i.e.
route-map pbr-web permit 5
match ip address <acl no> <--- this matches the IP or IPs you want to exclude
With no set statement it should just use the global routing table, but you would need to test.
Of course your switch may not have the above limitations; you need to check the configuration guide to be sure.
Jon
05-12-2022 03:29 AM - edited 05-12-2022 03:34 AM
Add route-map seq 5 deny
Match ACL "permit host ip tcp port"
Then use the same previous route-map 10 permit
05-12-2022 03:55 AM
Thank you @Jon Marshall @MHM Cisco World. I tried the below, still no luck. Any changes to be done?
ip access-list extended 110
102 permit tcp any any eq 443
103 permit tcp any any eq www
104 permit icmp any any
ip access-list extended 111
101 permit ip any 172.24.0.0 0.0.31.255
route-map pbr-web permit 5
match ip address 111
set ip next-hop 10.20.60.2
route-map pbr-web permit 10
match ip address 110
set ip next-hop 10.20.5.1
05-12-2022 04:00 AM
Your PBR looks fine. The interface you have applied it to, is that where all the traffic arrives on the device?
Jon
05-12-2022 04:06 AM
Yes, it's applied to a VLAN interface. ACL 110 is working fine; traffic is going to the IP in route-map 10.
05-12-2022 04:16 AM
So the exclusion is for any traffic going to 172.24.0.0 -> 172.24.31.255?
There is nothing wrong with your PBR configuration, assuming the above and that the next-hop IP is reachable from the switch, but it is difficult to say for sure without knowing your network topology.
Jon
05-12-2022 04:59 AM
Just push route-map line 10 to be 5
and route-map line 5 to be 10.
That's it.
05-12-2022 04:11 AM - edited 05-12-2022 04:15 AM
Hello
Create a new ACL for that specific host or any future hosts you wish to deny from the policy, then also create an additional PBR deny stanza and just add that newly created ACL, nothing more.
Example:
ip access-list extended 111
permit ip host x.x.x.x any
route-map pbr-web deny 5
match ip address 111
05-12-2022 04:59 AM
Thank you @paul driver @Jon Marshall.
I tried this too:
ip access-list extended 111
101 permit ip host 0.0.0.0 172.24.0.0 0.0.31.255 log
route-map pbr-web deny 5
match ip address 111
We are testing access to a website in 172.24.x.x from a client system. The site is not loading. Traceroute shows hops till this switch only.
05-12-2022 06:27 AM
Is the next hop of 10.20.60.2 directly connected to the switch ?
Jon
05-12-2022 06:29 AM
yes it is.
05-12-2022 06:27 AM
Guys, I got it working, thank you for the support. Working commands:
ip access-list extended 110
102 permit tcp any any eq 443
103 permit tcp any any eq www
104 permit icmp any any
ip access-list extended 111
101 permit ip any 172.24.0.0 0.0.31.255
route-map pbr-web permit 5
match ip address 111
set ip next-hop 10.20.60.2
route-map pbr-web permit 10
match ip address 110
set ip next-hop 10.20.5.1
05-12-2022 06:33 AM
As I mentioned above,
you push the ACL for TCP up.
Good job, friend.
05-12-2022 07:18 AM
Hello
Glad you got it working; however, the example I provided should have also worked without specifying any other next-hop IP address, UNLESS you wanted to PBR that specific host to yet another next-hop address other than the default set in the GRT.
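The three approaches in this thread (Jon's permit clause with no set statement, paul driver's deny clause, and the OP's final config that sets a separate next hop for the excluded range) all rely on the same route-map rule: clauses are evaluated in sequence order and the first clause whose match ACL permits the packet wins. The following Python model is an added illustration written for this thread, not a Cisco tool and not code posted by any participant; it encodes ACLs 110 and 111 and the route-maps from the posts, plus a deliberately wrong ordering, and runs constructed sample packets through them (the client address 10.20.5.50 and the 198.51.100.7 destination are made up). It is a simplified software model; as Jon notes, real switches may handle deny clauses and deny ACEs differently, so confirm on the hardware.

```python
"""First-match model of IOS route-map evaluation for PBR.

Added illustration for this thread, not a Cisco tool and not code posted by
any participant.  Models the semantics discussed above: clauses are tried in
sequence order, the first clause whose match ACL permits the packet wins, and
a packet that hits a deny clause, a permit clause with no 'set ip next-hop',
or no clause at all is routed by the global routing table.  Hardware PBR
can behave differently (deny handling, CPU punting), so test on the switch.
"""
from dataclasses import dataclass
from typing import List, Optional
import ipaddress

GLOBAL = "global routing table"


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    """One extended access-list entry, IOS wildcard-mask style."""
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches any protocol
    src: str                    # "any", "host A.B.C.D" or "A.B.C.D W.W.W.W"
    dst: str
    dport: Optional[int] = None


def addr_matches(spec: str, addr: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is don't-care."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ipaddress.ip_address(spec.split()[1]) == ipaddress.ip_address(addr)
    net, wild = spec.split()
    care = ~int(ipaddress.ip_address(wild)) & 0xFFFFFFFF
    return (int(ipaddress.ip_address(addr)) & care) == (int(ipaddress.ip_address(net)) & care)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (addr_matches(ace.src, pkt.src) and addr_matches(ace.dst, pkt.dst)):
        return False
    return ace.dport is None or ace.dport == pkt.dport


def acl_permits(acl: List[Ace], pkt: Packet) -> bool:
    """ACL used under 'match ip address': the first ACE that matches decides.
    permit -> the route-map clause matches; deny, or the implicit deny at the
    end -> the packet falls through to the next route-map clause."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action == "permit"
    return False


@dataclass
class Clause:
    seq: int
    action: str                      # "permit" or "deny"
    acl: List[Ace]
    next_hop: Optional[str] = None   # None models a clause with no 'set ip next-hop'


def pbr_next_hop(route_map: List[Clause], pkt: Packet) -> str:
    """Return the next hop PBR would apply, or GLOBAL for normal destination routing."""
    for clause in sorted(route_map, key=lambda c: c.seq):
        if acl_permits(clause.acl, pkt):
            if clause.action == "deny" or clause.next_hop is None:
                return GLOBAL
            return clause.next_hop
    return GLOBAL


# ACLs as posted in the thread
ACL_110 = [Ace("permit", "tcp", "any", "any", 443),
           Ace("permit", "tcp", "any", "any", 80),
           Ace("permit", "icmp", "any", "any")]
ACL_111 = [Ace("permit", "ip", "any", "172.24.0.0 0.0.31.255")]

# Three placements of the exclusion from the thread, plus the wrong order for contrast
JON_STYLE = [Clause(5, "permit", ACL_111), Clause(10, "permit", ACL_110, "10.20.5.1")]
PAUL_STYLE = [Clause(5, "deny", ACL_111), Clause(10, "permit", ACL_110, "10.20.5.1")]
OP_FINAL = [Clause(5, "permit", ACL_111, "10.20.60.2"), Clause(10, "permit", ACL_110, "10.20.5.1")]
WRONG_ORDER = [Clause(10, "permit", ACL_110, "10.20.5.1"), Clause(20, "permit", ACL_111)]

# Constructed sample packets (client and public destination addresses are made up)
HTTPS_EXCLUDED = Packet("tcp", "10.20.5.50", "172.24.5.10", 443)      # inside 172.24.0.0/19
HTTPS_JUST_OUTSIDE = Packet("tcp", "10.20.5.50", "172.24.40.1", 443)  # 172.24.32.0 and up are not excluded
HTTPS_ELSEWHERE = Packet("tcp", "10.20.5.50", "198.51.100.7", 443)
DNS_ELSEWHERE = Packet("udp", "10.20.5.50", "198.51.100.7", 53)       # matches nothing in ACL 110

if __name__ == "__main__":
    for name, rm in [("jon", JON_STYLE), ("paul", PAUL_STYLE),
                     ("op_final", OP_FINAL), ("wrong_order", WRONG_ORDER)]:
        for pkt in (HTTPS_EXCLUDED, HTTPS_JUST_OUTSIDE, HTTPS_ELSEWHERE, DNS_ELSEWHERE):
            print(f"{name:12} {pkt.proto}/{pkt.dport} -> {pkt.dst:14}: {pbr_next_hop(rm, pkt)}")
```

Running it shows the point of the thread: with the exclusion clause at seq 5, HTTPS to 172.24.5.10 goes to the global table (Jon and paul variants) or to 10.20.60.2 (OP's final config), while HTTPS to anything else still goes to 10.20.5.1; with the exclusion clause after seq 10, the 443 entry in ACL 110 wins first and the excluded destination is redirected to 10.20.5.1 anyway. The 172.24.40.1 case shows why the wildcard 0.0.31.255 only covers 172.24.0.0 to 172.24.31.255.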