I want to implement PBR on internet circuit

mjhagen
Level 1

I am currently running BGP with my ISP for 2 links provided by them. All our incoming traffic is sent to the firewall by the directly connected network on the ethernet interface. I want to be able to match traffic from a source and send it to another destination other than the firewall. It looks like I can do this with a route-map? Would this be correct?

access-list 110 permit ip host x.x.x.x (some source) host 1.2.3.10 (static rule on firewall)
route-map varnish-access permit 10
     match ip address 110
     set ip next-hop 1.2.3.20 (another host outside firewall)
     set interface g 0/1
int g 0/1
ip policy route-map varnish-access


Hi,

   Yes, you can do this with PBR. Make sure that the IP address used in "set ip next-hop" is a next hop on a connected interface of the router, and make sure that the direction of the ACL you created is correct. The following is the command you want.

!
route-map varnish-access permit 10
     match ip address 110
     set ip next-hop 1.2.3.20 (another host outside firewall)
!

HTH,

Toshi
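The same PBR policy written out in full, as an added example that is not from this thread or from Cisco: it adds a tracked next hop so that if the proxy at 1.2.3.20 stops answering, matched traffic falls back to the routing table (and so to the firewall) instead of being blackholed, and it drops the "set interface g 0/1" line from the original post because that interface faces the ISP. Assumed: the ISP-facing interface is GigabitEthernet0/1 as in the original post, and 203.0.113.5 is a constructed example source address standing in for x.x.x.x.

```cisco
! Added example (not from the thread). Addresses 1.2.3.10 and 1.2.3.20 are
! from the original post; 203.0.113.5 is a constructed example source.
!
! Probe the proxy with ICMP echo every 10 seconds
ip sla 1
 icmp-echo 1.2.3.20
 frequency 10
ip sla schedule 1 life forever start-time now
!
! Track object 1 follows the reachability result of the probe
track 1 ip sla 1 reachability
!
! Match only the chosen source talking to the firewall's public rule address
access-list 110 remark PBR: send selected client traffic via the caching proxy
access-list 110 permit ip host 203.0.113.5 host 1.2.3.10
!
! Set the next hop only while track 1 is up; when it is down the packet
! falls through to normal routing, which delivers it to the firewall as before
route-map varnish-access permit 10
 match ip address 110
 set ip next-hop verify-availability 1.2.3.20 10 track 1
!
! Apply inbound on the ISP-facing interface, where the matched traffic arrives.
! PBR only acts on packets entering the interface it is applied to.
interface GigabitEthernet0/1
 ip policy route-map varnish-access
!
! Verification from privileged EXEC:
!   show route-map varnish-access   (per-sequence match and packet counters)
!   show track 1                    (state of the tracked next hop)
!   show ip policy                  (interface to route-map binding)
```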

Are you saying that the next hop needs to be the router IP address? My next hop was going to be the server directly connected to the same segment as the firewall.

Router to ISP G-0/1 1.1.1.1
Router 1.2.3.1
Firewall 1.2.3.254
Next Hop server 1.2.3.20

The next-hop IP address can be the IP address of any device you want, i.e. a router/switch/firewall/server/host etc.

Jon

The policy based route worked fine, however it opened another issue. What I am trying to accomplish with the route is that the next hop I am using is a proxy server to cache web content. What is happening is the server sees the request and forwards it to the firewall to access the real server, but it is forwarding the traffic with the original source IP of the requester and not the proxy server address, so the return traffic does not go through the proxy server. Any ideas?
