Policy-Based Routing

hs08
Hello,

At our branch I have 2 paths to the internet: the 1st via the local internet connection at the site and the 2nd via Head Office over the WAN.
All traffic to other branches and Head Office should pass via Head Office over the WAN, and all internet traffic, including to Microsoft Azure (using a site-to-site VPN), should use the local internet and fail over to HO via WAN if the local connection is down.

On the core switch I made a route-map like below

ip access-list extended Internal-DC
1 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255

ip access-list extended INET-VIA-FORTI
10 permit ip any any

route-map PBR-INET deny 10
match ip address Internal-DC
!
route-map PBR-INET permit 20
match ip address INET-VIA-FORTI
set ip next-hop 10.102.173.2

then I apply it on the VLAN interface

interface Vlan101
ip address 10.102.1.1 255.255.255.0
ip ospf 100 area 0.0.0.102
ip policy route-map PBR-INET

also I have a static route for our Azure range (10.201.0.0/16) via the local internet
ip route 10.201.0.0 255.255.0.0 10.102.173.2

With the above configuration all hosts under VLAN 101 can access the internet via the local internet, can access Azure via the local internet, and can also access other branches and HO via WAN. So everything was running normally, until I realized I have this ACL

ip access-list extended Internal-DC
1 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255

This ACL is applied to the route-map, and in my mind traffic to Azure in subnet 10.201.0.0/16 will match this ACL and the traffic should be denied by the route-map
route-map PBR-INET deny 10
match ip address Internal-DC

This means traffic to Azure should be routed to HO via WAN even though I have a static route to 10.201.0.0/16 via the local internet, am I right?

Accepted Solution

Hello @hs08 ,

read my previous post in this thread; I think I have provided a possible configuration for PBR that will satisfy all your requirements:

VLAN 100 IP subnet : 10.100.0.0/16

VLAN 101 IP subnet: 10.101.0.0/16

Azure network IP subnet : 10.201.0.0/16

  • VLAN 100 to Internet via WAN >> route-map PBR block 40
  • VLAN 101 to Internet via 10.102.173.2 > route-map PBR block 30
  • All VLAN to Azure via 10.102.173.2 >> route-map PBR block 10
  • All VLAN to 10.0.0.0/8 via WAN >> route-map block 20

 

Edit :

if SVI Vlan101 and SVI Vlan100 are directly attached to the core switch you need two route-maps, one to apply to SVI Vlan100 and one to be applied to SVI Vlan101.

looking at your first post I think this is your case. So you need to create two PBR route-maps; they just differ in the next-hop set in the last block.

Alternatively you can apply the same PBR route-map on both SVIs; for the way I have written the extended ACLs, it will work.

Hope to help

Giuseppe

16 Replies

Giuseppe Larosa

Hello @hs08 ,

traffic denied by a PBR route-map is routed in the standard manner using the available best route:

you have the following route:

>> ip route 10.201.0.0 255.255.0.0 10.102.173.2

So traffic to the Azure network will be routed to the specified next-hop 10.102.173.2, which is also the next-hop used by the route-map in the second clause.

So internet traffic and traffic to Azure are routed via the Forti Firewall using the local internet handoff.

Hope to help

Giuseppe

Hi,

you have the following route:
>> ip route 10.201.0.0 255.255.0.0 10.102.173.2
So traffic to the Azure network will be routed to the specified next-hop 10.102.173.2, that is also the next-hop used by the route-map in the second clause.

Can I say the traffic should use the local internet with next hop 10.102.173.2 because in the route-map I denied traffic from 10.0.0.0/8 to 10.0.0.0/8?

ip access-list extended Internal-DC
1 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255

ip access-list extended INET-VIA-FORTI
10 permit ip any any

route-map PBR-INET deny 10
match ip address Internal-DC
!
route-map PBR-INET permit 20
match ip address INET-VIA-FORTI
set ip next-hop 10.102.173.2

ip access-list extended Internal-DC
1 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255

<<- To start solving the issue, explain this ACL. Keep in mind that PBR is not used for traffic within the same subnet but for traffic between different subnets, so can you elaborate more on this ACL?

route-map PBR-INET deny 10
match ip address Internal-DC

Hi @MHM Cisco World 

As I mentioned previously, I have 2 connections for each site: one is a pure internet connection and the other is WAN. I set the main traffic to the internet and to Azure for most subnets to use the local internet connection, and traffic to other branches or to HO should use the WAN connection for all subnets.

Also the WAN connection is able to provide internet connectivity as backup if the internet link at the site is down. The core switch at HO has the OSPF configuration 'default-information originate', so the route to the internet 0.0.0.0/0 is distributed to all core switches at each site.

Let's say I want VLAN 100's internet connection to use HO's internet; then I don't need to make any static route 0.0.0.0/0 because OSPF already distributes this route.

VLAN 101's internet connection and Azure should use the local internet, so I must make one PBR to accomplish this, where the PBR will set the next-hop IP address to the local firewall at the site.

The main purpose of the ACL below is to make sure traffic to HO or other branches from subnet 101 will use the WAN link rather than the internet link. The local internet connection is only for internet connectivity for some subnets and for Azure for all subnets.

ip access-list extended Internal-DC
1 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 

route-map PBR-INET deny 10
match ip address Internal-DC

With this configuration all traffic is working normally, but when I checked in more detail this morning, I can see traffic to Azure uses both links (I can see traffic logs from 10.102.1.0/24 to Azure 10.201.0.0/16 on the local firewall and on the HO firewall).

Also my logic says that because I have the above ACL, traffic to Azure should use HO via the WAN connection, since traffic to Azure 10.201.0.0/16 will match ACL Internal-DC and this traffic is denied in the route-map.

Please share your opinion.

SubnetA-L2VPN-SubnetA

The same subnet in both sites needs L2VPN; it never uses the internet (Layer 3) to connect to each other.

MHM

Hi @MHM Cisco World 

I have no identical subnets.

HO subnet : 10.100.0.0/16
Branch-1 : 10.101.0.0/16
Branch-2 : 10.102.0.0/16
Branch-3 : 10.103.0.0/16
Azure : 10.201.0.0/16

[attached image: hs08_0-1726556801903.png]
Hello @hs08 ,

if you want traffic to Azure to go to the HQ office you need to remove the static route that uses the local firewall as next-hop.

You can eventually change it to a floating static route to be used when OSPF is down.

Edit:

if you do not use OSPF on the WAN links the same idea can work: you will have a primary static route using the WAN link to HQ and a floating static route using the local handoff, or you can do the opposite if this is what you want to achieve.

You can do the following:

conf t

no ip route 10.201.0.0 255.255.0.0 10.102.173.2

ip route 10.201.0.0 255.255.0.0 10.102.173.2 150

the 150 is an AD that is greater than the OSPF default AD of 110. In this way the local static route becomes a backup route.

note: this works if the branch office receives the same prefix from HQ in OSPF with the same prefix length.

PBR is not involved in routing to Azure because the traffic flow's packets match the first route-map block, which has a deny action.

Hope to help

Giuseppe

What i want is :

  • Traffic to Azure from all subnets goes via the local internet
  • Traffic to other branches and HO goes via WAN
  • Traffic to the internet from VLAN 100 goes via WAN
  • Traffic to the internet from VLAN 101 goes via the local internet.

Hello @hs08 ,

your current PBR configuration does not provide the desired goals.

For the sake of simplicity let's suppose the following

VLAN 100 IP subnet : 10.100.0.0/16

VLAN 101 IP subnet: 10.101.0.0/16

Azure network IP subnet : 10.201.0.0/16

ip access-list extended ToAzure
1 permit ip 10.100.0.0 0.1.255.255 10.201.0.0 0.0.255.255
! local subnets to Azure

ip access-list extended VL101-to-internet
permit ip 10.101.0.0 0.0.255.255 any
! above ACL for internet access of VLAN 101 subnet

ip access-list extended LOCAL-TO-DC
deny ip 10.100.0.0 0.1.255.255 10.201.0.0 0.0.255.255
permit ip 10.100.0.0 0.1.255.255 10.0.0.0 0.255.255.255
!

given the above ACLs you can build a multi-block route-map, starting from the most specific traffic flows

route-map PBR permit 10
match ip address ToAzure
set ip next-hop 10.102.173.2

route-map PBR permit 20
match ip address LOCAL-TO-DC
set ip next-hop <WAN-IP-next-hop>

route-map PBR permit 30
match ip address VL101-to-internet
set ip next-hop 10.102.173.2

route-map PBR permit 40
set ip next-hop <WAN-IP-next-hop>

Warning: this single PBR route-map can be applied inbound on a device where VLAN 100 and VLAN 101 are not directly connected.

if these subnets are directly connected to your core switch you need to split the route-map and use two different route-maps, applied one to SVI Vlan100 and one to SVI Vlan101

Hope to help

Giuseppe
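
Two points in the answers above are easy to get backwards: a route-map deny clause does not drop anything, it only hands the packet back to the routing table (which is why the static route decided where Azure traffic went in the original setup), and "set ip next-hop" from a matching permit clause wins over the routing table. The Python model below is an added illustration for this thread, not Cisco code and not part of any post. It evaluates the original post's configuration, the floating static route (AD 150 versus OSPF's 110) and the four-block route-map above against sample flows. The ACL entries and the next hop 10.102.173.2 are taken from the posts; the sample hosts, the 10.100/16 and 10.101/16 VLAN subnets (as assumed in the post above) and the "WAN" next-hop label are assumptions, since the thread never names the WAN next hop.

```python
"""Model of Cisco IOS policy-based routing (PBR) decisions: IOS wildcard-mask
ACLs, route-map clauses evaluated in sequence order, and fallback to the routing
table (RIB) by longest-prefix match and administrative distance (AD).
Illustration written for this thread; not Cisco code.  The WAN next hop is the
placeholder string "WAN" because the thread never names it (assumption)."""
import ipaddress


def to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, net, wild):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    return (to_int(addr) | to_int(wild)) == (to_int(net) | to_int(wild))


ANY = ("0.0.0.0", "255.255.255.255")  # the 'any' keyword as network/wildcard


def acl_lookup(acl, src, dst):
    """Extended ACL: the first matching ACE wins.  Returns 'permit', 'deny' or
    None (no ACE matched, i.e. the implicit deny at the end of every ACL)."""
    for action, snet, swild, dnet, dwild in acl:
        if wildcard_match(src, snet, swild) and wildcard_match(dst, dnet, dwild):
            return action
    return None


def pbr_next_hop(route_map, acls, src, dst):
    """Walk the clauses in sequence order.  A clause is selected when its ACL
    *permits* the flow (a clause without 'match' selects everything).  A selected
    'deny' clause, or no selected clause at all, means 'do not policy-route':
    return None so the caller falls back to the RIB."""
    for seq, action, acl_name, next_hop in sorted(route_map, key=lambda c: c[0]):
        if acl_name is None or acl_lookup(acls[acl_name], src, dst) == "permit":
            return next_hop if action == "permit" else None
    return None


def rib_next_hop(rib, dst):
    """Longest prefix match; among equal prefix lengths the lowest AD wins."""
    d = ipaddress.IPv4Address(dst)
    best = [(net.prefixlen, -ad, nh) for net, nh, ad in rib if d in net]
    return max(best)[2] if best else None


def forward(route_map, acls, rib, src, dst):
    """'set ip next-hop' from a matching permit clause overrides the RIB;
    everything else is routed normally."""
    nh = pbr_next_hop(route_map, acls, src, dst)
    return nh if nh is not None else rib_next_hop(rib, dst)


FORTI, WAN = "10.102.173.2", "WAN"


def route(prefix, next_hop, ad):
    return (ipaddress.ip_network(prefix), next_hop, ad)


# 1. The original post: deny clause for 10/8 -> 10/8, catch-all permit to the
#    Forti, plus a static route for Azure pointing at the same Forti next hop.
ACLS_ORIG = {
    "Internal-DC":    [("permit", "10.0.0.0", "0.255.255.255", "10.0.0.0", "0.255.255.255")],
    "INET-VIA-FORTI": [("permit", *ANY, *ANY)],
}
RM_ORIG = [(10, "deny", "Internal-DC", None), (20, "permit", "INET-VIA-FORTI", FORTI)]
RIB_ORIG = [route("0.0.0.0/0", WAN, 110),      # OSPF default from HO (default-information originate)
            route("10.100.0.0/16", WAN, 110),  # HO subnet learned via OSPF over the WAN
            route("10.201.0.0/16", FORTI, 1)]  # ip route 10.201.0.0 255.255.0.0 10.102.173.2


def original_config():
    """Next hop chosen for a Vlan101 host (10.102.1.0/24) towards Azure, HO, Internet."""
    host = "10.102.1.10"  # sample host, assumption
    return {dst: forward(RM_ORIG, ACLS_ORIG, RIB_ORIG, host, dst)
            for dst in ("10.201.5.5", "10.100.1.1", "8.8.8.8")}


# 2. Floating static: 'ip route 10.201.0.0 255.255.0.0 10.102.173.2 150' loses to an
#    OSPF route (AD 110) for the same prefix and takes over only when it disappears.
def floating_static(ospf_route_present):
    rib = [route("0.0.0.0/0", WAN, 110), route("10.201.0.0/16", FORTI, 150)]
    if ospf_route_present:
        rib.append(route("10.201.0.0/16", WAN, 110))
    return forward(RM_ORIG, ACLS_ORIG, rib, "10.102.1.10", "10.201.5.5")


# 3. The four-block route-map proposed above (VLAN 100 = 10.100/16, VLAN 101 =
#    10.101/16).  Wildcard 0.1.255.255 on 10.100.0.0 covers 10.100.0.0-10.101.255.255,
#    i.e. both VLANs in a single ACE.
ACLS_PBR = {
    "ToAzure":           [("permit", "10.100.0.0", "0.1.255.255", "10.201.0.0", "0.0.255.255")],
    "VL101-to-internet": [("permit", "10.101.0.0", "0.0.255.255", *ANY)],
    "LOCAL-TO-DC":       [("deny",   "10.100.0.0", "0.1.255.255", "10.201.0.0", "0.0.255.255"),
                          ("permit", "10.100.0.0", "0.1.255.255", "10.0.0.0", "0.255.255.255")],
}
RM_PBR = [(10, "permit", "ToAzure", FORTI), (20, "permit", "LOCAL-TO-DC", WAN),
          (30, "permit", "VL101-to-internet", FORTI), (40, "permit", None, WAN)]


def four_block_pbr():
    """Every flow hits a permit clause, so even an RIB entry sending Azure over
    the WAN (placed here on purpose) is overridden by 'set ip next-hop'."""
    rib = [route("10.201.0.0/16", WAN, 110)]
    flows = {"vlan100-azure": ("10.100.1.1", "10.201.5.5"), "vlan101-azure": ("10.101.1.1", "10.201.5.5"),
             "vlan100-branch": ("10.100.1.1", "10.103.1.1"), "vlan101-ho": ("10.101.1.1", "10.100.1.1"),
             "vlan100-inet": ("10.100.1.1", "8.8.8.8"), "vlan101-inet": ("10.101.1.1", "8.8.8.8")}
    return {name: forward(RM_PBR, ACLS_PBR, rib, s, d) for name, (s, d) in flows.items()}


if __name__ == "__main__":
    print("original:", original_config())
    print("floating static, OSPF route present:", floating_static(True), "| absent:", floating_static(False))
    print("four-block:", four_block_pbr())
```

In the original configuration the model sends 10.102.1.10 to 10.201.5.5 via 10.102.173.2 only because the static route wins the RIB lookup after the deny clause; delete that static route and the same flow follows the OSPF default over the WAN. On real hardware confirm the clause that actually matched with "show route-map PBR" (per-clause policy-routing counters) rather than trusting the model.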

Hi @Giuseppe Larosa 

Here my requirement.

VLAN 100 IP subnet : 10.100.0.0/16

VLAN 101 IP subnet: 10.101.0.0/16

Azure network IP subnet : 10.201.0.0/16

  • VLAN 100 to Internet via WAN
  • VLAN 101 to Internet via 10.102.173.2
  • All VLAN to Azure via 10.102.173.2
  • All VLAN to 10.0.0.0/8 via WAN

Check this; if you have questions please ask.
MHM

[attached image: hs08_0-1726556801903.png]

Hello
Note: by default "set ip next-hop" ignores the routing table, so that static route will be ignored and PBR will take preference.

The easiest way to PBR would be to policy-route only your specific traffic and leave all other traffic to route via the default next hop. However, based on your OP it seems you are performing PBR against your default-routed traffic.

If correct, I would say you just need to append another route-map stanza to permit that /16 traffic to also be policy-routed; then there is no need for the static route.

no ip access-list extended INET-VIA-FORTI

route-map PBR-INET permit 20
no match ip address INET-VIA-FORTI
! not required to match any any: a stanza with no match is a catch-all, so ANY other traffic will match anyway

ip access-list extended NET
permit ip any 10.201.0.0 0.0.255.255

route-map PBR-INET permit 5
match ip address NET
set ip next-hop 10.102.173.2



Kind Regards
Paul

Hi @paul driver 

ip access-list extended NET
permit ip any 10.201.0.0 0.0.255.255

route-map PBR-INET permit 5
match ip address NET
set ip next-hop 10.102.173.2

With that configuration my logic says only traffic to 10.201.0.0 will go to next hop 10.102.173.2, am I correct?

What i want is :

  • Traffic to Azure from all subnets goes via 10.102.173.2
  • Traffic to other branches and HO goes via WAN
  • Traffic to the internet from VLAN 100 goes via WAN
  • Traffic to the internet from VLAN 101 goes via 10.102.173.2