Policy Base Routing

hs08
VIP

Hello,

On our branch I have 2 paths to the internet: the 1st via local internet at the site and the 2nd via Head Office over the WAN.
All traffic to other branches and to Head Office should pass via Head Office over the WAN, and all internet traffic, including to Microsoft Azure (using a site-to-site VPN), should use the local internet and fail over to HO via WAN if the local connection is down.

On the core switch I made a route-map like the one below:

ip access-list extended Internal-DC
1 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255

ip access-list extended INET-VIA-FORTI
10 permit ip any any

route-map PBR-INET deny 10
match ip address Internal-DC
!
route-map PBR-INET permit 20
match ip address INET-VIA-FORTI
set ip next-hop 10.102.173.2

Then I apply it on the VLAN interface:

interface Vlan101
ip address 10.102.1.1 255.255.255.0
ip ospf 100 area 0.0.0.102
ip policy route-map PBR-INET

I also have a static route to our Azure (10.201.0.0/16) via local internet:
ip route 10.201.0.0 255.255.0.0 10.102.173.2

With the above configuration all hosts under VLAN 101 can access the internet via local internet, can access Azure via local internet, and can also access other branches and HO via WAN. So everything runs normally, until I realized I have this ACL:

ip access-list extended Internal-DC
1 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255

This ACL is applied to the route map, and in my mind traffic to Azure with subnet 10.201.0.0/16 will match this ACL and the traffic should be denied by the route map:
route-map PBR-INET deny 10
match ip address Internal-DC

This means traffic to Azure should be routed to HO via WAN even though I have a static route to 10.201.0.0/16 via local internet, am I right?

16 Replies

Joseph W. Doherty
Hall of Fame

Just wondering, if you're using OSPF and default originate, have you considered using it as a type 1?

Hello

@hs08 wrote:

With that configuration my logic says only traffic to 10.201.0.0 will go to hop 10.102.173.2, am I correct?

What I want is:

  • Traffic to azure from all subnet go via 10.102.173.2
  • Traffic to other branch, HO will go via WAN
  • Traffic to internet from VLAN 100 will go via WAN
  • Traffic to internet from VLAN 101 will go to 10.102.173.2

No, it should do what you require it to do, providing the default for all traffic without any PBR is routed via the HQ next hop and NOT the internet breakout?

The full route-map should read:

ip access-list extended Internal-DC
permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255

ip access-list extended NET
permit ip any 10.201.0.0 0.0.255.255

route-map PBR-INET permit 5
match ip address NET
set ip next-hop 10.102.173.2

route-map PBR-INET deny 10
match ip address Internal-DC

route-map PBR-INET permit 20
! catch-all statement: no match clause, so every packet not handled above matches here
set ip next-hop 10.102.173.2


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
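To make the route-map semantics concrete for both hs08's original route-map and Paul's version, here is an added Python model of IOS PBR evaluation (editor's example, not code from the thread): sequences are tried in order, a matching deny sequence or no match at all hands the packet to the normal routing table rather than dropping it, and the RIB then does a longest-prefix lookup. The HO/WAN next hop 10.102.254.1, the RIB entries, and the VLAN 101 host 10.102.1.10 are constructed assumptions; the ACLs, the 10.201.0.0/16 static route and the 10.102.173.2 next hop come from the thread.

```python
import ipaddress

def wc(addr, wildcard):
    """IOS address/wildcard pair -> network ('any' -> 0.0.0.0/0)."""
    if addr == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{addr}/{wildcard}", strict=False)

def acl_permits(acl, src, dst):
    """First matching ACE decides; no match is the implicit deny."""
    for action, s, d in acl:
        if src in s and dst in d:
            return action == "permit"
    return False

def rib_lookup(rib, dst):
    """Longest-prefix match over a {network: next_hop} table."""
    best = max((n for n in rib if dst in n), key=lambda n: n.prefixlen)
    return rib[best]

def forward(route_map, acls, rib, src, dst):
    """Return (next_hop, reason). Sequences are tried in order; a matching
    'deny' sequence, or no match at all, means normal RIB routing, not a drop."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, acl_name, next_hop in route_map:
        if acl_name is None or acl_permits(acls[acl_name], src, dst):
            if action == "permit":
                return next_hop, "pbr"
            break  # deny: leave the route-map and use the routing table
    return rib_lookup(rib, dst), "rib"

ANY, TEN = wc("any", None), wc("10.0.0.0", "0.255.255.255")
ACLS = {
    "Internal-DC": [("permit", TEN, TEN)],
    "INET-VIA-FORTI": [("permit", ANY, ANY)],
    "NET": [("permit", ANY, wc("10.201.0.0", "0.0.255.255"))],
}
# Constructed RIB: default and 10/8 via the HO WAN hop (assumed address),
# plus the static route to Azure from the thread.
HO_WAN = "10.102.254.1"
RIB = {wc("any", None): HO_WAN, TEN: HO_WAN,
       wc("10.201.0.0", "0.0.255.255"): "10.102.173.2"}
# hs08's route-map and Paul's version (acl None = no match clause, catch-all)
ORIGINAL = [("deny", "Internal-DC", None), ("permit", "INET-VIA-FORTI", "10.102.173.2")]
PAUL = [("permit", "NET", "10.102.173.2"), ("deny", "Internal-DC", None),
        ("permit", None, "10.102.173.2")]

if __name__ == "__main__":
    for dst in ("10.201.5.5", "10.1.1.1", "8.8.8.8"):  # Azure, HO, internet
        print(dst, forward(ORIGINAL, ACLS, RIB, "10.102.1.10", dst), forward(PAUL, ACLS, RIB, "10.102.1.10", dst))
```

Running it shows why Azure traffic still took the local internet with the original route-map: the deny sequence only exits PBR, and the 10.201.0.0/16 static route then wins in the RIB, whereas Paul's permit 5 steers it by policy and no longer depends on that static route.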