02-09-2014 10:00 AM - edited 03-04-2019 10:17 PM
I was looking for a way to route traffic such as BitTorrent detected by the PDLMs on the router to another gateway, to off-load that traffic from our primary ISP but not block or throttle it.
I was hoping there was a built-in mechanism to do so, and since the ports are dynamic, it makes it near impossible to use a NAT statement to perform the same task.
Any help would be much appreciated.
02-09-2014 10:51 AM
Hi Daniel,
You can do it using the match policy-list option in a route-map. Following is my lab test:
!
class-map match-any ICMP
match protocol icmp
!
policy-map For-PBR
class ICMP
!
route-map PBR-NBAR
match ip policy-list For-PBR
set ip next-hop 34.0.0.4
!
interface Gig1/0
ip policy route-map PBR-NBAR
!
end
R3#show route-map
route-map PBR-NBAR, permit, sequence 10
Match clauses:
IP Policy lists:
For-PBR
Set clauses:
ip next-hop 34.0.0.4
Policy routing matches: 103 packets, 11742 bytes
-Vishesh
Don't forget to rate.
02-09-2014 10:58 AM
Command not listed under match ip. What versions are supported?
CPTNYCRT01(config-route-map)#match ip ?
address Match address of route or match packet
next-hop Match next-hop address of route
redistribution-source route redistribution source (EIGRP only)
route-source Match advertising source address of route
CPTNYCRT01(config-route-map)#do sh ver
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 15.1(4)M4, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Tue 20-Mar-12 18:13 by prod_rel_team
ROM: System Bootstrap, Version 12.3(8r)T7, RELEASE SOFTWARE (fc1)
CPTNYCRT01 uptime is 14 weeks, 2 days, 20 hours, 56 minutes
System returned to ROM by reload at 18:00:00 Eastern Thu Oct 31 2013
System restarted at 18:01:54 Eastern Thu Oct 31 2013
System image file is "flash:c2800nm-advipservicesk9-mz.151-4.M4.bin"
Last reload type: Normal Reload
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
Cisco 2821 (revision 3.0) with 1034240K/14336K bytes of memory.
Processor board ID FHK0847F1PQ
2 Gigabit Ethernet interfaces
1 ATM interface
1 Channelized T1/PRI port
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
126976K bytes of ATA CompactFlash (Read/Write)
License Info:
License UDI:
-------------------------------------------------
Device# PID SN
-------------------------------------------------
*0 CISCO2821 FHK0847F1PQ
Configuration register is 0x2102
CPTNYCRT01(config-route-map)#
02-09-2014 11:02 AM
Hello Vishesh,
I am afraid you are not correct. You are confusing a policy-map with an ip policy-list - these two are different and unrelated constructs. Your example appears to work because the route-map refers to a non-existent ip policy-list and therefore produces a match (it's like referring to a non-existent ACL), but because of this, it applies to all traffic, not just to the ICMP packets.
Unfortunately, a route-map used to drive PBR is unable to directly refer to a class-map or to a qos-group value. The only solution I was able to create was to actually mark ingress packets with a non-zero DSCP value, and then base the PBR on the DSCP value, e.g.:
class-map match-all TELNET
match protocol telnet
!
policy-map fa0/1-in
class TELNET
set dscp af13
!
ip access-list extended AF13
permit ip any any dscp af13
!
route-map PBR permit 10
match ip address AF13
set ip next-hop 10.0.23.3
!
interface FastEthernet0/1
ip address 10.1.12.2 255.255.255.0
ip policy route-map PBR
service-policy input fa0/1-in
Ingress traffic on Fa0/1 is first inspected by the fa0/1-in policy-map that identifies the Telnet traffic, and marks the packets with DSCP value of AF13. Afterwards, the PBR looks for all AF13-marked packets, and PBRs them to a different next hop. On ingress, QoS marking is performed before PBR.
It is admittedly a hack...
Best regards,
Peter
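As an added example (not from the original thread), here is Peter's mark-then-PBR approach applied to Daniel's BitTorrent case, with a reachability check on the alternate gateway so traffic is not blackholed if it goes down, and the local mark cleared on egress. The interface names, the 192.0.2.2 gateway (an RFC 5737 documentation address) and all object names are assumptions.

```cisco
! Assumed topology: Gi0/0 = LAN, Gi0/1 = primary ISP, Gi0/2 = secondary
! gateway 192.0.2.2 (placeholder, stand-in for the real next hop)
!
! 1) Classify BitTorrent with the NBAR PDLM and mark it with a DSCP value
!    that is otherwise unused internally, so the mark doubles as the PBR key
class-map match-any OFFLOAD-P2P
 match protocol bittorrent
!
policy-map LAN-IN
 class OFFLOAD-P2P
  set dscp af13
!
! 2) A PBR route-map can only match an ACL, so match the mark with one
ip access-list extended OFFLOAD-MARKED
 permit ip any any dscp af13
!
! 3) Only policy-route while the secondary gateway answers pings;
!    otherwise the marked traffic falls back to the normal routing table
ip sla 10
 icmp-echo 192.0.2.2
 frequency 10
ip sla schedule 10 life forever start-time now
track 10 ip sla 10 reachability
!
route-map OFFLOAD permit 10
 match ip address OFFLOAD-MARKED
 set ip next-hop verify-availability 192.0.2.2 10 track 10
!
! 4) Ingress: marking (service-policy) runs before PBR (ip policy)
interface GigabitEthernet0/0
 ip nbar protocol-discovery
 service-policy input LAN-IN
 ip policy route-map OFFLOAD
!
! 5) Reset the mark before it leaves toward the secondary ISP so the
!    internal marking scheme is neither exposed nor honoured upstream
class-map match-all MARKED-AF13
 match dscp af13
policy-map SECONDARY-OUT
 class MARKED-AF13
  set dscp default
interface GigabitEthernet0/2
 service-policy output SECONDARY-OUT
!
! Verify: class and route-map counters should both increase, track is Up
! show policy-map interface GigabitEthernet0/0 input
! show route-map OFFLOAD
! show track 10
```

NBAR needs the first packets of a flow to classify it, so the initial packets of each BitTorrent session may still leave via the primary ISP before the mark (and hence the PBR) takes effect.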
02-09-2014 11:24 AM
Hi Peter,
You are right, I mistook the policy-list for a policy-map.
R2(config-route-map)#match policy-list ?
WORD IP Policy map name
Seems like yours is the only way to configure it. Thanks for clearing that.
-Vishesh