Policy based routing across multiple hops

Joshua Engels
Level 1

Hi everyone,

I have a routing objective that I am having trouble wrapping my head around.  I have two offices with redundant 1 gig point to points in between.  EIGRP manages the paths. 

Baton Rouge is where my internet connection is located, and New Orleans routes across the point to points to Baton Rouge and then out to the internet.

I have two Internet gateways at Baton Rouge: The ASA which is the main internet gateway and a 2811 Router which is used for vpn and specific internet traffic. 

The default gateway on the core switch at Baton Rouge is to the ASA.  The default gateways on both New Orleans core switches point to the next hop, which is the core switch at Baton Rouge.  Therefore if someone at New Orleans routes to the internet it follows the default route.

The issue I have is that I want one of these vlan networks to route a bit differently.  I want this network to route out the 2811 instead of the ASA.

The network I need to route out of the 2811 is the 10.0.87.0/24 network which hangs off the New Orleans Core switch.  The catch is, it cannot talk to any other internal network along the way.  So I need to route it across the point to point over to the Baton Rouge core switch and then have the Baton Rouge core switch route it out of the 2811 for internet access. 

I had this setup at Baton Rouge and it worked great with a route map.  The challenge comes in when I add the extra hop.  Any help would be greatly appreciated.

I have attached a diagram of how it is laid out.

6 Replies

james.doukas
Level 1

Have you tried using the ip next-hop gateway clause in the route map? Specify the source traffic and then create a clause that makes its next hop gateway the 2811 instead of the ASA.

Thanks so much for the response.  Let me give you guys some more info that might help explain.

So here is my config at New Orleans.  Both Core switches have the following:

ip access-list extended GUEST-TO-2811
 permit ip any any

route-map GUEST-TO-2811 permit 10
 match ip address GUEST-TO-2811
 set ip next-hop 10.0.1.5            <<<<<<  not sure this will work due to WAN hop and test fail so far

interface Vlan87
 description ***Demitasse Wireless***
 ip address 10.0.87.3 255.255.255.0
 ip policy route-map GUEST-TO-2811
 standby 87 ip 10.0.87.1
 standby 87 timers 1 5
 standby 87 priority 201
 standby 87 preempt delay minimum 300
 standby 87 authentication md5 key-string 7 xxxxxxxxxxx

I am advertising 10.0.87.0 off both New Orleans core switches via EIGRP as well, so 10.0.1.5 knows how to get there.  The thing is, where do I set the next hop?  Notice on the New Orleans core routers the statement "set ip next-hop 10.0.1.5" points to the 2811, which is on the other side of the WAN.  Since the 2811 is not directly connected to the core switches in New Orleans, the traffic must pass over the WAN link to get to it.  It must pass over the 172.x.x.x network shown in the diagram.

My assumption is that the route map will not work because of the hop in between 10.0.87 and 10.0.1.5.

So that's where my understanding is breaking down.

Another idea would be to simply put an access list on the interface for 10.0.87.0/24. If you don't have too many other networks, you could simply deny any traffic trying to get to your other networks and permit everything else. Once permitted traffic follows the normal default gateway heading towards the Internet, you create a policy to force it to use the 2811 based on its source address on the Baton Rouge router.

Thanks James,

I am after exactly what you just spoke of.  The only part that I am struggling with is which interface I would apply the route policy to.  Does the policy have to be applied to an interface, or am I missing something?

I've only done it by applying a route map on an interface, and as traffic hits it, it matches the ACL.  Is there another way to do this?

In other words I need to somehow match the traffic on the Baton Rouge Core before I can set the next hop.  Trying to figure out the best way to do this.

ccie12079
Level 1

Your PBR needs to be on both interfaces facing New Orleans in Baton Rouge as well.

Sent from Cisco Technical Support iPad App

Just create an acl and put a match statement in the route map. Something similar to below should work. I'm just using random numbers as an example.

route-map permit 10
  match ip address 150
  set ip next-hop

access-list 150 permit ip 10.0.87.0 0.0.0.255 any

You could then apply the policy to inbound traffic in Baton Rouge.

As usual, I would test first, not just configure a production environment. Verify you get the results you're looking for before you apply it to a production environment.
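Putting the replies together, here is an added example of the full two-hop design (not configuration from the thread; the interface names and the 172.16.x.x point-to-point addresses are constructed, and the DHCP permit is an assumption about what the guest VLAN needs). The guest VLAN is isolated with a normal inbound ACL, New Orleans policy-routes toward the Baton Rouge end of the point-to-point, and Baton Rouge policy-routes from both WAN-facing interfaces to the 2811.

```cisco
! === New Orleans core switches (both HSRP members) ===
! Isolation first, with a plain inbound ACL. A PBR route-map cannot drop
! traffic: a "deny" in its match ACL only means "route this normally",
! so the guest network would still reach internal subnets via EIGRP.
ip access-list extended GUEST-ISOLATE
 permit udp any eq bootpc any eq bootps   ! DHCP relay (assumption)
 deny   ip 10.0.87.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 10.0.87.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 10.0.87.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 10.0.87.0 0.0.0.255 any
!
! PBR: "set ip next-hop" must name an adjacent address, so point at the
! Baton Rouge core's end of the point-to-point, not at the 2811 across
! the WAN. Two addresses = one per redundant link; the first one that is
! up is used (172.16.x.1 addresses are constructed placeholders).
ip access-list extended GUEST-TO-2811
 permit ip 10.0.87.0 0.0.0.255 any
route-map GUEST-TO-2811 permit 10
 match ip address GUEST-TO-2811
 set ip next-hop 172.16.1.1 172.16.2.1
!
interface Vlan87
 ip access-group GUEST-ISOLATE in
 ip policy route-map GUEST-TO-2811
!
! === Baton Rouge core switch ===
! PBR is evaluated on the ingress interface, so the policy goes on every
! interface where guest traffic can arrive from New Orleans, i.e. both
! point-to-point links. 10.0.1.5 (the 2811) is adjacent here.
ip access-list extended GUEST-FROM-NO
 permit ip 10.0.87.0 0.0.0.255 any
route-map GUEST-TO-2811 permit 10
 match ip address GUEST-FROM-NO
 set ip next-hop 10.0.1.5
!
interface GigabitEthernet1/1
 description P2P 1 to New Orleans (constructed interface name)
 ip policy route-map GUEST-TO-2811
interface GigabitEthernet1/2
 description P2P 2 to New Orleans (constructed interface name)
 ip policy route-map GUEST-TO-2811
```

Verify with "show route-map GUEST-TO-2811" (the policy match counters should increase on both switches) and a traceroute from a guest host, which should show the Baton Rouge core and then the 2811, and confirm from the same host that internal addresses are unreachable; PBR support and ACL capacity on Catalyst platforms depend on the hardware and SDM template, so prove it out on a lab switch before touching production.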
