11-02-2020 12:41 PM
At our DR branch we have two ISPs running currently. I am trying to get all the Zerto traffic to go on one ISP and everything else to go to the other. I have attached the Packet Tracer picture to see the topology. I have never done PBR before, but talking with Cisco has led me down this path; unfortunately the engineer I have is unable or unwilling to help me with the actual configuration, so I'm trying to watch some free CBT Nuggets to see what I can do. This is what I have so far:
Create ACL
! Extended ACL: the second field is a wildcard mask, so 0.0.0.0 means "this exact host"
! (a wildcard of 255.255.255.255 would match every source address)
ip access-list extended Match-Zerto-ACL
 permit ip 10.100.10.131 0.0.0.0 any
 permit ip 10.100.10.132 0.0.0.0 any
 permit ip 10.100.10.133 0.0.0.0 any
 permit ip 10.100.10.134 0.0.0.0 any
 exit
If I am correct, this creates the list of allowed IPs to apply to the PBR; these would be our Zerto server and the Z-VRAs that we have on each ESX server. I am unsure here if I want IP, UDP, or TCP. To be safe I guess I could go back and permit each one for all three. This is my first question.
Then create the Route Map
! Route map: traffic matching the ACL is sent to the Zerto ISP next hop;
! anything that does not match falls through to the normal routing table
route-map Zerto-QX permit 10
 match ip address Match-Zerto-ACL
 set ip next-hop 10.213.0.199
 exit
This one seems simple enough. I think this is all I need to add on this one. If not please let me know.
Then apply the PBR to an interface.
! Policy routing is evaluated on packets ENTERING this interface
interface GigabitEthernet0/0/0
 ip policy route-map Zerto-QX
 end
This is my second question. As we have a single in and out on this router to a switch, I am unsure if it would work, as I know you are supposed to apply it to the interface closest to the device. I suppose I would just have to apply this to the only interface we have and see what happens.
Could anyone give a little advice on any of this?
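The three steps above as one complete IOS configuration, added here as an example and not taken from the original post or from Cisco. It reuses the poster's names, hosts, next hop (10.213.0.199) and interface (GigabitEthernet0/0/0); the IP SLA probe, track object 10, and the probe frequency are assumptions. It goes one step beyond the thread by tying the next hop to a reachability track so that, if the Zerto-side ISP goes down, the route map stops redirecting and Zerto traffic falls back to the default route via the other ISP instead of being black-holed.

```cisco
! --- Classifier: "host x" is shorthand for "x 0.0.0.0" (exact match).
!     A permit here does not allow or block anything; it only selects traffic. ---
ip access-list extended Match-Zerto-ACL
 permit ip host 10.100.10.131 any
 permit ip host 10.100.10.132 any
 permit ip host 10.100.10.133 any
 permit ip host 10.100.10.134 any
!
! --- Assumed: ICMP probe of the Zerto-side ISP next hop every 10 seconds ---
ip sla 10
 icmp-echo 10.213.0.199 source-interface GigabitEthernet0/0/0
 frequency 10
ip sla schedule 10 life forever start-time now
track 10 ip sla 10 reachability
!
! --- Route map: only ACL matches are redirected. There is no explicit deny;
!     non-matching packets skip the route map and use the routing table. ---
route-map Zerto-QX permit 10
 match ip address Match-Zerto-ACL
 set ip next-hop verify-availability 10.213.0.199 10 track 10
!
! --- Apply to the interface the Zerto traffic ENTERS the router on.
!     Packets the router generates itself are not covered; those would need
!     "ip local policy route-map Zerto-QX" in global config. ---
interface GigabitEthernet0/0/0
 ip policy route-map Zerto-QX
!
! --- Verification (exec mode) ---
! show ip policy                      -> interface-to-route-map binding
! show route-map Zerto-QX             -> "Policy routing matches: N packets" counter
! show track 10                       -> "Reachability is Up" or "Down"
! show ip access-lists Match-Zerto-ACL -> per-entry hit counts
```

Test it by generating traffic from one of the four hosts and watching the match counter in `show route-map Zerto-QX` climb; then shut the probe target (or block ICMP to it) and confirm `show track 10` goes Down and the counter stops moving while the traffic still leaves via the other ISP. With a single interface carrying both ISPs and the LAN, as described in this thread, the ingress rule still holds: the policy is evaluated on frames arriving from the switch on that interface, which is where the Zerto hosts' outbound packets appear.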
11-02-2020 04:12 PM
Hello
At our DR branch we have two ISPs running currently. I am trying to get all the Zerto traffic to go on one ISP and everything else to go to the other.
Your configuration looks okay; however, you could specify (though you don't have to) "host" in the ACL when you wish for a certain device to be matched. When you apply PBR, you usually apply the policy on the L3 interface on which the traffic you want to policy route originates, but looking at your topology I cannot see what device or interface this will be. You do have the correct syntax to policy route those hosts.
example of alternative acl:
ip access-list extended PBR-ACL
permit ip host 10.100.10.131 any
permit ip host 10.100.10.132 any
permit ip host 10.100.10.133 any
permit ip host 10.100.10.134 any
11-02-2020 05:58 PM
So what you are saying is that the ACL that you have would allow TCP and UDP? The layer 3 device is the Cyn Rtr. On the way in they usually bypass it, but on the way out the computers always hit that router. So I guess I just enable it on that single interface?
11-03-2020 12:09 PM
Hello
Yes, IP = UDP & TCP.
As for where to apply the policy, do you have a simplified topology showing both the ISP rtrs, your site rtr and the subnets?
11-04-2020 05:49 AM
11-04-2020 11:55 AM
Hello
It looks like the rtr and the ISPs are in the same subnet, and you don't have any internal LAN interface, which is very unusual. Is this a production topology or a lab?
11-04-2020 12:20 PM
This is a production topology I inherited. It is very unusual and the only one of our branches that is configured that way. I had never seen a setup like that before starting here either.
11-04-2020 03:39 PM
Hello
Can you post the config of the rtr in a file and attach it to this post please.
11-05-2020 05:23 AM