04-11-2017 04:37 PM - edited 03-05-2019 08:20 AM
Hi Guys,
I am using the route-map command to direct certain traffic through a tunnel based on the traffic's source IP.
Now I would like to take that traffic but redirect traffic destined for 'Netflix' down the default route. I would like all other traffic to stick to the route-map.
I have tried to put a second route-map command with a higher priority in front of the existing one, but I don't think I can route-map based on destination IP. Also, the interface in question only seems to accept one policy route profile at a time.
Has anyone got any good ideas on how to achieve this? Here is some of my config.
interface Tunnel4
ip address 169.254.40.2 255.255.255.252
ip mtu 1398
ip virtual-reassembly
ip tcp adjust-mss 1358
tunnel source Dialer0
tunnel destination xxx.xxx.136.210
tunnel protection ipsec profile ipsec_paul_profile
interface Vlan1
ip address 172.22.21.254 255.255.254.0
ip nat inside
ip virtual-reassembly
ip policy route-map paul
access-list 52 permit 172.22.20.4
access-list 52 permit 172.22.20.3
access-list 52 permit 172.22.21.111
route-map paul permit 52
match ip address 52
set ip next-hop 169.254.40.1
ip access-list standard netflix_range
permit 108.175.32.0 0.0.15.255
Labels: Other Routing
Accepted Solutions
04-11-2017 05:02 PM
Hi
You could use an extended ACL:
ip access-list extended PRIVATE-NETS
permit ip any 10.0.0.0 0.255.255.255
permit ip any 172.16.0.0 0.15.255.255
permit ip any 192.168.0.0 0.0.255.255
ip access-list extended TRAFFIC-TO-NETFLIX
permit ip any 108.175.32.0 0.0.15.255
route-map paul permit 50 <--- To avoid any problem with internal services
match ip address PRIVATE-NETS
route-map paul permit 51
match ip address TRAFFIC-TO-NETFLIX
set ip next-hop <IP next hop>
route-map paul permit 100 <--- To avoid any blocking with the rest of the traffic.
Hope it is useful
:-)
>> Mark as helpful or answered if the reply resolved your question; this helps other community members with future queries. <<
04-11-2017 05:25 PM
Thanks. So just to confirm 'route-map paul permit 51': will the policy still work even though destination traffic is specified instead of source traffic?
04-11-2017 05:38 PM
Hi
Please correct me, I'm assuming you want to manipulate the traffic to the Netflix public range, am I right?
Regards
>> Mark as helpful or answered if the reply resolved your question; this helps other community members with future queries. <<
04-11-2017 05:43 PM
Yes that is correct Julio, thanks :)
04-11-2017 06:03 PM
Hi
Thank you, so we are good; it should help you. 'any' will represent any source in your internal network and 108.175.32.0 0.0.15.255 will be your destination:
permit ip any 108.175.32.0 0.0.15.255
Take into consideration the following command lines; I have included these in order to avoid any connectivity problem with the private IP ranges that are usually used in company infrastructures. This route-map entry is just going to match, but it will not set any change.
ip access-list extended PRIVATE-NETS
permit ip any 10.0.0.0 0.255.255.255
permit ip any 172.16.0.0 0.15.255.255
permit ip any 192.168.0.0 0.0.255.255
route-map paul permit 50
match ip address PRIVATE-NETS
>> Mark as helpful or answered if the reply resolved your question; this helps other community members with future queries. <<
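As an added example (not from the thread or any Cisco tool), a small Python model of how IOS walks the combined route-map from the accepted answer and the explanation above: wildcard-mask ACL matching (standard ACL 52 on source only, the extended ACLs on destination too), first-match sequence ordering, and the rule that a permit sequence with a match but no set clause, or with no match clause at all, leaves the packet to normal routing. The "<IP next hop>" string is the answer's placeholder kept as-is, the 172.16.0.0/12 wildcard is written as 0.15.255.255, and the sample addresses are constructed.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # Cisco 'any': network 0.0.0.0, wildcard 255.255.255.255


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard-mask test: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


# ACL entries as ((src_net, src_wc), (dst_net, dst_wc)). Standard ACL 52 only
# looks at the source, so its destination part is 'any'; the extended ACLs
# from the accepted answer match on the destination as well.
ACLS = {
    "52": [(("172.22.20.4", "0.0.0.0"), ANY),
           (("172.22.20.3", "0.0.0.0"), ANY),
           (("172.22.21.111", "0.0.0.0"), ANY)],
    "PRIVATE-NETS": [(ANY, ("10.0.0.0", "0.255.255.255")),
                     (ANY, ("172.16.0.0", "0.15.255.255")),
                     (ANY, ("192.168.0.0", "0.0.255.255"))],
    "TRAFFIC-TO-NETFLIX": [(ANY, ("108.175.32.0", "0.0.15.255"))],
}


def acl_permits(acl_name, src, dst):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for (s_net, s_wc), (d_net, d_wc) in ACLS[acl_name]:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return True
    return False


# route-map paul as (sequence, match ACL or None, set next-hop or None).
ROUTE_MAP_PAUL = [
    (50, "PRIVATE-NETS", None),                   # match, no set: normal routing
    (51, "TRAFFIC-TO-NETFLIX", "<IP next hop>"),  # placeholder from the answer
    (52, "52", "169.254.40.1"),                   # original source-based tunnel policy
    (100, None, None),                            # no match clause: matches everything
]


def evaluate(src, dst, route_map=ROUTE_MAP_PAUL):
    """Return (sequence, next_hop) for the first permit sequence that matches.
    next_hop None means the packet is left to the normal routing table."""
    for seq, acl, next_hop in route_map:
        if acl is None or acl_permits(acl, src, dst):
            return seq, next_hop
    return None, None  # fell off the end: normal routing as well
```

Running evaluate() for a tunnel-policy source against a private, a Netflix and a public destination shows that sequence 50 and 51 take precedence over the original sequence 52 purely because of their lower sequence numbers.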
04-11-2017 06:22 PM
Ah yes, you mean extended access list?
04-11-2017 06:42 PM
That is correct. I recommend using extended ACLs if you are going to manipulate traffic through PBR.
:-)
>> Mark as helpful or answered if the reply resolved your question; this helps other community members with future queries. <<
04-11-2017 07:00 PM
Thanks for your help :)
04-11-2017 07:07 PM
You are welcome
Have a great day
:-)
>> Mark as helpful or answered if the reply resolved your question; this helps other community members with future queries. <<
