04-11-2017 04:37 PM - edited 03-05-2019 08:20 AM
Hi Guys,
I am using the route-map command to direct certain traffic through a tunnel based on the traffic's source IP.
Now I would like to take that traffic but redirect traffic destined for 'Netflix' down the default route. I would like all other traffic to stick to the route-map.
I have tried to put a second route-map command with a higher priority in front of the existing one, but I don't think I can route-map based on destination IP. Also the interested interface only seems to accept one policy route profile at a time.
Has anyone got any good ideas on how to achieve this? Here is some of my config.
interface Tunnel4
ip address 169.254.40.2 255.255.255.252
ip mtu 1398
ip virtual-reassembly
ip tcp adjust-mss 1358
tunnel source Dialer0
tunnel destination xxx.xxx.136.210
tunnel protection ipsec profile ipsec_paul_profile
interface Vlan1
ip address 172.22.21.254 255.255.254.0
ip nat inside
ip virtual-reassembly
ip policy route-map paul
access-list 52 permit 172.22.20.4
access-list 52 permit 172.22.20.3
access-list 52 permit 172.22.21.111
route-map paul permit 52
match ip address 52
set ip next-hop 169.254.40.1
ip access-list standard netflix_range
permit 108.175.32.0 0.0.15.255
04-11-2017 05:02 PM
Hi
You could use extended ACLs
ip access-list extended PRIVATE-NETS
permit ip any 10.0.0.0 0.255.255.255
permit ip any 172.16.0.0 0.15.255.255
permit ip any 192.168.0.0 0.0.255.255
ip access-list extended TRAFFIC-TO-NETFLIX
permit ip any 108.175.32.0 0.0.15.255
route-map paul permit 50 <--- To avoid any problem with internal services
match ip address PRIVATE-NETS
route-map paul permit 51
match ip address TRAFFIC-TO-NETFLIX
set ip next-hop <IP next hop>
route-map paul permit 100 <--- To avoid any blocking with the rest of the traffic.
Hope it is useful
:-)
04-11-2017 05:25 PM
Thanks. So just to confirm 'route-map paul permit 51'. Will the policy still work even though destination traffic is specified instead of source traffic?
04-11-2017 05:38 PM
Hi
Please correct me, I'm assuming you want to manipulate the traffic to the Netflix public range, am I right?
Regards
04-11-2017 05:43 PM
Yes that is correct Julio, thanks :)
04-11-2017 06:03 PM
Hi
Thank you, so we are good; it should help you. `any` will represent any source in your internal network, and 108.175.32.0 0.0.15.255 will be your destination:
permit ip any 108.175.32.0 0.0.15.255
Take into consideration the following command lines; I have included them in order to avoid any connectivity problem with the private IP ranges that are usually used on company infrastructures. This route-map sequence is only going to match; it will not set any change.
ip access-list extended PRIVATE-NETS
permit ip any 10.0.0.0 0.255.255.255
permit ip any 172.16.0.0 0.15.255.255
permit ip any 192.168.0.0 0.0.255.255
route-map paul permit 50
match ip address PRIVATE-NETS
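To make the first-match behaviour described in the accepted answer and in the follow-up above concrete, here is a small Python model of route-map paul as the thread leaves it: extended ACLs, the private-range sequence with a match but no set, a Netflix sequence with no set so that traffic falls back to the default route, and the poster's original sequence 52 pointing at the tunnel next hop 169.254.40.1. This is an added example, not configuration from the original posts or from Cisco; the sample flows are constructed, and leaving the `<IP next hop>` placeholder of sequence 51 out (so Netflix traffic uses the routing table) is an assumption based on what the poster asked for. On a real router the equivalent check is `show route-map paul` and `debug ip policy`.

```python
import ipaddress

# Added example, not from the thread: a model of Cisco IOS PBR first-match
# semantics applied to route-map "paul". Sequence 51 is modelled with no
# "set" (an assumption: the poster wants Netflix traffic on the default route,
# so the "<IP next hop>" placeholder from the accepted answer is left out).

ANY = ("0.0.0.0", "255.255.255.255")  # Cisco "any" = 0.0.0.0 255.255.255.255

# ACL name -> list of (action, src_net, src_wildcard, dst_net, dst_wildcard)
ACLS = {
    "PRIVATE-NETS": [
        ("permit", *ANY, "10.0.0.0", "0.255.255.255"),
        ("permit", *ANY, "172.16.0.0", "0.15.255.255"),  # /12 -> wildcard 0.15, not 0.240
        ("permit", *ANY, "192.168.0.0", "0.0.255.255"),
    ],
    "TRAFFIC-TO-NETFLIX": [
        ("permit", *ANY, "108.175.32.0", "0.0.15.255"),
    ],
    "52": [  # the poster's standard ACL: source addresses only
        ("permit", "172.22.20.4", "0.0.0.0", *ANY),
        ("permit", "172.22.20.3", "0.0.0.0", *ANY),
        ("permit", "172.22.21.111", "0.0.0.0", *ANY),
    ],
}

# route-map paul: (sequence, action, match ACL or None, "set ip next-hop" or None)
ROUTE_MAP = [
    (50, "permit", "PRIVATE-NETS", None),        # match, no set -> normal routing
    (51, "permit", "TRAFFIC-TO-NETFLIX", None),  # match, no set -> default route
    (52, "permit", "52", "169.254.40.1"),        # source-based -> Tunnel4 peer
    (100, "permit", None, None),                 # catch-all, normal routing
]

NORMAL = "normal routing"


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard-mask comparison: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def acl_permits(name: str, src: str, dst: str) -> bool:
    """Evaluate an ACL top-down; the implicit deny at the end returns False."""
    for action, src_net, src_wc, dst_net, dst_wc in ACLS[name]:
        if wildcard_match(src, src_net, src_wc) and wildcard_match(dst, dst_net, dst_wc):
            return action == "permit"
    return False


def policy_route(src: str, dst: str):
    """Return (matching sequence or None, next hop or NORMAL) for one packet.

    IOS semantics modelled: sequences are tried in order and the first one whose
    match clause permits the packet wins; a permit sequence with no match clause
    matches everything; a deny sequence, a permit sequence without a set, and
    no match at all each fall back to the routing table.
    """
    for seq, action, acl, next_hop in ROUTE_MAP:
        if acl is not None and not acl_permits(acl, src, dst):
            continue
        if action == "deny" or next_hop is None:
            return seq, NORMAL
        return seq, next_hop
    return None, NORMAL


# Constructed sample flows, one per sequence of interest.
SAMPLE_FLOWS = [
    ("172.22.20.4", "8.8.8.8"),       # tunnelled host to the internet -> seq 52, tunnel
    ("172.22.20.4", "108.175.40.7"),  # tunnelled host to Netflix      -> seq 51, default route
    ("172.22.20.4", "172.22.21.50"),  # tunnelled host to the LAN      -> seq 50, normal routing
    ("172.22.21.200", "8.8.8.8"),     # host not in ACL 52             -> seq 100, normal routing
]

if __name__ == "__main__":
    for src, dst in SAMPLE_FLOWS:
        seq, hop = policy_route(src, dst)
        print(f"{src:>14} -> {dst:<14} seq {str(seq):<4} {hop}")
```

Two things the model makes visible that the configuration alone does not: the order of the sequences matters because ACL 52 matches on source only, so sequences 50 and 51 must sit in front of it or LAN and Netflix traffic from 172.22.20.4 would still be sent into the tunnel; and `wildcard_match` shows why a wildcard of 0.240.255.255, a common slip for the 172.16.0.0/12 range, would leave a destination such as 172.31.5.5 unmatched while 0.15.255.255 covers it.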
04-11-2017 06:22 PM
Ah yes, you mean extended access list?
04-11-2017 06:42 PM
That is correct. I recommend using extended ACLs if you are going to manipulate traffic through PBR.
:-)
04-11-2017 07:00 PM
Thanks for your help :)
04-11-2017 07:07 PM
You are welcome
Have a great day
:-)