Policy Based Routing - Making Exceptions

Paul Smith
Level 1

Hi Guys,

I am using the route-map command to direct certain traffic through a tunnel based on the traffic's source IP.

Now I would like to take that traffic but redirect traffic destined for 'Netflix' down the default route. I would like all other traffic to stick to the route-map.

I have tried to put a second route-map command with a higher priority in front of the existing but I don't think I can route-map based on destination IP. Also the interested interface only seems to accept one policy route profile at a time.

Has anyone got any good ideas on how to achieve this? Here is some of my config.

interface Tunnel4
 ip address 169.254.40.2 255.255.255.252
 ip mtu 1398
 ip virtual-reassembly
 ip tcp adjust-mss 1358
 tunnel source Dialer0
 tunnel destination xxx.xxx.136.210
 tunnel protection ipsec profile ipsec_paul_profile

interface Vlan1
 ip address 172.22.21.254 255.255.254.0
 ip nat inside
 ip virtual-reassembly
 ip policy route-map paul

access-list 52 permit 172.22.20.4
access-list 52 permit 172.22.20.3
access-list 52 permit 172.22.21.111

route-map paul permit 52
 match ip address 52
 set ip next-hop 169.254.40.1

ip access-list standard netflix_range
 permit 108.175.32.0 0.0.15.255

Accepted Solution

Hi

You could use an extended ACL

! 'permit ip any <dst>' is extended-ACL syntax, so the lists must be 'extended'
ip access-list extended PRIVATE-NETS
 permit ip any 10.0.0.0 0.255.255.255
 permit ip any 172.16.0.0 0.15.255.255
 permit ip any 192.168.0.0 0.0.255.255

ip access-list extended TRAFFIC-TO-NETFLIX
 permit ip any 108.175.32.0 0.0.15.255

route-map paul permit 50       <--- To avoid any problem with internal services
match ip address PRIVATE-NETS

route-map paul permit 51
match ip address TRAFFIC-TO-NETFLIX
set ip next-hop <IP next hop>

route-map paul permit 100     <--- To avoid any blocking with the rest of the traffic.

Hope it is useful

:-)
>> Mark as helpful or answered if the reply resolved your question; this helps other community members with future queries. <<


9 Replies


Thanks. So just to confirm 'route-map paul permit 51': will the policy still work even though destination traffic is specified instead of source traffic?

Hi

Please correct me, I'm assuming you want to manipulate the traffic to the Netflix public range, am I right?

Regards


Yes that is correct Julio, thanks :)

Hi

Thank you, so we are good; it should help you. 'any' will represent any source in your internal network and 108.175.32.0 0.0.15.255 will be your destination:

permit ip any 108.175.32.0 0.0.15.255

Take into consideration the following command lines. I have included them to avoid any connectivity problem with the private IP ranges that are usually used on company infrastructures. This route-map entry is just going to match; it will not set any change.

! extended syntax, since these lines match on destination; 172.16.0.0/12 is wildcard 0.15.255.255
ip access-list extended PRIVATE-NETS
 permit ip any 10.0.0.0 0.255.255.255
 permit ip any 172.16.0.0 0.15.255.255
 permit ip any 192.168.0.0 0.0.255.255

route-map paul permit 50
 match ip address PRIVATE-NETS

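The route-map ordering from the accepted answer and the point made just above (a permit entry with no set clause matches the packet but leaves it to normal routing) can be checked offline with a small model of how IOS evaluates a PBR route-map: sequences in ascending order, first match wins, wildcard-mask ACL matching. This is an added example written for this thread, not configuration or code from the thread or from Cisco. The sample flows are constructed, the Netflix next hop is kept as the `<IP next hop>` placeholder from the answer, and the 172.16.0.0/12 entry uses wildcard 0.15.255.255; check_wildcards() shows what the 0.240.255.255 mask that appeared in the post would and would not match.

```python
"""Toy model of IOS route-map / wildcard-ACL evaluation (added example,
not from the thread). Sample flows and the Netflix next hop are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Wild = Tuple[str, str]                        # (base address, IOS wildcard mask)
ANY: Wild = ("0.0.0.0", "255.255.255.255")   # the ACL keyword 'any'


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the mask is 'don't care', a 0 bit must match."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def host(addr: str) -> Wild:
    """'permit <host>' in a standard ACL is the same as wildcard 0.0.0.0."""
    return (addr, "0.0.0.0")


@dataclass
class Ace:
    """One permit line: source and destination. A standard ACL only looks at the source."""
    src: Wild
    dst: Wild = ANY

    def matches(self, src: str, dst: str) -> bool:
        return wildcard_match(src, *self.src) and wildcard_match(dst, *self.dst)


@dataclass
class Seq:
    """One 'route-map <name> permit <seq>' entry."""
    seq: int
    acl: Optional[List[Ace]]          # None: no match clause, so it matches everything
    next_hop: Optional[str] = None    # None: no set clause, so normal routing applies


def pbr_decision(route_map: List[Seq], src: str, dst: str) -> str:
    """Next hop imposed by PBR, or 'routing-table' when the packet is routed normally."""
    for entry in sorted(route_map, key=lambda e: e.seq):
        if entry.acl is None or any(ace.matches(src, dst) for ace in entry.acl):
            # First matching permit sequence wins. A permit with no set clause, and
            # the implicit deny at the end, both fall through to the routing table,
            # which for Internet destinations means the default route.
            return entry.next_hop or "routing-table"
    return "routing-table"


# ACLs from the thread (172.16.0.0/12 needs wildcard 0.15.255.255).
PRIVATE_NETS = [Ace(ANY, ("10.0.0.0", "0.255.255.255")),
                Ace(ANY, ("172.16.0.0", "0.15.255.255")),
                Ace(ANY, ("192.168.0.0", "0.0.255.255"))]
TRAFFIC_TO_NETFLIX = [Ace(ANY, ("108.175.32.0", "0.0.15.255"))]
ACL_52 = [Ace(host("172.22.20.4")), Ace(host("172.22.20.3")), Ace(host("172.22.21.111"))]

NETFLIX_NEXT_HOP = "<IP next hop>"   # placeholder exactly as written in the answer

ROUTE_MAP_PAUL = [
    Seq(50, PRIVATE_NETS),                     # match only: internal traffic routes normally
    Seq(51, TRAFFIC_TO_NETFLIX, NETFLIX_NEXT_HOP),
    Seq(52, ACL_52, "169.254.40.1"),           # the OP's original entry: into Tunnel4
    Seq(100, None),                            # catch-all: everything else routes normally
]


def demo() -> dict:
    """Constructed flows from the OP's Vlan1 subnet, one per route-map sequence."""
    flows = {
        "internal":     ("172.22.20.4", "10.1.1.1"),
        "netflix":      ("172.22.20.4", "108.175.40.5"),
        "tunnelled":    ("172.22.20.4", "8.8.8.8"),
        "not-in-acl52": ("172.22.21.50", "8.8.8.8"),
    }
    return {name: pbr_decision(ROUTE_MAP_PAUL, s, d) for name, (s, d) in flows.items()}


def check_wildcards() -> dict:
    """Compare the 0.240.255.255 mask from the post with the correct /12 mask."""
    return {
        "typo_matches_172.22":  wildcard_match("172.22.21.5", "172.16.0.0", "0.240.255.255"),
        "typo_matches_172.32":  wildcard_match("172.32.0.1", "172.16.0.0", "0.240.255.255"),
        "fixed_matches_172.22": wildcard_match("172.22.21.5", "172.16.0.0", "0.15.255.255"),
        "fixed_matches_172.32": wildcard_match("172.32.0.1", "172.16.0.0", "0.15.255.255"),
    }


if __name__ == "__main__":
    print(demo())
    print(check_wildcards())
```

Running it shows why the order matters: a source listed in ACL 52 still reaches Netflix through sequence 51 and internal destinations through sequence 50 because those sit before the OP's sequence 52, while the same source to any other Internet address is sent into the tunnel, and a source outside ACL 52 falls through to sequence 100 and the routing table. The wildcard check also shows that 0.240.255.255 would have left the OP's own 172.22.x.x hosts outside PRIVATE-NETS while matching 172.32.x.x, which is not private space.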

Ah yes, you mean extended access list?

That is correct, I recommend using an extended ACL if you are going to manipulate traffic through PBR

:-)


Thanks for your help :)

You are welcome 

Have a great day

:-)
