10-22-2014 09:45 AM - edited 03-05-2019 12:01 AM
Hello all!,
I'm a CCNA guy, but on my job we've got BGP with two different ISPs: Cogent and Transtelco. The thing is that I'm not that familiar with BGP, but we need to implement PBR with our BGP connection.
I attached a simple diagram for your reference.
My intention is to make it possible that one of my LAN subnets, 201.158.105.X /28, goes through the Transtelco connection while my other subnets go through Cogent.
So, I did some research about this and I found the route-map solution and so on. Here is a little configuration that I made, and I want to know if I'm going the right way or if I'm missing something:
_________________________________________________
MyCompany-Router(config)# access-list 100 permit tcp 201.158.105.X 0.0.0.15 201.174.78.X 0.0.0.3
MyCompany-Router(config)# access-list 100 permit ip 201.158.105.X 0.0.0.15 201.174.78.X 0.0.0.3
MyCompany-Router(config)# access-list 100 permit udp 201.158.105.X 0.0.0.15 201.174.78.X 0.0.0.3
MyCompany-Router(config)# route-map Transtelco-Clients 10
MyCompany-Router(config-route-map)# match ip address 100
MyCompany-Router(config-route-map)# set ip next-hop 201.174.78.X
MyCompany-Router(config)# int Gi0/0/0
MyCompany-Router(config-if)# ip policy route-map Transtelco-Clients
_________________________________________________
I hope you experts can help me to figure it out and this can help me to get my CCNP certification along the next year.
Thanks in advance,
Ricardo Zamora.
10-22-2014 10:10 AM
That looks pretty good, but I think you might want to simplify your ACL 100 and make it a bit more generic.
Right now, you have it matching TCP, UDP and IP. When you match IP, that includes TCP and UDP packets, so there's no need to have them in there separately.
Also, you're matching a destination of 201.174.78.X/30 which is also the destination of your next hop router. This ACL will work, but will only match traffic that is actually trying to reach your ISP router and will route everything else normally.
If you go with something like this:
access-list 100 permit ip 201.158.105.x 0.0.0.15 any
That will cover all traffic coming from your 201.158.105.x/28 network with any destination and force it to next hop 201.174.78.x.
The route map looks good, it's just the ACL that needs a bit of tweaking.
10-22-2014 10:06 AM
This is almost correct, but what about traffic that is not matched by ACL 100?
Add the following line, without any match or set command, to your configuration to route other traffic (not matched by ACL 100) normally:
MyCompany-Router(config)# route-map Transtelco-Clients 20
Houtan
10-22-2014 10:21 AM
That "route-map Transtelco-Clients 20" isn't really going to do anything, Houtan.
If Ricardo leaves his route map as-is, anything not matched will be routed normally. The default no-match action for a route map is to deny it, so anything that doesn't hit his "route-map Transtelco-Clients 10" match statement will fall out of the route map and won't be considered for PBR. When this happens, normal routing takes over. By adding "route-map Transtelco-Clients 20", you're matching all packets to the PBR rule but not setting any action... dropping things back to normal routing, but adding unnecessary processing beforehand.
10-23-2014 07:09 AM
Hello Jody,
I was wondering to myself last night if it is possible that the route-map could be for a specific host, let's say 201.158.105.13/32, instead of an entire subnet. I mean, just to know if it could be a possibility with PBR.
Thanks.
10-23-2014 07:12 AM
Absolutely. PBR is extremely flexible that way. Just change your ACL to something like this:
access-list 100 permit ip host 201.158.105.13 any
This will match only the host in the ACL and let everything else fall to standard routing.
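To make the ACL and route-map behaviour discussed in this thread concrete (the destination-/30 restriction in the original ACL 100, Jody's `any`-destination version, the `host` variant, and why an empty sequence 20 changes nothing), here is an added Python model of IOS wildcard-mask matching and PBR route-map evaluation. It is not Cisco code or anything from the thread; the concrete addresses (the thread's "X" octets, the next-hop, the test destinations) are constructed placeholders.

```python
import ipaddress

# Constructed model of Cisco IOS wildcard-mask ACLs and route-map/PBR evaluation.
# Not Cisco code; addresses are placeholders standing in for the thread's "X" octets.

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def acl_permits(acl, src: str, dst: str) -> bool:
    """First-match evaluation of permit entries; implicit deny at the end."""
    for s_base, s_wc, d_base, d_wc in acl:
        if wildcard_match(src, s_base, s_wc) and wildcard_match(dst, d_base, d_wc):
            return True
    return False

def policy_route(route_map, src: str, dst: str) -> str:
    """Walk route-map sequences in order. The first sequence whose match clause
    hits applies its set clause; a sequence with no match clause matches everything.
    No match, or a match with no 'set ip next-hop', means normal routing."""
    for seq in route_map:
        acl = seq.get("match_acl")
        if acl is None or acl_permits(acl, src, dst):
            return seq.get("next_hop", "normal-routing")
    return "normal-routing"

ANY = ("0.0.0.0", "255.255.255.255")          # the ACL keyword 'any'
TRANSTELCO_NH = "201.174.78.1"                # assumed next-hop address

# Ricardo's ACL 100 collapsed to its 'ip' entry: source /28 AND destination /30
ACL_ORIGINAL = [("201.158.105.0", "0.0.0.15", "201.174.78.0", "0.0.0.3")]
# Jody's version: source /28, any destination
ACL_JODY = [("201.158.105.0", "0.0.0.15") + ANY]
# Host variant: 'host 201.158.105.13' is wildcard 0.0.0.0
ACL_HOST = [("201.158.105.13", "0.0.0.0") + ANY]

RM_ORIGINAL = [{"seq": 10, "match_acl": ACL_ORIGINAL, "next_hop": TRANSTELCO_NH}]
RM_JODY = [{"seq": 10, "match_acl": ACL_JODY, "next_hop": TRANSTELCO_NH}]
RM_HOST = [{"seq": 10, "match_acl": ACL_HOST, "next_hop": TRANSTELCO_NH}]
# Houtan's empty sequence 20: matches every packet but sets nothing
RM_WITH_EMPTY_20 = RM_JODY + [{"seq": 20}]
```

Running `policy_route` over the same packets with `RM_JODY` and `RM_WITH_EMPTY_20` returns identical results, which is Jody's point about the empty sequence 20.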
10-22-2014 10:29 AM
Hello Jody & Houtan, thank you first of all.
I will make some labs with this configuration. I'm happy because I'm not so bad at routing (:
Ciao!
10-22-2014 11:50 AM
Currently, the acl allows for the 201.158.105.0/28 to be policy routed only if the destination is 201.174.78.0/30. Is this what you're wanting? If so, I wouldn't change the acl outside of potentially removing udp and tcp from the acl if you're going to send all ip through it anyway.
If you're wanting to send all traffic from the 201.158.105.0 subnet to the next hop, you should change to what Jody stated. I would caution though that if you're only wanting to send traffic to the next hop when it matches those destination addresses, do not add what Jody has stated because that affects all traffic sourced from that subnet.
*Edit*
I didn't see the attachment before replying. Jody's response will work for what you're wanting to do now that I see the one leg is your ISP.
HTH,
John
10-22-2014 11:54 AM
Hello John,
What I want to do is that all traffic sourced from the subnet 201.158.105.0/28 goes through Transtelco interface of my router.
I hope this explanation could clarify your doubts.
Thanks :).