
Policy Based Routing on Nexus 7k

RYAN PAUL
Level 1

I just installed a pair of Nexus 7k's as our network core.  Our default route sends traffic out to an ASA 5545 (10.60.10.30) which uses WCCP to redirect traffic to Websense for web filtering.  As part of a Security ELA we signed with Cisco, we are going to test out the Web Security Appliance. 

 

To start, I would like to send the web traffic from a couple of hosts out our secondary Internet pipe (ASA 5525 - 10.60.10.21) and use WCCP to send the traffic to the WSA. 

 

On the 7k's I've entered the following:

config t
feature pbr
ip access-list PBR-ACL
permit ip 10.60.240.50 255.255.255.255 any
permit ip 10.60.240.62 255.255.255.255 any
permit ip 10.60.240.68 255.255.255.255 any

 

ip policy route-map PBR-Route-Map
route-map PBR-Route-Map permit 10
match ip address PBR-ACL
set ip next-hop 10.60.10.21
!

However, I'm not sure what interface to apply the route map to.  The IT VLAN is vlan 701 and when I apply the route map to that interface, all traffic from IT goes out the VLAN.  Eventually that will be OK, but we don't want to interrupt daily operations.  I thought about applying the route-map to the inbound port channel but I'm not sure if that's the best location.  Can anyone provide some assistance?

Ryan

1 Accepted Solution

Accepted Solutions

Jaderson Pessoa
VIP Alumni

Hello,

 

ip policy route-map PBR-Route-Map 
route-map PBR-Route-Map permit 10 
match ip address PBR-ACL

try it
set ip default next-hop 10.60.10.21 
!

Jaderson Pessoa
*** Rate All Helpful Responses ***


9 Replies


Hi,

 

Thanks for your response.

 

Wouldn't that set all ip traffic to go to 10.60.10.21 though?  Also, on which interface do I place the route-map?

 

Ryan

 

If you use "set ip next-hop x.x.x.x" then all traffic is sent to x.x.x.x without checking the IP routing table whereas if you use "set ip default next-hop x.x.x.x" the routing table is checked first and if there is a matching route (but not a default route as that does not count) then that route is used, otherwise traffic is sent to x.x.x.x. 

 

So you would usually use the default next-hop if you wanted traffic between vlans on the switch to be routed via the routing table but other traffic that would use the default route to use your PBR default instead. 

 

You apply your PBR route map to the L3 interface on your switch where the traffic arrives from so if the clients are in vlan 701 you would apply it to the L3 interface for that vlan.

 

Jon
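To make the distinction in the reply above concrete, here is an added Python model (not NX-OS code and not from the original thread) of the forwarding decision for a packet that the route-map has already matched. The routing table is constructed from the addresses in the thread: VLAN 701 is the IT VLAN, 10.60.10.30 is the primary ASA behind the default route and 10.60.10.21 is the secondary ASA used as the PBR next hop; the /24 prefix lengths, the second user VLAN and the firewall transit VLAN are assumptions. It shows why plain `set ip next-hop` also drags inter-VLAN traffic to the secondary ASA, while `set ip default next-hop` only redirects traffic that would otherwise have used the default route.

```python
import ipaddress

# Added illustration of 'set ip next-hop' vs 'set ip default next-hop'.
# Not NX-OS code. Addresses from the thread; subnet sizes and the extra
# VLANs are assumptions made for the example.
PBR_NEXT_HOP = "via 10.60.10.21"

ROUTING_TABLE = [
    ("10.60.240.0/24", "connected Vlan701"),  # IT VLAN, /24 assumed
    ("10.60.200.0/24", "connected Vlan702"),  # assumed second user VLAN
    ("10.60.10.0/24", "connected Vlan10"),    # assumed firewall transit VLAN
    ("0.0.0.0/0", "via 10.60.10.30"),         # default route to the primary ASA
]


def lookup(dst):
    """Longest-prefix match over ROUTING_TABLE; returns (network, next_hop) or None."""
    d = ipaddress.IPv4Address(dst)
    best = None
    for prefix, next_hop in ROUTING_TABLE:
        net = ipaddress.IPv4Network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def forward(dst, pbr_matched, mode=None):
    """Forwarding decision for one packet.

    pbr_matched: whether the route-map's match clause selected the packet.
    mode: None (no policy on the ingress interface), "next-hop" or
          "default next-hop", i.e. which set clause the route-map carries.
    """
    route = lookup(dst)
    table_hop = route[1] if route else "drop (no route)"
    if not pbr_matched or mode is None:
        return table_hop
    if mode == "next-hop":
        # set ip next-hop: the routing table is not consulted at all
        return PBR_NEXT_HOP
    if mode == "default next-hop":
        # set ip default next-hop: a specific route wins; only packets that
        # would have used the default route (or have no route) take the PBR hop
        if route is not None and route[0].prefixlen > 0:
            return table_hop
        return PBR_NEXT_HOP
    raise ValueError(f"unknown mode {mode!r}")


def compare(dsts):
    """For each destination, the decision under both set clauses for a matched packet."""
    return {dst: (forward(dst, True, "next-hop"), forward(dst, True, "default next-hop"))
            for dst in dsts}


if __name__ == "__main__":
    # 10.60.200.5 is an inter-VLAN destination; 8.8.8.8 goes out the default route.
    for dst, (plain, default) in compare(["10.60.200.5", "8.8.8.8"]).items():
        print(f"{dst:14} next-hop -> {plain:20} default next-hop -> {default}")
```

The second row of that output is what the thread wants (Internet-bound traffic from the selected hosts leaves via 10.60.10.21); the first row is what plain `set ip next-hop` would do to traffic between VLAN 701 and another VLAN on the same core.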

Apply it on vlan 701.
Jaderson Pessoa
*** Rate All Helpful Responses ***

That didn't work.  I applied the following and all traffic on vlan 701 went through 10.60.10.21.  The route-map only specifies that 3 hosts are supposed to go through that gateway while the rest of the traffic should go through the default gateway of 10.60.10.30.  Any other ideas?

I'm using Nexus 7706 with software 7.3(3)D1(1).

 

Here is the config that I used:

IP access list PBR-ACL
     10 permit ip 10.60.240.50 255.255.255.255 any
     20 permit ip 10.60.240.62 255.255.255.255 any
     30 permit ip 10.60.240.68 255.255.255.255 any

route-map PBR-Route-Map permit 10
match ip address PBR-ACL
set ip default next-hop 10.60.10.21

int vlan 701
ip policy route-map PBR-Route-Map

 

Am I missing something?

 

Hello Ryan,

 

IP access list PBR-ACL
     10 permit ip 10.60.240.50 255.255.255.255 any 
     20 permit ip 10.60.240.62 255.255.255.255 any 
     30 permit ip 10.60.240.68 255.255.255.255 any

 

Extended and standard ACLs use a wildcard mask for configuration.

 

IP access list PBR-ACL
     10 permit ip 10.60.240.50 0.0.0.0 any 
     20 permit ip 10.60.240.62 0.0.0.0 any 
     30 permit ip 10.60.240.68 0.0.0.0 any

 

Now only those hosts will be allowed to use this PBR.

Jaderson Pessoa
*** Rate All Helpful Responses ***
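The fix above works because the second field of the ACL source is a wildcard mask, where a 1 bit means "don't care": 255.255.255.255 ignores every bit and therefore matches every source on VLAN 701, which is exactly the symptom reported earlier in the thread, while 0.0.0.0 requires an exact match. The following Python is an added example, not Cisco's parser and not from the original thread; it models the "address wildcard" form the thread settles on together with the equivalent `host A`, `A/len` and `any` spellings, and runs both ACL versions against the three IT hosts from the thread plus two constructed neighbours.

```python
import ipaddress

# Added illustration of NX-OS-style ACL source matching. Not Cisco's parser.
# Models four source token shapes: any | host A | A/len | A WILDCARD.
# In a wildcard mask a 1 bit means "don't care" for that bit.
ALL_ONES = 0xFFFFFFFF


def parse_source(token):
    """Return (base, care) ints such that a source matches when src & care == base."""
    parts = token.split()
    if parts == ["any"]:
        return 0, 0
    if len(parts) == 2 and parts[0] == "host":
        return int(ipaddress.IPv4Address(parts[1])), ALL_ONES
    if len(parts) == 1 and "/" in parts[0]:
        net = ipaddress.IPv4Network(parts[0], strict=False)
        return int(net.network_address), int(net.netmask)
    if len(parts) == 2:
        addr = int(ipaddress.IPv4Address(parts[0]))
        wildcard = int(ipaddress.IPv4Address(parts[1]))
        care = ~wildcard & ALL_ONES        # invert: 1 bits in the wildcard are ignored
        return addr & care, care
    raise ValueError(f"unrecognised source token: {token!r}")


def matches(token, src):
    """True if the source address src is selected by the ACL source token."""
    base, care = parse_source(token)
    return (int(ipaddress.IPv4Address(src)) & care) == base


def policy_routed(acl, sources):
    """Sources a permit-only ACL selects (first match wins, implicit deny at the end)."""
    return [s for s in sources if any(matches(entry, s) for entry in acl)]


# The three IT hosts from the thread, plus two constructed neighbours on VLAN 701.
IT_HOSTS = ["10.60.240.50", "10.60.240.62", "10.60.240.68"]
OTHER_HOSTS = ["10.60.240.10", "10.60.240.100"]   # constructed, not from the thread

# The ACL as first posted: a subnet mask typed in the wildcard position.
BROKEN_ACL = [f"{h} 255.255.255.255" for h in IT_HOSTS]
# The corrected ACL from the accepted fix.
FIXED_ACL = [f"{h} 0.0.0.0" for h in IT_HOSTS]


def explain():
    """Which VLAN 701 sources each ACL version would hand to the route-map."""
    everyone = IT_HOSTS + OTHER_HOSTS
    return {
        "broken (255.255.255.255 wildcard)": policy_routed(BROKEN_ACL, everyone),
        "fixed (0.0.0.0 wildcard)": policy_routed(FIXED_ACL, everyone),
        "host keyword": policy_routed([f"host {h}" for h in IT_HOSTS], everyone),
        "/32 prefix": policy_routed([f"{h}/32" for h in IT_HOSTS], everyone),
    }


if __name__ == "__main__":
    for label, selected in explain().items():
        print(f"{label:36} -> {selected}")
```

A quick way to catch this class of mistake before applying a policy on a production SVI is to check the ACL against a source that should not match; with the broken entries, every address in the VLAN comes back as selected.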

That worked!!!  Thanks to both of you for your help.  

Great,

If possible, mark as helpful all posts that helped you.

Thanks in advance.
Jaderson Pessoa
*** Rate All Helpful Responses ***