Solved: Re: Policy based routing or not

kapydan88 · ‎04-21-2020

Hello for everybody.

We are going to install new ASA in one of the offices - current scheme in attach. But before installing, i would like to make sure that all the new settings are working. For these purposes, i plan to create a test vlan 100 (192.168.100.0 / 24) and use the PBR to install the internal interface of the new asa for nat from this vlan.

Is this correct way use PBR for these purposes?

Basic settings from the router below.

ISR#sh run | s ospf
...
router ospf 1 vrf office
...
redistribute connected subnets
...
default-information originate always
ISR#

ISR#sh run | i 0.0.0.0 0.0.0.0
ip route 0.0.0.0 0.0.0.0 1.2.3.4 external ip of ISR
ip route vrf office 0.0.0.0 0.0.0.0 10.10.20.2 current interface old asa inside for nat
ISR#

paul driver · ‎04-22-2020

Hello

You don’t even need to create a access list as it looks like you wish to policy route all of the new subnet 100 towards the ASA, you could also apply some resiliency to the policy route in case the link to that asa fail or the next hop is unreachable and you wish to failover to the other ASA next hop however in the interim the below config is all what you need to do for basic policy routing

conf t

route-map PBR

set ip next-hop 10.10.10.2


int gig0/0/0.100
ip policy route-map PBR

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

View solution in original post

Jon Marshall · ‎04-21-2020

I can't work out how the first default route relates to your diagram but in answer to your question yes PBR can be used to test before you go live.

Are you asking for help with the PBR configuration ?

Jon

kapydan88 · ‎04-21-2020

Thanks for answer.

First default route, which without any vrf, there is because, on this router comes a pair of gre tunnels. A default route in the vrf office - for nat in this office.

In this case the procedure should be something like this.

1) Create sub interface on the ISR router

interface GigabitEthernet0/0/0.100
encapsulation dot1Q 100
ip vrf forwarding office
ip address 192.168.100.1 255.255.255.0

2) Create acl

access-list extended vlan100 

permit ip 192.168.100.0 0.0.0.255 any

3) Create PBR and set next hope 10.10.10.2 - inside interface of new ASA.

Jon Marshall · ‎04-21-2020

That should work fine.

Any problems let us know.

Jon

kapydan88 · ‎04-21-2020

and im not sure about need to implement this PBR to the subinterface

interface GigabitEthernet0/0/0.100

ip policy route-map <name>

Jon Marshall · ‎04-22-2020

Yes, you need to create the route map and then apply that route map just as your configuration suggests.

Jon

paul driver · ‎04-22-2020

Hello

You don’t even need to create a access list as it looks like you wish to policy route all of the new subnet 100 towards the ASA, you could also apply some resiliency to the policy route in case the link to that asa fail or the next hop is unreachable and you wish to failover to the other ASA next hop however in the interim the below config is all what you need to do for basic policy routing

conf t

route-map PBR

set ip next-hop 10.10.10.2


int gig0/0/0.100
ip policy route-map PBR

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul