Policy routing based upon destination address?

alec.waters
Level 1

Hi all,

I'm trying to set up some policy based routing; my route-maps match on an ACL and do a "set interface".

If my acl says this:

permit ip source.addr source.mask any

...PBR works as expected. However, if it says this:

permit ip any dest.addr dest.mask

...it doesn't. "show ip access-list" shows matches, but "show route-map" says that no packets were policy routed.

The policy I'm trying to enforce is this:

"If a packet arrives on interface XXX destined for destination.address, ignore what's in the routing table and send it out of interface YYY"

Can I do this with policy routing? Or does ACL matching only work for source addresses?

many thanks,

alec
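
The policy stated in the question ("arrives on interface XXX, destined for destination.address, send it out of interface YYY") expressed as an IOS PBR configuration. This is an added example, not configuration from the original post; the interface names, the 192.0.2.0/24 destination and the 203.0.113.1 next hop are placeholders (RFC 5737 documentation ranges). The comments also carry two caveats a practitioner would check when a destination-based ACL shows hits but the route-map counts nothing.

```cisco
! Added example, not from the original post. Placeholders:
!   GigabitEthernet0/0 = ingress interface XXX
!   192.0.2.0/24       = destination.address / destination.mask
!   203.0.113.1        = next hop reachable out of egress interface YYY
!
! Match on destination only; the source is deliberately "any".
ip access-list extended PBR-TO-DEST
 permit ip any 192.0.2.0 0.0.0.255
!
! Only ACL matches are policy routed. There is no further sequence,
! so everything else falls through to the normal routing table.
route-map PBR-VIA-YYY permit 10
 match ip address PBR-TO-DEST
 set ip next-hop 203.0.113.1
!
! Caveat 1: "set interface" is dependable only on point-to-point links.
! On a multi-access (Ethernet) egress interface the router must resolve
! the destination with ARP, so "set ip next-hop" is the safer choice.
!
! Apply inbound on ingress interface XXX. PBR applies to transit traffic
! arriving here and overrides the routing-table lookup for matches.
interface GigabitEthernet0/0
 description ingress interface XXX (placeholder)
 ip policy route-map PBR-VIA-YYY
!
! Caveat 2 (NAT order of operations): on an "ip nat outside" interface,
! outside-to-inside translation runs BEFORE policy routing, so the ACL
! must match the translated (inside local) destination, not the global
! address seen on the wire.
!
! Verification:
!   show ip policy            - confirms the route-map is bound to the interface
!   show route-map PBR-VIA-YYY - "Policy routing matches" should increment
!   debug ip policy           - per-packet decisions (lab use only; verbose)
```

Two counters matter when troubleshooting: `show ip access-list` counts every packet the ACL evaluated, while `show route-map` counts only packets that were actually policy routed. ACL hits with a zero route-map counter therefore point at the route-map not being applied to the ingress interface, at a `set` action the router could not honour, or at a translated address that no longer matches the ACL.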

4 Replies

Harold Ritter
Spotlight

Are you using NAT in this setup? If so, this could explain why it didn't work with the second ACL. You might want to consult the following document about the NAT order of operation:

http://www.cisco.com/warp/customer/556/5.html

Hope this helps,

Regards,
Harold Ritter, CCIE #4168 (EI, SP)

Hi Harold,

There's no NAT here, I'm afraid - all IP addresses are public. The ACL shows matches, but show route-map says that no packets were policy routed.

I want packets arriving on interface XXX that are _destined_ for destination.net to leave the router via interface YYY - I don't care about the source addresses, just the interface and the destination.

There is already a route in the routing table for destination.net, as it happens to be directly connected. I want to use policy routing to override this route for traffic that enters the router on interface XXX.

Is this possible?

many thanks,

alec

Could you please post your configuration.

Thanks,

Regards,
Harold Ritter, CCIE #4168 (EI, SP)

Hi Harold,

Hmm. I've got it working, although not quite in the way I want. Here's what's going on:

- I have a "primary" Internet connection, called ConnectionA. There is a default route pointing out of this interface.

- I have a network called NetA, consisting of public IP addresses reachable from the Internet via ConnectionA.

- I have a DSL line, called ConnectionB.

- I have a network called NetB, consisting of public IP addresses reachable from the Internet via ConnectionB. I use policy routing based on source address to ensure that hosts on NetB use ConnectionB to access the Internet. This works fine :)

- I have a connection called NetB-2, consisting of private IP addresses. I use policy routing based on source address to ensure that hosts on NetB-2 use ConnectionB to access the Internet; PAT is used to translate these addresses into one of those drawn from NetB. This works fine :)

- All networks and connections are attached to the same router.

What I want to do is have hosts on NetB and NetB-2 access hosts on NetA not directly, but via the Internet. Policy routing based on source address handles the outbound traffic from NetB and NetB-2, and I'm using policy routing based on destination address to handle the return traffic from NetA.

This works fine if the hosts are on NetB. It doesn't work if they're on NetB-2.

What's confusing me is why. NetA should treat return traffic the same, since the traffic from NetB-2 gets natted to use a source address from NetB, and so should get treated in the same way as an ordinary host on NetB.

I guess the router is getting confused because there's a NAT translation in place?

thanks,

alec