cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5211
Views
30
Helpful
11
Replies

Route Map + Static/Default Route

RS19
Level 4
Level 4

In my L3# Switch I have a default route pointing to internet.

ex: 0.0.0.0 0.0.0.0 next hop<x.x.x.x>

 

So by default for any traffic not in the routing table, it will follow the default route.

But would like to know , whether the static/default route can be mapped with any route-map

 

Say if the traffic is only from the source segment 10.100.0.0/16 then only it can use the default route.

Any other source traffic can not use the default route.

 

So is there any way we can map the default route with policy based routing like route-map.

 

 

11 Replies 11

Giuseppe Larosa
Hall of Fame
Hall of Fame

Hello @RS19 ,

you can use PBR to move from destination based routing = normal unicast routing to something that considers other parameters like source address.

However, PBR is applied on the receiving side of internal interfaces not to the static route

Until the default static route exists in the routing table it can be used by other traffic not matching the criteria in the route-map.

In other words traffic not permitted by PBR is processed by destination based routing and so it can use the static default route to go out defeating the objective of using PBR.

Traffic not matching the route-map of PBR is routed normally it is not dropped.

You could drop it if you would use something like a second block that set ouput interface to null0

 

access-list 11 permit 10.100.0.0 0.0.255.255

 

route-map PBR permit 10

match address 11

set ip next-hop <static-default-route-next-hop>

route-map PBR permit 20

set interface null0

 

However, I would not use this approach. If you want to limit what internal VLANs / IP subnets have access to the internet you can modify the NAT configuration on the router that is towards the internet.

NAT is not supported on switches (unless you are using an high end C6500).

 

Hope to help

Giuseppe

Thanks.

I found the below article.

 

https://www.globalknowledge.com/ca-en/resources/resource-library/articles/static-routing/

 

In this article they mentioned that static route can be associated with route map using keyword tag

 

Will this also wont work

Hello @RS19 ,

I have modified my previous post like I have written there I think that changing the NAT configuration is the right approach to achieve your target.

About the article that you have linked

>>You can also specify a “tag” when configuring a static route. This is done by using the keyword “tag”, like this:


  • Router(config)#ip route 10.2.3.0 255.255.255.0 192.168.1.6 tag 1000

That 1000 is not the name of a route-map it is a route tag that is a 32 bit integer value that can be associated to the static route.

The normal use of associating a route tag with static routes is for redistribution purposes: on the same router you can configure for example redistribution of static routes that match a specific value

route-map STATIC-INTO-OSPF permit 10

match tag 1000

 

router ospf 10

redistribute static subnets route-map STATIC-INTO-OSPF

!

but this is not what you need in my understanding.

 

Hope to help

Giuseppe

 

 

 

 

Thanks Attached is diagram for your reference

 

From the diagram VLAN100 & VLAN101 should be able to reach internet

VLAN200 & VLAN201 do not need to have access to Internet.

Option is to add default route in L3#1 & L3#2 pointing to R#1 & R#2 . In this case all the VLANs will be able to have internet access

Which I would like to avoid

 

1 Option is having ACL in NAT router R#1 & R#2 to allow only networks of VLAN100 & 101

 

Is there any other option to achieve this.

 

Hello @RS19 ,

so the Internet access has to be given to guest access Vlans 100, 101 that must not interact with the enterprise network.

 

I see two options here:

a)   configure NAT on R1, R2 so that only subnets 10.100.100.0/24 and 10.100.101.0/24 are NATted

 

b) the second option is to use a VRF , using VRF lite approach and put  SVIs  interface Vlan 100 , vlan 101 in VRF GUEST and also the links to R1, R2 in VRF GUEST. In this way the guest traffic is inside the VRF it cannot reach the enteprise and the default static route is installed only in the IP routing table of  VRF GUEST. You need to configure it like

ip route vrf GUEST 0.0.0.0 0.0.0.0 <R1-next-hop>

WARNING: with this setup R1 and R2 are dedicated for internet access of VLANs 100,101 no other Vlans see the default route and cannot go to the internet using R1 and R2.

 

Hope to help

Giuseppe

 

Thanks

So for option#2 , I need to configure VRF in all the distribution & Core switches right ?

Is my above understanding is right ?

Hello @RS19 ,

your understanding is correct you would need also to provide a routed link using an SVI for example in VRF GUEST from each distribution to the core switch. Because in VRF lite you need an end to end logical path in VRF to have a working connectivity.

 

At this point I would go with option 1 that has the advantage of fewer devices to be configured ( NAT on R1, R2).

 

Hope to help

Giuseppe

 

I am also thinking about the below option to use route-map.

There will be no default route in the Core switches.

I will be configuring route map to check for source subnet.

 

If source subnet belongs VLAN100,101 the next hop will be R#1. Will this be possible

 

The only think i am worried about this is how the fail over will happen

 

Primary traffic flow should be via R#1(Internet 1)

In case of Internet#1 failure or R#1 failure, then only the traffic should  flow via Internet#2 via R#2

Hello @RS19 ,

 

>> If source subnet belongs VLAN100,101 the next hop will be R#1. Will this be possible

This is possible with PBR on the core switches , but how traffic will reach the core switches? Have you got a static default route on distribution

 

>>

The only think i am worried about this is how the fail over will happen

 

Primary traffic flow should be via R#1(Internet 1)

In case of Internet#1 failure or R#1 failure, then only the traffic should flow via Internet#2 via R#2

 

In theory this is possible using set ip next-hop R1 verify-availability . I am not sure you can fallback to R2.

Also the ip next-hop verify-availability can be supported or not on your core switch depending on platform / version.

If I correctly remember two different versions of this feature exists.

The first one without using an IP SLA the second one likely tracking an IP SLA to the next-hop.

 

Hope to help

Giuseppe

 

Thanks

>> If source subnet belongs VLAN100,101 the next hop will be R#1. Will this be possible

This is possible with PBR on the core switches , but how traffic will reach the core switches? Have you got a static default route on distribution

(Answer) - OSPF is running between the distribution & core switch. So reachability is there.

 

Due to some internal restrictions I am not able to add default route in Core switches. So i need to achieve this without adding default route.

 

I need to achieve the below by route-map or any other feature.

1) Primary traffic flow will be via L3#1(Core Switch) ->R#1 router

2) Backup traffic flow will be via L3#2(Core Switch) ->R#2 router

 

a) On L3#1(Core Switch) - There will be route-map

Match source IP segment from VLAN100/101 next hop will be R#1

 - The above will work for traffic received on L3#1 via OSPF

 

b) If the traffic is received on L3#2(Core Switch) how will it forward to L3#1

- By route-map. 

Match source IP segment from VLAN100/101 next hop will be L3#1

 

Not sure if B will work. Cause not sure where to apply the route-map

 

What is the best way to achieve this, without using default route in Core switches ? 

 

Hello @RS19 ,

>> Due to some internal restrictions I am not able to add default route in Core switches. So i need to achieve this without adding default route.

But you will need to inject in OSPF a default route for use at distribution layer using

router ospf 10

default-information originate always metric 50 route-map check-R

 

You can use a lower seed metric on Core1 like 50 and a higher seed metric 1000 on Core2.

But until Core1 is alive it would send out the default route.

It would be better to add  a route-map that checks if R1 is alive in some way.

 

>>

I need to achieve the below by route-map or any other feature.

1) Primary traffic flow will be via L3#1(Core Switch) ->R#1 router

2) Backup traffic flow will be via L3#2(Core Switch) ->R#2 router

 

a) On L3#1(Core Switch) - There will be route-map

Match source IP segment from VLAN100/101 next hop will be R#1

- The above will work for traffic received on L3#1 via OSPF

 

The PBR works on inbound traffic so this route-map has to be applied on OSPF interfaces to distribution.

 

>> b) If the traffic is received on L3#2(Core Switch) how will it forward to L3#1

- By route-map.

Match source IP segment from VLAN100/101 next hop will be L3#1

 

I am afraid that at this point if traffic hits Core2 would mean that Core1 is dead or it has lost its connection to R1 so if traffic from Vlan 100,101 hits core2 it should be redirected to R2.

This is my opinion. This is valid if you generate a better default route on Core1 as explained above.

 

Hope to help

Giuseppe

 

Review Cisco Networking for a $25 gift card