Route-map with ACL

santoshdpawar
Level 1

Hi Guys,

I have PBR with a route-map applied on the LAN interface of the router. The PBR uses the route-map below:

R1:

route-map PBR permit 10
 match ip address OFFLOAD
 set ip next-hop 172.16.1.5

ACL contents:

ip access-list extended OFFLOAD
 deny tcp 10.0.0.0 0.255.255.255 20.0.0.0 0.0.3.255 eq 14xx
 deny ip 10.0.0.0 0.255.255.255 host 30.1.1.1
 deny ip 10.0.0.0 0.255.255.255 host 30.1.1.5
 permit ip 10.0.0.0 0.255.255.255 any

interface FastEthernet0/0
 ip address 172.16.1.2 255.255.255.0
 standby 1 ip 172.16.1.1
 standby 1 preempt
 ip policy route-map PBR

R2:

R2 has the same interface config, with HSRP, as Fa0/0 of R1. The policy is applied to offload traffic from R1 to R2, i.e. keep only the traffic denied in the ACL on the R1 WAN link.

But somehow the policy is not working and denied traffic is going via R1 itself. I guess we can't use deny statements in a route-map?

Regards,

Santosh


3 Replies

Richard Burts
Hall of Fame

Santosh

It is possible to use deny statements in an access list used for PBR.

I find your post confusing. You tell us first that "i.e. keep only denied traffic in ACL on R1 WAN link."

and then you tell us that the fact that denied traffic is going via R1 is reason to believe that PBR is not working.

I am also confused by your addressing. The interface where PBR is applied is in subnet 172.16.1. But the access list is permitting source addresses in 10.0.0.0. Where are the 10.0.0.0 hosts and how do they get to your fa0/0 interface?

HTH

Rick

Hi Richard,

Thanks for the reply & sorry for the confusion. I messed it up while drafting. Let me explain it again:

R1 & R2 have HSRP configured with R1 primary and R2 secondary (two different telcos). Network 10.x is behind the R1-R2 LAN (routing defined at the LAN). The purpose of PBR is to offload some traffic from R1 to R2 (to use the standby telco).

PBR is used with a route-map wherein an ACL is defined with deny statements. I guess this traffic should go via R1 (follow R1's routing table). The last permit statement should divert traffic to R2 (LAN interface IP) to follow R2's telco, due to the set interface statement, for sure.

The question is whether the deny statements will follow R1 routing? Generally we use a permit statement and then divert using set interface, IP, etc.

Regards,

Santosh

Santosh

Thank you for the additional explanation, which does help to clear up the issue. Some people do get confused about what happens when the access list in PBR has deny statements, so you are in good company about this. If a packet matches a deny in the access list used in PBR, then it just follows the normal routing logic.

Some people assume that if an access list denies a packet, the packet is dropped and not forwarded. This is true if the access list is used on an interface with access-group. But it is not the case with PBR. When used with PBR the deny just says "do not use PBR logic" and the regular routing logic is used. So I would expect that any traffic that is denied in the access list (any host in 10.0.0.0 with destination 30.1.1.1 or 30.1.1.5) will use the outbound connection on R1.

HTH

Rick
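As an added illustration (not part of the thread), a small Python model of the two ACL semantics Rick contrasts: the same OFFLOAD list used by the route-map sends a denied packet to normal routing, while the same list as an interface access-group drops it. The port for "eq 14xx" is a constructed placeholder because the post elides it; everything else is taken from the posted config.

```python
import ipaddress

# Constructed copy of the thread's OFFLOAD ACL as (action, proto, src, dst, dport).
# The post writes the port as "eq 14xx"; PLACEHOLDER_PORT stands in for it.
PLACEHOLDER_PORT = 1400
OFFLOAD_ACL = [
    ("deny", "tcp", "10.0.0.0 0.255.255.255", "20.0.0.0 0.0.3.255", PLACEHOLDER_PORT),
    ("deny", "ip", "10.0.0.0 0.255.255.255", "host 30.1.1.1", None),
    ("deny", "ip", "10.0.0.0 0.255.255.255", "host 30.1.1.5", None),
    ("permit", "ip", "10.0.0.0 0.255.255.255", "any", None),
]
PBR_NEXT_HOP = "172.16.1.5"  # from the route-map in the post


def _match_addr(spec, addr):
    """Match an IOS address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return ipaddress.ip_address(addr) == ipaddress.ip_address(parts[1])
    net, wildcard = (int(ipaddress.ip_address(p)) for p in parts)
    care = ~wildcard & 0xFFFFFFFF  # wildcard bit 1 = don't care
    return (int(ipaddress.ip_address(addr)) & care) == (net & care)


def acl_action(acl, proto, src, dst, dport=None):
    """First-match evaluation with the implicit deny at the end, as IOS does."""
    for action, p, s, d, port in acl:
        if p != "ip" and p != proto:
            continue
        if not (_match_addr(s, src) and _match_addr(d, dst)):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"


def pbr_decision(acl, proto, src, dst, dport=None):
    """Route-map semantics: permit applies 'set ip next-hop'; deny means no PBR."""
    if acl_action(acl, proto, src, dst, dport) == "permit":
        return f"policy-routed to {PBR_NEXT_HOP}"
    return "normal routing (R1 table)"


def access_group_decision(acl, proto, src, dst, dport=None):
    """The same ACL as an interface access-group: here a deny really drops."""
    return "forwarded" if acl_action(acl, proto, src, dst, dport) == "permit" else "dropped"
```

Traffic from 10.x to 30.1.1.1 comes back as "normal routing" from pbr_decision but "dropped" from access_group_decision, which is exactly the distinction that confused the original poster.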