I appreciate the effort to supply creative alternative solutions. But I believe that this is a bad suggestion. If you redirect traffic to the interface then when the router attempts to forward the packet out the interface it will have to arp for every destination. It will greatly increase the size of the arp table and increase the cpu effort to maintain the arp table.

This is essentially the same result as configure ip route 0.0.0.0 0.0.0.0 Gi0/2

And I hope that there is a common understanding that this configuration causes problems.

HTH

Rick

Hello. I fully understand this already. And I'm also of the school of thought that the next hop should be used where possible (hence the 'for examples sake')
I'd like to say though, what if I had a router and I simply had ip route 0.0.0.0 0.0.0.0 gi0/2. Are you trying to say that the router will be overwhelmed or will be struggling for CPU a whole bunch more just managing the arp table if I had a default route out via an interface. I'm sorry but if a router starts being saturated because of this then I'd seriously look at getting some other router if it was to cause problems. A router should be scaled enough to cope with a simple default route, and however many arp entries there were to be with the necessary 'grunt' required.

I was not in disagreement with you. I was just providing an example of a clear config that is broken in to distinct sections/steps that would be required for similar config in order to implement pbr.

Thanks

Sent from Cisco Technical Support iPhone App

Hello

I assume in PBR,  The  router uses the same process as it would with a statically assigned route to an interface instead of the next-hop ip address.

( As stated)

Directing a route out of the next hop interface can cause excess traffic and memory starvation.

In this case the router will assume any smtp traffic is directly connected and therefore  arp for mac address to forward the packets

If this is correct then it would be best to specify the next hop ip address with some verification the ip is available

.

route-map PBR_FOR_LAN permit 10

match ip address ANY_TO_PORT25

set ip next-hop x.x.x.x

set ip next-hop verify-availability

res

Paul

Please don't forget to rate any posts that have been helpful.

Thanks.

Hello p driver. I already know this and has been stated before. So thanks.

In your config you have

set ip next-hop verify-availability 

Is this necessary config, even though this 'type' of traffic can only 'work' one way?

For the sake of completeness:

R1:

Gi0/0 - LAN

Gi0/1 - ISP (BLOCKING)

Gi0/2 - ISP (ALLOWING)

ip access-list extended ANY_TO_PORT25

permit tcp any any eq smtp

!

route-map PBR_FOR_LAN permit 10

match ip address ANY_TO_PORT25

set ip next-hop X.X.X.X [ YOUR NEXT HOP IP HERE]

!

interface GigabitEthernet0/0

ip policy route-map PBR_FOR_LAN

Please rate useful posts and remember to mark any solved questions as answered. Thank you.

Hello Bilal,

Is this necessary config, even though this 'type' of traffic can only 'work' one way? - I dont see it like that, I see this command as checking the the next hop address is availbale and if it isnt then the router wont try to policy route to it, without this command, I assume the router will try to arp to this address if it is not reachable.

res

Paul

.

Please don't forget to rate any posts that have been helpful.

Thanks.

I have comments on a couple parts of this thread.

- as far as the suggestion of using set interface rather than set next hop - why would you on purpose do something that would make the router work harder? Whether it would bring a router to its knees or not, why would you choose an inefficient solution?

I believe that those of us who know more about Cisco networking and answer a lot of questions have some responsibility to help differentiate between good solutions and solutions, that while they might work, are things that are not good choices. The response suggesting this did acknowledge that set next-hop was better but then presented set interface as being almost as good.

- as far as verify-availability is concerned, no it is not required. But it is a good suggestion, especially when sending traffic out an Ethernet interface. Even when next hop is specified in the set statement that does not mean that the router at the next hop is receiving traffic. There are scenarios where the router at the next hop is experiencing problems (or even is shut down) but the router with PBR would continue forwarding traffic toward that next hop and the traffic would not get delivered. verify-availability is the way to prevent that issue.

I did not suggest verify-availability in my response because I was concentrating on keeping it simple for someone who has not used PBR before. But since Paul brought it up as a suggestion I would agree that it a very helpful option.

HTH

Rick

Hello Paul, Thanks for explaining that.

I appreciate your answer Rick - and I do understand this, so thanks for explaining.

Please see my first initial post in this thread.

You can also do this via 'set ip next-hop' better of the two as Rick mentioned

Anyhow, despite this, It's funny how those of you "who know more about Cisco networking" - mature people (probably much more older than I) can't appreciate and probably ignored the fact that it was simply an 'example' to illustrate the stages involved with PBR [hindsight a mistake]. Even further, my later post of specifying the better of the two examples - for the sake of completeness, and comments subsequent to this, just shows the type of intent towards an individual. I'm no longer entertaining any comments off topic from you.

Hi Bilal,

I think you're overreacting here and I hope once settled down you'll realize that Paul's remark was by no way insulting but that he was refering to best practice and explained it for the OP's sake not to demean you by any means.

Regards.

Alain

Don't forget to rate helpful posts.

Sure - I appreciated Paul's answer as he explained and answered my Q, it was not him i was referring to. And also don't have anything against anyone! thanks Alain :-)

Please rate useful posts and remember to mark any solved questions as answered. Thank you.

Bilal

When I talk about those of us who know more about Cisco networking and answer a lot of questions I was including you in that group. It appears that you feel that I insulted you. That was certainly not my intention and I am sorry that you took it that way.

You seem to know a lot about Cisco networking and you certainly answer a lot of questions. I believe that this means that we should be held to a higher standard in our answers than some novice who responds to a question. I have done my share of posting things that were not right or not a good choice. Frequently someone will call me on them. It has made me a better network engineer and a better responder in these forums. I would do no less for you.

I do not want to beat a dead horse, but I would point out another reason why I believe that set interface or ip route 0.0.00 0.0.0.0 Gig0/2 are not good options to use. Both of these depend on something to work that may well be outside of your control. For either of these to work it requires that the next hop router has enabled proxy arp. When the router sends traffic to the interface it will arp for the destination address. If the next hop router has enabled proxy arp then the traffic is forwarded and the feature works. But increasingly service providers and many enterprises are disabling proxy arp. In the scenario we are discussing if the router sends the arp but the next hop router does not enable proxy arp then the next hop router will not respond. The router will then drop the traffic. The feature does not work - and the symptoms are difficult to troubleshoot because they are not obvious.

HTH

Rick

My apologies Rick - and thank you the explanation and for your response. Im in agreement with you.

Please rate useful posts and remember to mark any solved questions as answered. Thank you.

Bilal

I am glad that we are in agreement. I do appreciate your level of activity in the forums and your efforts to provide good answers. I look forward to your continuing participation in the forums.

HTH

Rick