Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5477
Views
39
Helpful
6
Replies

Extended access list/route map question

Go to solution
Ableton34
Level 1
Level 1

‎05-27-2015 01:44 AM - edited ‎03-08-2019 12:12 AM

Hi all,

Quick question on using an extended access list with PBR:

My aim is to allow only traffic from certain subnets in our network access to a server in the core using a particular route using policy based routing.

All other requests to the server from other subnets need to be allowed regardless of the route but not be forced to use the same route.

 

example config is:

ip access-list extended (extended access-list name)
permit (address/mask of server) (subnet 1) 0.0.0.255
permit (address/mask of server) (subnet 2) 0.0.0.255


route-map (name of route map) (sequence number)
match ip address (extended access-list name)
set ip next-hop (address of next hop required route)


interface (server connecting interface)
ip policy route-map (name of route map)

 

My question is, do i need a further line of config in the extended access list in order to permit any other traffic to it, will there be an implicit deny if i just add the above so that the only traffic that can access that server will be the ones permitted and using the route map?

 

thanks all

 

 

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to Ableton34

‎05-27-2015 08:16 AM

You are correct, you don't need a second entry in your route map when using PBR because anything not matched in your first entry will be simply be routed using the IP routing table.

So your acl just needs to match the traffic you want to be policy routed.

Jon

View solution in original post

6 Replies 6

Go to solution
vivek srivastava
Level 7
Level 7

‎05-27-2015 01:55 AM

You don't need any further config in ACL however you need to update the route-map config as below. Second sequence number does what you needed.

 

!

route-map (name of route map) permit (sequence number1)

match ip address (extended access-list name)

set ip next-hop (address of next hop required route)

!

route-map (name of route map) permit (sequence number2)

!

Go to solution
Ableton34
Level 1
Level 1
In response to vivek srivastava

‎05-27-2015 02:23 AM

Thanks for the reply,

 

Not sure I fully understand. What do I need a 2nd route map for? Surely i only need 1 to tell the switch where to route the selected subnet traffic?

0 Helpful

Go to solution
vivek srivastava
Level 7
Level 7
In response to Ableton34

‎05-27-2015 02:52 AM

Route-map will be one, but with two sequence numbers i.e. first sequence is for seting next-hop ip and second sequence is for allowing everything else.

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to Ableton34

‎05-27-2015 08:16 AM

You are correct, you don't need a second entry in your route map when using PBR because anything not matched in your first entry will be simply be routed using the IP routing table.

So your acl just needs to match the traffic you want to be policy routed.

Jon

Go to solution
Ableton34
Level 1
Level 1
In response to Jon Marshall

‎05-29-2015 02:56 AM

Thanks as always Jon

 

Steve

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to Ableton34

‎05-29-2015 05:19 AM

Steve

No problem and the rest of this post is not directed at you so please just ignore.

This post was a relatively straightforward question about PBR and for some reason every post in this thread has been rated multiple times.

My answer certainly didn't merit 5 ratings and neither did any of the others as far as I can see.

If you want to rate Vivek's post multiple times then that is fine by me but can you please just leave my posts alone as this is not the way I want to get points on this site.

Jon

0 Helpful
Customers Also Viewed These Support Documents