
Extended access list/route map question

Ableton34
Level 1

Hi all,

Quick question on using an extended access list with PBR:

My aim is to allow traffic from only certain subnets in our network to reach a server in the core via a particular route, using policy-based routing.

All other requests to the server from other subnets need to be allowed regardless of the route but not be forced to use the same route.


Example config is:

ip access-list extended (extended access-list name)
 permit ip (address/mask of server) (subnet 1) 0.0.0.255
 permit ip (address/mask of server) (subnet 2) 0.0.0.255
!
route-map (name of route map) permit (sequence number)
 match ip address (extended access-list name)
 set ip next-hop (address of next hop required route)
!
interface (server connecting interface)
 ip policy route-map (name of route map)


My question is, do I need a further line of config in the extended access list in order to permit any other traffic to it? Will there be an implicit deny if I just add the above, so that the only traffic that can access that server will be the traffic permitted and using the route map?


thanks all


Accepted Solution

You are correct, you don't need a second entry in your route map when using PBR because anything not matched in your first entry will simply be routed using the IP routing table.

So your acl just needs to match the traffic you want to be policy routed.

Jon


6 Replies

You don't need any further config in the ACL; however, you need to update the route-map config as below. The second sequence number does what you needed.

!
route-map (name of route map) permit (sequence number1)
 match ip address (extended access-list name)
 set ip next-hop (address of next hop required route)
!
route-map (name of route map) permit (sequence number2)
!

Thanks for the reply,

Not sure I fully understand. What do I need a 2nd route map for? Surely I only need 1 to tell the switch where to route the selected subnet traffic?

The route-map will be one, but with two sequence numbers, i.e. the first sequence is for setting the next-hop IP and the second sequence is for allowing everything else.
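The point both replies make, that an ACL deny inside a route-map match clause only means "not policy routed" and never "dropped", is easy to check with a small model of the IOS decision. The Python below is an added illustration written for this thread, not configuration or code from any poster or from Cisco: it implements IOS wildcard-mask matching, the implicit deny at the end of an extended ACL, and route-map sequence evaluation, then runs the one-sequence route map from the accepted answer and the two-sequence variant from the reply above against the same flows. All addresses, next hops and ACL names are constructed for the example.

```python
"""Model of Cisco IOS policy-based routing: an extended ACL with wildcard
masks feeding a route-map, and what happens to traffic the ACL does not
permit. All addresses below are constructed for this illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass(frozen=True)
class AclEntry:
    action: str        # "permit" or "deny"
    src: str           # source network
    src_wild: str      # source wildcard ("0.0.0.0" is the same as 'host')
    dst: str           # destination network
    dst_wild: str      # destination wildcard


def acl_lookup(entries, src: str, dst: str) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for e in entries:
        if wildcard_match(src, e.src, e.src_wild) and wildcard_match(dst, e.dst, e.dst_wild):
            return e.action
    return "deny"


@dataclass(frozen=True)
class RouteMapSeq:
    action: str                     # route-map permit or deny
    match_acl: Optional[tuple]      # None: no match clause, so everything matches
    next_hop: Optional[str] = None  # 'set ip next-hop'; None: no set clause


def policy_route(route_map, src: str, dst: str, table_next_hop: str):
    """Decide the next hop for a packet entering an interface that has
    'ip policy route-map' applied. An ACL deny (explicit or implicit), a
    deny sequence, or no matching sequence all fall back to the normal
    routing table; none of them drops the packet."""
    for seq in route_map:
        if seq.match_acl is not None and acl_lookup(seq.match_acl, src, dst) != "permit":
            continue  # ACL did not permit: this sequence does not match, try the next
        if seq.action == "deny":
            return table_next_hop, "route-map deny sequence: normal routing"
        if seq.next_hop is not None:
            return seq.next_hop, "policy routed"
        return table_next_hop, "permit sequence with no set clause: normal routing"
    return table_next_hop, "no sequence matched: normal routing"


# Constructed scenario: two subnets may reach the server via a specific next hop
SERVER = "10.10.10.5"
PBR_NEXT_HOP = "10.0.0.2"    # the 'particular route' for the chosen subnets
TABLE_NEXT_HOP = "10.0.0.1"  # what the IP routing table would choose

TO_SERVER_ACL = (
    AclEntry("permit", "192.168.1.0", "0.0.0.255", SERVER, "0.0.0.0"),
    AclEntry("permit", "192.168.2.0", "0.0.0.255", SERVER, "0.0.0.0"),
)

# One sequence only: everything the ACL does not permit falls through
ONE_SEQ = (RouteMapSeq("permit", TO_SERVER_ACL, PBR_NEXT_HOP),)
# Same plus an explicit, empty permit sequence after it
TWO_SEQ = ONE_SEQ + (RouteMapSeq("permit", None),)


def decide(route_map, src: str, dst: str = SERVER) -> str:
    """Next hop chosen for a src -> dst packet under the given route map."""
    return policy_route(route_map, src, dst, TABLE_NEXT_HOP)[0]


def same_behaviour(flows) -> bool:
    """True if both route-map variants forward every (src, dst) flow identically."""
    return all(decide(ONE_SEQ, s, d) == decide(TWO_SEQ, s, d) for s, d in flows)


if __name__ == "__main__":
    for src in ("192.168.1.20", "192.168.2.7", "192.168.3.9"):
        print(src, "->", SERVER, policy_route(ONE_SEQ, src, SERVER, TABLE_NEXT_HOP))
```

Two practical caveats the model makes visible: PBR evaluates packets as they enter the interface carrying `ip policy route-map`, so the ACL's source and destination must describe that direction of travel (subnet to server on a subnet-facing interface, server to subnet on the server-facing one); and `set ip next-hop` only takes effect when the router can reach that next hop, otherwise IOS falls back to the routing table just as it does for unmatched traffic.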


Thanks as always Jon


Steve

Steve

No problem and the rest of this post is not directed at you so please just ignore.

This post was a relatively straightforward question about PBR and for some reason every post in this thread has been rated multiple times.

My answer certainly didn't merit 5 ratings and neither did any of the others as far as I can see.

If you want to rate Vivek's post multiple times then that is fine by me but can you please just leave my posts alone as this is not the way I want to get points on this site.

Jon