Solved: how to use ACL to redirect the traffic ?

dannan lin · ‎08-08-2012

hi guys :

i have following scenario

very simple, 4 routers runing ospf , i want to allow PC0 visit web server through the top route and other traffic (i.e. DNS） from bottom route.

OSPF at R0 by default is running load balance betweeb R1 and R2, so the packet from pc0 would be sent to R1 abd R2 respectively.

i know it can be done by using route map but i am just wondering if it can use simple access-lists to achieve the same goal?

have a nice day.

any help is appreciated.

Karsten Iwen · ‎08-08-2012

You can't do that with only ACLs because you only drop the traffic, but you don't send it the other way. The most common solution to this is policy-based routing (PBR) where you also use an ACL to specify which traffic to send which way.

You could also look at Performance-routing. But that's much more complicated to implement:

http://www.cisco.com/en/US/partner/products/ps8787/products_ios_protocol_option_home.html

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

View solution in original post

John Blakley · ‎08-08-2012

Like Karsten stated, you can't do this with an acl. You'd need to use pbr to make any routing decisions based on protocol. You could create an acl that matches only dns, and then one to match http:

access-list 101 permit tcp any any eq 80

access-list 102 permit udp any any eq 53

route-map RouteDifferent permit 10

match ip address 101

set ip next-hop

route-map RouteDifferent permit 20

match ip address 102

set ip next-hop

int

ip policy route-map RouteDifferent

Whatever is denied by the routing policy (there's an implicit deny at the end like an acl) will get routed via the normal routing table. (policy routing comes before regular routing from inside -> outside).

HTH,

John

HTH, John *** Please rate all useful posts ***

View solution in original post

Karsten Iwen · ‎08-08-2012

You can't do that with only ACLs because you only drop the traffic, but you don't send it the other way. The most common solution to this is policy-based routing (PBR) where you also use an ACL to specify which traffic to send which way.

You could also look at Performance-routing. But that's much more complicated to implement:

http://www.cisco.com/en/US/partner/products/ps8787/products_ios_protocol_option_home.html

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

dannan lin · ‎08-13-2012

thanks.

dannan lin · ‎08-13-2012

thanks

John Blakley · ‎08-08-2012

Like Karsten stated, you can't do this with an acl. You'd need to use pbr to make any routing decisions based on protocol. You could create an acl that matches only dns, and then one to match http:

access-list 101 permit tcp any any eq 80

access-list 102 permit udp any any eq 53

route-map RouteDifferent permit 10

match ip address 101

set ip next-hop

route-map RouteDifferent permit 20

match ip address 102

set ip next-hop

int

ip policy route-map RouteDifferent

Whatever is denied by the routing policy (there's an implicit deny at the end like an acl) will get routed via the normal routing table. (policy routing comes before regular routing from inside -> outside).

HTH,

John

HTH, John *** Please rate all useful posts ***

dannan lin · ‎08-13-2012

thanks, J!