02-18-2010 07:14 AM - edited 03-06-2019 09:45 AM
I have a 3750 which handles all of my central routing to various subnets throughout my building. Also, I have two internet connections. My question is, can I use IP next-hop to direct users out the second internet connection, essentially overriding the default gateway for them? By setting IP next-hop, however, will this cause my internal static routes to stop functioning, or will these have a higher priority?
02-18-2010 07:36 AM
Hi,
Yes, you can use PBR (policy-based routing) to force some traffic to use a different exit link. PBR is processed before the routing lookup, so you can force certain traffic to use one path and the rest of the traffic to use the default route. Be aware that there are some limitations when using PBR on the 3750; please refer to the configuration guide for the configuration details.
HTH,
Lei Tian
02-18-2010 08:35 AM
So if PBR is processed before the routing lookup, is there an easy way that I can tell it to ignore anything going to private subnets (i.e. 10, 172, 192)? This way things aren't sent to the other gateway for internal traffic.
02-18-2010 08:43 AM
You asked right as I posted
Here is an example of a configuration for a policy route to do just that:
! ACL: internal-to-internal traffic is denied (not policy routed), everything else is matched
ip access-list extended INET2_ACL
 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
 permit ip any any
! Route-map: matched traffic is sent to the second ISP gateway
route-map INET2 permit 10
 match ip address INET2_ACL
 set ip next-hop 10.1.1.1
! Apply the policy on the ingress SVI
interface vlan 100
 ip policy route-map INET2
This of course assumes your internal network is 10.0.0.0/8, and notice the deny is before the permit.
HTH,
Craig
02-18-2010 08:45 AM
Hi,
You need to create a route-map first; within the route-map you need to reference an ACL that specifies the traffic you want to redirect, and then set ip next-hop only for the traffic matching the ACL.
See the configuration example:
! Route-map: traffic matched by ACL "test" is sent to the next hop x.x.x.x
route-map test permit 10
 match ip address test
 set ip next-hop x.x.x.x
! ACL: only the traffic you want to redirect is permitted
ip access-list standard test
 permit x.x.x.x x.x.x.x
HTH,
Lei Tian
02-18-2010 08:35 AM
In addition to what the previous poster linked, make sure you specify that internal traffic should NOT be policy routed, as the policy-based route takes precedence over all routing decisions. So if your internal network is 192.168.1.0/24, you need to create a deny statement in the ACL you build for your PBR for that network; otherwise the router will send traffic for things such as internal DNS servers, printers, etc. out your second internet POP.
HTH,
Craig
02-18-2010 08:41 AM
Hi Craig,
Deny statements are not supported in the 3750's PBR.
Note: Do not enter an ACL with a deny ACE or an ACL that permits a packet destined for a local address.
Thanks,
Lei Tian
02-18-2010 08:44 AM
Ah, good to know! Thanks Lei
02-18-2010 08:56 AM
As a note, here are the limitations when using PBR on the 3750:
1) sdm prefer routing must be used
2) ip policy must be placed on a routed interface or an SVI
3) IP services software is required; the ip policy command is not available on IP base
4) only unicast traffic applies to the policy
5) you cannot have any route-map deny statements; this causes 100% CPU utilization
6) you cannot reference any access-lists that contain deny statements; this causes 100% CPU utilization
7) you cannot use set interface, set default next-hop or set default interface within the route-map
8) you cannot use WCCP and PBR on the same interface
They are all documented in the link I posted. I recommend you go over the document before implementing.
HTH,
Lei Tian
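A static check for the 3750 limitations listed above (items 5, 6 and 7), added here as an example; it is not from the thread or from Cisco. It assumes an IOS-style running config with named IP ACLs, and the sample config it scans is constructed from the INET2 policy posted earlier plus one extra unsupported set command.

```python
import re
# Static checks for the 3750 PBR limitations quoted in the thread: deny route-map
# clauses, deny ACEs in referenced ACLs, and the unsupported set commands.
FORBIDDEN_SET = re.compile(r"^set (interface|default interface|ip default next-hop)\b")
TOP_LEVEL = re.compile(r"^(interface|ip |access-list|route-map|!)")

def parse_acls(lines):  # named IP ACLs only: {name: [ace, ...]}
    acls, cur = {}, None
    for s in lines:
        m = re.match(r"ip access-list (?:standard|extended) (\S+)", s)
        if m:
            cur = m.group(1)
            acls.setdefault(cur, [])
        elif cur and re.match(r"(permit|deny)\b", s):
            acls[cur].append(s)
        elif TOP_LEVEL.match(s):
            cur = None
    return acls

def check_pbr_config(text):  # findings for route-maps applied with 'ip policy'
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    acls = parse_acls(lines)
    policies = {ln.split()[3] for ln in lines if ln.startswith("ip policy route-map ")}
    findings, rm = [], None
    for s in lines:
        m = re.match(r"route-map (\S+)(?: (permit|deny))?(?: \d+)?$", s)
        if m:  # enter a clause; ignore route-maps that are not used as a policy
            rm = m.group(1) if m.group(1) in policies else None
            if rm and m.group(2) == "deny":
                findings.append(f"{rm}: deny route-map clause (100% CPU on 3750)")
        elif TOP_LEVEL.match(s):
            rm = None
        elif rm and FORBIDDEN_SET.match(s):
            findings.append(f"{rm}: '{s}' is not supported by 3750 PBR")
        elif rm and s.startswith("match ip address "):
            for name in s.split()[3:]:
                if any(a.startswith("deny") for a in acls.get(name, [])):
                    findings.append(f"{rm}: ACL {name} has a deny ACE (100% CPU on 3750)")
    return findings
# Constructed sample: the thread's INET2 policy plus one unsupported set command.
SAMPLE_CONFIG = """\
ip access-list extended INET2_ACL
 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
 permit ip any any
route-map INET2 permit 10
 match ip address INET2_ACL
 set ip next-hop 10.1.1.1
 set default interface Null0
interface Vlan100
 ip policy route-map INET2
"""
```

Run it against `show running-config` output before pushing a policy to a 3750; an empty list means none of the three checked limitations is hit.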