02-11-2019 10:48 AM - edited 03-08-2019 05:18 PM
Hello All,
I have a question in regards to PBR. I want to NAT traffic out using a route-map and want to know what to expect once applied to an interface. Configuration below.
access-list 187 permit ip host 10.0.60.40 any log
access-list 187 permit ip host 10.0.60.41 any log
!
route-map MIAMI permit 10
match ip address 187
set ip default next-hop 10.0.12.5 <-- FW will NAT
!
interface TenGigabitEthernet2/3.3060
description MIAMI
encapsulation dot1Q 3060
ip address 10.0.60.1 255.255.255.0
ip policy route-map MIAMI <-- will this block all traffic except 10.0.60.40 and .41? Or will it allow all traffic to flow and only match .40 and .41 to the next-hop? I have 50+ devices using the 10.0.60.x subnet but need .40 and .41 to NAT out.
02-11-2019 11:05 AM
Any traffic not matched in your PBR configuration is just routed normally so it won't be blocked and it will be routed based on the IP routing table.
Jon
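How the policy above is evaluated, as an added Python model that is not part of the original thread and not the router's code. It reproduces the documented IOS decision order: PBR acts only on packets received on the interface where `ip policy route-map` is applied, the ACL in `match ip address` is checked against the packet's source and destination, anything that matches no permit entry is routed normally from the routing table, and the `default` keyword of `set ip default next-hop` is honoured only when the routing table has no explicit route to the destination (a 0.0.0.0/0 default route does not count as explicit). The ACL, route-map name, next hop and subnet are from the original post; the routing-table entries 10.0.0.0/8 and 0.0.0.0/0 via 10.0.1.1 and the second ingress interface name Vlan10 are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class AclEntry:
    src: Net
    dst: Net


@dataclass(frozen=True)
class RouteMapEntry:
    acl: tuple        # sequence of AclEntry, all "permit" lines
    next_hop: str
    default: bool     # True models "set ip default next-hop", False "set ip next-hop"


def acl_permits(acl, src, dst):
    """Standard/extended ACL semantics: first matching permit wins, implicit deny otherwise."""
    return any(src in e.src and dst in e.dst for e in acl)


def longest_match(rib, dst):
    """Most specific routing-table entry covering dst as (prefix, next_hop), or None."""
    best = None
    for prefix, nh in rib:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, nh)
    return best


def forward(src, dst, ingress, policy_if, route_map, rib):
    """Return (next_hop, reason) for a packet src->dst received on `ingress`."""
    hit = longest_match(rib, dst)
    normal = hit[1] if hit else None
    if ingress == policy_if:                     # PBR is evaluated only on its ingress interface
        for entry in route_map:
            if not acl_permits(entry.acl, src, dst):
                continue                         # implicit deny: fall through to normal routing
            if not entry.default:
                return entry.next_hop, "PBR: set ip next-hop overrides the routing table"
            explicit = hit is not None and hit[0].prefixlen > 0   # 0.0.0.0/0 is not explicit
            if explicit:
                return normal, "PBR matched, but an explicit route beats default next-hop"
            return entry.next_hop, "PBR: set ip default next-hop (no explicit route)"
    if normal is None:
        return None, "no route: dropped"
    return normal, "not policy-routed: normal routing-table lookup"


# --- Constructed scenario mirroring the thread's configuration ---
POLICY_IF = "TenGigabitEthernet2/3.3060"
ACL_187 = (AclEntry(Net("10.0.60.40/32"), Net("0.0.0.0/0")),
           AclEntry(Net("10.0.60.41/32"), Net("0.0.0.0/0")))
MIAMI = (RouteMapEntry(ACL_187, "10.0.12.5", default=True),)            # as posted
MIAMI_NODEFAULT = (RouteMapEntry(ACL_187, "10.0.12.5", default=False),)  # "set ip next-hop"

# Assumed routing table: the connected subnet, an internal summary and a default route.
# The 10.0.0.0/8 and 0.0.0.0/0 entries via 10.0.1.1 are assumptions, not from the thread.
RIB = ((Net("10.0.60.0/24"), "connected " + POLICY_IF),
       (Net("10.0.0.0/8"), "10.0.1.1"),
       (Net("0.0.0.0/0"), "10.0.1.1"))


def route(src, dst, ingress=POLICY_IF, route_map=MIAMI):
    return forward(IPv4(src), IPv4(dst), ingress, POLICY_IF, route_map, RIB)


if __name__ == "__main__":
    for src, dst in [("10.0.60.40", "8.8.8.8"), ("10.0.60.77", "8.8.8.8"),
                     ("10.0.60.40", "10.0.5.9"), ("10.0.60.40", "10.0.60.50")]:
        print(src, "->", dst, route(src, dst))
    print("same packet, set ip next-hop:", route("10.0.60.40", "10.0.5.9", route_map=MIAMI_NODEFAULT))
    print("same packet, other ingress  :", route("10.0.60.40", "8.8.8.8", ingress="Vlan10"))
```

Running it shows that the other hosts in 10.0.60.0/24 keep normal routing (the ACL's implicit deny means "not policy-routed", never "dropped"), that .40 and .41 go to 10.0.12.5 only for destinations with no explicit route, and that swapping `set ip default next-hop` for `set ip next-hop` redirects them unconditionally, including traffic for internal prefixes.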
02-11-2019 12:42 PM - edited 02-11-2019 12:43 PM
Thanks Jon. This is the answer I was looking for.
02-11-2019 12:26 PM - edited 02-11-2019 12:32 PM
access-list 187 permit ip host 10.0.60.40 any log
access-list 187 permit ip host 10.0.60.41 any log
!
route-map MIAMI permit 10
match ip address 187
set ip default next-hop 10.0.12.5 <-- FW will NAT
interface TenGigabitEthernet2/3.3060
description MIAMI
encapsulation dot1Q 3060
ip address 10.0.60.1 255.255.255.0
ip policy route-map MIAMI <-- will this block all traffic except 10.0.60.40 and .41? Or will it allow all traffic to flow and only match .40 and .41 to the next-hop? I have 50+ devices using the 10.0.60.x subnet but need .40 and .41 to NAT out.
If there isn't an explicit route in your routing table to reach the addresses in ACL 187, they will use your PBR because you are using set ip default next-hop 10.0.12.5.
But the addresses in ACL 187 are directly connected on interface TenGigabitEthernet2/3.3060, so your PBR won't be used.
02-11-2019 12:37 PM
Why will PBR not be used for those IPs?
Jon
02-11-2019 12:40 PM - edited 02-11-2019 12:43 PM
If there isn't any explicit route in your routing table to reach the addresses in ACL 187, they will use your PBR because you are using set ip default next-hop 10.0.12.5.
But the addresses in ACL 187 are directly connected on interface TenGigabitEthernet2/3.3060, so your PBR won't be used.
If you need to use it, remove the "default" keyword.
02-11-2019 12:43 PM
It does not matter if the IPs are in the same IP subnet as the interface IP, all that matters is that the PBR is applied to the incoming interface for the traffic.
Unless I am misunderstanding you?
Jon
02-11-2019 12:47 PM
02-11-2019 12:48 PM
Sorry, I don't follow. Are you saying what I put was wrong?
Jon
02-11-2019 12:57 PM
Just to clarify in case you think it was wrong.
You are getting confused between source and destination IPs in the acl and you are not really understanding how PBR works.
Jon