Solved: Re: ip policy route-map question

NewComer · ‎02-11-2019

Hello All,

I have a question in regards to PBR. I want to NAT traffic out using a route-map and want to know what to expect once applied to an interface. Configuration below.

access-list 187 permit ip host 10.0.60.40 any log
access-list 187 permit ip host 10.0.60.41 any log

!

route-map MIAMI permit 10
match ip address 187
set ip default next-hop 10.0.12.5 <-- FW will NAT

!

interface TenGigabitEthernet2/3.3060
description MIAMI
encapsulation dot1Q 3060
ip address 10.0.60.1 255.255.255.0
ip policy route-map MIAMI <-- will this block all traffic except 10.0.0.60.40 and .41? or it will allow all traffic to flow and only match .40 and .41 to the next-hop? I have 50+ devices using 10.0.60.x subnet but need .40 and .41 to NAT out.

Jon Marshall · ‎02-11-2019

Any traffic not matched in your PBR configuration is just routed normally so it won't be blocked and it will be routed based on the IP routing table.

Jon

View solution in original post

Jon Marshall · ‎02-11-2019

Any traffic not matched in your PBR configuration is just routed normally so it won't be blocked and it will be routed based on the IP routing table.

Jon

NewComer · ‎02-11-2019

Thanks Jon. This is the answer I was looking for.

Jaderson Pessoa · ‎02-11-2019

access-list 187 permit ip host 10.0.60.40 any log
access-list 187 permit ip host 10.0.60.41 any log

!

route-map MIAMI permit 10
match ip address 187
set ip default next-hop 10.0.12.5 <-- FW will NAT

interface TenGigabitEthernet2/3.3060
description MIAMI

encapsulation dot1Q 3060
ip address 10.0.60.1 255.255.255.0
ip policy route-map MIAMI <-- will this block all traffic except 10.0.0.60.40 and .41? or it will allow all traffic to flow and only match .40 and .41 to the next-hop? I have 50+ devices using 10.0.60.x subnet but need .40 and .41 to NAT out.

If there arent explicit route in your routing table to reach address in acl 187, they will use your PBR because you are using set ip default next-hop 10.0.12.5

But, the address in acl 187 is directly connect on interface TenGigabitEthernet2/3.3060,your PBR wont be used.

more information: https://books.google.com.br/books?id=z5f4BQAAQBAJ&pg=PA309&dq=PBR+set+ip+default&hl=pt-BR&sa=X&ved=0ahUKEwimxPTNwrTgAhUTAtQKHTTaAikQ6AEIQzAD#v=onepage&q=PBR%20set%20ip%20default&f=false

Jaderson Pessoa
*** Rate All Helpful Responses ***

Jon Marshall · ‎02-11-2019

Why will PBR not be used for those IPs ?

Jon

Jaderson Pessoa · ‎02-11-2019

If there arent any explicit route in your routing table to reach address in acl 187, they will use your PBR because you are using set ip default next-hop 10.0.12.5

But, the address in acl 187 is directly connect on interface TenGigabitEthernet2/3.3060,your PBR wont be used.

If you need use it, remove default word

Jaderson Pessoa
*** Rate All Helpful Responses ***

Jon Marshall · ‎02-11-2019

It does not matter if the IPs are in the same IP subnet as the interface IP, all that matters is that the PBR is applied to the incoming interface for the traffic.

Unless I am misunderstanding you ?

Jon

Jaderson Pessoa · ‎02-11-2019

you has wrong. sorry.

Jaderson Pessoa
*** Rate All Helpful Responses ***

Jon Marshall · ‎02-11-2019

Sorry, don't follow, are you saying what I put was wrong ?

Jon

Jon Marshall · ‎02-11-2019

Just to clarify in case you think it was wrong.

You are getting confused between source and destination IPs in the acl and you are not really understanding how PBR works.

Jon