1560 Views, 0 Helpful, 18 Replies

local policy route-map for policy route

julxu
Level 1

Hi,

This is related to my previous question:

I want to set a policy route on the ASR1004 that redirects VPN traffic.

My case is:

  The ASR1004 imports a default route 0.0.0.0 from int 0 with BGP neighbour address 10.100.100.100.

Assume internal traffic 10.10.10.0/24 comes into the ASR1004 on int 1.

Assume the VPN with IP address 10.2.2.2 is directly linked to ASR1004 int 2, and the int 2 IP address is 10.2.2.1.

Assume the target network is 10.200.200.0/24.

I want internal traffic (10.10.10.0/24) going to the target (10.200.200.0/24) to be redirected to 10.2.2.2 (VPN) first, so I add "ip route 10.200.200.0/24 10.2.2.2" on the ASR1004.

Then, I want the VPN (10.2.2.2) to encrypt the traffic and send it to one of the IPs in the 10.200.200.0/24 range again. At this point, if I put the local policy route-map below, will it work?

ip local policy route-map vpn-out

! "host" is required here: an IOS extended ACL takes a wildcard mask or "host" after the source address
access-list 100 permit ip host 10.2.2.2 any

route-map vpn-out permit 10
  match ip address 100
  set ip next-hop 10.100.100.100

If not, do I have any chance to do policy routing for this case?

Any comment will be appreciated.

Thanks in advance

Julxu
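For comparison, an added example configuration (not from the original post or from Cisco's documentation) of how the second leg would usually be expressed: "ip local policy route-map" only affects packets the router itself generates, so transit packets from the VPN device need "ip policy route-map" on the interface they arrive on, and the next hop is tracked so the policy is skipped when the BGP neighbour is unreachable, as in the Cisco link in Jon's reply. The interface name, the IP SLA probe number and the track object number are assumptions.

```cisco
! Added example, not the poster's configuration. Interface name and the
! IP SLA / track numbers are assumed; all addresses come from the post.
!
! Static route for the first leg, unchanged from the post (IOS form with mask):
ip route 10.200.200.0 255.255.255.0 10.2.2.2
!
! Match only the encrypted output of the VPN device. Limiting the destination
! to 10.200.200.0/24 keeps other traffic from 10.2.2.2 on the normal routing
! table; without PBR this encrypted traffic would follow the static route
! above straight back to the VPN device.
access-list 100 permit ip host 10.2.2.2 10.200.200.0 0.0.0.255
!
! Probe the BGP neighbour so the policy next hop is only used while reachable.
ip sla 1
 icmp-echo 10.100.100.100
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
! When track 1 is down, matching packets fall through to normal routing.
route-map vpn-out permit 10
 match ip address 100
 set ip next-hop verify-availability 10.100.100.100 10 track 1
!
! Assumed name for "int 2" in the post; the VPN device (10.2.2.2) sits here.
interface GigabitEthernet0/0/2
 ip address 10.2.2.1 255.255.255.0
 ip policy route-map vpn-out
```

Check with "show route-map vpn-out" (policy hit counters) and "show track 1" (next-hop reachability) after applying it.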

18 Replies

The "default" in the "set ip default next-hop" means use the IP routing table first before using PBR.

It isn't what you want.

You need to track the next hop IP and if it goes down then use another next hop.

See this link for a configuration example for your router -

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_pi/configuration/xe-3s/asr1000/iri-xe-3s-asr1000-book/iri-pbr-mult-track.html

Jon

Did you have any luck with your PBR configuration?

Jon

Is there another VPN device which is in front of the 10.200.200.0/24 network?

And your VPN device is meant to create a tunnel to the other VPN device?

Jon

When your route sends traffic to the VPN device it doesn't change the destination IP, so your ACL 100 matching any traffic to 10.10.2.2 will never be used.

I'm really not sure what you are trying to do, but on VPN devices you normally don't need PBR to use the VPN; you simply configure the VPN.

Jon
