
PBR - keyword default

filip00011
Level 1

I understand the difference between:

set ip next-hop

set ip default next-hop

I tried both in my config and there is no difference. How come?

The ultimate outcome is that the PBR always routes the packets towards 192.168.11.254.


LOOK FOR BOLD TEXT IN CONFIG


D1-3925#show run
Building configuration...


Current configuration : 6603 bytes
!
! Last configuration change at 18:53:19 CHI Wed May 16 2018 by filip
! NVRAM config last updated at 18:53:20 CHI Wed May 16 2018 by filip
!
version 15.7
service timestamps debug datetime msec
service timestamps log datetime localtime show-timezone
no service password-encryption
!
hostname D1-3925
!
boot-start-marker
boot system flash0://c3900-universalk9-mz.SPA.157-3.M.bin
boot-end-marker
!
!
enable secret 5 $1$is11$C6PyOcFWyIFtySiaCKw2R0
!
aaa new-model
!
!
aaa authentication login default local
!
!
!
!
!
aaa session-id common
clock timezone CHI -6 0
!
!
!
!
!
!
!
!
!
!
!
ip vrf comcast
rd 1:1
route-replicate from vrf global unicast ospf 10
!
!
!
!
ip domain name gt51.com
ip name-server 8.8.8.8
ip cef
ipv6 unicast-routing
ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
voice-card 0
!
!
!
!
!
!
!
!
license udi pid C3900-SPE100/K9 sn FOC143327Z8
!
!
archive
path tftp://192.168.10.92/CISCO/D01-3925/$h-$t
write-memory
username filip secret 5 $1$7lMy$.A9cfBaOG8vz0k1MQyZOf/
!
redundancy
!
!
!
!
!
!
class-map match-any VLAN10
match access-group name qos
class-map match-any VLAN200
match access-group name VLAN200
class-map match-any filip2
match access-group name qos
class-map match-all Filip
match access-group name QoS-Filip
class-map match-any Filip2
!
policy-map CHILD
class VLAN10
priority 35000
class VLAN200
bandwidth 110000
policy-map PARENT
class class-default
shape average 180000000
police 150000000
service-policy CHILD
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
ip address 10.168.168.1 255.255.255.255
!
interface Tunnel0
description Hurricane Electric IPv6 Tunnel Broker
no ip address
ipv6 address 2001:470:1F10:84C::2/64
ipv6 enable
tunnel source 24.14.91.206
tunnel mode ipv6ip
tunnel destination 184.105.253.14
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description COMCAST
ip vrf forwarding comcast
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
ipv6 address dhcp
!
interface GigabitEthernet0/1
description TO-ASA5506
ip address 10.168.12.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip policy route-map GLOBAL_TO_VRF
ip ospf hello-interval 1
duplex auto
speed auto
ipv6 address 2001:470:C3D9:12::1/64
ipv6 ospf 10 area 0
!
interface GigabitEthernet0/2
ip dhcp relay information trusted
ip address 192.168.11.1 255.255.255.0
ip helper-address 192.168.200.20
ip nat inside
ip virtual-reassembly in
ip policy route-map COMCAST
duplex auto
speed auto
!
interface FastEthernet0/0/0
description TO-ASA5540
switchport access vlan 101
switchport mode access
no ip address
!
interface FastEthernet0/0/1
switchport access vlan 9
switchport mode access
no ip address
!
interface FastEthernet0/0/2
no ip address
!
interface FastEthernet0/0/3
description ATT
switchport access vlan 50
switchport mode access
no ip address
!
interface Vlan1
no ip address
!
interface Vlan9
ip address 192.168.9.1 255.255.255.0
!
interface Vlan50
ip address 68.72.16.65 255.255.255.248
ip nat outside
ip virtual-reassembly in
!
interface Vlan101
ip address 10.168.16.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip policy route-map GLOBAL_TO_VRF
ip ospf hello-interval 1
ip ospf cost 10
!
router ospf 10
network 10.168.12.0 0.0.0.255 area 0
network 10.168.16.0 0.0.0.255 area 0
network 10.168.168.1 0.0.0.0 area 0
network 192.168.11.0 0.0.0.255 area 0
default-information originate
!
ip forward-protocol sdns
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list nat interface Vlan50 overload
ip nat inside source list nat-deset interface GigabitEthernet0/0 overload
ip nat inside source list nat-deset interface GigabitEthernet0/0 vrf comcast overload
ip nat inside source static tcp 192.168.200.12 80 68.72.16.65 80 extendable
ip nat inside source static tcp 192.168.200.19 8010 68.72.16.65 8010 extendable
ip nat inside source static 10.168.12.8 68.72.16.66
ip route profile
ip route 0.0.0.0 0.0.0.0 68.72.16.70
ip ssh version 2
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
ip access-list standard nat-deset
permit 192.168.10.0 0.0.0.255
ip access-list standard nat-dveste
permit 192.168.200.0 0.0.0.255
!
ip access-list extended PBR
deny ip 192.168.11.0 0.0.0.255 10.0.0.0 0.255.255.255
deny ip 192.168.11.0 0.0.0.255 192.168.0.0 0.0.255.255
deny ip 192.168.11.0 0.0.0.255 172.30.0.0 0.0.255.255
permit ip 192.168.11.0 0.0.0.255 any
ip access-list extended PBR2
deny ip 192.168.10.0 0.0.0.255 10.0.0.0 0.255.255.255
deny ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.255.255
deny ip 192.168.10.0 0.0.0.255 172.30.0.0 0.0.255.255
permit ip 192.168.10.0 0.0.0.255 any
ip access-list extended QoS-Filip
permit ip any 192.168.10.0 0.0.0.255
permit ip 192.168.10.0 0.0.0.255 any
ip access-list extended VLAN200
permit ip any 192.168.200.0 0.0.0.255
permit ip 192.168.200.0 0.0.0.255 any
ip access-list extended nat
deny ip host 192.168.200.200 192.168.201.0 0.0.0.255
permit ip host 10.168.168.10 any
permit ip 192.168.200.0 0.0.0.255 any
permit ip 192.168.11.0 0.0.0.255 any
permit ip 172.30.20.0 0.0.0.255 any
permit ip 192.168.5.0 0.0.0.255 any
permit ip 192.168.12.0 0.0.0.255 any
permit ip 10.168.12.0 0.0.0.255 any
!
logging trap debugging
logging source-interface Loopback0
logging host 192.168.5.195
logging host 192.168.5.195 vrf comcast
ipv6 route ::/0 Tunnel0
ipv6 router ospf 10
router-id 10.10.168.1
default-information originate
!
!
nls resp-timeout 1
cpd cr-id 1
route-map COMCAST permit 10
match ip address PBR
set ip default next-hop 192.168.11.254
!
route-map GLOBAL_TO_VRF permit 10
match ip address PBR2
set vrf comcast
!
!
snmp-server community cacti@2 RO
snmp-server host 192.168.5.231 version 2c cacti@2
access-list 99 permit 192.168.10.92
!
!
!
control-plane
!
!
!
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
!
gatekeeper
shutdown
!
!
vstack
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
exec-timeout 0 0
logging synchronous
transport input ssh
line vty 5 15
exec-timeout 0 0
logging synchronous
transport input ssh
!
scheduler allocate 20000 1000
ntp master
ntp server 0.north-america.pool.ntp.org
!
end


D1-3925#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 68.72.16.70 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 68.72.16.70
10.0.0.0/8 is variably subnetted, 27 subnets, 2 masks
O 10.168.1.0/24 [110/11] via 10.168.16.13, 1w1d, Vlan101
O 10.168.2.0/24 [110/12] via 10.168.16.13, 6d19h, Vlan101
O 10.168.3.0/24 [110/13] via 10.168.16.13, 20:50:57, Vlan101
O 10.168.4.0/24 [110/14] via 10.168.16.13, 20:50:57, Vlan101
O 10.168.5.0/24 [110/15] via 10.168.12.8, 21:04:32, GigabitEthernet0/1
O 10.168.6.0/24 [110/77] via 10.168.16.13, 6d19h, Vlan101
O 10.168.7.0/24 [110/12] via 10.168.16.13, 6d19h, Vlan101
O 10.168.8.0/24 [110/12] via 10.168.16.13, 6d19h, Vlan101
O 10.168.9.0/24 [110/13] via 10.168.16.13, 6d19h, Vlan101
C 10.168.12.0/24 is directly connected, GigabitEthernet0/1
L 10.168.12.1/32 is directly connected, GigabitEthernet0/1
O 10.168.13.0/24 [110/2] via 10.168.12.8, 21:08:48, GigabitEthernet0/1
O 10.168.14.0/24 [110/3] via 10.168.12.8, 21:04:32, GigabitEthernet0/1
O 10.168.15.0/24 [110/4] via 10.168.12.8, 20:58:27, GigabitEthernet0/1
C 10.168.16.0/24 is directly connected, Vlan101
L 10.168.16.1/32 is directly connected, Vlan101
O 10.168.17.0/24 [110/29] via 10.168.12.8, 20:58:27, GigabitEthernet0/1
C 10.168.168.1/32 is directly connected, Loopback0
O 10.168.168.2/32 [110/15] via 10.168.16.13, 20:50:57, Vlan101
O 10.168.168.3/32 [110/14] via 10.168.16.13, 20:50:57, Vlan101
O 10.168.168.4/32 [110/13] via 10.168.16.13, 6d19h, Vlan101
O 10.168.168.5/32 [110/12] via 10.168.16.13, 6d19h, Vlan101
O 10.168.168.6/32 [110/13] via 10.168.16.13, 6d19h, Vlan101
O 10.168.168.7/32 [110/13] via 10.168.16.13, 6d19h, Vlan101
O 10.168.168.9/32 [110/3] via 10.168.12.8, 21:08:48, GigabitEthernet0/1
O 10.168.168.10/32
[110/4] via 10.168.12.8, 21:04:32, GigabitEthernet0/1
O 10.168.168.14/32
[110/5] via 10.168.12.8, 20:58:27, GigabitEthernet0/1
68.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C 68.72.16.64/29 is directly connected, Vlan50
L 68.72.16.65/32 is directly connected, Vlan50
L 68.72.16.66/32 is directly connected, Vlan50
172.30.0.0/24 is subnetted, 1 subnets
O 172.30.20.0 [110/11] via 10.168.12.8, 21:08:48, GigabitEthernet0/1
O 192.168.5.0/24 [110/5] via 10.168.12.8, 20:58:27, GigabitEthernet0/1
O 192.168.10.0/24 [110/5] via 10.168.12.8, 20:58:27, GigabitEthernet0/1
192.168.11.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.11.0/24 is directly connected, GigabitEthernet0/2
L 192.168.11.1/32 is directly connected, GigabitEthernet0/2
O 192.168.200.0/24 [110/5] via 10.168.12.8, 20:58:27, GigabitEthernet0/1

1 Reply

~chris
Level 1

With the keyword "default" the router will check first if the destination network exists in your routing table. If it exists, it will be routed without PBR. If it doesn't exist, it will be routed via PBR to your defined next-hop.
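The reply above is the whole story once one detail is added: for `set ip default next-hop`, IOS only treats an explicit route as "existing in the routing table"; the 0.0.0.0/0 default route (the `S*` entry in the poster's `show ip route`) does not count. In the posted config, ACL `PBR` denies 192.168.11.0/24 traffic towards 10/8, 192.168/16 and 172.30/16, which are exactly the destinations with explicit OSPF or connected routes, and permits everything else, which is covered only by the default route. So both `set ip next-hop` and `set ip default next-hop` end up at 192.168.11.254 for every policy-routed packet. The following Python model, which is an added example and not code from the original post or from Cisco, reproduces that decision with a routing table and ACL transcribed from the post; the function names (`forward`, `acl_permits`, `longest_match`), the `ACL_OPEN` variant that drops the 192.168/16 deny, and the sample source host 192.168.11.5 are assumptions made for illustration.

```python
import ipaddress

# Routing table distilled from the poster's "show ip route" (constructed subset).
# (prefix, next hop); None means a connected route.
ROUTING_TABLE = [
    ("0.0.0.0/0",        "68.72.16.70"),   # S* static default
    ("10.168.12.0/24",   None),            # C  GigabitEthernet0/1
    ("10.168.13.0/24",   "10.168.12.8"),   # O
    ("10.168.16.0/24",   None),            # C  Vlan101
    ("172.30.20.0/24",   "10.168.12.8"),   # O
    ("192.168.5.0/24",   "10.168.12.8"),   # O
    ("192.168.10.0/24",  "10.168.12.8"),   # O
    ("192.168.11.0/24",  None),            # C  GigabitEthernet0/2
    ("192.168.200.0/24", "10.168.12.8"),   # O
]

# Extended ACL "PBR" from the post, in order: (action, source, destination).
ACL_PBR = [
    ("deny",   "192.168.11.0/24", "10.0.0.0/8"),
    ("deny",   "192.168.11.0/24", "192.168.0.0/16"),
    ("deny",   "192.168.11.0/24", "172.30.0.0/16"),
    ("permit", "192.168.11.0/24", "0.0.0.0/0"),       # "any"
]

# Hypothetical variant (assumption, not in the post): the deny lines removed,
# so internal destinations are also policy-routed. Used only to show the difference.
ACL_OPEN = [("permit", "192.168.11.0/24", "0.0.0.0/0")]

PBR_NEXT_HOP = "192.168.11.254"   # from route-map COMCAST in the post


def acl_permits(acl, src, dst):
    """First-match ACL evaluation with the implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action == "permit"
    return False


def longest_match(dst):
    """Longest-prefix lookup; returns (network, next_hop) or None."""
    d = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in ROUTING_TABLE:
        net = ipaddress.ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best


def normal_forward(dst):
    """Plain destination-based forwarding (no PBR)."""
    m = longest_match(dst)
    if m is None:
        return "drop"
    return m[1] if m[1] is not None else "connected"


def forward(src, dst, mode, acl=ACL_PBR):
    """mode 'next-hop' models `set ip next-hop`; mode 'default' models
    `set ip default next-hop`. Returns the next hop the packet is sent to."""
    if not acl_permits(acl, src, dst):
        return normal_forward(dst)        # route-map not matched: normal routing
    if mode == "next-hop":
        return PBR_NEXT_HOP               # PBR wins; routing table not consulted
    # 'default': an explicit route wins, but 0.0.0.0/0 is not explicit,
    # so a destination covered only by the default route is still policy-routed.
    m = longest_match(dst)
    if m is not None and m[0].prefixlen > 0:
        return m[1] if m[1] is not None else "connected"
    return PBR_NEXT_HOP


if __name__ == "__main__":
    for dst in ("8.8.8.8", "192.168.200.12"):
        for mode in ("next-hop", "default"):
            print(f"ACL PBR : 192.168.11.5 -> {dst:16} {mode:9} => {forward('192.168.11.5', dst, mode)}")
    for mode in ("next-hop", "default"):
        print(f"ACL OPEN: 192.168.11.5 -> 192.168.200.12  {mode:9} => {forward('192.168.11.5', '192.168.200.12', mode, ACL_OPEN)}")
```

With the poster's ACL, an Internet destination such as 8.8.8.8 goes to 192.168.11.254 under both set commands, and 192.168.200.12 never reaches the route-map at all, so it follows the OSPF route via 10.168.12.8 either way. Only with the hypothetical open ACL does the difference appear: `set ip next-hop` overrides the OSPF route and sends 192.168.200.12 to 192.168.11.254, while `set ip default next-hop` keeps the explicit route. A quick way to confirm this on the box is `debug ip policy` while generating the test traffic, which reports for each packet whether the policy matched and where it was sent.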
