cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
763
Views
0
Helpful
6
Replies

PBR - next-hop local interface

nkillgore
Level 1
Level 1

If I set the next-hop in a route map to a local interface, will bad things happen? configs below...

interface Vlan2

description User Subnet

ip address 10.3.3.253 255.255.254.0

ip helper-address 10.77.42.12

no ip redirects

no ip proxy-arp

ip route-cache policy

no ip mroute-cache

interface Vlan32

description Server Subnet

ip address 10.77.43.253 255.255.254.0

no ip redirects

ip route-cache policy

no ip mroute-cache

route-map Hosted_Security permit 10

match ip address Hosted_Security_Internal <-----these addresses are on vlan 2

set ip next-hop 10.77.43.253 <---- this is what I am concerned about

!

route-map Hosted_Security permit 20

match ip address Hosted_Security_External

set ip next-hop 10.77.42.10

6 Replies 6

Richard Burts
Hall of Fame
Hall of Fame

If you configure a route map for Policy Based Routing and you set the next hop to the IP address of a local interface then the router will attempt to forward the packet to itself. I would say that this was pretty much a bad thing to happen.

HTH

Rick

HTH

Rick

When the router sends the packet back to itself, will it ignore the route-map the second time it decides what to do with it?

I am not clear what the router would do. It is possible that the router would see it and just use normal routing. But it is possible that the router would treat it as a packet that it can not forward and drop the packet. And I am puzzled why you would want to set the next hop to its own interface, which is essentially not a valid configuration. If you want to forward differently than normal routing, that is what PBR is for and it needs a valid next hop. If you really want normal routing for the packet then why use PBR?

HTH

Rick

HTH

Rick

I originally had deny statements in the ACL that were not letting internal traffic be routed via the route map. The 3750 that I am using sends packets that match the deny statements to the CPU, which causes problems.

So, I want the ACL statements to look like this:

deny 10.3.2.0 0.0.0.255 10.0.0.0 0.255.255.255

permit 10.3.2.0 0.0.0.255 any

This makes the packets that are not destined for internal addresses get sent to the new address. It works, but with one host using this rule, the CPU hist ~70% utilization.

The above rules are an attempt to work around that limitation of the 3750. I am under a little bit of a time crunch, and I'm open to any suggestions on a better way to achieve this. I am attempting to change the default next-hop for only one vlan.

I dont have access to test lab, but if I remember correctly you can skip the "SET" clause in the route map permit statement and it should pass the traffic normally without any modification, so the permit statement 10 can only have the "MATCH" clause and that should do the job.

Than again, test it in a Lab or on GNS atleast.

Manish

The additional information is helpful. You can achieve what you want by having the first instance of the route map do the match and not have a set statement. That traffic will be routed normally. Then the second instance in the route map will policy route the desired traffic.

The config that you posted does a set IP next-hop. If what you want to change is really the default routing for the traffic that would be a slightly different set command.

HTH

Rick

Sent from Cisco Technical Support iPhone App

HTH

Rick
Review Cisco Networking for a $25 gift card