Policy Based Routing - 3650

matthewceroni
Level 1

I am trying to set up a PBR to route only specific traffic through a new ASA that I am attempting to build out.

All 2960 switches connect up to a 3560 that has a SVI for each VLAN (with intervlan routing). The default route set on the 3560 is 172.16.254.1 (the old ASA).

For VLAN 102 I want to send all traffic not destined for 192.168.2.0/24, 192.168.21.0/24, 10.0.0.0/8, 192.168.7.0/24, 192.168.5.0/24, 192.168.4.0/24, 192.168.3.0/24 through the new ASA. So for all destinations not listed above the new default gateway or next hop should be 192.168.100.2, otherwise stick with the default gateway set in the standard IP route table (172.16.254.1).

Where I am getting confused is on the permit/deny in the ACL and on the route-map itself.

Also not sure about the ip next-hop and default next-hop. Don't both of those apply to the match clause? Or is the default next-hop the default if the match clause doesn't match? I took that approach and therefore I defined my extended ACL as such:

     10 deny ip any 192.168.2.0 0.0.0.255

     20 deny ip any 192.168.21.0 0.0.0.255 (and so forth)

Then I created my route map as such:

route-map newasa, permit, sequence 10

     Match clauses:

          ip address (access-lists): 110

     Set clauses

          ip next-hop 192.168.100.2

My assumption was that since the ACL was deny, that was like negation, so the match clause wouldn't match the address ranges I listed and would therefore not apply the next-hop and instead use the default gateway set in the standard IP route table. Anything else outside of the ranges in the ACL would match and therefore the next-hop would be 192.168.100.2. But that still seems to route everything through the default of 172.16.254.1.

Thanks

2 Replies

cadet alain
VIP Alumni

Hi,

Can you try this:

Modify your ACL 110, changing deny to permit.

route-map newasa permit 10

match ip address 110

set ip default next-hop 192.168.100.2

route-map newasa permit 20

set ip default next-hop 192.168.100.2

Note: this will only work if you have no more specific routes for the destination subnets. I have not tested it, but it should work.

Regards

Alain

Don't forget to rate helpful posts.

Couple of things here.

Should the default next-hop differ? What I think you are trying to define is: anything that matches the ACL (the IP ranges I listed above) sets the default next hop to 172.16.154.1 (which is the current ASA that I want that traffic to go through). Otherwise, go through 192.168.100.2.

I tried what you had above, but when I apply it to the interface I get "Route-map newasa not supported for Policy Based Routing". Some research on this seems to indicate that I have specified an unsupported command for the route map.
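Added example (not from the thread and not Cisco code): a small Python model of how IOS evaluates a PBR route-map, using the subnets and next hops from the question and the reply above. Two IOS rules decide this thread. First, a deny ACE in an ACL referenced by "match ip address" only means "this sequence does not match"; it never negates, and an ACL made up solely of deny ACEs ends in the implicit deny, so the sequence matches nothing and every packet falls through to normal destination-based routing (the 172.16.254.1 behaviour described in the question). Second, "set ip default next-hop" is consulted only when the routing table holds nothing more specific than the default route for the destination, which is the condition the reply's note is about. The routing table below is constructed for the example (three of the exception subnets as connected SVIs on the 3560, 10.0.0.0/8 reachable only through the default route); the thread does not give the real one. The model covers only match/set semantics, not which set commands a particular Catalyst platform accepts in hardware PBR, so it says nothing about the "not supported" error in the last post.

```python
import ipaddress

# Constructed model of IOS policy-based routing evaluation (added example, not
# Cisco code): an extended ACL referenced by "match ip address", route-map
# sequences tried in order, and the routing table consulted by longest-prefix
# match. Subnets and next hops are the ones from the thread.

OLD_ASA = "172.16.254.1"   # ip route 0.0.0.0 0.0.0.0 172.16.254.1 on the 3560
NEW_ASA = "192.168.100.2"  # where everything not in the exception list should go

EXCEPTIONS = ["192.168.2.0/24", "192.168.21.0/24", "10.0.0.0/8", "192.168.7.0/24",
              "192.168.5.0/24", "192.168.4.0/24", "192.168.3.0/24"]

# Constructed routing table: some exception subnets are SVIs on the 3560
# (connected); 10.0.0.0/8 deliberately has no entry, so only the default
# route covers it. The thread does not show the real table.
RIB = [("0.0.0.0/0", OLD_ASA),
       ("192.168.2.0/24", "connected"),
       ("192.168.21.0/24", "connected"),
       ("192.168.3.0/24", "connected")]

def acl_permits(acl, dst):
    """First ACE whose destination covers dst decides. A deny ACE, like the
    implicit deny at the end, makes the route-map match FAIL; it never negates."""
    addr = ipaddress.ip_address(dst)
    for action, net in acl:
        if addr in ipaddress.ip_network(net):
            return action == "permit"
    return False

def rib_lookup(rib, dst):
    """Longest-prefix match; returns (network, next_hop) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in rib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best

def forward(route_map, rib, dst):
    """Next hop chosen for a packet to dst: the first matching sequence wins."""
    for seq in route_map:
        if seq["match"] is not None and not acl_permits(seq["match"], dst):
            continue                      # no match: try the next sequence
        route = rib_lookup(rib, dst)
        if seq["set"] == "ip next-hop":
            return seq["value"]           # applied regardless of the routing table
        # "ip default next-hop": used only when the RIB holds nothing more
        # specific than the default route for this destination
        if route is None or route[0].prefixlen == 0:
            return seq["value"]
        return route[1]
    route = rib_lookup(rib, dst)          # nothing matched: normal routing
    return route[1] if route else None

# 1. The question: ACL 110 holds only deny ACEs, seq 10 sets ip next-hop.
ACL110_DENY_ONLY = [("deny", n) for n in EXCEPTIONS]
RM_ORIGINAL = [{"match": ACL110_DENY_ONLY, "set": "ip next-hop", "value": NEW_ASA}]

# 2. The reply: deny changed to permit, default next-hop in seq 10 and in a
#    catch-all seq 20 with no match clause.
ACL110_PERMIT = [("permit", n) for n in EXCEPTIONS]
RM_REPLY = [{"match": ACL110_PERMIT, "set": "ip default next-hop", "value": NEW_ASA},
            {"match": None, "set": "ip default next-hop", "value": NEW_ASA}]

# 3. The deny list from the question with a trailing "permit ip any any"
#    (0.0.0.0/0 here), so non-excepted destinations actually match seq 10.
ACL110_DENY_THEN_ANY = ACL110_DENY_ONLY + [("permit", "0.0.0.0/0")]
RM_DENY_THEN_ANY = [{"match": ACL110_DENY_THEN_ANY, "set": "ip next-hop", "value": NEW_ASA}]

# Constructed sample destinations: Internet, a connected exception subnet,
# and an exception subnet that only the default route covers.
SAMPLE_DESTINATIONS = ["8.8.8.8", "192.168.2.5", "10.1.1.1"]

def table(route_map):
    """Map each sample destination to the next hop the model picks."""
    return {dst: forward(route_map, RIB, dst) for dst in SAMPLE_DESTINATIONS}

if __name__ == "__main__":
    for name, rm in [("question", RM_ORIGINAL), ("reply", RM_REPLY),
                     ("deny list + permit any", RM_DENY_THEN_ANY)]:
        print(name, table(rm))
```

Running it shows the three behaviours side by side: with the deny-only ACL every destination, 8.8.8.8 included, goes to 172.16.254.1; with the reply's configuration 8.8.8.8 goes to 192.168.100.2 and 192.168.2.5 stays on its connected SVI, but 10.1.1.1 also goes to 192.168.100.2 because the constructed table has no specific route for 10.0.0.0/8 (the caveat in the reply's note); with the deny list followed by a permit-any ACE, only non-excepted destinations are steered to 192.168.100.2 and the excepted ones follow the routing table.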