06-24-2015 04:04 AM - edited 03-08-2019 12:41 AM
Hi There,
Thanks for reading my post :o)
Our company (Company A) is merging with another (Company B) and we currently have a private link between our data centres so we can access each others servers/services.
Some users from company B are coming to work in our office but instead of using our Internet link via our firewall they need to use company B's Internet link (via B's firewall). The reason for this is that during the transitional period they need to reach services that only B's public IP addresses are allowed for.
To overcome this problem I set up policy based routing which looked like it was working, but then when I removed the associated access list it caused a router to melt down!
Before attempting this again I'd like to get a second opinion regarding my configuration. Please could you check out the config below and give me feedback if you think it has the potential to cause problems? A concern I have is that the policy based routing will override all other routes if I use the ACL statement with destination 'any':
The same configuration has been added at each hop along the way to B's point of entry into their network - just the next hop changed accordingly -
ip local policy route-map B_INTERNET_OUT
route-map B_INTERNET_OUT permit 10
match ip address B_INTERNET
set ip next-hop 10.72.183.129
ip access-list extended B_INTERNET
permit ip 10.122.37.0 0.0.0.255 any
I also tried with a single specific destination route to 8.8.8.8 - this worked fine and directed the traffic via B's firewall without issue whilst leaving all other traffic to use our routing table.
Do I need to make the 'any' route somehow allow all the other routes in the routing table, apart from our company's (A) default route, to be used before resorting to the PBR default route? How can I do this please?
Many thanks,
Andy
06-24-2015 04:54 AM
Hi Andy,
To overcome this problem I set up policy based routing which looked like it was working but then when i removed the associated access list it caused a router to melt down!
I believe that this has happened because without an existing ACL, the route-map used for PBR became applicable to all traffic indiscriminately. The proper way is always first to remove the command that activates the PBR, and only then to modify the route-map or the referenced ACL.
A concern I have is that the policy based routing will override all other routes if I use the ACL statement with destination 'any':
In general, PBR always overrides routes in the routing table - that is its purpose. This does not change with the way the ACL is written. What changes is for which packets the routing table entries are overridden. If you have an ACL in the form of permit ip <some source> any, then for all packets from the <some source>, regardless of their true destination, you're forcing them to go the way you have specified in the route-map.
So I am not quite sure at this point what exactly you are concerned about.
The same configuration has been added at each hop along the way to B's point of entry into their network
Just wondering - would it not have been easier to configure a point-to-point GRE tunnel between the router to which the 10.122.37.0/24 network is connected and some router in B's network, and configure the PBR just on the router where the 10.122.37.0/24 is connected to forward all packets through that tunnel? In such a case, you would need only two routers running PBR - the GRE tunnel endpoints.
ip local policy route-map B_INTERNET_OUT
route-map B_INTERNET_OUT permit 10
match ip address B_INTERNET
set ip next-hop 10.72.183.129
ip access-list extended B_INTERNET
permit ip 10.122.37.0 0.0.0.255 any
I suppose you are aware of that but this PBR configuration does not apply to packets routed through this router but rather only to packets originated by this router. PBR for packets routed through this router is activated in the incoming interface using the ip policy route-map command.
Do I need to make the 'any' route somehow allow all the other routes in the routing table apart from our company's (A) default route be used before resorting to using the PBR default route?
I think you are asking how to make sure that apart from the network 10.122.37.0/24, all other subnets and routes in your network continue to use the normal routing tables. Don't worry, your configuration is already done that way. The ACL affects only packets sourced from 10.122.37.0/24. All other packets sourced from other networks will be routed according to the normal routing table.
Feel welcome to ask further!
Best regards,
Peter
06-24-2015 05:05 AM
Andy
Peter makes some good points, especially about the fact that when you configure ip local policy it only applies to packets generated by the router itself. I believe that to accomplish what you need you should configure the policy on the inbound interface where the traffic will be received.
If I am understanding your situation correctly I believe that you would achieve the results better if you use set ip default next-hop instead of set ip next-hop. When you set ip next-hop then PBR will route all the packets that are permitted by the access list. But if you set ip default next-hop then PBR will allow normal routing for packets that have a match in the routing table and only do the special routing for packets that are forwarded using the default route (which would be the traffic going to the Internet if I am correctly understanding your environment). See this link for more detail.
http://www.cisco.com/c/en/us/support/docs/ip/ip-routed-protocols/47121-pbr-cmds-ce.html
HTH
Rick
06-24-2015 06:26 AM
Hi Rick,
Thanks for your response also.
I've just added to the post to Peter - I think I left a bit of ambiguity which I have tried to straighten out. To save cluttering the post I haven't reiterated it here, but I would really appreciate your views if you could check out the clarification I added.
Kind regards,
Andy
11-09-2015 11:13 AM
Hi,
interface GigabitEthernet0/0/0
ip policy route-map KNSGTN_INTERNET_OUT
route-map KNSGTN_INTERNET_OUT permit 10
match ip address 100
set ip default next-hop 10.72.183.129
route-map KNSGTN_INTERNET_OUT permit 20
match ip address 110
set ip next-hop 10.72.183.129
ip access-list extended 100
permit ip 10.122.37.0 0.0.0.255 10.122.0.0 0.0.127.255
ip access-list extended 110
permit ip 10.122.37.0 0.0.0.255 any
hope it will be helpful...
regards,
Moin
06-24-2015 06:32 AM
Hi Rick.
I'll check out the link.
The use of the routing table is what I want, but I'm not sure how this will work unless perhaps I can use multiple clauses to specify the outcome.
Cheers,
06-24-2015 07:01 AM
Hi Rick,
I've added a deny statement - do you think this would work?
ip local policy route-map B_INTERNET_OUT
route-map B_INTERNET_OUT permit 10
match ip address B_INTERNET
set ip next-hop 10.72.183.129
ip access-list extended B_INTERNET
deny ip 10.122.37.0 0.0.0.255 10.122.0.0 0.0.127.255
permit ip 10.122.37.0 0.0.0.255 any
thank you,
Andy
06-25-2015 03:40 AM
Thanks all,
The solution of using the 'set ip default next-hop x.x.x.x' command worked perfectly.
interface GigabitEthernet0/0/0
ip policy route-map KNSGTN_INTERNET_OUT
route-map KNSGTN_INTERNET_OUT permit 10
match ip address KNSGTN_INTERNET
set ip default next-hop 10.72.183.129
ip access-list extended KNSGTN_INTERNET
permit ip 10.122.37.0 0.0.0.255 any
cheers,
Andy
06-25-2015 04:18 AM
Andy
Glad to know that the set ip default next-hop did work for you. Thanks for posting back to the forum to confirm that. It may help other readers in the forum to know that this solution did work. And thanks for the ratings.
HTH
Rick
06-24-2015 06:22 AM
Hi Peter,
Thanks for your response.
Apologies - I don't think I outlined the problem as clearly as I could have.
Essentially I want all users on the 10.122.37.0/24 network to use the ordinary local internal routing table unless they are making a connection to the Internet. For that particular scenario I would like the traffic to take a specific path to the gateway for Company B (their firewall). Once the traffic is in their network it will be routed to the Internet as desired.
I think i may have a solution to this now however:
What I'm wondering is - if I specify 'deny' statements in the access-list for the route-map for all the company 'A' internal traffic (10.122.0.0/17), then will this mean that the PBR isn't applied for this internal traffic? (This is what I want.) If so, then would a permit statement for all other traffic (placed below the local traffic deny statement) result in the route-map being applied for everything else (i.e. all other traffic)? Do you think this would work? I.e. would this result in local traffic being ignored by the route-map and non-local (public) traffic being controlled by the route-map, i.e. being sent to the defined next hops?
Thank you,
Andy
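The following is an added example, not code from the thread: a small Python model of the PBR decision logic that Rick describes (set ip next-hop versus set ip default next-hop) and of the deny-before-permit ACL that Andy asks about above. It reuses the addresses from the posts (10.122.37.0/24, 10.122.0.0/17, next hop 10.72.183.129); the routing table contents, the other next hops and the /25 on the link toward B are assumptions, since the thread never shows Company A's routing table.

```python
"""
Added example, not from the thread: a model of Cisco PBR decision logic
showing why 'set ip next-hop' with a 'permit ... any' ACL sends internal
traffic to B's firewall, why 'set ip default next-hop' does not, and why a
deny entry for 10.122.0.0/17 ahead of the permit also keeps internal
traffic on the normal routing table. The RIB below is constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class AclEntry:
    """One line of an IOS extended ACL: permit/deny, source, destination."""
    permit: bool
    src: str
    src_wc: str   # Cisco wildcard: bit 1 = don't care, bit 0 = must match
    dst: str
    dst_wc: str


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard-mask comparison (the inverse of a netmask)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_permits(acl, src: str, dst: str) -> bool:
    """First-match evaluation with the implicit deny at the end of every ACL."""
    for e in acl:
        if wildcard_match(src, e.src, e.src_wc) and wildcard_match(dst, e.dst, e.dst_wc):
            return e.permit
    return False


def rib_lookup(rib, dst: str):
    """Longest-prefix match; returns (network, next_hop) or None."""
    d = ipaddress.IPv4Address(dst)
    best = None
    for prefix, next_hop in rib:
        net = ipaddress.IPv4Network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def forward(rib, acl, src: str, dst: str, pbr_next_hop: str, mode: str):
    """
    Return the next hop a packet src->dst takes.

    mode 'next-hop':         'set ip next-hop' - PBR wins whenever the ACL permits.
    mode 'default-next-hop': 'set ip default next-hop' - PBR is used only when the RIB
                             has nothing more specific than the default route (or no
                             route at all); an explicit route always wins.
    Packets the ACL does not permit fall through to normal routing.
    """
    route = rib_lookup(rib, dst)
    if acl_permits(acl, src, dst):
        if mode == "next-hop":
            return pbr_next_hop
        if mode == "default-next-hop" and (route is None or route[0].prefixlen == 0):
            return pbr_next_hop
    return None if route is None else route[1]


# Constructed RIB for the Company A router at the edge of 10.122.37.0/24.
# Only 10.122.0.0/17, 10.122.37.0/24 and 10.72.183.129 come from the thread;
# the other next hops and the /25 on the B link are assumptions.
RIB = [
    ("10.122.0.0/17", "10.122.1.1"),              # Company A internal summary
    ("10.122.37.0/24", "directly connected"),
    ("10.72.183.128/25", "directly connected"),   # link toward B's router
    ("0.0.0.0/0", "10.122.255.1"),                # Company A's own Internet default
]
B_FIREWALL = "10.72.183.129"
ANY = ("0.0.0.0", "255.255.255.255")

# permit ip 10.122.37.0 0.0.0.255 any
ACL_ANY = [AclEntry(True, "10.122.37.0", "0.0.0.255", *ANY)]

# Andy's variant: deny A-internal destinations first, then permit everything else
ACL_WITH_DENY = [
    AclEntry(False, "10.122.37.0", "0.0.0.255", "10.122.0.0", "0.0.127.255"),
    AclEntry(True, "10.122.37.0", "0.0.0.255", *ANY),
]


if __name__ == "__main__":
    cases = [
        ("10.122.37.10", "8.8.8.8"),       # B user -> Internet
        ("10.122.37.10", "10.122.50.5"),   # B user -> Company A internal host
        ("10.122.40.10", "8.8.8.8"),       # ordinary A user -> Internet (not in ACL)
    ]
    for label, acl, mode in [("set ip next-hop", ACL_ANY, "next-hop"),
                             ("set ip default next-hop", ACL_ANY, "default-next-hop"),
                             ("deny 10.122.0.0/17 + set ip next-hop", ACL_WITH_DENY, "next-hop")]:
        print(f"== {label} ==")
        for src, dst in cases:
            print(f"  {src} -> {dst}: via {forward(RIB, acl, src, dst, B_FIREWALL, mode)}")
```

Run as a script it prints the next hop for each case under each policy: with set ip next-hop and the permit-any ACL, the packet to 10.122.50.5 goes to 10.72.183.129 even though the router has a route for 10.122.0.0/17, which is the behaviour Andy saw; with set ip default next-hop, or with the deny entry ahead of the permit, that packet follows the /17 route and only the 8.8.8.8 traffic is steered to B's firewall. On a real router the equivalent check is show route-map <name>, whose policy routing match counters should increase only for the traffic you intended to redirect.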