Policy Based Routing and Changing the Default Route to the Internet for only one Subnet

andy roles
Level 1

Hi There,

Thanks for reading my post :o)

Our company (Company A) is merging with another (Company B) and we currently have a private link between our data centres so we can access each others servers/services.

Some users from company B are coming to work in our office but instead of using our Internet link via our firewall they need to use company B's Internet link (via B's firewall). The reason for this is that during the transitional period they need to reach services that only B's public IP addresses are allowed for.

To overcome this problem I set up policy based routing which looked like it was working, but then when I removed the associated access list it caused a router to melt down!

Before attempting this again I'd like to get a second opinion regarding my configuration. Please could you check out the configuration below and give me feedback if you think it has the potential to cause problems? A concern I have is that the policy based routing will override all other routes if I use the ACL statement with destination 'any':

The same configuration has been added at each hop along the way to B's point of entry into their network - just the next hop changed accordingly:

ip local policy route-map B_INTERNET_OUT

route-map B_INTERNET_OUT permit 10
 match ip address B_INTERNET
 set ip next-hop 10.72.183.129

ip access-list extended B_INTERNET
 permit ip 10.122.37.0 0.0.0.255 any

 

I also tried with a single specific destination route to 8.8.8.8 - this worked fine and directed the traffic via B's firewall without issue whilst leaving all other traffic to use our routing table.

Do I need to make the 'any' route somehow allow all the other routes in the routing table apart from our company's (A) default route to be used before resorting to using the PBR default route? How can I do this please?

Many thanks,

Andy


Peter Paluch
Cisco Employee

Hi Andy,

To overcome this problem I set up policy based routing which looked like it was working but then when i removed the associated access list it caused a router to melt down!

I believe that this has happened because without an existing ACL, the route-map used for PBR became applicable to all traffic indiscriminately. The proper way is always first to remove the command that activates the PBR, only then modify the route-map or the referenced ACL.

A concern I have is that the policy based routing will override all other routes if I use the ACL statement with destination 'any':

In general, PBR always overrides routes in the routing table - that is its purpose. This does not change with the way the ACL is written. What changes is for which packets the routing table entries are overridden. If you have an ACL in the form of permit ip <some source> any then for all packets from the <some source>, regardless of what their true destination is, you're forcing them to go the way you have specified in the route-map.

So I am not quite sure at this point what exactly you are concerned about.

The same configuration has been added at each hop along the way to B's point of entry into their network

Just wondering - would it not have been easier to configure a point-to-point GRE tunnel between the router to which the 10.122.37.0/24 network is connected and some router in B's network, and configure the PBR just on the router where the 10.122.30.0/24 is connected to forward all packets through that tunnel? In such a case, you would need only two routers running PBR - the GRE tunnel endpoints.

ip local policy route-map B_INTERNET_OUT

route-map B_INTERNET_OUT permit 10
 match ip address B_INTERNET
 set ip next-hop 10.72.183.129

ip access-list extended B_INTERNET
 permit ip 10.122.37.0 0.0.0.255 any


I suppose you are aware of this, but this PBR configuration does not apply to packets routed through this router, only to packets originated by this router. PBR for packets routed through this router is activated on the incoming interface using the ip policy route-map command.

Do I need to make the 'any' route somehow allow all the other routes in the routing table apart from our company's (A) default route be used before resorting to using the PBR default route?

I think you are asking how to make sure that apart from the network 10.122.37.0/24, all other subnets and routes in your network continue to use the normal routing tables. Don't worry, your configuration is already done that way. The ACL affects only packets sourced from 10.122.37.0/24. All other packets sourced from other networks will be routed according to the normal routing table.

Feel welcome to ask further!

Best regards,
Peter

Andy

Peter makes some good points, especially about the fact that when you configure ip local policy it only applies to packets generated by the router itself. I believe that to accomplish what you need you should configure the policy on the inbound interface where the traffic will be received.

If I am understanding your situation correctly I believe that you would achieve the results better if you use set ip default next-hop instead of set ip next-hop. When you set ip next-hop then PBR will route all the packets that are permitted by the access list. But if you set ip default next-hop then PBR will allow normal routing for packets that have a match in the routing table and only do the special routing for packets that are forwarded using the default route (which would be the traffic going to the Internet if I am correctly understanding your environment). See this link for more detail.

http://www.cisco.com/c/en/us/support/docs/ip/ip-routed-protocols/47121-pbr-cmds-ce.html

HTH

Rick

Hi Rick,

Thanks for your response also.

I've just added to the post to Peter - I think I left a bit of ambiguity which I have tried to straighten out. To save cluttering the post I haven't reiterated here, but I would really appreciate your views if you could check out the clarification I added.

Kind regards,

Andy

Hi,

interface GigabitEthernet0/0/0
ip policy route-map KNSGTN_INTERNET_OUT

route-map KNSGTN_INTERNET_OUT permit 10
 match ip address 100
 set ip default next-hop 10.72.183.129
route-map KNSGTN_INTERNET_OUT permit 20
 match ip address 110
 set ip next-hop 10.72.183.129

ip access-list extended 100
 permit ip 10.122.37.0 0.0.0.255 10.122.0.0 0.0.127.255
ip access-list extended 110
 permit ip 10.122.37.0 0.0.0.255 any

Hope it will be helpful...
Regards,

Moin

Hi Rick,

I'll check out the link.

The use of the routing table is what I want, but I'm not sure how this will work unless perhaps I can use multiple clauses to specify the outcome.

Cheers,

Hi Rick,

I've added a deny statement - do you think this would work?

ip local policy route-map B_INTERNET_OUT

route-map B_INTERNET_OUT permit 10
 match ip address B_INTERNET
 set ip next-hop 10.72.183.129

ip access-list extended B_INTERNET
 deny ip 10.122.37.0 0.0.0.255 10.122.0.0 0.0.127.255
 permit ip 10.122.37.0 0.0.0.255 any

Thank you,

Andy

 


Thanks all,

The solution of using the 'set ip default next-hop x.x.x.x' command worked perfectly.

interface GigabitEthernet0/0/0
ip policy route-map KNSGTN_INTERNET_OUT

route-map KNSGTN_INTERNET_OUT permit 10
 match ip address KNSGTN_INTERNET
 set ip default next-hop 10.72.183.129

ip access-list extended KNSGTN_INTERNET
 permit ip 10.122.37.0 0.0.0.255 any

Cheers,

Andy
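The forwarding decision the thread turns on, modelled as an added Python simulation (not configuration or code from the thread or from Cisco): it compares set ip next-hop with set ip default next-hop for a packet arriving on an interface with ip policy route-map, and also shows why Andy's deny-first ACL keeps Company A's internal traffic on the normal routing table. The routing table entries and the next hops 10.122.0.1 and 10.1.1.1 are constructed assumptions; only 10.122.0.0/17, 10.122.37.0/24 and 10.72.183.129 come from the thread.

```python
import ipaddress
# Constructed routing table for Company A's router. 10.122.0.0/17 (A's internal
# range), the 10.72.183.x link and the default route come from the thread; the
# next hops 10.122.0.1 and 10.1.1.1 are made-up placeholders.
RIB = {
    "10.122.0.0/17": "10.122.0.1",    # Company A internal networks
    "10.72.183.0/25": "10.72.183.1",  # link towards Company B
    "0.0.0.0/0": "10.1.1.1",          # Company A default route (A's firewall)
}
B_NEXT_HOP = "10.72.183.129"  # next hop used in the thread's route-maps

def wc(addr, wildcard):
    """Turn an IOS address/wildcard pair into a network (ipaddress accepts host masks)."""
    return ipaddress.ip_network(f"{addr}/{wildcard}")
ANY = ipaddress.ip_network("0.0.0.0/0")
# ACL from the original post: permit ip 10.122.37.0 0.0.0.255 any
ACL_PERMIT_ANY = [("permit", wc("10.122.37.0", "0.0.0.255"), ANY)]
# ACL from Andy's follow-up: deny A-internal destinations first, then permit any
ACL_DENY_INTERNAL = [
    ("deny", wc("10.122.37.0", "0.0.0.255"), wc("10.122.0.0", "0.0.127.255")),
    ("permit", wc("10.122.37.0", "0.0.0.255"), ANY),
]

def acl_permits(acl, src, dst):
    """First-match ACL evaluation with the implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False

def rib_lookup(dst):
    """Longest-prefix match; returns (matched prefix, next hop)."""
    d = ipaddress.ip_address(dst)
    best = max((ipaddress.ip_network(p) for p in RIB if d in ipaddress.ip_network(p)),
               key=lambda n: n.prefixlen)
    return str(best), RIB[str(best)]

def forward(src, dst, acl, set_cmd):
    """Next hop for a packet arriving on an interface with 'ip policy route-map'.
    set_cmd is 'next-hop' or 'default next-hop', the two commands the thread compares."""
    prefix, rib_hop = rib_lookup(dst)
    if not acl_permits(acl, src, dst):
        return rib_hop                 # clause not matched: normal routing
    if set_cmd == "next-hop":
        return B_NEXT_HOP              # PBR overrides the routing table outright
    # 'set ip default next-hop': PBR applies only when the RIB offers nothing better
    # than the default route, so A-internal destinations keep their normal path
    return B_NEXT_HOP if prefix == "0.0.0.0/0" else rib_hop
```

With ACL_PERMIT_ANY and 'next-hop', even traffic from 10.122.37.0/24 to other A-internal subnets is sent towards B, which is the behaviour Andy saw; 'default next-hop' or the deny-first ACL both leave that traffic on the normal path while Internet-bound packets go to 10.72.183.129.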

 

Andy

Glad to know that the set ip default next-hop did work for you. Thanks for posting back to the forum to confirm that. It may help other readers in the forum to know that this solution did work. And thanks for the ratings.

HTH

Rick

Hi Peter,

Thanks for your response.

Apologies - I don't think I outlined the problem as clearly as I could have.

Essentially I want all users on the 10.122.37.0/24 network to use the ordinary local internal routing table unless they are making a connection to the Internet. For that particular scenario I would like the traffic to take a specific path to the gateway for Company B (their firewall). Once the traffic is in their network it will be routed to the Internet as desired.

I think I may have a solution to this now however:

What I'm wondering is - if I specify 'deny statements' in the access-list for the route-map for all the company 'A' internal traffic (10.122.0.0/17), then will this mean that the PBR isn't applied for this internal traffic? (This is what I want.) If so, then would an allow statement for all other traffic (placed below the local traffic deny statement) result in the route-map being applied for everything else (i.e. all other traffic)? Do you think this would work? i.e. would this result in local traffic being ignored by the route-map and non-local (public) traffic being controlled by the route-map, i.e. being sent to the defined next hops?

Thank you,

Andy

 


 

Hello Peter, you seem to be very knowledgeable about policy based routing. Could you please help me with my problem?

Cheers David