Policy Based routing for more specific host
11-08-2017 05:08 PM - edited 03-08-2019 12:40 PM
Hi Everyone,
I have a network that looks somewhat like the attached. I have multiple hosts connected to the core switch, and the core switch by default forwards all traffic to R2. The static route for that is already there in the switch, which we cannot change.
I want only one client's traffic to be sent to R1. The host IP is 192.168.4.100. We don't want any other host of the 192.168 subnet to talk to R1 except 192.168.4.100.
I'm trying the below configuration in simulation, but when I implement it, it sends all traffic to R1.
ip access-list extended test
deny ip 192.168.0.0 0.0.255.255 any
permit ip host 192.168.4.100 any
permit ip any any
route-map net_access permit 10
match ip address test
set ip next-hop 192.168.1.245
int gi 1/1 (Interface going to R1 & R2) - Please confirm which interface I should use: either the SVI of each VLAN, the incoming trunk/access, or the outgoing trunk/access.
ip policy route-map net_access
Labels: Other Switching
11-08-2017 05:23 PM
In your ACL for PBR you can remove all deny statements and keep only the permit from the specific host to any.
Then your PBR has to be applied on the SVI (gateway of your hosts); in your case it's gonna be the SVI with IP 192.168.4.254.
In that particular subnet all hosts except 192.168.4.100 will use the default route.
For all other subnets, nothing has to be done.
Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
11-09-2017 03:33 AM - edited 11-09-2017 03:34 AM
Hello
ip access-list extended test
permit ip host 192.168.4.100 any
route-map net_access permit 10
match ip address test
set ip next-hop 192.168.1.245
Int xx
description LAn interface
ip policy route-map net_access
and/or
Int xx
description IP Host 100
ip policy route-map net_access <--- only applicable if not applied to lan interface
switchport protected
int x/x
description port to R1
switchport protected
res
Paul
Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.
Kind Regards
Paul
07-01-2020 09:25 AM
With PBR do I need a reverse route for the return traffic?
For example, I want traffic from host 10.245.20.39 destined to 173.219.143.100 to have a next hop of 4.30.164.150, and then I need reply traffic from 173.219.143.100 to take a specific route to make it back to 10.245.20.39. To do this, can I have two lines in the ACL used to identify the traffic for the PBR?
Is there a way to make a default PBR for only one host? If I wanted 10.245.20.39 going to any non-RFC1918 IP (public internet) to go to a specific next hop, can I do that and still have host 10.245.20.39 follow the normal routing table for all RFC1918 IPs?
Thank you.
07-01-2020 07:21 PM
When the internal host goes over a specific public IP, it gets NATed on this up, so the remote public service will return to that router. Then you'll need for sure a route from the next-hop router to return to your internal host.
You can have a PBR for only 1 host communicating with non-RFC1918 addresses.
Your ACL should deny all RFC1918 and allow anything else. This way it will work. What's your config which isn't working?
Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
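To show why the first answer's one-line ACL and the second answer's "deny RFC1918, permit the rest" ACL behave the way the thread describes, here is an added Python model of Cisco extended-ACL first-match evaluation as PBR uses it (example code written for this page, not from any of the posters or from Cisco IOS). The three ACLs and the next-hop addresses are taken from the posts above; the destination 8.8.8.8 and the host 192.168.4.50 are constructed sample values.

```python
import ipaddress

# Constructed model of how an extended ACL drives PBR on Cisco IOS: entries are
# evaluated top-down, first match wins, "permit" = policy-route with the route-map's
# next hop, "deny" (or no match at all) = fall through to the normal routing table.

def wildcard_to_network(ip, wildcard):
    """Cisco 'address wildcard' pair -> ip_network (the wildcard is an inverted netmask)."""
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{ip}/{netmask}", strict=False)

def parse_ace(line):
    """Parse 'permit|deny ip <src> <dst>' where each side is any | host A | A WILDCARD."""
    tokens = line.split()
    action, rest, nets = tokens[0], tokens[2:], []
    while rest:
        if rest[0] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0")); rest = rest[1:]
        elif rest[0] == "host":
            nets.append(ipaddress.ip_network(rest[1] + "/32")); rest = rest[2:]
        else:
            nets.append(wildcard_to_network(rest[0], rest[1])); rest = rest[2:]
    return action, nets[0], nets[1]

def pbr_next_hop(acl_lines, set_next_hop, src, dst):
    """Return the route-map next hop if the packet is policy-routed, else 'routing-table'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl_lines:
        action, src_net, dst_net = parse_ace(line)
        if s in src_net and d in dst_net:            # first matching entry decides
            return set_next_hop if action == "permit" else "routing-table"
    return "routing-table"                           # implicit deny at the end

# ACL from the original post: the deny for 192.168.0.0/16 shadows the host permit below it.
OP_ACL = ["deny ip 192.168.0.0 0.0.255.255 any",
          "permit ip host 192.168.4.100 any",
          "permit ip any any"]
# ACL from the first answer: only the one host is ever policy-routed.
FIXED_ACL = ["permit ip host 192.168.4.100 any"]
# Second answer's idea: deny RFC1918 destinations for the host, permit everything else.
PUBLIC_ONLY_ACL = ["deny ip host 10.245.20.39 10.0.0.0 0.255.255.255",
                   "deny ip host 10.245.20.39 172.16.0.0 0.15.255.255",
                   "deny ip host 10.245.20.39 192.168.0.0 0.0.255.255",
                   "permit ip host 10.245.20.39 any"]

if __name__ == "__main__":
    for acl, nh, src, dst in [(OP_ACL, "192.168.1.245", "192.168.4.100", "8.8.8.8"),
                              (FIXED_ACL, "192.168.1.245", "192.168.4.100", "8.8.8.8"),
                              (FIXED_ACL, "192.168.1.245", "192.168.4.50", "8.8.8.8"),
                              (PUBLIC_ONLY_ACL, "4.30.164.150", "10.245.20.39", "173.219.143.100"),
                              (PUBLIC_ONLY_ACL, "4.30.164.150", "10.245.20.39", "192.168.4.100")]:
        print(f"{src} -> {dst}: {pbr_next_hop(acl, nh, src, dst)}")
```

Running it shows the original ACL never policy-routes 192.168.4.100 (the deny line matches first) while the single-permit ACL sends only that host to 192.168.1.245, and the RFC1918-deny ACL policy-routes 10.245.20.39 to public destinations only.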
