Solved: Policy Based Routing question

Craddockc · ‎06-25-2014

Hello community,

I have a static default route that sends all traffic on my network destined for the internet to our UTM device. This is a typical default route of 0.0.0.0 0.0.0.0 (next hop IP). However, I was wondering if there was a way through PBR to send traffic from a specific vlan (or ip subnet) to a different next hop IP than that of the UTM if there is no route in the routing table. I want all but one of my vlans to go to the UTM as a default route except for the one vlan (vlan 1) if there is no route in the routing table. I would also like to maintain inter vlan routing between these vlans as well. Is this possible with PBR? If so, how would the syntax go?

Would this work?

DLS1(config)#ip access-list extended PBR

DLS1(config-ext-nacl)#permit ip 10.10.0.0 0.0.255.255 0.0.0.0 0.0.0.0

DLS1(config)#route-map VLAN1

DLS1(config-route-map)#match ip address PBR

DLS1(config-route-map)#set ip next-hop 10.10.1.36

DLS1(config)#int vlan 1

DLS1(config-if)#ip policy route-map VLAN1

Thanks.

Chris.

Reza Sharifi · ‎06-25-2014

Chris,

PBR static routes have higher priority over static routes in the routing table. So, that should not be an issue.

Question:

So, vlan1 and other vlans need to access Internet using different default gateways?

HTH

View solution in original post

Reza Sharifi · ‎06-25-2014

Hi,

Try this link and test with IP default next-hop command.

http://www.cisco.com/c/en/us/support/docs/ip/ip-routed-protocols/47121-pbr-cmds-ce.html#casethree

HTH

Craddockc · ‎06-25-2014

Reza,

Thank you for this. This is very close to what I need I think. To clarify what Im saying is that on vlan 1, if there is no route in the routing table for the destination I want to policy route the traffic to a specific next hop. Although I am not sure that the static default route in the RT will override the PBR entry. I do not want that. Also, I am not sure how to specify the destination address as the destination address is "the internet." My default route in the RT just ships all that traffic to my Fortigate appliance and that handles all the traffic from there. How would I specify the destination network in this case?

Reza Sharifi · ‎06-25-2014

Chris,

PBR static routes have higher priority over static routes in the routing table. So, that should not be an issue.

Question:

So, vlan1 and other vlans need to access Internet using different default gateways?

HTH

Craddockc · ‎06-25-2014

Reza,

Yes in a fashion. We are currently cutting over to a new firewall, the new firewall will be the internet gateway for all vlans except vlan 1, whereas the old firewall (TMG server) will continue to be the firewall for vlan1 due to web publishing purposes etc. I think I figured it out though. on the vlan 1 SVI:

DLS1(config)#route-map VLAN1

DLS1(config-route-map)#set ip default next-hop 10.10.1.36

DLS1(config)#int vlan 1

DLS1(config-if)#ip policy route-map VLAN1

I wont set a match clause so itll apply to all traffic on VLAN 1. Now this statement basically says "If there is no specific match for this traffic in the routing table then ship it to 10.10.1.36. right? nd all other vlans will continue with business as usual with the 0.0.0.0 0.0.0.0 10.1.1.1 (the new firewall) in the regular routing table. Is this accurate?