Policy Routing multiple default routes

scott.hammond
Level 1

6513 with sup 720's on Version 12.2(18)SXE2

I have a default route but I want to start using a second internet pipe, for certain segments.

Essentially I would like particular SVIs to use default route A and the rest of the SVIs to use default route B. I have tried various flavors of route maps and can't seem to get it working... I can next-hop it easily enough but that locks me out of any internal network.

I do not want to load balance.

Any thoughts?

10 Replies

IAN WHITMORE
Level 4

Can you show us what you have tried? It should be possible just adding the right route-map to the SVIs in question and leaving a default route for the rest.

Regards,

Ian

Config below with the "or" as other things I tried on those items

interface Vlan110 <-----the SVI to the new internet pipe I want to use...firewall is 10.60.110.2
description pix 525 web
ip address 10.60.110.3 255.255.255.0
ip route-cache flow

interface Vlan154
ip address 10.60.54.3 255.255.255.0
ip helper-address 10.60.6.119
ip policy route-map www
standby ip 10.60.54.1
standby priority 110
standby preempt

route-map www permit 10
match ip address www
set default interface Vlan110 <--this didn't work, used the default route

or

set ip next-hop 10.60.110.2 <-- this sends me out the new pipe but locks me down from internal networks

ip access-list extended www
permit ip host 10.60.54.69 any

or

permit ip host 10.60.54.69 host 0.0.0.0 <--this never had a hit

ip route 0.0.0.0 0.0.0.0 10.60.1.9

Try this:

route-map www permit 10
match ip address www

set ip next-hop 10.60.110.2

route-map www permit 20

Regards,

Ian

yeah that's basically what I had before, only without the trailing "route-map www permit 20"

that matches all traffic from my test host and sets the next hop as the firewall. So it sends 100% of the traffic from my host to the firewall, and it passes the www traffic just fine but it drops any of the internal traffic...as it should.

So I suppose I could do some ugly summarizations and match internal traffic, keeping it inside and then next hop the rest.

could that be as easy as

ip access-list extended www
deny ip host 10.60.54.69 10.0.0.0 255.0.0.0

deny ip host 10.60.54.69 192.168.0.0 255.255.0.0

permit ip host 10.60.54.69 any

I wonder if that would work

It should (except don't forget to use wildcard masks). The deny statements just tell it not to policy route that traffic.

Regards,

Ian

Hi,

in the route-map used for PBR, if you match a permit statement in the ACL then you policy route, and otherwise you route according to the routing table.

So there is no need for deny statements because all that is not explicitly permitted will not be policy routed.

Regards.

Alain.

Don't forget to rate helpful posts.

yeah I know, but I have to work it backwards right....

I can't write a permit statement for every segment on the internet, so I will deny internal networks and then permit any.

Or at least I will try, rewriting the acl now

ip access-list exten www
deny ip host 10.60.54.69 10.0.0.0 0.255.255.255
deny ip host 10.60.54.69 128.0.0.0 0.255.255.255
deny ip host 10.60.54.69 192.168.0.0 0.0.255.255
permit ip host 10.60.54.69 any

worked perfectly!!!

(yes we have some 128 addy's internal, don't ask)

thanks for getting me in the right direction guys!
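To make the behaviour the thread converged on explicit, here is an added Python model of how an IOS extended ACL and `ip policy route-map` interact: a `permit` hit is policy routed to the next hop, a `deny` hit or no match is left to the normal routing table, and `host 0.0.0.0` only ever matches a destination of exactly 0.0.0.0 (which is why that earlier ACE never had a hit). This is example code written for this page, not anything from the thread or from Cisco; the ACL, the 10.60.110.2 next hop and the 10.60.1.9 default route are the ones posted above, while the 10.0.0.0/8 and 192.168.0.0/16 routing-table entries via 10.60.1.1 are assumed placeholders for the internal network.

```python
import ipaddress

# Constructed model of IOS extended-ACL matching plus PBR fall-through.
# Addresses and the ACL come from the thread; the RIB entries for
# 10.0.0.0/8 and 192.168.0.0/16 are assumptions for the internal network.

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care'.
    0.0.0.0 = exact host, 255.255.255.255 = any."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(network) & care)

def _parse_spec(tokens, i):
    """Parse one address spec at tokens[i]; return ((network, wildcard), next_index)."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2

def parse_acl(lines):
    """Parse 'permit|deny ip <src> <dst>' ACEs into (action, src, dst) tuples."""
    entries = []
    for line in lines:
        t = line.split()
        if t[0] not in ("permit", "deny") or t[1] != "ip":
            raise ValueError("unsupported ACE: " + line)
        src, i = _parse_spec(t, 2)
        dst, _ = _parse_spec(t, i)
        entries.append((t[0], src, dst))
    return entries

def acl_lookup(acl, src, dst):
    """First-match evaluation: 'permit', 'deny', or None for the implicit deny."""
    for action, (snet, swc), (dnet, dwc) in acl:
        if wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc):
            return action
    return None

def rib_lookup(rib, dst):
    """Longest-prefix match over (prefix, next_hop) pairs."""
    best = None
    d = ipaddress.IPv4Address(dst)
    for prefix, nh in rib:
        net = ipaddress.IPv4Network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None

# The final ACL from the thread: internal ranges are denied (not policy
# routed), everything else from the test host is permitted (policy routed).
WWW_ACL = parse_acl([
    "deny ip host 10.60.54.69 10.0.0.0 0.255.255.255",
    "deny ip host 10.60.54.69 128.0.0.0 0.255.255.255",
    "deny ip host 10.60.54.69 192.168.0.0 0.0.255.255",
    "permit ip host 10.60.54.69 any",
])

PBR_NEXT_HOP = "10.60.110.2"   # 'set ip next-hop' in route-map www seq 10

RIB = [
    ("10.60.54.0/24", "connected Vlan154"),
    ("10.60.110.0/24", "connected Vlan110"),
    ("10.0.0.0/8", "10.60.1.1"),        # assumed internal summary route
    ("192.168.0.0/16", "10.60.1.1"),    # assumed internal summary route
    ("0.0.0.0/0", "10.60.1.9"),         # the thread's existing default route
]

def forward(src, dst, acl=WWW_ACL, rib=RIB):
    """Model 'ip policy route-map www' on the ingress SVI: only an ACL permit
    is policy routed; a deny or no match falls through to the routing table."""
    if acl_lookup(acl, src, dst) == "permit":
        return ("pbr", PBR_NEXT_HOP)
    return ("rib", rib_lookup(rib, dst))

if __name__ == "__main__":
    for s, d in [("10.60.54.69", "198.51.100.10"),   # internet: policy routed
                 ("10.60.54.69", "10.60.6.119"),     # internal: normal routing
                 ("10.60.54.70", "198.51.100.10")]:  # other host: untouched
        print(s, "->", d, forward(s, d))
```

Running it shows the test host reaching internet destinations via 10.60.110.2 while its internal traffic and every other host's traffic still follow the routing table, which is exactly the split the original question asked for.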

No worries man. Glad we helped.

Regards,

Ian

Back to basics Ian (talking to myself). Thanks Alain for correcting me.