Hello Giuseppe
What about if the next hop is unavailable? Without any verification wouldn't the router just keep on trying to PBR to these next hop addresses thus causing unwarranted arps?

Res
Paul


Sent from Cisco Technical Support iPad App

Hello Paul,

if next-hop is not available and the device is not able to detect it and it has still information to perform packet rewrite traffic will be sent out with a destination MAC address that is not reachable anymore

When the ARP entry will expire the device will try to resolve again the next-hop and this time the device understands next-hop is not available anymore.

So the big issue here without next-hop verification methods, is traffic blackholing, the ARP activity when it will happen is the only fix available to the device

Manual clear of ARP table may be the first option in a case like this.

Modern IOS and platforms allows for neighbor validation in different ways and you are right if available these methods should be used.

Hope to help

Giuseppe

Hello Giuseppe

Thanks for the "verification" - lol

Res
Paul

Sent from Cisco Technical Support iPad App

So in this example, if the traffic matches the first route-map (route-map FILTER permit 10) then the traffic will be routed using the standard destination based routing using the IP routing table otherwise the traffic will go on to the next route-map (route-map FILTER permit 11).  Am I correct here?

So in the example below, if it matches instance 10 --> access-list 43 --> 10.223.241.108, checking will stop and the traffic will just be allowed through (with no next-hop changes).  Am I correct here?

!

Interface Gig1/0/0

ip address 10.0.1.254 255.255.255.0

ip policy route-map FILTER

!

!

route-map FILTER permit 10

match ip address 43

!

route-mape FILTER permit 11

match ip address 45

!

route-map FILTER permit 12

match ip address 51

set ip next-hop 10.223.250.133

!

access-list 43 permit 10.223.241.108

access-list 43 permit 172.30.231.31

!

ip access-list standard 45

permit 172.26.65.253

permit 172.18.150.36

permit 10.223.248.63

!

access-list 51 permit 10.113.48.1

!

Hello, just to go back to your original post.... and to explain what this configuration is doing... (please correct me if im wrong)

Interface Gig1/0/0

  ip address 10.0.1.254 255.255.255.0

  ip policy route-map FILTER

=====================================================================

This is a policy applied on an interface - PBR policy based routing as mentioned already

Policy is defined by the route-map FILTER

=====================================================================

!

!

route-map FILTER permit 10

  match ip address 43

=====================================================================

Entry 10 is matching access list 43, but has no action set - no action taken and traffic is

processed as normal

=====================================================================

!

route-map FILTER permit 11

  match ip address 45

=====================================================================

Entry 11 is matching access list 45, but has no action set - no action taken and traffic is

processed as normal

=====================================================================

!

route-map FILTER permit 12

  match ip address 51

  set ip next-hop 10.223.250.133

=====================================================================

Entry 12 is matching access list 51, so anything that matches ip address 10.113.48.1

its next hop will be set to 10.223.250.133

=====================================================================

!

route-map FILTER permit 13

  match ip address 55

  set ip next-hop 10.223.8.150

=====================================================================

Entry 13 is matching access list extended access list which is a bit more complex

Please bare in mind that this is for policy based routing, not ACL permit deny as such

'Deny' means - do not perform policy based routing on this type of traffic

'Permit' means- perform policy based routing on this type of traffic:

1. deny any traffic from the 172.16.0.0 RFC 1918 range that is eq to www 443 8080 - do NOT perfom PBR
2. deny any traffic from the 10.0.0.0 RFC 1918 range that is eq to www 443 - do NOT perform PBR
3. permit any TCP traffic from any address that equals www and 443 - Perform PBR

Set the next hop to be 10.223.8.150

=====================================================================

ANY OTHER TRAFFIC WILL BE TREATED NORMALLY

!

!

access-list 43 permit 10.223.241.108

access-list 43 permit 172.30.231.31

!

ip access-list standard 45

  permit 172.26.65.253

  permit 172.18.150.36

  permit 10.223.248.63

!

access-list 51 permit 10.113.48.1

!

ip acces-list extended 55

  deny tcp any 172.16.0.0 0.15.255.255 eq www 443 8080

  deny tcp any 10.0.0.0 0.255.255.255 eq www 443

  permit tcp any any eq www 443

Hope this helps

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Hello

Yes that is correct without a set statement, it will act upon the acl, meaing in this config it simply permit traffic sourced from access-list 43 45 routed normally.

res

Paul

Please don't forget to rate any posts that have been helpful.

Thanks.