Tricky PBR

chuckholley (Level 1)

I have a PBR need that I am a little stumped on. Here is the scenario:

I have a host on the LAN that I would like to route all internet bound traffic to a "new" internet circuit, and all LAN bound traffic to be routed via LAN routing methods. No other hosts on the subnet, just this one host.

host: 10.9.100.25

gateway for LAN: 10.9.100.1

Gateway for Internet: 10.9.200.5

All other LAN subnets: 10/8

So I am stumped on how to change his default route to something other and route all 10/8 traffic to his LAN GW.

Thank you for any assistance with this.

17 Replies

andrew.prince (Level 10)

Chuck,

Post the PBR - and we can have a look at it?

HTH.

t814687 (Level 1)

Hi Chuck, a little schematic of your network will help us to recommend the right solution.

-serg

Thanks guys,

Here is a logical of the environment, I basically need to change the default route for this one user to the new NAT firewall to go to the new internet, and make sure he can still get to the corporate network.

You can create a PBR and attach it to the interface 10.9.100.1. In the PBR:

deny 10.0.0.0 0.255.255.255
permit any

Then set the next hop to the NAT firewall.

HTH..

Ahmed

So the PBR would do the deny or the ACL? I would deny 10.9.100.5 to all 10/8, then the next hop to the NAT firewall?

This statement makes sure the traffic is routed (that's why "deny" is there) to your 10/8 and policy routed (permit any) to the new internet. Should work fine.

-serg

OK, here is exactly what I have, and it is not working at the moment:

ACL:

10 deny ip host 10.9.100.5 10.0.0.0 0.255.255.255
20 permit ip host 10.9.100.5 any

Route-map:

route-map Chuck permit 10
 match ip address Chuck
 set ip next-hop 10.9.99.5

Thanks

Did you apply this map to the router interface where your host is connected?

-serg

Yes, had to ask though, right!

interface Vlan100
 ip address 10.9.100.4 255.255.255.0
 ip helper-address 10.9.43.13
 no ip redirects
 ip policy route-map Chuck
 standby 1 ip 10.9.100.1
 standby 1 priority 110
 standby 1 preempt
end

And your ACL is named "Chuck"?

Do you see any hits on the ACL?

The name of the ACL is Chuck, and it is very strange: I see 3 hits on the deny, and none on the permit.

There should be many hits on the ACL, which is why it is strange.

So you are generating traffic to the internet and see no hits on the permit? Can you check your new firewall to see whether the traffic makes it there and whether it allows that host to go out?

Can you connect to the 10/8 network?

What switch are you using?

Can you debug PBR?

Keep in mind that for certain switch types (the 3750, for example) you cannot use deny statements in PBR ACLs; in this case you have to use an explicit route-map statement and forward traffic to your 10/8 VLAN interface.
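Added example (my own code, not from any poster and not Cisco software): a small Python model of how a PBR route-map evaluates the ACL posted in this thread, showing why the deny ACE hands 10/8 traffic to normal routing while the permit ACE steers everything else to the next hop, and the deny-free two-sequence form needed on platforms like the 3750. The LAN_HOP label is an assumed placeholder for the 10/8 VLAN interface mentioned above; the addresses come from the thread.

```python
import ipaddress

# Constructed values taken from the thread: the next hop from route-map
# Chuck and a placeholder label (assumption, not an address from the
# thread) for the 10/8 VLAN interface used in the deny-free variant.
INET_GW = "10.9.99.5"
LAN_HOP = "lan-vlan-interface"

def wildcard_match(addr, network, wildcard):
    """Cisco ACL matching: a 1 bit in the wildcard means 'don't care'."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    return (a & mask) == (n & mask)

def acl_lookup(acl, src, dst):
    """First-match ACL evaluation; returns 'permit', 'deny' or None."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action
    return None

def pbr_next_hop(route_map, src, dst):
    """Walk the route-map sequences in order. Only a permit ACE matches a
    sequence; a deny ACE or no ACE leaves it unmatched. A matched permit
    sequence applies its set clause; anything else goes to normal routing."""
    for seq_action, acl, next_hop in route_map:
        if acl_lookup(acl, src, dst) == "permit":
            return next_hop if seq_action == "permit" else "normal-routing"
    return "normal-routing"

# ACL "Chuck" as posted: deny host -> 10/8, then permit host -> any.
ACL_CHUCK = [
    ("deny",   "10.9.100.5", "0.0.0.0", "10.0.0.0", "0.255.255.255"),
    ("permit", "10.9.100.5", "0.0.0.0", "0.0.0.0", "255.255.255.255"),
]
ROUTE_MAP_CHUCK = [("permit", ACL_CHUCK, INET_GW)]

# Deny-free form for platforms that reject deny ACEs in PBR ACLs:
# an explicit first sequence steers 10/8 to the LAN side, the second
# sequence catches everything else for the new Internet circuit.
ACL_TO_LAN = [("permit", "10.9.100.5", "0.0.0.0", "10.0.0.0", "0.255.255.255")]
ACL_TO_ANY = [("permit", "10.9.100.5", "0.0.0.0", "0.0.0.0", "255.255.255.255")]
ROUTE_MAP_NO_DENY = [("permit", ACL_TO_LAN, LAN_HOP), ("permit", ACL_TO_ANY, INET_GW)]
```

Run pbr_next_hop(ROUTE_MAP_CHUCK, "10.9.100.5", dst) with a 10/8 and a public destination to see the two forwarding decisions side by side.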
