Routing based on Source

May 4th, 2007

Hi all,

I have heard about Policy Based Routing, and I don't know if there is a better way of doing what I want.

The main goal is to choose a different destination next hop IP address, from a WAN site router, with 2 different networks in their LAN.

I want to do this in my WAN router, not in the client WAN router.

Remote Site:

Lan Subnet: 172.23.55.0 / 24

2nd Lan Subnet: 172.24.55.0 / 24

IP WAN 192.168.156.26 / 30 - RIP - OSPF (ISP)

Central Site:

Default Gateway: 172.20.0.254 / 24

Interface Vlan 1135 - IP WAN 192.168.156.2 / 30 <-> OSPF - ISP - RIP (192.168.156.25 / 30) <-> Remote Site

Interface GigabitEthernet1/0/24 - Trunk 1135, more...

Gateway for source network 172.24.55.0 - 172.20.1.254

Best Regards,

Bruno Petrónio

bjornarsb Fri, 05/04/2007 - 04:00

Hi,

Have a look at this basic example,

it might help you.

But I'm not sure I got your point?

Why do you want to do PBR when you have only one WAN link?

Regards,

Bjornarsb

b.petronio Fri, 05/04/2007 - 04:43

Hi,

I've seen that configuration before, but this WAN link is a multi-remote-site one.

Each site will have a secondary LAN address, and traffic sourced on those networks must have a different next hop address from the Principal LAN Address Remote Sites.

In my Central Site router, the routes for remote sites are learned from OSPF, but I have other VLANs on the same interface that I don't want to participate in this PBR.

Should I apply the PBR only on Vlan1135?

Here is an example of "show ip route ospf":

...

O E2 172.23.54.0 [110/1000] via 192.168.156.1, 21:38:39, Vlan1135 (Site 1 - Lan)
O E2 172.24.54.0 [110/1000] via 192.168.156.1, 21:38:39, Vlan1135 (Site 1 - Secondary Lan)
O E2 172.23.62.0 [110/1000] via 192.168.156.1, 21:38:39, Vlan1135 (Site 2)
O E2 172.23.61.0 [110/1000] via 192.168.156.1, 21:38:39, Vlan1135 (Site 3)

...

Running-Config

****

interface GigabitEthernet1/0/24
 description Connected to WAN
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1135,"others"
 switchport mode trunk
...
interface Vlan1135
 ip address 192.168.156.2 255.255.255.252
 ip ospf hello-interval 3
...
router ospf 1135
 router-id 192.168.156.2
 log-adjacency-changes
 redistribute connected metric 1 subnets
 redistribute static subnets
 network 192.168.156.0 0.0.0.3 area 0
 default-information originate

****

If there is any other simple way of doing this, please feel free to comment.

Best Regards,

Petrónio

b.petronio Fri, 05/04/2007 - 06:20

I have been reading some documents, and found the following sentence regarding PBR:

"Enabling PBR -

To enable PBR, you must create a route map that specifies the match criteria and the resulting action if all of the match clauses are met. Then, you must enable PBR for that route map on a particular interface.

***All packets arriving on the specified interface matching the match clauses will be subject to PBR. ***

"

And all the rest?

Passes through without any policy?

The reference interface could be an interface VLAN, the example one, 1135?

In my case, everything that does not match 172.24.0.0 will pass through as if the policy didn't exist? In other words, it is not filtered?

Tks,

Bruno Petrónio

Amit Singh Fri, 05/04/2007 - 07:10

Bruno,

We appreciate the effort that you are putting in to make us understand your requirement, but it's a little complex to understand it correctly. A brief network topology/diagram would help us to understand the exact requirement that you have.

As far as PBR traffic is concerned, if there is a certain type of traffic which does not match the route map, it will not be policy routed and will pass through using the normal routing table lookup. It does not drop that traffic.

Do you want that traffic to be dropped? What is the exact requirement here on this front?

-amit singh

b.petronio Fri, 05/04/2007 - 07:26

Tks Amit,

All that I want is to distinguish the source of the packets arriving at my WAN interface (Vlan1135) from remote sites.

Why?

I will need to create a secondary LAN addressing in my remote sites, and the people having that 2nd range will have a different next hop address at my central site.

They should be routed to a different router than the other guys in the same location but in a different remote LAN network.

I'll try to design a scheme for ur understanding.

By the way, I just started the access list to match the 2nd LAN address, and it is not matching any packet when I do a ping sourced from the secondary LAN address.

"access-list 25 permit 172.24.55.0 0.0.0.255 log"

Will the packet's source change if you have a routing network between the sites?

Tks,

Petrónio

b.petronio Fri, 05/04/2007 - 07:33

Sorry again,

I'm trying to get this running fast, and was just configuring the default configuration.

I just got blocked when I was trying to configure the "ip policy route-map NAME" command on interface Vlan 1135.

It says "%PLATFORM_PBR-4-SDM_MISMATCH: PBR requires sdm template routing", and as far as I could find, the L3 switch needs a reload after changing the sdm prefer to routing. (It has a desktop default template.)

My N?x question is:

As I have other types of routing here (ip route vrf, ip route and OSPF), will this affect the other routing processes?

Many thanks.

Petrónio

Amit Singh Fri, 05/04/2007 - 07:44

Bruno,

You have to enable the SDM "routing template" to use policy based routing. This will not affect the other features that you have enabled for routing. The routing template maximizes system resources for unicast routing.

Please try posting the network diagram and a brief explanation so we can suggest the design/config further.

-amit singh

Amit Singh Fri, 05/04/2007 - 09:46

Bruno,

I did see your overall topology and the configurations that you want to do. I could see that you have multiple remote sites connected over MPLS WAN and are coming on Vlan1135. Here is what we will do:

1. Configure the "SDM template to routing" on the 3750.

2. Reload the switch and it will get the new template config.

3. Configure the policy based routing for all the secondary subnets whose traffic you want forwarded to the TESTIE router. You can configure a single access-list.

4. Apply the route map to the "VLAN 1135" SVI, i.e. the L3 interface.

I think once we do that, we should be able to policy route the traffic.

HTH. Please rate if it does.

-amit singh
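
The four steps above as a Catalyst 3750 configuration sketch, added here as an example and not part of the original thread. ACL 25, the two secondary subnets and the next hop 172.20.1.254 are taken from the posts above, on the assumption that 172.20.1.254 is the router the secondary LANs should be sent to; the route-map name SECONDARY-LAN-PBR is hypothetical.

```cisco
! Added example, not from the thread. SECONDARY-LAN-PBR is a hypothetical name.
!
! Steps 1-2: select the routing SDM template, then reload.
! The new template only takes effect after the reload.
configure terminal
 sdm prefer routing
 end
reload
!
! Step 3: a single standard ACL listing the secondary LAN sources
! (172.24.54.0/24 and 172.24.55.0/24 appear in the thread; add one
! line per remote site's secondary subnet).
configure terminal
 access-list 25 permit 172.24.54.0 0.0.0.255
 access-list 25 permit 172.24.55.0 0.0.0.255
 !
 ! Packets whose source matches ACL 25 get the alternate next hop.
 ! Assumption: 172.20.1.254 is the gateway for the secondary LANs.
 route-map SECONDARY-LAN-PBR permit 10
  match ip address 25
  set ip next-hop 172.20.1.254
 !
 ! Step 4: apply the policy to the SVI where remote-site traffic arrives.
 ! Traffic that does not match the route map is not policy routed and
 ! follows the normal routing table, as stated earlier in the thread.
 ! Other VLANs on the trunk are untouched because the policy is bound
 ! to Vlan1135 only.
 interface Vlan1135
  ip policy route-map SECONDARY-LAN-PBR
 end
!
! Verification after the reload and configuration:
show sdm prefer
show ip policy
show route-map SECONDARY-LAN-PBR
show access-lists 25
```

The match counters in `show route-map` and `show access-lists 25` show whether packets from the secondary subnets actually arrive on Vlan1135 with their original source address.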
