PBR 2821 2ISP

sun_sazanov
Level 1

Hi, I have a 2821 and 2 ISPs. I want the networks 10.10.60.0 - 10.10.61.0 to go over ISP 1, and all the remaining ones over ISP 2. It works! But in this configuration, routing between the networks does not work. For example: 10.10.60.0 does not route to 10.10.10.0, and 10.10.10.0 does not route to 10.10.18.0.

Can you help me fix it?

My config:

!
interface GigabitEthernet0/0.4
 encapsulation dot1Q 4
 ip address 10.10.4.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip policy route-map univer
 no cdp enable
!
!
interface GigabitEthernet0/0.18
 encapsulation dot1Q 18
 ip address 10.10.18.254 255.255.255.0
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip policy route-map univer
!
!
interface GigabitEthernet0/0.60
 encapsulation dot1Q 60
 ip address 10.10.60.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip policy route-map sety
!
interface GigabitEthernet0/1.1
 encapsulation dot1Q 102
 ip address 92.255.YYY.130 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone-sety
!
interface GigabitEthernet0/1.2
 encapsulation dot1Q 101
 ip address 195.70.XXX.68 255.255.255.240
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 195.70.YYY.65
ip route 0.0.0.0 0.0.0.0 92.255.XX.129
ip route 10.10.0.0 255.255.0.0 10.10.4.1
ip nat inside source route-map sety interface GigabitEthernet0/1.1 overload
ip nat inside source route-map univer interface GigabitEthernet0/1.2 overload
!
ip access-list standard ForSety
 permit 10.10.60.0 0.0.0.255
 permit 10.10.61.0 0.0.0.255
ip access-list standard ForUniver
 permit 0.0.0.0 10.10.59.255
 permit 10.10.70.0 0.0.185.255
!
!
route-map univer permit 10
 match ip address ForUniver
 set interface GigabitEthernet0/1.2
!
route-map sety permit 10
 match ip address ForSety
 set interface GigabitEthernet0/1.1
!

Accepted Solution

lamav
Level 8

Sun:

PBR is source-based routing, right?

So, your route maps are forcing all traffic from the source networks to take the next hop you've assigned, regardless of the destination. All source traffic that matches the ACL for the route map is going to take that next hop, which is not what you want for local inter-subnet/vlan routing. You want "normal" destination-based routing for such traffic.

You need to do two things:

1.) Use extended ACLs in your route maps that define more specific flows and include "deny" statements for traffic sourced from one subnet and headed toward another.

Example: access-list 110 deny 10.10.60.0 0.0.0.255 10.10.18.0 0.0.0.255

This will exclude such traffic from the policy set forth in the route map and allow for normal destination-based routing.

2.) Fix the ACL called "ForUniver". For one thing, there's no such thing as a ".185" octet in a wildcard mask. And what is the story with that first statement?

HTH

Victor


6 Replies


Hi Victor.

Thank you for the help. Everything works.

I do not understand your question

"And what is the story with that first statement?"

I had much the same question about this statement in your access list:

permit 0.0.0.0 10.10.59.255

HTH

Rick


Works

Great. I'm glad I was able to help you.

Thanks for the rating, too.

Victor

I can imagine the thought process behind the ForUniver ACL even if it's not valid (0.0.0.0 to 10.10.59.255, and 10.10.70.0 and everything higher, since 70+185 is 255).

But it should be

deny 10.60.0.0 0.0.0.255

deny 10.61.0.0 0.0.0.255

permit any
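As an added illustration, not part of this thread and not the poster's router configuration or Cisco code, here is a small Python model of the decision Victor describes in the accepted solution: a route-map clause tests the packet against its ACL, a permitted match is policy-routed to the set interface, and anything else falls through to the routing table. It parses the ACL lines from the original config together with extended replacements that generalise Victor's single deny line to every internal-to-internal flow (my assumption: the whole 10.10.0.0/16, which the config's static route already treats as internal). It also shows the point behind the last reply's remark on ForUniver: a wildcard mask selects bits, not a numeric range, so "permit 0.0.0.0 10.10.59.255" matches a 10.10.18.x host but not a 10.10.4.x host. The outside address 198.51.100.9 and the host addresses are constructed sample values.

```python
"""Model of the decision a Cisco IOS route-map makes under PBR.

Added illustration for this thread, not the poster's config and not Cisco code.
It parses the ACL subset used above ('permit A W' in a standard ACL,
'permit|deny ip A W B W' with 'any'/'host' in an extended one), applies
first-match-wins with the implicit deny, and returns the interface a
'set interface' clause would pick, or 'routing-table' when no clause matches
and the packet falls through to normal destination-based routing.
"""
import ipaddress
from dataclasses import dataclass


def _to_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'.
    The comparison is bitwise, so a wildcard never expresses a numeric range."""
    care = 0xFFFFFFFF ^ _to_int(wildcard)
    return (_to_int(addr) & care) == (_to_int(base) & care)


@dataclass
class AclEntry:
    action: str            # 'permit' or 'deny'
    src: tuple[str, str]   # (address, wildcard)
    dst: tuple[str, str]   # (address, wildcard); any/any for a standard ACL


ANY = ("0.0.0.0", "255.255.255.255")


def _parse_addr(tok: list[str], i: int) -> tuple[tuple[str, str], int]:
    """Read 'any', 'host X' or 'X W' starting at tok[i]; return ((addr, wc), next i)."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2


def parse_acl(text: str) -> list[AclEntry]:
    """Parse the permit/deny lines of one named ACL; header and '!' lines are skipped."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue
        if tok[1] == "ip":                 # extended: action ip SRC DST
            src, i = _parse_addr(tok, 2)
            dst, _ = _parse_addr(tok, i)
        else:                              # standard: action SRC (source only)
            src, _ = _parse_addr(tok, 1)
            dst = ANY
        entries.append(AclEntry(tok[0], src, dst))
    return entries


def acl_permits(entries: list[AclEntry], src: str, dst: str) -> bool:
    """First matching entry decides; every IOS ACL ends with an implicit deny."""
    for e in entries:
        if wildcard_match(src, *e.src) and wildcard_match(dst, *e.dst):
            return e.action == "permit"
    return False


def pbr_egress(route_map: list[tuple[list[AclEntry], str]], src: str, dst: str) -> str:
    """route_map: ordered (acl_entries, set_interface) clauses of 'route-map X permit N'.
    A permitted match is policy-routed; otherwise the routing table decides."""
    for entries, iface in route_map:
        if acl_permits(entries, src, dst):
            return iface
    return "routing-table"


# Copies of the two ACLs from the thread (constructed here as text).
FORSETY_ORIGINAL = """
ip access-list standard ForSety
 permit 10.10.60.0 0.0.0.255
 permit 10.10.61.0 0.0.0.255
"""
FORUNIVER_ORIGINAL = """
ip access-list standard ForUniver
 permit 0.0.0.0 10.10.59.255
 permit 10.10.70.0 0.0.185.255
"""
# Assumed replacements: Victor's deny line generalised so that any flow
# staying inside 10.10.0.0/16 is exempt from PBR and uses normal routing.
FORSETY_FIXED = """
ip access-list extended ForSety
 deny   ip 10.10.60.0 0.0.1.255 10.10.0.0 0.0.255.255
 permit ip 10.10.60.0 0.0.1.255 any
"""
FORUNIVER_FIXED = """
ip access-list extended ForUniver
 deny   ip 10.10.0.0 0.0.255.255 10.10.0.0 0.0.255.255
 permit ip 10.10.0.0 0.0.255.255 any
"""

SETY_ORIGINAL = [(parse_acl(FORSETY_ORIGINAL), "GigabitEthernet0/1.1")]
SETY_FIXED = [(parse_acl(FORSETY_FIXED), "GigabitEthernet0/1.1")]
UNIVER_ORIGINAL = [(parse_acl(FORUNIVER_ORIGINAL), "GigabitEthernet0/1.2")]
UNIVER_FIXED = [(parse_acl(FORUNIVER_FIXED), "GigabitEthernet0/1.2")]

if __name__ == "__main__":
    for label, rm in (("original", SETY_ORIGINAL), ("fixed", SETY_FIXED)):
        print(f"sety {label}: 10.10.60.5 -> 10.10.18.7 via", pbr_egress(rm, "10.10.60.5", "10.10.18.7"))
        print(f"sety {label}: 10.10.60.5 -> 198.51.100.9 via", pbr_egress(rm, "10.10.60.5", "198.51.100.9"))
    # Bitwise wildcard: 'permit 0.0.0.0 10.10.59.255' is not the range 0.0.0.0-10.10.59.255.
    for host in ("10.10.18.5", "10.10.4.5"):
        print(f"original ForUniver matches {host}:", acl_permits(UNIVER_ORIGINAL[0][0], host, "198.51.100.9"))
```

With the original standard ACL, a 10.10.60.5 to 10.10.18.7 packet is sent to GigabitEthernet0/1.1 because the ACL only looks at the source; with the extended ACL the deny entry matches first and the packet is left to the routing table, while 10.10.60.5 to an outside address is still policy-routed. The original ForUniver matches 10.10.18.5 but not 10.10.4.5, so hosts on the 10.10.4.0/24 sub-interface never match the univer route-map at all and are handled by the routing table and its two default routes.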
