route-map placement

Unanswered Question

I'm just dipping my toes into PBR so bear with me here.

Essentially, I am trying to route traffic from one remote office, through a data center (via a dedicated DS3 link) and out to the internet from there. I'm hopeful that the configs below will work and I also have questions about if they are all needed or not.


-needs to use for /22 traffic

-needs to use for remote office traffic

-needs to use for all other traffic

traffic from /22

-needs to get to /22

-needs to use for all other traffic

Create access-lists for route-map

access-list 120 remark [Office-LAN to ANY]
access-list 120 permit ip any
access-list 121 remark [Office-LAN to Data Center-LAN]
access-list 121 permit ip

Create route-map

route-map DS3_MAP permit 10
 description [DS3 - Office-LAN to Data Center-LAN]
 match ip address 121
 set ip next-hop
route-map DS3_MAP permit 20
 description [DS3 - Office-LAN to ANY]
 match ip address 120
 set ip next-hop

Log into interface and add route-map

interface 1:1
 ip policy route-map DS3_MAP

My questions are:

1) Do I need a route map for the to traffic or will the switch's routing table handle that?

2) Where is the best place to put the route-map, on the interface for the DS3 router or on the VLAN that the DS3 router sits in (there will never be anything else in this VLAN)?

3) Should I also create a route-map for the VLAN or can I allow the routing table on the switch to handle this? (I was planning on creating a route to on the switch.)

I've uploaded a pdf of my design to hopefully help explain things clearly.

I appreciate any thoughts/comments that you can provide. I've been going back and forth on where I should place the route-map and if I actually need one for the to traffic.

Giuseppe Larosa Wed, 10/08/2008 - 12:06

Hello Admin,

let's suppose that addresses like 255.255.x.y in your config are placeholders for public unicast IPv4 addresses, because they are not usable on IPv4.

1) you don't need it, so the first route-map block can be removed, or you need it (pdf to be reviewed: where is the bypass DS3??? what is the router that will do the PBR?)

2) PBR works by intercepting traffic on the interface that receives it, so you need to apply it on the internal LAN interface of the DS3 router

3) you will need a symmetrical config on the other side to send traffic coming from everywhere to net over the DS3, or it will use normal routing

4) PBR works on a single node: all IP next-hops you try to use must be reachable directly, without going via another network device.

Hope to help


You are correct, I pulled some addresses out of a hat and tossed them in the mix to protect the innocent. :-)

I am thinking that the PBR would be done on the Cat6509. Since it would have a default route pointing to, which is fine for the production VLAN, I need the traffic to use as its default route to everything other than

Let me recap.

I have a local network ( that will go through a 7206 across a DS3 to another 7206 that sits in a remote Data Center. The DS3 only connects our local office and this remote DC; once in the DC we have another connection that we use for getting to the internet. This remote 7206 is plugged into its own VLAN on a 6509 that I am configuring as a core. On this 6509 I have two different paths to the internet, one is used for production purposes and the other is used for corporate traffic. I need the corporate ( traffic to go across the DS3 to the 6509 and then have the 6509 route this traffic to the 515e (, sitting in the corp internet VLAN, to reach the internet. I also need this traffic to be able to reach the production ( VLAN. I'm planning on putting a default route on the 6509 that points to the 515 ( and figured that I needed a route-map to get my traffic to use a different gateway. If there is another way to tackle this, I'm all ears.

I hope it's not too confusing; that's why I provided the .pdf diagram.

BTW - Equipment in use

2 - 7206 (non-vxr / npe-200) (ds3 routers)

1 - 6509 (sup720 / msfc3 / 6748 modules)

1 - 515e (corporate side firewall)

1 - 515 (production side firewall)

1 - 3640 (front-end for both externally available networks)

Giuseppe Larosa Thu, 10/09/2008 - 13:04

Hello Admin,

no problem for your 255.255.x.y ...

>> I'm planning on putting a default route on the 6509 that points to the 515 ( and figured that I needed a route-map to get my traffic to use a different gateway. If there is another way to tackle this, I'm all ears.

be aware that a specific static route to net out the interface to the production network, with no PBR, can be just enough

IP routing uses the most specific route first, and the default route is used only for prefixes without an entry in the routing table

You may need to modify ACLs on PIX but normal routing should be enough.

Hope to help
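The forwarding order that the two replies rely on (a route-map applied with "ip policy route-map" is consulted on the ingress interface first; anything it does not policy-route falls back to the routing table, where the most specific prefix wins and 0.0.0.0/0 is only a last resort) can be checked with a small model. The following Python is an added example and is not code from the thread, from Cisco, or from either poster. Every address in it is a constructed placeholder from the RFC 5737 documentation ranges (the thread's real addresses were stripped), the names PIX515E, PIX515 and DS3_7206 are assumptions, only permit clauses are modelled (no deny entries in the ACLs), and clause 10 of DS3_MAP is modelled as a match with no set, so that a matching packet is routed normally because the production VLAN is directly connected on the 6509. The "set ip next-hop must be directly connected" rule from point 4 is modelled as well: a next-hop outside a connected network is ignored and the packet is routed normally.

```python
from ipaddress import ip_address, ip_network

# Constructed placeholder addressing (RFC 5737 documentation ranges). The thread's
# real addresses were stripped, so none of these are the original poster's values.
ANY            = ip_network("0.0.0.0/0")
CORP_LAN       = ip_network("198.51.100.0/22")  # corporate office LAN behind the DS3
PROD_VLAN      = ip_network("203.0.113.0/24")   # production VLAN on the 6509 (connected)
CORP_INET_VLAN = ip_network("192.0.2.0/29")     # VLAN holding the 515e (corporate firewall)
PROD_INET_VLAN = ip_network("192.0.2.8/29")     # VLAN holding the 515 (production firewall)
DS3_VLAN       = ip_network("192.0.2.16/29")    # VLAN holding the remote DS3 7206
PIX515E  = "192.0.2.1"   # assumed corporate-side firewall address
PIX515   = "192.0.2.9"   # assumed production-side firewall address
DS3_7206 = "192.0.2.17"  # assumed address of the 7206 at the DC end of the DS3

# Networks the 6509 has an interface in; a PBR next-hop must lie in one of them.
CONNECTED = [PROD_VLAN, CORP_INET_VLAN, PROD_INET_VLAN, DS3_VLAN]

# Routing table as (prefix, next_hop): default to the 515, static /22 to the DS3
# router, plus the connected VLANs ("connected" = direct delivery out of the SVI).
ROUTING_TABLE = [(ANY, PIX515), (CORP_LAN, DS3_7206)] + [(n, "connected") for n in CONNECTED]

# Route-map DS3_MAP from the question: {seq: ((acl_src, acl_dst), next_hop)}.
# Clause 10 (ACL 121): corp -> production VLAN, match with no set (assumption), so a
# matching packet is routed normally.  Clause 20 (ACL 120): corp -> any, next-hop 515e.
DS3_MAP = {10: ((CORP_LAN, PROD_VLAN), None), 20: ((CORP_LAN, ANY), PIX515E)}


def route_lookup(dst):
    """Longest-prefix match: the most specific entry wins; 0.0.0.0/0 only if nothing else matches."""
    dst = ip_address(dst)
    candidates = [(p.prefixlen, nh) for p, nh in ROUTING_TABLE if dst in p]
    return max(candidates)[1] if candidates else None


def policy_route(route_map, src, dst):
    """Walk clauses in sequence order; the first clause whose ACL matches decides.
    Returns the next-hop to use, or None when the packet must be routed normally
    (no clause matched, the clause had no set, or the next-hop is not directly connected)."""
    src, dst = ip_address(src), ip_address(dst)
    for seq in sorted(route_map):
        (acl_src, acl_dst), next_hop = route_map[seq]
        if src in acl_src and dst in acl_dst:
            if next_hop and any(ip_address(next_hop) in n for n in CONNECTED):
                return next_hop
            return None  # matched, but nothing usable to set: fall back to the RIB
    return None


def forward(src, dst, ingress_policy=None):
    """Forwarding decision for a packet arriving on one interface: PBR first, then the RIB."""
    if ingress_policy is not None:
        nh = policy_route(ingress_policy, src, dst)
        if nh is not None:
            return nh
    return route_lookup(dst)


if __name__ == "__main__":
    corp_host, prod_host, inet = "198.51.100.10", "203.0.113.10", "192.0.2.100"  # constructed
    # DS3 VLAN carries 'ip policy route-map DS3_MAP': corp traffic to the internet goes to the 515e
    print(forward(corp_host, inet, DS3_MAP))                 # 192.0.2.1
    # corp traffic to production is delivered directly; clause 10 keeps it out of clause 20
    print(forward(corp_host, prod_host, DS3_MAP))            # connected
    # without clause 10 the 'any' clause captures production-bound traffic as well
    print(forward(corp_host, prod_host, {20: DS3_MAP[20]}))  # 192.0.2.1
    # production VLAN has no policy: the static /22 beats the default, so no PBR is needed
    print(forward(prod_host, corp_host))                     # 192.0.2.17
    print(forward(prod_host, inet))                          # 192.0.2.9
```

The last two calls are the second reply's point: with a static route for the /22 pointing at the DS3 router, traffic from the production VLAN to the corporate LAN never reaches the default route, so the routing table alone handles that direction. The third call shows why the ordering of the two clauses matters when the second clause matches "any".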
