route-map placement

softwareadmin
Level 1

I'm just dipping my toes into PBR so bear with me here.

Essentially, I am trying to route traffic from one remote office, through a data center (via a dedicated DS3 link) and out to the internet from there. I'm hopeful that the configs below will work, and I also have questions about whether they are all needed or not.

6509
- needs to use 255.255.1.18 for 1.1.0.0/22 traffic
- needs to use 255.255.1.1 for remote office traffic
- needs to use 2.2.0.1 for all other traffic

Traffic from 1.1.0.0/22
- needs to get to 2.2.0.0/22
- needs to use 255.255.1.1 for all other traffic

Create access-lists for route-map

! IOS numbered ACLs take wildcard masks, so a /22 is written 0.0.3.255 (not 255.255.252.0)
access-list 120 remark [Office-LAN to ANY]
access-list 120 permit ip 1.1.0.0 0.0.3.255 any
access-list 121 remark [Office-LAN to Data Center-LAN]
access-list 121 permit ip 1.1.0.0 0.0.3.255 2.2.0.0 0.0.3.255

Create route-map

route-map DS3_MAP permit 10
 description [DS3 - Office-LAN to Data Center-LAN]
 match ip address 121
 set ip next-hop 255.255.2.1
route-map DS3_MAP permit 20
 description [DS3 - Office-LAN to ANY]
 match ip address 120
 set ip next-hop 255.255.1.1

Log into interface and add route-map

interface 1:1
 ip policy route-map DS3_MAP

My questions are:

1) Do I need a route-map for the 1.1.0.0/22 to 2.2.0.0/22 traffic, or will the switch's routing table handle that?

2) Where is the best place to put the route-map: on the interface for the DS3 router, or on the VLAN that the DS3 router sits in (there will never be anything else in this VLAN)?

3) Should I also create a route-map for the 2.2.0.0 VLAN, or can I allow the routing table on the switch to handle this? (I was planning on creating a 0.0.0.0 route to 2.2.0.1 on the switch.)

I've uploaded a pdf of my design to hopefully help explain things clearly.

I appreciate any thoughts/comments that you can provide. I've been going back and forth on where I should place the route-map and whether I actually need one for the 1.1.0.0/22 to 2.2.0.0/22 traffic.

3 Replies

Giuseppe Larosa
Hall of Fame

Hello Admin,

Let's suppose that addresses like 255.255.x.y in your config are placeholders for public unicast IPv4 addresses, because they are not usable on IPv4.

1) You don't need it, so the first route-map block can be removed, or you do need it (the PDF needs to be reviewed: where is the DS3 bypass? Which router will do the PBR?)

2) PBR works by intercepting traffic on the interface that receives it, so you need to apply it on the internal LAN interface of the DS3 router.

3) You will need a symmetrical config on the other side to send traffic coming from everywhere to net 1.1.0.0/22 over the DS3, or it will use normal routing.

4) PBR works on a single node: all IP next-hops you try to use must be reachable directly, without going via another network device.

Hope to help

Giuseppe

softwareadmin
Level 1

You are correct, I pulled some addresses out of a hat and tossed them in the mix to protect the innocent. :-)

I am thinking that the PBR would be done on the Cat6509. Since it would have a default route pointing to 2.2.0.1, which is fine for the production VLAN, I need the 1.1.0.0/22 traffic to use 255.255.1.1 as its default route to everything other than 2.2.0.0/22.

Let me recap.

I have a local network (1.1.0.0/22) that will go through a 7206 across a DS3 to another 7206 that sits in a remote Data Center. The DS3 only connects our local office and this remote DC; once in the DC we have another connection that we use for getting to the internet. This remote 7206 is plugged into its own VLAN on a 6509 that I am configuring as a core. On this 6509 I have two different paths to the internet: one is used for production purposes and the other is used for corporate traffic. I need the corporate (1.1.0.0) traffic to go across the DS3 to the 6509 and then have the 6509 route this traffic to the 515e (255.255.1.1), sitting in the corp internet VLAN, to reach the internet. I also need this 1.1.0.0 traffic to be able to reach the production (2.2.0.0) VLAN. I'm planning on putting a default route on the 6509 that points to the 515 (2.2.0.1) and figured that I needed a route-map to get my 1.1.0.0 traffic to use a different gateway. If there is another way to tackle this, I'm all ears.

I hope it's not too confusing; that's why I provided the .pdf diagram.

BTW - Equipment in use

2 - 7206 (non-vxr / npe-200) (ds3 routers)

1 - 6509 (sup720 / msfc3 / 6748 modules)

1 - 515e (corporate side firewall)

1 - 515 (production side firewall)

1 - 3640 (front-end for both externally available networks)

Hello Admin,

no problem for your 255.255.x.y ...

>> I'm planning on putting a default route on the 6509 that points to the 515 (2.2.0.1) and figured that I needed a route-map to get my 1.1.0.0 traffic to use a different gateway. If there is another way to tackle this, I'm all ears.

Be aware that a specific static route to net 2.2.0.0 out the interface to the production network may be enough, with no PBR.

IP routing uses the most specific route first; the default route is used only for prefixes without an entry in the routing table.

You may need to modify ACLs on the PIX, but normal routing should be enough.

Hope to help

Giuseppe
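The forwarding rules Giuseppe relies on in both replies (the most specific prefix wins and the default route is only a last resort; PBR is evaluated on the interface where the packet enters the box, and only there; a `set ip next-hop` must be on a directly connected subnet) as a small model of the 6509 in this thread. This is an added example, not part of the original posts or a Cisco tool: it keeps the thread's 1.1.0.0/22, 2.2.0.0/22 and 2.2.0.1, replaces the unusable 255.255.x.y placeholders with documentation-range addresses (203.0.113.1 for the corporate 515e, 198.51.100.2 for the LAN side of the DC 7206), and assumes VLAN numbers and an internet host address, all constructed here. The deny entry in access-list 120 shows why no separate route-map sequence is needed for office-to-production traffic: a packet denied by the match ACL is not policy-routed and falls back to the routing table, which already has the connected 2.2.0.0/22.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed model of the thread's 6509. 1.1.0.0/22, 2.2.0.0/22 and 2.2.0.1 are the
# thread's own values; the rest are assumptions standing in for 255.255.x.y placeholders.
IPNet = ipaddress.IPv4Network
IPAddr = ipaddress.IPv4Address

ANY = IPNet("0.0.0.0/0")
OFFICE = IPNet("1.1.0.0/22")              # corporate LAN behind the DS3
PROD = IPNet("2.2.0.0/22")                # production VLAN on the 6509
PROD_FW = IPAddr("2.2.0.1")               # production 515, default gateway of the 6509
CORP_FW = IPAddr("203.0.113.1")           # corporate 515e (assumed, stands in for 255.255.1.1)
DS3_7206 = IPAddr("198.51.100.2")         # DC 7206 LAN side (assumed, stands in for 255.255.1.18)


@dataclass
class Router:
    connected: dict                      # interface name -> directly attached IPv4Network
    static: list                         # (IPv4Network, next_hop) static routes
    policy: dict = field(default_factory=dict)   # ingress interface -> route-map sequences


def lookup(router, dst):
    """Longest-prefix match: connected and static entries compete on prefix length,
    so 0.0.0.0/0 is used only when nothing more specific covers dst."""
    best = None
    for net in router.connected.values():
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dst)                 # connected network: next hop is the host itself
    for net, next_hop in router.static:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]


def acl_permits(acl, src, dst):
    """IOS ACL semantics: first matching entry decides, implicit deny at the end."""
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False


def policy_route(route_map, src, dst):
    """A route-map sequence matches only when its ACL permits the packet; an ACL deny
    or no match falls through, and if no sequence matches the packet is routed normally."""
    for seq in route_map:
        if acl_permits(seq["match"], src, dst):
            return seq["set_next_hop"]
    return None


def forward(router, ingress, src, dst):
    """PBR is consulted only for the interface the packet arrives on; the result is
    (next_hop, 'pbr') or, when no policy applies, (next_hop, 'routing-table')."""
    if ingress in router.policy:
        next_hop = policy_route(router.policy[ingress], src, dst)
        if next_hop is not None:
            return next_hop, "pbr"
    return lookup(router, dst), "routing-table"


def next_hop_is_adjacent(router, next_hop):
    """Giuseppe's point 4: a set ip next-hop must sit on a directly connected subnet."""
    return any(next_hop in net for net in router.connected.values())


# access-list 120: deny office->production first so that traffic is NOT policy-routed
# and the connected 2.2.0.0/22 entry handles it; everything else from the office goes
# to the corporate firewall. No second sequence (the thread's seq 10) is required.
ACL_120 = [("deny", OFFICE, PROD), ("permit", OFFICE, ANY)]
DS3_MAP = [{"match": ACL_120, "set_next_hop": CORP_FW}]

cat6509 = Router(
    connected={"Vlan10": IPNet("198.51.100.0/30"),   # VLAN holding only the DC 7206
               "Vlan20": IPNet("203.0.113.0/29"),    # corporate internet VLAN (515e)
               "Vlan30": PROD},                       # production VLAN (515)
    static=[(OFFICE, DS3_7206),                       # return path to the office over the DS3
            (ANY, PROD_FW)],                          # ip route 0.0.0.0 0.0.0.0 2.2.0.1
    policy={"Vlan10": DS3_MAP},                       # ip policy route-map DS3_MAP on the ingress VLAN
)


def trace(router, ingress, src, dst):
    next_hop, how = forward(router, ingress, IPAddr(src), IPAddr(dst))
    return str(next_hop), how


if __name__ == "__main__":
    flows = [("Vlan10", "1.1.0.10", "192.0.2.25"),    # office -> internet: policy-routed to 515e
             ("Vlan10", "1.1.0.10", "2.2.0.50"),      # office -> production: ACL deny, normal routing
             ("Vlan30", "2.2.0.50", "192.0.2.25"),    # production -> internet: default route
             ("Vlan20", "192.0.2.25", "1.1.0.10")]    # internet -> office: static /22 beats default
    for flow in flows:
        print(flow, "->", trace(cat6509, *flow))
    for candidate in (CORP_FW, IPAddr("10.9.9.1")):
        print(candidate, "adjacent:", next_hop_is_adjacent(cat6509, candidate))
```

The last check is the one to run before committing a `set ip next-hop`: a next hop that is not on one of the box's own subnets (10.9.9.1 here) would need another router to reach it, which PBR on a single node cannot do.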
