10-08-2008 10:35 AM - edited 03-06-2019 01:49 AM
I'm just dipping my toes into PBR so bear with me here.
Essentially, I am trying to route traffic from one remote office, through a data center (via a dedicated DS3 link) and out to the internet from there. I'm hopeful that the configs below will work, and I also have questions about whether they are all needed or not.
6509
-needs to use 255.255.1.18 for 1.1.0.0 /22 traffic
-needs to use 255.255.1.1 for remote office traffic
-needs to use 2.2.0.1 for all other traffic
traffic from 1.1.0.0 /22
-needs to get to 2.2.0.0 /22
-needs to use 255.255.1.1 for all other traffic
Create access-lists for route-map
access-list 120 remark [Office-LAN to ANY]
access-list 120 permit ip 1.1.0.0 255.255.252.0 any
access-list 121 remark [Office-LAN to Data Center-LAN]
access-list 121 permit ip 1.1.0.0 255.255.252.0 2.2.0.0 255.255.252.0
Create route-map
route-map DS3_MAP permit 10
 description [DS3 - Office-LAN to Data Center-LAN]
 match ip address 121
 set ip next-hop 255.255.2.1
route-map DS3_MAP permit 20
 description [DS3 - Office-LAN to ANY]
 match ip address 120
 set ip next-hop 255.255.1.1
Log into interface and add route-map
interface 1:1
 ip policy route-map DS3_MAP
My questions are:
1) Do I need a route-map for the 1.1.0.0/22 to 2.2.0.0/22 traffic, or will the switch's routing table handle that?
2) Where is the best place to put the route-map: on the interface for the DS3 router, or on the VLAN that the DS3 router sits in (there will never be anything else in this VLAN)?
3) Should I also create a route-map for the 2.2.0.0 VLAN, or can I allow the routing table on the switch to handle this (I was planning on creating a 0.0.0.0 route to 2.2.0.1 on the switch)?
I've uploaded a pdf of my design to hopefully help explain things clearly.
I appreciate any thoughts/comments that you can provide. I've been going back and forth on where I should place the route-map and whether I actually need one for the 1.1.0.0/22 to 2.2.0.0/22 traffic.
10-08-2008 12:06 PM
Hello Admin,
Let's suppose that addresses like 255.255.x.y in your config are placeholders for public unicast IPv4 addresses, because they are not usable on IPv4.
1) You don't need it, so the first route-map block can be removed, or you need it (pdf to be reviewed: where is the bypass DS3??? what is the router that will make PBR?)
2) PBR works by intercepting traffic on the interface that receives it, so you need to apply it on the internal LAN interface of the DS3 router.
3) You will need a symmetrical config on the other side to send traffic coming from everywhere to net 1.1.0.0/22 over the DS3, or it will use normal routing.
4) PBR works on a single node: all IP next-hops you try to use must be reachable directly, without going via another network device.
Hope to help
Giuseppe
10-09-2008 05:51 AM
You are correct, I pulled some addresses out of a hat and tossed them in the mix to protect the innocent. :-)
I am thinking that the PBR would be done on the Cat6509. Since it would have a default route pointing to 2.2.0.1, which is fine for the production VLAN, I need the 1.1.0.0/22 traffic to use 255.255.1.1 as its default route to everything other than 2.2.0.0/22.
Let me recap.
I have a local network (1.1.0.0/22) that will go through a 7206 across a DS3 to another 7206 that sits in a remote Data Center. The DS3 only connects our local office and this remote DC; once in the DC we have another connection that we use for getting to the internet. This remote 7206 is plugged into its own VLAN on a 6509 that I am configuring as a core. On this 6509 I have two different paths to the internet: one is used for production purposes and the other is used for corporate traffic. I need the corporate (1.1.0.0) traffic to go across the DS3 to the 6509 and then have the 6509 route this traffic to the 515e (255.255.1.1), sitting in the corp internet VLAN, to reach the internet. I also need this 1.1.0.0 traffic to be able to reach the production (2.2.0.0) VLAN. I'm planning on putting a default route on the 6509 that points to the 515 (2.2.0.1) and figured that I needed a route-map to get my 1.1.0.0 traffic to use a different gateway. If there is another way to tackle this, I'm all ears.
I hope it's not too confusing; that's why I provided the .pdf diagram.
BTW - Equipment in use
2 - 7206 (non-vxr / npe-200) (ds3 routers)
1 - 6509 (sup720 / msfc3 / 6748 modules)
1 - 515e (corporate side firewall)
1 - 515 (production side firewall)
1 - 3640 (front-end for both externally available networks)
10-09-2008 01:04 PM
Hello Admin,
no problem for your 255.255.x.y ...
>> I'm planning on putting a default route on the 6509 that points to the 515 (2.2.0.1) and figured that I needed a route-map to get my 1.1.0.0 traffic to use a different gateway. If there is another way to tackle this, I'm all ears.
Be aware that a specific static route to net 2.2.0.0 out the interface to the production network, with no PBR, can be just enough.
IP routing uses the most specific route first, and the default route is used only for prefixes without an entry in the routing table.
You may need to modify ACLs on PIX but normal routing should be enough.
Hope to help
Giuseppe
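The two points above (PBR intercepts traffic before the routing table is consulted; a specific route beats the default), as an added Python model that is not code from this thread or from Cisco: it replays the posted ACL 120 with only sequence 20 of DS3_MAP left, and a variant with an explicit deny for 2.2.0.0/22, and returns the next hop each flow would get on the 6509. The 255.255.x.y addresses are the thread's placeholders, and the "connected Vlan-production" label for the directly attached production VLAN is my own assumption.

```python
from ipaddress import ip_address, ip_network

def acl_lookup(acl, src, dst):
    """Return 'permit', 'deny' or None (implicit deny) for the first matching ACE."""
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action
    return None

def next_hop(route_map, routes, src, dst):
    """IOS order of operations: a route-map sequence applies only when its ACL
    *permits* the packet; a deny or no match skips the sequence. If no sequence
    applies, the packet is routed normally with a longest-prefix match.
    Ingress interface is not modelled; the ACL source network stands in for it."""
    for acl, hop in route_map:
        if acl_lookup(acl, src, dst) == "permit":
            return hop
    best = max((n for n in routes if dst in n), key=lambda n: n.prefixlen)
    return routes[best]

ANY = ip_network("0.0.0.0/0")
OFFICE = ip_network("1.1.0.0/22")
PROD = ip_network("2.2.0.0/22")

# 6509 routing table as planned: default to the production PIX, and the
# production VLAN reachable without PBR. (constructed)
ROUTES = {ANY: "2.2.0.1", PROD: "connected Vlan-production"}

# ACL 120 exactly as posted: Office-LAN to ANY.
ACL_120_POSTED = [("permit", OFFICE, ANY)]
# ACL 120 with a deny for the production LAN ahead of the permit, so that
# traffic falls through PBR and the specific route is used. (constructed)
ACL_120_WITH_DENY = [("deny", OFFICE, PROD), ("permit", OFFICE, ANY)]

def decide(acl_120, src, dst):
    """DS3_MAP reduced to sequence 20 (match ip address 120, next hop 255.255.1.1)."""
    route_map = [(acl_120, "255.255.1.1")]
    return next_hop(route_map, ROUTES, ip_address(src), ip_address(dst))

if __name__ == "__main__":
    for acl, name in ((ACL_120_POSTED, "posted"), (ACL_120_WITH_DENY, "with deny")):
        print(name, "office->prod:", decide(acl, "1.1.0.10", "2.2.0.10"),
              "| office->internet:", decide(acl, "1.1.0.10", "8.8.8.8"),
              "| prod->internet:", decide(acl, "2.2.0.10", "8.8.8.8"))
```

With ACL 120 as posted, office traffic bound for 2.2.0.0/22 is caught by PBR and sent to 255.255.1.1 before the routing table is ever consulted; the deny entry (or an equivalent earlier sequence) is what lets the static route do its job.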