Policy based routing issue

jorg.ramakers
Level 1

Hi,

I want to assign a new gateway for a quarantainenet VLAN. The gateway is located in another subnet. This subnet is only reachable via routing.

When I set a new gateway via policy based routing, I receive the error "policy based routing rejected - normal routing".

I include a config and network drawing in the ticket.

Is it possible to assign a new gateway via policy based routing? How can I solve this issue?

Best regards


15 Replies

jorg.ramakers
Level 1

Sorry forgot the attachments

Hi Jorg, [Pls RATE if HELPS]

The details are not clear, but:

The set ip next-hop command verifies the existence of the next hop specified, and…

>> if the next hop exists in the routing table, then the command policy routes the packet to the next hop.

>> if the next hop does not exist in the routing table, the command uses the normal routing table to forward the packet.

Does your router know the next hop?

Also, use "debug ip policy" to see the output.

Hope this is informative.

Pls RATE if HELPS

Best Regards,

Guru Prasad R

Jon Marshall
Hall of Fame

Jorg

It's a little unclear from the diagram what you are trying to do. Are you saying that the next-hop is not a connected subnet on the L3 device?

If so you may want to look at the PBR recursive next-hop feature:

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/12s_pbr.html

Jon

Hi Jon,

No, the next hop 10.100.250.5 is the quarantine server, so the next hop is not directly connected. And the route to 10.100.250.5 goes over the default route.

Is it possible to do this via PBR?

If you set an "ip default next-hop" with a route map, that next-hop will be used ONLY if an explicit path to the destination network is not present in the routing table. An extended ACL must be used here, since a source and destination must be defined.

Example

R2(config)#access-list 150 permit ip host 172.1.1.1 210.1.1.0 0.0.0.255
R2(config)#route-map DEFAULT_NEXT_HOP permit
R2(config-route-map)#match ip address 150
R2(config-route-map)#set ip default next-hop 100.1.1.3
R2(config)#interface e0
R2(config-if)#ip policy route-map DEFAULT_NEXT_HOP

When a packet comes into ethernet0 with a source IP of 172.1.1.1 and is destined for any host on the 210.1.1.0/24 network, the next-hop address will be set to 100.1.1.3 IF there is no entry in the routing table for that network.

Francisco_1,

Thanks, that is what I'm looking for. But doesn't the next hop need to be directly connected in the "ip default next-hop" command?

Cheers

Jorg

Jorg,

I'm not the expert here, but to be clearer about the next-hop commands, which can be confusing sometimes: the "set ip next-hop" and "set ip default next-hop" commands are similar but function differently. "set ip next-hop" causes the router to use policy routing first and then the routing table. "set ip default next-hop" uses the routing table first and then policy routes to the specified default next hop.

set ip next-hop: next-hop addresses must be in a connected subnet. Maybe someone else can shed more light on this discussion.

Francisco

Jorg

Did you have a read of the link I posted? Normally with PBR the next-hop must be on a directly connected subnet. But with recursive PBR the next-hop does not have to be directly connected; it must be reachable, i.e. can you ping the next-hop from the L3 device you want to apply PBR to?

So you should be able to achieve what you want, if I am understanding correctly. What device are you running this on? We need to check that recursive PBR is supported on that device.

Jon
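The replies above from Guru Prasad, Francisco and Jon describe three different next-hop behaviours: a plain "set ip next-hop" is rejected unless the next hop sits on a directly connected subnet, "set ip next-hop recursive" resolves the next hop through the routing table, and "set ip default next-hop" only acts when no explicit route to the destination exists. The following is an added example, not code from this thread or from Cisco IOS: a small Python model of those decision rules run against a topology constructed to resemble the one described here (quarantine VLAN on the 3750, quarantine server 10.100.250.5 reachable only via the default route). Only the address 10.100.250.5 comes from the thread; every other address, prefix and interface name is an assumption made for illustration, and the reason strings paraphrase the "policy rejected" wording the original poster reports.

```python
"""Toy model of Cisco PBR next-hop selection on an L3 switch.

Added example for this thread, not code from the thread or from Cisco IOS.
Only 10.100.250.5 comes from the thread; all other addresses, prefixes and
interface names are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# (decision, (egress interface, next-hop adjacency), reason)
Decision = Tuple[str, Optional[Tuple[str, IPv4Address]], str]


@dataclass(frozen=True)
class Route:
    """One routing-table entry; next_hop is None for a directly connected subnet."""
    prefix: IPv4Network
    interface: str
    next_hop: Optional[IPv4Address] = None


class RoutingTable:
    def __init__(self, routes: List[Route]):
        self.routes = list(routes)

    def lookup(self, dst: IPv4Address) -> Optional[Route]:
        """Longest-prefix match; 0.0.0.0/0 wins only when nothing longer matches."""
        hits = [r for r in self.routes if dst in r.prefix]
        return max(hits, key=lambda r: r.prefix.prefixlen, default=None)

    def connected_route(self, addr: IPv4Address) -> Optional[Route]:
        """The connected route covering addr, or None if addr is only reachable via another router."""
        r = self.lookup(addr)
        return r if r is not None and r.next_hop is None else None


@dataclass(frozen=True)
class PbrClause:
    """A route-map clause reduced to: match on source network, one 'set ip ... next-hop' action."""
    match_src: IPv4Network
    next_hop: IPv4Address
    mode: str  # "next-hop", "next-hop recursive" or "default next-hop"


def _normal(rt: RoutingTable, dst: IPv4Address, reason: str) -> Decision:
    """Ordinary destination-based forwarding, used whenever the policy is not applied."""
    r = rt.lookup(dst)
    if r is None:
        return ("drop", None, reason + "; no route to destination")
    adjacency = r.next_hop if r.next_hop is not None else dst
    return ("normal", (r.interface, adjacency), reason)


def forward(rt: RoutingTable, clause: PbrClause, src: IPv4Address, dst: IPv4Address) -> Decision:
    """Decide how one packet leaves the switch under the given PBR clause."""
    if src not in clause.match_src:
        return _normal(rt, dst, "packet does not match the route-map ACL")
    nh = clause.next_hop
    if clause.mode == "default next-hop":
        # Routing table first: any route more specific than the default wins over the policy.
        r = rt.lookup(dst)
        if r is not None and r.prefix.prefixlen > 0:
            return _normal(rt, dst, "explicit route to destination exists; default next-hop not used")
    if clause.mode == "next-hop recursive":
        # Recursive PBR: the next hop itself is looked up, so it need not be directly connected.
        via = rt.lookup(nh)
        if via is None:
            return _normal(rt, dst, "policy rejected -- normal forwarding: recursive next hop has no route")
        adjacency = via.next_hop if via.next_hop is not None else nh
        return ("policy", (via.interface, adjacency), "policy routed; next hop resolved through the routing table")
    # Plain "set ip next-hop" / "set ip default next-hop": the next hop must be on a connected subnet.
    conn = rt.connected_route(nh)
    if conn is None:
        return _normal(rt, dst, "policy rejected -- normal forwarding: next hop is not on a connected subnet")
    return ("policy", (conn.interface, nh), "policy routed to directly connected next hop")


def thread_scenario() -> Dict[str, Decision]:
    """Constructed topology modelled on the thread: the 3750 owns the quarantine VLAN and an
    uplink VLAN, and reaches the quarantine server 10.100.250.5 only via its default route."""
    quarantine = ip_network("10.100.10.0/24")          # constructed quarantine VLAN
    server = ip_address("10.100.250.5")                # the thread's quarantine server
    rt = RoutingTable([
        Route(quarantine, "Vlan10"),
        Route(ip_network("10.100.1.0/24"), "Vlan1"),                              # constructed uplink VLAN
        Route(ip_network("10.100.20.0/24"), "Vlan1", ip_address("10.100.1.1")),   # constructed static route
        Route(ip_network("0.0.0.0/0"), "Vlan1", ip_address("10.100.1.1")),        # constructed default route
    ])
    src = ip_address("10.100.10.25")   # a quarantined host
    dst = ip_address("192.0.2.10")     # destination covered only by the default route
    out: Dict[str, Decision] = {}
    for mode in ("next-hop", "next-hop recursive", "default next-hop"):
        out[mode] = forward(rt, PbrClause(quarantine, server, mode), src, dst)
    # The accepted solution: move the server onto a subnet the 3750 is directly connected to.
    fixed = RoutingTable(rt.routes + [Route(ip_network("10.100.250.0/24"), "Vlan250")])
    out["next-hop, server connected"] = forward(fixed, PbrClause(quarantine, server, "next-hop"), src, dst)
    out["default next-hop, server connected"] = forward(
        fixed, PbrClause(quarantine, server, "default next-hop"), src, dst)
    out["default next-hop, explicit route"] = forward(
        fixed, PbrClause(quarantine, server, "default next-hop"), src, ip_address("10.100.20.7"))
    return out


if __name__ == "__main__":
    for name, (decision, hop, reason) in thread_scenario().items():
        print(f"{name:36} {decision:7} {hop}  {reason}")
```

Two things the model makes visible that the thread only implies. First, every rejected case falls back to normal forwarding rather than dropping the packet, so a quarantine redirect that stops matching fails open: the quarantined host simply reaches its original destination, and the only sign is the "policy rejected" line in debug ip policy. Second, in the recursive case the switch hands the packet, destination address unchanged, to the same 10.100.1.1 adjacency that normal forwarding would use; the upstream router then makes its own routing decision, so the traffic only ends up at the quarantine server if that router policy-routes it too. That is why putting the server on a directly connected subnet, as the accepted reply suggests, is the robust fix. The model ignores verify-availability, destination matching in the ACL and CEF details.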

Hi jon,

Yes, I read it. The device I'm using is a C3750 with IP Services (both routers in the drawing are).

Best regards

Jorg

Jorg

It isn't mentioned as supported in Feature Navigator. The quickest way to check is on the 3750:

3750(config)# route-map test

then try "set ip next-hop ?"

If the keyword "recursive" is an option, let me know.

Jon

Hi Jon,

I will try to make a VPN connection to the client's network today.

Feature Navigator tells me that policy based routing is included in the IOS, but not whether the option is included.

cheers

Jorg

Hi Jon,

The options I get are:

nwrt-sw250003(config-route-map)#set ip next-hop ?
A.B.C.D IP address of next hop
peer-address Use peer address (for BGP only)
verify-availability Verify if nexthop is reachable

Is there any way I can resolve this?

Jorg

I thought that might be the case. If you want to use PBR, the only way to resolve this with the 3750 is to ensure that the next-hop, i.e. the server, is on a subnet directly connected to the 3750, so you may need to think about altering your topology.

Jon
