PBR Issue (match interface or match ip next-hop)

Unanswered Question
Nov 30th, 2009

Hi,

I have a need to change the next-hop address of all traffic entering interface A AND (leaving interface B OR has a next hop of X)

e.g.

Normally all traffic going out of interface Fa2/0 has a next-hop of 10.0.0.2

I want traffic that has entered the router from F0/0 that is headed this way to have its next hop set to 10.0.0.3

Traffic entering by any other interface (Fa0/1, Fa1/0, etc.) should follow normal routing.

Traffic entering Fa0/0 but destined for an interface other than Fa2/0 should also be left alone.

Using an access-list and match ip <acl> is extremely difficult as both source and destinations are subject to frequent changes, and management overhead of the ACL would be cumbersome.

I have tried:

route-map MYMAP permit 10
  match interface Fa2/0
  set ip next-hop 10.0.0.3

interface FastEthernet0/1
  ip address 172.16.1.1 255.255.255.0
  ip policy route-map MYMAP

But this matches ALL packets entering F0/0

I have also tried

route-map MYMAP permit 10
  match ip next-hop ACL_NEXTHOP
  set ip next-hop 10.0.0.3

ip access-list standard ACL_NEXTHOP
  permit host 10.0.0.2

interface FastEthernet0/1
  ip address 172.16.1.1 255.255.255.0
  ip policy route-map MYMAP

Can anyone please point me in the right direction?

I have attached my Lab Diagram

Many Thanks,

Nick

Jon Marshall Mon, 11/30/2009 - 09:27

hsw_networking wrote:

Hi,

I have a need to change the next-hop address of all traffic entering interface A AND (leaving interface B OR has a next hop of X)

e.g.

Normally all traffic going out of interface Fa2/0 has a next-hop of 10.0.0.2

I want traffic that has entered the router from F0/0 that is headed this way to have its next hop set to 10.0.0.3

Traffic entering by any other interface (Fa0/1, Fa1/0, etc.) should follow normal routing.

Traffic entering Fa0/0 but destined for an interface other than Fa2/0 should also be left alone.

Using an access-list and match ip <acl> is extremely difficult as both source and destinations are subject to frequent changes, and management overhead of the ACL would be cumbersome.

I have tried:

route-map MYMAP permit 10
  match interface Fa2/0
  set ip next-hop 10.0.0.3

interface FastEthernet0/1
  ip address 172.16.1.1 255.255.255.0
  ip policy route-map MYMAP

But this matches ALL packets entering F0/0

I have also tried

route-map MYMAP permit 10
  match ip next-hop ACL_NEXTHOP
  set ip next-hop 10.0.0.3

ip access-list standard ACL_NEXTHOP
  permit host 10.0.0.2

interface FastEthernet0/1
  ip address 172.16.1.1 255.255.255.0
  ip policy route-map MYMAP

Can anyone please point me in the right direction?

I have attached my Lab Diagram

Many Thanks,

Nick

Nick

The "match ip next-hop ..." command is used when route-maps are being used for redistribution between routing protocols, i.e. it cannot be used for PBR.

For PBR you have -

1) match ip address

2) match length

so you will need to use an acl with the source and destination networks, I'm afraid.

Jon

hsw_networking Mon, 11/30/2009 - 09:45

I had another thought,

I don't suppose there is any way of applying a route-map to an EGRESS interface is there?

i.e.

Any packets EXITING Fa2/0 should have the next-hop set.

Jon Marshall Mon, 11/30/2009 - 09:51

hsw_networking wrote:

I had another thought,

I don't suppose there is any way of applying a route-map to an EGRESS interface is there?

i.e.

Any packets EXITING Fa2/0 should have the next-hop set.

Nick

No swearing now

PBR takes place before routing for obvious reasons. So basically no, because the router will already have decided the interface based on the routing table; it won't then try and apply PBR after that. Have a look at this link which describes the order of operation on a router -

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

Jon
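An added example (not from the thread or any poster) that ties Jon's two answers together: a small model of the order of operations, where the ingress policy is evaluated before the routing lookup and so can only match fields carried in the packet, plus a generator for the "match ip address" ACL Jon says is needed. It derives the destination ACL from a constructed routing table (the prefixes currently leaving via Fa2/0), which is one way to keep the ACL in step with a changing table; the routing table, the ACL name and the 10.50.0.0/16 and default routes are assumptions, and the next hops 10.0.0.2 and 10.0.0.3 are from the thread.

```python
import ipaddress

# Constructed routing table (not from the thread): (prefix, next hop, egress interface).
# The two 192.168.x.0/24 prefixes are the ones that normally leave via Fa2/0 toward 10.0.0.2.
ROUTES = [
    ("192.168.10.0/24", "10.0.0.2", "Fa2/0"),
    ("192.168.20.0/24", "10.0.0.2", "Fa2/0"),
    ("10.50.0.0/16", "10.1.1.2", "Fa1/0"),
    ("0.0.0.0/0", "172.16.1.254", "Fa0/1"),
]
PBR_NEXT_HOP = "10.0.0.3"   # next hop wanted for Fa0/0 traffic (from the thread)
ACL_NAME = "ACL_VIA_FA2"    # hypothetical ACL name


def dests_via(routes, egress):
    """Prefixes the routing table currently sends out `egress`."""
    return [ipaddress.ip_network(p) for p, _, e in routes if e == egress]


def pbr_config(routes, egress, ingress, next_hop):
    """IOS lines for the approach in Jon's answer: an extended ACL listing the
    destinations that would leave via `egress`, matched with 'match ip address'
    by a route-map applied as policy on the ingress interface."""
    lines = [f"ip access-list extended {ACL_NAME}"]
    for net in dests_via(routes, egress):
        lines.append(f" permit ip any {net.network_address} {net.hostmask}")
    lines += ["route-map MYMAP permit 10", f" match ip address {ACL_NAME}",
              f" set ip next-hop {next_hop}", f"interface {ingress}",
              " ip policy route-map MYMAP"]
    return lines


def lookup(routes, dst):
    """Longest-prefix match over the routing table; returns (next hop, egress)."""
    addr = ipaddress.ip_address(dst)
    best = max((r for r in routes if addr in ipaddress.ip_network(r[0])),
               key=lambda r: ipaddress.ip_network(r[0]).prefixlen)
    return best[1], best[2]


def forward(routes, ingress, dst, policy_ingress="Fa0/0", egress="Fa2/0"):
    """Order of operations: the policy on the ingress interface runs *before* the
    routing lookup, so it can only test what the packet carries (destination),
    never the egress interface the lookup has not yet chosen."""
    addr = ipaddress.ip_address(dst)
    if ingress == policy_ingress and any(addr in n for n in dests_via(routes, egress)):
        return PBR_NEXT_HOP
    return lookup(routes, dst)[0]


if __name__ == "__main__":
    print("\n".join(pbr_config(ROUTES, "Fa2/0", "FastEthernet0/0", PBR_NEXT_HOP)))
```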
