route map maybe??

Unanswered Question
Jan 18th, 2010

Hey guys,

I have a network with two ways out to the ISP. Currently everyone is going out isp1 the routing statement on my core is this.

ip route 0.0.0.0 0.0.0.0 192.x.x.x 5

I want to send my ip and my ip only out another path .. any suggestions on how to do this as easy as possible? My ip is 10.xx.xx.7

Thanks,

Brent

Jon Marshall Mon, 01/18/2010 - 09:27

b.rockburn wrote:

Hey guys,

I have a network with two ways out to the ISP. Currently everyone is going out isp1 the routing statement on my core is this.

ip route 0.0.0.0 0.0.0.0 192.x.x.x 5

I want to send my ip and my ip only out another path .. any suggestions on how to do this as easy as possible? My ip is 10.xx.xx.7

Thanks,

Brent

Brent

You have come up with the answer yourself, PBR is the way to go, e.g.

access-list 101 permit ip host any

route-map PBR permit 10

match ip address 101

set ip next-hop

int vlan 10  <--- assuming your host is on vlan 10

ip policy route-map PBR

Note that you may need to modify the access-list as this will send ALL your traffic to the ISP2 next-hop. If you want to communicate with other vlans within your LAN you need deny statements first eg.

vlan 10 = 192.168.5.0/24

vlan 11 = 192.168.6.0/24

access-list 101 deny ip host 192.168.6.0 0.0.0.255

access-list 101 permit ip host any

Jon

Brent Rockburn Mon, 01/18/2010 - 09:40

yeah .. I thought PBR was the way to go .. thanks guys for the quick response on this.

I have only one (for now LOL) follow up question.

If I tell vlan XX interface to use my PBR route map that will send ALL the traffic to ISP 2. I would like to only send my IP address .. and send everyone else out the old ISP.

So if I understand things correctly I do a permit on the ACL for me and a deny ip any any for everyone else. Once anyone else hits the deny IP any any will they then get sent to the old routing statement on the core?

Jon Marshall Mon, 01/18/2010 - 09:43

b.rockburn wrote:

yeah .. I thought PBR was the way to go .. thanks guys for the quick response on this.

I have only one (for now LOL) follow up question.

If I tell vlan XX interface to use my PBR route map that will send ALL the traffic to ISP 2. I would like to only send my IP address .. and send everyone else out the old ISP.

So if I understand things correctly I do a permit on the ACL for me and a deny ip any any for everyone else. Once anyone else hits the deny IP any any will they then get sent to the old routing statement on the core.

Brent

You don't actually have to do a deny, as if there is no match it will get routed via the routing table anyway. So you can just include your host. The reason I included denies in my example was because your host might need to get to other internal vlans.

The PBR example provided by both Giuseppe and myself will only affect your host's traffic. The rest of the traffic will be routed as normal.

Jon

Brent Rockburn Mon, 01/18/2010 - 10:05

Note that you may need to modify the access-list as this will send ALL your traffic to the ISP2 next-hop. If you want to communicate with other vlans within your LAN you need deny statements first eg.


So if I am reading this correctly, once I apply this route map all my traffic will get sent out. So if I want to be able to connect to anything on my internal lan I need to deny the necessary subnets?

Like so?


access-list 101 deny ip 10.xx.xx.xx 0.0.15.255 <=== My internal LAN subnet

access-list 101 permit ip host any

Jon Marshall Mon, 01/18/2010 - 10:07

b.rockburn wrote:

Note that you may need to modify the access-list as this will send ALL your traffic to the ISP2 next-hop. If you want to communicate with other vlans within your LAN you need deny statements first eg.


So if I am reading this correctly, once I apply this route map all my traffic will get sent out. So if I want to be able to connect to anything on my internal lan I need to deny the necessary subnets?

Like so?


access-list 101 deny ip 10.xx.xx.xx 0.0.15.255 <=== My internal LAN subnet

access-list 101 permit ip host any


Exactly. You must deny traffic from your host that you do not want to be sent to the ISP next-hop.

Jon
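The forwarding decision discussed in the replies above, modelled as an added example that is not part of the original thread: a deny in the PBR access-list means "do not policy-route", not "drop", and anything that does not match falls back to the routing table. The host address, both next hops and the function names are constructed for illustration; the VLAN subnets are the ones from Jon's example.

```python
import ipaddress

# Constructed sample values (the thread elides the real addresses).
HOST = "192.168.5.7"               # the one host to policy-route, on vlan 10
ISP2_NEXT_HOP = "203.0.113.1"      # hypothetical ISP2 next hop
DEFAULT_NEXT_HOP = "198.51.100.1"  # hypothetical next hop of the existing default route
POLICY_INTERFACE = "vlan10"        # interface carrying "ip policy route-map PBR"

# ACL 101 in order: (action, source network, destination network).
ACL_101 = [
    ("deny", HOST + "/32", "192.168.6.0/24"),  # host -> vlan 11 stays on normal routing
    ("permit", HOST + "/32", "0.0.0.0/0"),     # host -> everything else goes to ISP2
]

ROUTING_TABLE = [
    ("192.168.5.0/24", "connected vlan 10"),
    ("192.168.6.0/24", "connected vlan 11"),
    ("0.0.0.0/0", DEFAULT_NEXT_HOP),
]

def acl_permits(acl, src, dst):
    """First matching entry wins; no match at all is an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action == "permit"
    return False

def routing_table_lookup(dst):
    """Longest-prefix match over the routing table."""
    d = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(n), hop) for n, hop in ROUTING_TABLE
               if d in ipaddress.ip_network(n)]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def forward(in_interface, src, dst):
    """PBR is evaluated only on the inbound interface that carries the policy."""
    if in_interface == POLICY_INTERFACE and acl_permits(ACL_101, src, dst):
        return ISP2_NEXT_HOP          # route-map permit clause: set ip next-hop
    return routing_table_lookup(dst)  # denied or unmatched: normal routing

if __name__ == "__main__":
    for args in [("vlan10", HOST, "8.8.8.8"), ("vlan10", HOST, "192.168.6.20"),
                 ("vlan10", "192.168.5.50", "8.8.8.8")]:
        print(args, "->", forward(*args))
```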

Giuseppe Larosa Mon, 01/18/2010 - 09:29

Hello Brent,

Your understanding is correct: you need to use a route-map in PBR.

access-list 1 permit host yourIP

route-map mypbr permit 10

match ip address 1

set ip next-hop isp2-ipaddress

int type x/y

desc interface internal receiving traffic

ip policy route-map mypbr

PBR works on the inbound interface, intercepting traffic flows.

You may need to use an extended ACL if you want to divert traffic only for specific destinations.

edit:

Sorry Jon, I haven't seen your post.

Hope to help

Giuseppe

Brent Rockburn Mon, 01/18/2010 - 10:25

Do you guys know how to apply this on a 4500 L3 switch?

It's not taking my "ip policy" command.

My IOS is cat4500e-entservicesk9-mz.122-50.SG.bin

Jon Marshall Mon, 01/18/2010 - 10:31

b.rockburn wrote:

Do you guys know how to apply this on a 4500 L3 switch?

It's not taking my "ip policy" command.

My IOS is cat4500e-entservicesk9-mz.122-50.SG.bin

You are trying to apply it on the L3 vlan interface?

If so, what supervisor are you running in your 4500?

Jon

Brent Rockburn Mon, 01/18/2010 - 10:34

NAME: "Linecard(slot 3)", DESCR: "Supervisor 6-E 10GE (X2), 1000BaseX (SFP) with 2 10GE X2 ports"
PID: WS-X45-SUP6-E     , VID: V02  , SN: JAE1224LNT4

NAME: "Linecard(slot 4)", DESCR: "Supervisor 6-E 10GE (X2), 1000BaseX (SFP) with 2 10GE X2 ports"
PID: WS-X45-SUP6-E     , VID: V02  , SN: JAE1224L3JY

This is what I got from my sh inventory

Jon Marshall Mon, 01/18/2010 - 10:40

b.rockburn wrote:

NAME: "Linecard(slot 3)", DESCR: "Supervisor 6-E 10GE (X2), 1000BaseX (SFP) with 2 10GE X2 ports"
PID: WS-X45-SUP6-E     , VID: V02  , SN: JAE1224LNT4

NAME: "Linecard(slot 4)", DESCR: "Supervisor 6-E 10GE (X2), 1000BaseX (SFP) with 2 10GE X2 ports"
PID: WS-X45-SUP6-E     , VID: V02  , SN: JAE1224L3JY

This is what I got from my sh inventory

Brent

PBR support was added to the Supervisor 6-E with IOS version 12.2(52)SG so you need to upgrade your IOS to be able to use it as you are currently running 12.2(50)SG.

Jon

Brent Rockburn Mon, 01/18/2010 - 10:52

There seem to be some issues bug wise with that IOS so I'm thinking of upgrading to 122-53.SE1

Jon Marshall Mon, 01/18/2010 - 10:58

b.rockburn wrote:

There seem to be some issues bug wise with that IOS so I'm thinking of upgrading to 122-53.SE1

No problem. As long as it is past 12.2(52)SG you should be fine.

Jon
