route map maybe??

Brent Rockburn
Level 2

Hey guys,

I have a network with two ways out to the ISP. Currently everyone is going out ISP1; the routing statement on my core is this.

ip route 0.0.0.0 0.0.0.0 192.x.x.x 5

I want to send my IP, and my IP only, out another path. Any suggestions on how to do this as easily as possible? My IP is 10.xx.xx.7

Thanks,

Brent

12 Replies

Jon Marshall
Hall of Fame

Brent

You have come up with the answer yourself; PBR is the way to go, e.g.

access-list 101 permit ip host any

route-map PBR permit 10
 match ip address 101
 set ip next-hop

int vlan 10   <--- assuming your host is on vlan 10
 ip policy route-map PBR

Note that you may need to modify the access-list, as this will send ALL your traffic to the ISP2 next-hop. If you want to communicate with other VLANs within your LAN you need deny statements first, e.g.

vlan 10 = 192.168.5.0/24
vlan 11 = 192.168.6.0/24

access-list 101 deny ip host 192.168.6.0 0.0.0.255
access-list 101 permit ip host any

Jon

Yeah, I thought PBR was the way to go. Thanks guys for the quick response on this.

I have only one (for now LOL) follow up question.

If I tell the VLAN XX interface to use my PBR route map, that will send ALL the traffic to ISP 2. I would like to only send my IP address, and send everyone else out the old ISP.

So if I understand things correctly, I do a permit on the ACL for me and a deny ip any any for everyone else. Once anyone else hits the deny ip any any, will they then get sent to the old routing statement on the core?

Brent

You don't actually have to do a deny, as if there is no match it will get routed via the routing table anyway. So you can just include your host. The reason I included denies in my example was because your host might need to get to other internal VLANs.

The PBR example provided by both Giuseppe and myself will only affect your host's traffic. The rest of the traffic will be routed as normal.

Jon

Note that you may need to modify the access-list, as this will send ALL your traffic to the ISP2 next-hop. If you want to communicate with other VLANs within your LAN you need deny statements first, e.g.


So if I am reading this correctly, once I apply this route map all my traffic will get sent out. So if I want to be able to connect to anything on my internal LAN I need to deny the necessary subnets?

Like so?


access-list 101 deny ip 10.xx.xx.xx 0.0.15.255   <=== My internal LAN subnet
access-list 101 permit ip host any

Exactly. You must deny traffic from your host that you do not want to be sent to the ISP next-hop.

Jon
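Added example, not configuration or code from the thread: a small Python model of how IOS evaluates the access-list behind a PBR route-map (`match ip address <acl>` plus `set ip next-hop`). It shows the two points Jon makes above: the deny entry for the internal range has to come before the permit, and a deny hit (or no hit at all) does not drop the packet, it just leaves it to the normal routing table. The addresses (host 10.0.0.7, internal range 10.0.0.0/20, ISP2 next-hop 203.0.113.2) and all function names are assumptions for illustration.

```python
"""Model of IOS PBR evaluation: 'route-map X permit 10 / match ip address <acl>
/ set ip next-hop N'.  Added example, not configuration from the thread.
Addresses and names are assumed for illustration."""
import ipaddress
from typing import List, Optional, Tuple

Ace = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network]  # (action, src, dst)


def wildcard_to_network(address: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert an IOS 'address wildcard' pair to a CIDR network.
    Only contiguous wildcards (0.0.0.255, 0.0.15.255, ...) are accepted."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):  # wc+1 is a power of two only when the low-order ones are contiguous
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    prefix_len = 32 - wc.bit_length()
    return ipaddress.IPv4Network((address, prefix_len), strict=False)


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one address spec ('any', 'host A', or 'A W') starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tok, tokens[i + 1]), i + 2


def parse_acl(lines: List[str]) -> List[Ace]:
    """Parse 'access-list N permit|deny ip SRC DST' entries in configured order.
    Only protocol 'ip' (no ports) is modelled, which is all the thread's PBR needs."""
    aces: List[Ace] = []
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny") or t[3] != "ip":
            raise ValueError(f"unsupported ACE: {line!r}")
        src, i = _parse_addr(t, 4)
        dst, _ = _parse_addr(t, i)
        aces.append((t[2], src, dst))
    return aces


def acl_lookup(aces: List[Ace], src_ip: str, dst_ip: str) -> str:
    """First-match ACL evaluation with the implicit 'deny' at the end."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for action, src, dst in aces:
        if s in src and d in dst:
            return action
    return "deny"


def policy_route(aces: List[Ace], next_hop: str, src_ip: str, dst_ip: str) -> Optional[str]:
    """Only a *permit* hit in the ACL fires the route-map's set clause.  A deny
    hit, or no hit at all, means 'not matched': the packet is NOT dropped, it is
    handed to normal destination-based routing (returned here as None)."""
    return next_hop if acl_lookup(aces, src_ip, dst_ip) == "permit" else None


# Constructed configuration mirroring the thread's pattern (assumed addresses).
ISP2_NEXT_HOP = "203.0.113.2"
HOST = "10.0.0.7"
ACL_101 = parse_acl([
    "access-list 101 deny ip host 10.0.0.7 10.0.0.0 0.0.15.255",  # LAN traffic: leave to routing table
    "access-list 101 permit ip host 10.0.0.7 any",                 # everything else from the host -> ISP2
])
# The same two entries in the wrong order: the permit shadows the deny.
ACL_WRONG_ORDER = parse_acl([
    "access-list 101 permit ip host 10.0.0.7 any",
    "access-list 101 deny ip host 10.0.0.7 10.0.0.0 0.0.15.255",
])


def demo() -> dict:
    """Where each constructed flow goes: a next-hop string, or None for
    'normal routing' (the existing 0.0.0.0/0 route toward ISP1)."""
    return {
        "host to Internet": policy_route(ACL_101, ISP2_NEXT_HOP, HOST, "198.51.100.10"),
        "host to other VLAN": policy_route(ACL_101, ISP2_NEXT_HOP, HOST, "10.0.6.20"),
        "other host to Internet": policy_route(ACL_101, ISP2_NEXT_HOP, "10.0.0.9", "198.51.100.10"),
        "host to other VLAN (wrong order)": policy_route(ACL_WRONG_ORDER, ISP2_NEXT_HOP, HOST, "10.0.6.20"),
    }


if __name__ == "__main__":
    for flow, hop in demo().items():
        print(f"{flow:34} -> {hop or 'routing table'}")
```

The "wrong order" case is the one to watch for on a real box: with the permit first, the host's traffic to other internal VLANs is also handed to the ISP2 next-hop and silently leaves the LAN. On IOS the match counters from `show route-map PBR` and `show ip policy` are the quickest way to confirm which packets are actually being policy-routed after the ACL is applied.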

Giuseppe Larosa
Hall of Fame

Hello Brent,

Your understanding is correct; you need to use a route-map in PBR:

access-list 1 permit host yourIP

route-map mypbr permit 10
 match ip address 1
 set ip next-hop isp2-ipaddress

int type x/y
 desc interface internal receiving traffic
 ip policy route-map mypbr

PBR works on the inbound interface, intercepting traffic flows.

You may need to use an extended ACL if you want to divert traffic only for specific destinations.

edit:

Sorry Jon, I hadn't seen your post.

Hope to help

Giuseppe

Do you guys know how to apply this on a 4500 L3 switch?

It's not taking my "ip policy" command.

My IOS is cat4500e-entservicesk9-mz.122-50.SG.bin

You are trying to apply it on the L3 VLAN interface?

If so, what supervisor are you running in your 4500?

Jon

NAME: "Linecard(slot 3)", DESCR: "Supervisor 6-E 10GE (X2), 1000BaseX (SFP) with 2 10GE X2 ports"
PID: WS-X45-SUP6-E     , VID: V02  , SN: JAE1224LNT4

NAME: "Linecard(slot 4)", DESCR: "Supervisor 6-E 10GE (X2), 1000BaseX (SFP) with 2 10GE X2 ports"
PID: WS-X45-SUP6-E     , VID: V02  , SN: JAE1224L3JY

This is what I got from my "sh inventory".

Brent

PBR support was added to the Supervisor 6-E with IOS version 12.2(52)SG so you need to upgrade your IOS to be able to use it as you are currently running 12.2(50)SG.

Jon

There seem to be some issues bug-wise with that IOS, so I'm thinking of upgrading to 122-53.SE1.

No problem. As long as it's past 12.2(52)SG you should be fine.

Jon
