IP Next Hop to send user out to a different internet connection

ngthen
Level 1

I have a 3750 which handles all of my central routing to various subnets throughout my building. Also, I have two internet connections. My question is, can I use IP Next Hop to direct users out the second internet connection, essentially overriding the default gateway for them? By setting IP next hop, however, will this cause my internal static routes to stop functioning, or will these have a higher priority?

8 Replies

Lei Tian
Cisco Employee

Hi,

Yes, you can use PBR (policy based routing) to force some traffic to use a different exit link. PBR is processed before the routing lookup, so you can force certain traffic to use one path and the rest of the traffic to use the default route. Be aware there are some limitations when using PBR on the 3750; please refer to the configuration guide for configuration details:

http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst3750/software/release/12.2_52_se/configuration/guide/swiprout.html

HTH,

Lei Tian

So if PBR is processed before the routing lookup, is there an easy way that I can tell it to ignore anything going to private subnets (i.e. 10, 172, 192)? This way things aren't sent to the other gateway for internal traffic.

You asked right as I posted

Here is an example of a configuration for a policy route to do just that:

ip access-list extended INET2_ACL
 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
 permit ip any any
route-map INET2
 match ip address INET2_ACL
 set ip next-hop 10.1.1.1
interface vlan 100
 ip policy route-map INET2

This of course assumes your internal network is 10.0.0.0/8, and notice the deny is before the permit.

HTH,

Craig

Hi,

You need to create a route-map first; within the route-map you need an ACL to specify the traffic you want to redirect, then you set ip next-hop only for the traffic that matches the ACL.

See the configuration example (x.x.x.x is a placeholder for your own addresses; the ACL is a standard named ACL, so the permit line takes a source address and wildcard mask):

route-map test
 match ip address test
 set ip next-hop x.x.x.x
ip access-list standard test
 remark the traffic you want to redirect
 permit x.x.x.x x.x.x.x

HTH,

Lei Tian

xcz504d1114
Level 4

In addition to what the previous poster linked, make sure you specify that internal traffic should NOT be policy routed, as the policy based route takes precedence over all routing decisions. So if your internal network is 192.168.1.0/24, you need to create a deny statement in the ACL you build for your PBR for that network; otherwise the router will send traffic for things such as internal DNS servers, printers, etc. out your second internet POP to reach them.

HTH,

Craig

Hi Craig,

Deny statements are not supported in the 3750's PBR. From the configuration guide:

Note: Do not enter an ACL with a deny ACE or an ACL that permits a packet destined for a local address.

Thanks,

Lei Tian

Ah, good to know! Thanks Lei

As a note, here are the limitations when using PBR on the 3750:

1) sdm prefer routing must be used
2) ip policy must be placed on a routed interface or an SVI
3) IP services software is required; the ip policy command is not available on IP base
4) only unicast traffic applies to the policy
5) you cannot have any route-map deny statements; this causes 100% CPU utilization
6) you cannot reference any access-lists that contain deny statements; this causes 100% CPU utilization
7) you cannot use set interface, set default next-hop or set default interface within the route-map
8) you cannot use WCCP and PBR on the same interface

They are all documented in the link I posted. I recommend you go over the document before implementing.

HTH,

Lei Tian
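Since the thread establishes that the 3750's PBR accepts neither deny ACEs nor route-map deny clauses, the "exclude private subnets" requirement has to be expressed with permit ACEs only. The following is an added example, not configuration posted in this thread or taken from Cisco documentation: it carves the RFC 1918 ranges out of 0.0.0.0/0 with Python's ipaddress module, renders the remaining blocks as destination-match permit ACEs in IOS wildcard-mask form, and models the PBR decision (a matching destination goes to the policy next hop, everything else falls through to the routing table). The next hop 10.1.1.1 is the value from Craig's sample route-map; the default gateway 203.0.113.1 and the internal prefixes are constructed assumptions.

```python
import ipaddress

# Constructed values for the example: 10.1.1.1 is the next hop used in the
# thread's sample route-map; the default gateway and internal ranges are assumptions.
PBR_NEXT_HOP = "10.1.1.1"
DEFAULT_GATEWAY = "203.0.113.1"   # documentation range, stands in for the primary ISP
INTERNAL_PREFIXES = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def complement_prefixes(excluded, universe="0.0.0.0/0"):
    """Return the disjoint CIDR blocks covering `universe` minus each network in `excluded`.

    Each excluded block is carved out with IPv4Network.address_exclude, so every
    block in the result can be written as a single permit ACE with no deny needed.
    """
    remaining = [ipaddress.ip_network(universe)]
    for ex in (ipaddress.ip_network(p) for p in excluded):
        carved = []
        for net in remaining:
            if ex.subnet_of(net):
                carved.extend(net.address_exclude(ex))   # split net around the hole
            elif net.subnet_of(ex):
                continue                                  # net lies entirely in the hole
            else:
                carved.append(net)                        # net is untouched
        remaining = carved
    return sorted(remaining)


def permit_aces(prefixes):
    """Render destination-match permit ACEs using IOS wildcard (inverse) masks."""
    return [f" permit ip any {n.network_address} {n.hostmask}" for n in prefixes]


def build_pbr_config(acl="INET2_ACL", route_map="INET2", next_hop=PBR_NEXT_HOP,
                     internal=INTERNAL_PREFIXES, interface="vlan 100"):
    """Assemble the permit-only ACL, the route-map and the SVI binding as IOS text."""
    lines = [f"ip access-list extended {acl}"]
    lines += permit_aces(complement_prefixes(internal))
    lines += [f"route-map {route_map} permit 10",
              f" match ip address {acl}",
              f" set ip next-hop {next_hop}",
              f"interface {interface}",
              f" ip policy route-map {route_map}"]
    return "\n".join(lines)


def pbr_next_hop(dst, internal=INTERNAL_PREFIXES, next_hop=PBR_NEXT_HOP,
                 default_gw=DEFAULT_GATEWAY):
    """Model the PBR decision for one destination.

    PBR runs before the routing lookup: a destination that matches a permit ACE
    is handed to the policy next hop; anything that matches nothing falls
    through to normal routing, modelled here as just the default route.
    """
    addr = ipaddress.ip_address(dst)
    for net in complement_prefixes(internal):
        if addr in net:
            return next_hop
    return default_gw


if __name__ == "__main__":
    print(build_pbr_config())
    for d in ("8.8.8.8", "10.1.2.3", "172.31.0.9", "172.32.0.1", "192.168.5.5"):
        print(d, "->", pbr_next_hop(d))
```

The complement of the three RFC 1918 blocks comes out as 31 permit ACEs, which is why hand-writing this list is error-prone and why a deny ACE would have been the natural shortcut. The example only handles the destination side of the match; the guide's second caveat quoted above, that the ACL must not permit packets destined for the switch's own local addresses, still has to be checked against the addresses actually configured on the 3750.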
