Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
522
Views
0
Helpful
2
Replies

PBR using Next_hop

csco010260260
Level 1
Level 1

‎09-15-2010 10:48 AM - edited ‎03-06-2019 12:59 PM

Hello;

I am looking to define a PBR to a number of different gateways based on first the verify availability and then based on source IP address match.

I currently have PBR setup to change the default gateway based on the source IP Address defined in a couple of ACL. The policy is assigned to all interfaces connected to the router. This is and has been working fine for a number of years.

route-map Internet, permit, sequence 40

  Match clauses:

    ip address (access-lists): ContentBypass

  Set clauses:

    ip default next-hop 192.168.1.26

  route-map Internet, permit, sequence 60

  Match clauses:

    ip address (access-lists): InternetAccess

  Set clauses:

    ip default next-hop 192.168.1.21

We have expanded our Internet access by adding an ISP to another site. We now have two Internet connections, each attached to a 6509. The current configuration works fine on each site. I want to modify it to use the “set ip next-hop verify-availability”  command . Working in stages I modified a test interface to run the following configuration with just the next_hop change before going to the verify availability command.

route-map Internet permit 40

description Inside - System Bypass of Content Management

match ip address ContentBypass

set ip default next-hop 192.168.40.26

!

route-map Internet permit 50

description test_Inside

match ip address Test

set ip next-hop 192.168.40.26

!

route-map Internet permit 60

description District - Default Internet Access Policy

match ip address InternetAccess

set ip default next-hop 192.168.40.21

The source IP defined in the “test_Inside”  is a subnet defined on a vlan interface.

When I use the” set ip default next-hop 192.168.40.26” command, it works fine, When I change to the “set ip next-hop 192.168.40.26” I cannot even ping the Vlan interface ip address.

Any help would be appreciated

Dan

Labels:
0 Helpful
2 Replies 2

Giuseppe Larosa
Hall of Fame
Hall of Fame

‎09-15-2010 01:11 PM

Hello Dan,

the two commands make different actions:

set ip default next-hop 192.168.40.26:

first look at IP routing table, if an explicit route is found use that route to send the packet. If no explicit route is found then use the specified next-hop

set ip next-hop 192.168.40.26

send packet to specified next-hop if the next-hop is available

If you want to use the other internet connection for the test vlan IP subnet when it is the source you should use the first option or all traffic will be sent to next-hop when the source is in that IP subnet.

Hope to help

Giuseppe

0 Helpful

csco010260260
Level 1
Level 1
In response to Giuseppe Larosa

‎09-15-2010 01:46 PM

Thanks for the quick reponse

I keep thinking that I understand the differences, but the results confuse me.

The 192.168.40.x subnet is directly connected to the router and is in the route table. I see the destination address of 192.168.40.26 in the ARP table also.

The default gateway defined on the router is 0.0.0.0 0.0.0.0 10.255.1.10  - which is the other site with the original ISP connection.

I really liked how the default next_hop was been working by checking the route tables first and then modifying the next-hop if not found in the route table.

I believe that I need to remove the default option to set up a SLA / tracking and use the verify_availablity option. The network is basically a layer 2 network with 20 some sites. Two large sites, each with an ISP connection. All the edge sites will access the Internet through one of these two large site. I am trying to setup a set of PBR at each of the two large sites to redirect the internet traffic to the other site based on the "verify_availablity" of the local ISP. The other statements in the PBR are to direct traffic to a defined port on the ASA to bypass content filtering as needed.


Gateway of last resort is 10.255.1.10 to network 0.0.0.0

     192.168.40.0/29 is subnetted, 2 subnets
C       192.168.40.16 is directly connected, Vlan996
C       192.168.40.24 is directly connected, Vlan995
      10.0.0.0/8 is variably subnetted, 118 subnets, 4 masks
C       10.43.0.0/16 is directly connected, Vlan43

C       10.44.0.0/16 is directly connected, Vlan44

C       10.255.1.0/24 is directly connected, Vlan255

S*   0.0.0.0/0 [1/0] via 10.255.1.10

Edge sites stripped out. What am I missing 192.168.49.26 is explicitly defined and when I use the default option everything works

Thanks

Dan

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card