Source-sensitive Routing

Unanswered Question
Dec 19th, 2011

Hello,


I would like to know how I can apply some policy-based routing, based on the source of the flows. For example, all flows from the Internet go one way, and all private flows go through the other way.


I tried to create this ACL:

For private:

ip access-list standard PRIVATE
 permit 10.0.0.0 0.255.255.255
 permit 172.16.0.0 0.15.255.255
 permit 192.168.0.0 0.0.255.255


And for public:

ip access-list standard PUBLIC
 deny   10.0.0.0 0.255.255.255
 deny   172.16.0.0 0.15.255.255
 deny   192.168.0.0 0.0.255.255
 permit any


And then I created a route-map and applied settings like this:

route-map BOU49-VERS-SDSL permit 10
 match ip address PRIVATE
 set local-preference 150



I use "set local-preference" because I use BGP to receive and send routes to other routers.


Anyway, I'm pretty sure it is the "match ip" which doesn't work, because with a "show route-map BOU49-VERS-SDSL", I have no match, ever:


route-map BOU49-VERS-SDSL, permit, sequence 10
  Match clauses:
    ip address (access-lists): PRIVATE
  Set clauses:
    local-preference 150
  Policy routing matches: 0 packets, 0 bytes



Any idea how to route packets based on the source?


Thank you for your help, and sorry for my English ;-)

Richard Burts Mon, 12/19/2011 - 05:27
Aurelien


You tell us that you created a route map but you do not tell us how you have applied that route map. And it is important to know how the route map was applied.


You describe what you want to do as being Policy Based Routing. And a route map for PBR is applied on the interface where the traffic arrives. But what your route map does is to set a BGP parameter. For that route map to work it would need to be applied to a BGP neighbor and not to an interface. And that brings up the question of whether the neighbor would be advertising private addresses to you. So perhaps you can clarify what is your topology and how you are applying the route map and then perhaps we can give better answers.


HTH


Rick
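
Added example (not part of the thread and not Cisco's own configuration): the distinction drawn in the reply above, with the same ACLs used once in a route map applied to a BGP neighbor and once in a route map applied as Policy Based Routing. The interface name, the addresses, the AS numbers and the route-map names BGP-IN and PBR-BY-SOURCE are assumptions.

```cisco
! Constructed example. The ACLs PRIVATE and PUBLIC are the ones posted in
! the thread; the interface name, addresses, AS numbers and the route-map
! names BGP-IN and PBR-BY-SOURCE are hypothetical.
!
! (a) Route map applied to a BGP neighbor. "match ip address" is compared
!     with the prefixes of the routes received from that neighbor, never
!     with the source of a forwarded packet, and the "Policy routing
!     matches" counter in "show route-map" is not incremented.
route-map BGP-IN permit 10
 match ip address PRIVATE
 set local-preference 150
! Empty sequence so that routes not matched above are still accepted
route-map BGP-IN permit 20
!
router bgp 64512
 neighbor 192.0.2.1 remote-as 64513
 neighbor 192.0.2.1 route-map BGP-IN in
!
! (b) Policy Based Routing. The route map is applied on the interface
!     where the traffic arrives; a standard ACL is then compared with the
!     source address of each packet, and "set ip next-hop" picks the exit.
route-map PBR-BY-SOURCE permit 10
 match ip address PRIVATE
 set ip next-hop 198.51.100.1
route-map PBR-BY-SOURCE permit 20
 match ip address PUBLIC
 set ip next-hop 198.51.100.2
!
interface GigabitEthernet0/0
 ip policy route-map PBR-BY-SOURCE
!
! Verification: "show ip policy" lists the interface and its route map;
! "show route-map PBR-BY-SOURCE" shows non-zero "Policy routing matches"
! once matching traffic arrives on that interface.
```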

aurelien-bern Mon, 12/19/2011 - 07:53
First, thank you for your time.


I'm sorry for forgetting this information. Here is where I apply the route-map:

neighbor 172.21.3.254 route-map BOU49-VERS-SDSL in


I attach a file which describes the topology of my network, and I can describe it in words too!


There are 2 participants in my problem:

- My company: provides a core network for a client, in a VPN. We can represent this core network with one router for simplicity. This router is the link between the client and the Internet.

- The client: he's connected to our core network with 2 routers (1 Cisco 881 for the SDSL connection and 1 Cisco 887 for the IPADSL connection)



Exchanges between client and core are made dynamically with BGP (client AS is 64620 and let's say core AS is 65500 even if it's public in reality).



What I want to do:

I want all flows which are for other customer sites (in the same VPN) to go through the 881 (SDSL connection) and all flows which are for the Internet to go through the 887 (ADSL connection). But I also want all flows that COME FROM the Internet to come back through the 887 and all flows that COME FROM other sites of the VPN (so with a private address) to come back through the 881.



For the first part it's ok, I can send all flows for the VPN through the 881 and all flows for the Internet through the 887.



The problem is: how can I sort the flows when they come back? For now, they all come back through the 881...



What I thought to do was the ACL and the route-map I mentioned before. The client network is 10.0.0.0 and is advertised to the core from the 881 and the 887. I just thought I could put a higher priority on the advertisement from the 887 WHEN the packet sources are Internet addresses, and a higher priority on the advertisement from the 881 WHEN the packet source is private. So when Internet: go 887, and when private, go 881.


If you need any information, just tell me!


