I am looking to define a PBR to a number of different gateways, based first on verify-availability and then on a source IP address match.
I currently have PBR set up to change the default gateway based on the source IP address defined in a couple of ACLs. The policy is assigned to all interfaces connected to the router. This is and has been working fine for a number of years.
route-map Internet, permit, sequence 40
  ip address (access-lists): ContentBypass
  ip default next-hop 192.168.1.26
route-map Internet, permit, sequence 60
  ip address (access-lists): InternetAccess
  ip default next-hop 192.168.1.21
We have expanded our Internet access by adding an ISP at another site. We now have two Internet connections, each attached to a 6509. The current configuration works fine at each site. I want to modify it to use the “set ip next-hop verify-availability” command. Working in stages, I modified a test interface to run the following configuration with just the next-hop change before going to the verify-availability command.
route-map Internet permit 40
 description Inside - System Bypass of Content Management
 match ip address ContentBypass
 set ip default next-hop 192.168.40.26
route-map Internet permit 50
 match ip address Test
 set ip next-hop 192.168.40.26
route-map Internet permit 60
 description District - Default Internet Access Policy
 match ip address InternetAccess
 set ip default next-hop 192.168.40.21
The source IP defined in “test_Inside” is a subnet defined on a VLAN interface.
When I use the “set ip default next-hop 192.168.40.26” command, it works fine. When I change to the “set ip next-hop 192.168.40.26” command, I cannot even ping the VLAN interface IP address.
First look at the IP routing table; if an explicit route is found, use that route to send the packet. If no explicit route is found, then use the specified next-hop.
set ip next-hop 192.168.40.26
Send the packet to the specified next-hop if the next-hop is available.
If you want to use the other Internet connection for the test VLAN IP subnet when it is the source, you should use the first option, or all traffic will be sent to the next-hop when the source is in that IP subnet.
I keep thinking that I understand the differences, but the results confuse me.
The 192.168.40.x subnet is directly connected to the router and is in the route table. I see the destination address of 192.168.40.26 in the ARP table also.
The default gateway defined on the router is 0.0.0.0 0.0.0.0 10.255.1.10, which is the other site with the original ISP connection.
I really liked how the default next-hop has been working: checking the route table first and then modifying the next-hop only if the destination is not found in the route table.
I believe that I need to remove the default option to set up SLA / tracking and use the verify-availability option. The network is basically a layer 2 network with some 20 sites. Two large sites, each with an ISP connection. All the edge sites will access the Internet through one of these two large sites. I am trying to set up a set of PBR at each of the two large sites to redirect the Internet traffic to the other site based on the verify-availability of the local ISP. The other statements in the PBR are to direct traffic to a defined port on the ASA to bypass content filtering as needed.
Gateway of last resort is 10.255.1.10 to network 0.0.0.0

     192.168.40.0/29 is subnetted, 2 subnets
C       192.168.40.16 is directly connected, Vlan996
C       192.168.40.24 is directly connected, Vlan995
     10.0.0.0/8 is variably subnetted, 118 subnets, 4 masks
C       10.43.0.0/16 is directly connected, Vlan43
C       10.44.0.0/16 is directly connected, Vlan44
C       10.255.1.0/24 is directly connected, Vlan255
S*   0.0.0.0/0 [1/0] via 10.255.1.10

Edge sites stripped out. What am I missing? 192.168.49.26 is explicitly defined, and when I use the default option everything works.
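The tracked-next-hop setup the post is working toward, as an added example that is not part of the original post or any reply. Addresses, VLANs, ACL names and the route-map name come from the post; the SLA/track numbers, the probe target and the contents of the InternetAccess ACL are assumptions.

```cisco
! Reachability probe toward the local ISP path. 192.168.40.21 is the existing
! next-hop from the post (on Vlan996); probing an address beyond the local
! ASA/ISP edge is usually a better health signal (assumption: pick per site).
ip sla 10
 icmp-echo 192.168.40.21 source-interface Vlan996
 frequency 10
ip sla schedule 10 life forever start-time now
track 10 ip sla 10 reachability

! Hypothetical contents for InternetAccess: deny internal destinations so only
! Internet-bound traffic is policy-routed. Plain "set ip next-hop" does not
! consult the routing table first, so without these denies even traffic to the
! router's own VLAN interfaces is forced to the next-hop (the symptom in the post).
ip access-list extended InternetAccess
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip 10.43.0.0 0.0.255.255 any
 permit ip 10.44.0.0 0.0.255.255 any

! Tracked next-hop replaces the "default" form. When track 10 is down the set
! clause is skipped and the packet follows the normal routing table, i.e. the
! 0.0.0.0/0 route via 10.255.1.10 to the other site's ISP.
route-map Internet permit 60
 description District - Default Internet Access Policy
 match ip address InternetAccess
 set ip next-hop verify-availability 192.168.40.21 10 track 10

! Apply on the inside SVIs as before (Vlan43 shown; repeat per interface).
interface Vlan43
 ip policy route-map Internet

! Verification (exec mode):
!   show track 10                 -> "Reachability is Up/Down"
!   show ip sla statistics 10     -> probe success/failure counts
!   show route-map Internet       -> policy-routed packet counters
```

Failing the probe (for example by shutting the ASA-facing link in a maintenance window) should flip track 10 to Down and move the route-map's matched traffic onto the default route via 10.255.1.10 without any configuration change.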