Cisco Support Community
Community Member

Route-Map Help.

Hello,

I am attempting to create an environment where my current production traffic continues to use the current route to the current firewall, but traffic from a specific network to the same destination is directed to a different firewall to reach the internet.

Current Static route

ip route 172.1.20.0 255.255.255.0 10.1.1.1

Instead I want to have the following:

Traffic from 10.2.1.1 destined to 172.1.20.0 needs to go to firewall 10.1.1.50

all other traffic destined to 172.1.20.0 needs to continue to go to firewall 10.1.1.1

Please let me know your suggestions. Thanks in advance.

11 REPLIES
Hall of Fame Super Bronze

Re: Route-Map Help.

Sure, that can be easily done with Policy Based Routing.

Documentation on such feature can be found at:

http://www.cisco.com/en/US/docs/ios/12_4/ip_route/configuration/guide/piconfig.html#wp1001398

HTH,

__

Edison.

Community Member

Re: Route-Map Help.

Will I need to eliminate the current static route when implementing the new PBR?

Hall of Fame Super Bronze

Re: Route-Map Help.

No.

Hall of Fame Super Gold

Re: Route-Map Help.

Paul

Policy Based Routing does not change the existing routing process. PBR acts as an override to the normal routing decision for certain traffic that you identify through an access list in a route map.

When properly implemented your traffic from the specified subnet will use the alternate firewall and all other traffic will continue to use the existing static route.

HTH

Rick

Community Member

Re: Route-Map Help.

Based on the original criteria, is the following headed in the right direction? Do I need to add a third access list for ALL of the other traffic that currently has static route assignments so that they are not broken in the process?

access-list 102 permit ip 10.2.1.0 255.255.255.0 172.1.20.0 255.255.255.0

access-list 103 permit ip 0.0.0.0 0.0.0.0 172.1.20.0 255.255.255.0

interface vlan 102

ip policy route-map firewall-test

route-map firewall-test permit 10

match ip address 102

set ip default next-hop 10.1.1.50

route-map firewall-test permit 20

match ip address 103

set ip default next-hop 10.1.1.1

Thanks.

Hall of Fame Super Bronze

Re: Route-Map Help. (Accepted Solution)

This configuration will be better:

interface vlan 102

ip policy route-map firewall-test

access-list 102 permit ip 10.2.1.0 255.255.255.0 172.1.20.0 255.255.255.0

route-map firewall-test permit 10

match ip address 102

set ip default next-hop 10.1.1.50

In short, traffic not matching the src/dst pair from the ACL will take the normal routing table so please leave your static routes as they are today.

HTH,

__

Edison.

Community Member

Re: Route-Map Help.

Did I mix up the masks on the access-list? They are supposed to be wildcard masks and not network masks, right? Just want to make sure for my scripts.

Thanks.

Hall of Fame Super Bronze

Re: Route-Map Help.

Yes, they should be inverse-mask 0.0.0.255 :)

You should also use the "set ip next-hop" instead of the "set ip default next-hop".

The latter inspects the routing table before performing the route-map. You want the former.
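An added worked example, not code from this thread or from Cisco: a small Python model of the two points in the reply above (IOS ACL wildcard-mask semantics, and "set ip next-hop" versus "set ip default next-hop") evaluated against the static route from the original post. The routing table below, the sample source and destination addresses, the 0.0.0.0/0 default route and its next hop are constructed for the example; the function names are the example's own. Note also that "ip policy route-map" only takes effect for packets arriving on the interface it is applied to, so it belongs on the interface facing the 10.2.1.0/24 hosts.

```python
import ipaddress
from dataclasses import dataclass

# Corrected IOS fragment this model reproduces (wildcard mask, explicit next-hop):
#   access-list 102 permit ip 10.2.1.0 0.0.0.255 172.1.20.0 0.0.0.255
#   route-map firewall-test permit 10
#    match ip address 102
#    set ip next-hop 10.1.1.50
#   interface vlan 102            <- the interface the 10.2.1.0/24 hosts enter on
#    ip policy route-map firewall-test


@dataclass
class AclEntry:
    """One 'permit ip <src> <src-wildcard> <dst> <dst-wildcard>' line."""
    src: str
    src_wildcard: str
    dst: str
    dst_wildcard: str


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS ACL semantics: a wildcard bit of 1 means 'don't care', 0 means 'must match'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_permits(acl, src: str, dst: str) -> bool:
    """True if any entry matches both the source and destination address."""
    return any(
        wildcard_match(src, e.src, e.src_wildcard)
        and wildcard_match(dst, e.dst, e.dst_wildcard)
        for e in acl
    )


def lookup_route(routing_table, dst: str):
    """Longest-prefix match over (prefix, next_hop) pairs; None if no route at all."""
    d = ipaddress.IPv4Address(dst)
    best = None
    for prefix, next_hop in routing_table:
        net = ipaddress.IPv4Network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def pbr_next_hop(acl, mode: str, policy_next_hop: str, routing_table, src: str, dst: str):
    """
    Decide the next hop for a packet entering the interface carrying the route-map.

    mode == "next-hop":  'set ip next-hop'         -> PBR wins whenever the ACL matches.
    mode == "default":   'set ip default next-hop' -> the routing table is consulted first;
                          the policy next hop is used only when no explicit (non-default)
                          route exists for the destination.
    """
    route = lookup_route(routing_table, dst)
    if acl_permits(acl, src, dst):
        if mode == "next-hop":
            return policy_next_hop
        if mode == "default" and (route is None or route[0].prefixlen == 0):
            return policy_next_hop
    return route[1] if route else None


# Constructed data for the example. The /24 static route is the one from the
# original post; the default route and its next hop 10.1.1.254 are assumed.
ROUTING_TABLE = [("172.1.20.0/24", "10.1.1.1"), ("0.0.0.0/0", "10.1.1.254")]

ACL_102_WRONG = [AclEntry("10.2.1.0", "255.255.255.0", "172.1.20.0", "255.255.255.0")]
ACL_102_RIGHT = [AclEntry("10.2.1.0", "0.0.0.255", "172.1.20.0", "0.0.0.255")]

if __name__ == "__main__":
    src, dst = "10.2.1.1", "172.1.20.10"
    print("network mask as wildcard matches:", acl_permits(ACL_102_WRONG, src, dst))
    print("wildcard mask matches:          ", acl_permits(ACL_102_RIGHT, src, dst))
    for mode in ("default", "next-hop"):
        print(f"set ip {mode:8s} ->", pbr_next_hop(ACL_102_RIGHT, mode, "10.1.1.50", ROUTING_TABLE, src, dst))
```

With the network mask typed where a wildcard belongs, 255.255.255.0 tells the router that only the last octet must equal 0, so 10.2.1.1 never matches and the ACL counters stay at zero. With the correct mask but "set ip default next-hop", the existing 172.1.20.0/24 static route is explicit, so it wins and the packet still goes to 10.1.1.1; only "set ip next-hop" sends it to 10.1.1.50.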

Community Member

Re: Route-Map Help.

I am not getting a hit on the access list or on the route map when we are trying to test this. Any thoughts?

Hall of Fame Super Bronze

Re: Route-Map Help.

Please post the portion of the config along with some debugs such as debug ip packet 102 detail.

Make sure to undebug right after in order to avoid high CPU utilization in the router.

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a008009481d.shtml

Community Member

Re: Route-Map Help.

I think I got it working. I had moved the policy map to the interface where the originating device was sitting, not the outbound interface. That seems to have it working.

Thank you for all of your help.
