I'm just dipping my toes into PBR so bear with me here.
Essentially, I am trying to route traffic from one remote office, through a data center (via a dedicated DS3 link), and out to the internet from there. I'm hopeful that the configs below will work, and I also have questions about whether they are all needed or not.
-needs to use 255.255.1.18 for 184.108.40.206 /22 traffic
-needs to use 255.255.1.1 for remote office traffic
-needs to use 220.127.116.11 for all other traffic
traffic from 18.104.22.168 /22
-needs to get to 22.214.171.124 /22
-needs to use 255.255.1.1 for all other traffic
Create access-lists for route-map
access-list 120 remark [Office-LAN to ANY]
access-list 120 permit ip 126.96.36.199 255.255.252.0 any
access-list 121 remark [Office-LAN to Data Center-LAN]
access-list 121 permit ip 188.8.131.52 255.255.252.0 184.108.40.206 255.255.252.0
route-map DS3_MAP permit 10
description [DS3 - Office-LAN to Data Center-LAN]
match ip address 121
set ip next-hop 255.255.2.1
route-map DS3_MAP permit 20
description [DS3 - Office-LAN to ANY]
match ip address 120
set ip next-hop 255.255.1.1
Log into interface and add route-map
ip policy route-map DS3_MAP
My questions are:
1) Do I need a route map for the 220.127.116.11/22 to 18.104.22.168/22 traffic, or will the switch's routing table handle that?
2) Where is the best place to put the route-map: on the interface for the DS3 router, or on the VLAN that the DS3 router sits in (there will never be anything else in this VLAN)?
3) Should I also create a route-map for the 22.214.171.124 VLAN, or can I allow the routing table on the switch to handle this (I was planning on creating a 0.0.0.0 route to 126.96.36.199 on the switch)?
I've uploaded a pdf of my design to hopefully help explain things clearly.
I appreciate any thoughts/comments that you can provide. I've been going back and forth on where I should place the route-map and whether I actually need one for the 188.8.131.52/22 to 184.108.40.206/22 traffic.
You are correct, I pulled some addresses out of a hat and tossed them in the mix to protect the innocent. :-)
I am thinking that the PBR would be done on the Cat6509. Since it would have a default route pointing to 220.127.116.11, which is fine for the production VLAN, I need the 18.104.22.168/22 traffic to use 255.255.1.1 as its default route to everything other than 22.214.171.124/22.
Let me recap.
I have a local network (126.96.36.199/22) that will go through a 7206 across a DS3 to another 7206 that sits in a remote Data Center. The DS3 only connects our local office and the remote DC; once in the DC we have another connection that we use for getting to the internet. This remote 7206 is plugged into its own VLAN on a 6509 that I am configuring as a core. On this 6509 I have two different paths to the internet: one is used for production purposes and the other is used for corporate traffic. I need the corporate (188.8.131.52) traffic to go across the DS3 to the 6509 and then have the 6509 route this traffic to the 515e (255.255.1.1), sitting in the corp internet VLAN, to reach the internet. I also need this 184.108.40.206 traffic to be able to reach the production (220.127.116.11) VLAN. I'm planning on putting a default route on the 6509 that points to the 515 (18.104.22.168) and figured that I needed a route-map to get my 22.214.171.124 traffic to use a different gateway. If there is another way to tackle this, I'm all ears.
I hope it's not too confusing; that's why I provided the .pdf diagram.
BTW - Equipment in use
2 - 7206 (non-vxr / npe-200) (ds3 routers)
1 - 6509 (sup720 / msfc3 / 6748 modules)
1 - 515e (corporate side firewall)
1 - 515 (production side firewall)
1 - 3640 (front-end for both externally available networks)
>> I'm planning on putting a default route on the 6509 that points to the 515 (126.96.36.199) and figured that I needed a route-map to get my 188.8.131.52 traffic to use a different gateway. If there is another way to tackle this, I'm all ears.
Be aware that a specific static route to net 184.108.40.206 out the interface to the production network, with no PBR, can be enough.
IP routing uses the most specific route first, and the default route is used only for prefixes without an entry in the routing table.
You may need to modify ACLs on PIX but normal routing should be enough.
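To make the point in the reply above concrete, and to answer questions 1 and 3 in the original post in the same place, here is a small simulation of what the core switch does with a packet under plain longest-prefix-match routing versus policy-based routing applied on one interface. This is an added example, not the poster's configuration or anything from Cisco: every address is a constructed RFC 1918 placeholder standing in for the obfuscated ones in the thread, and the gateway roles, the ACL entries and the function names are my assumptions.

```python
"""Simulate what a core switch does with a packet under (a) plain
longest-prefix-match routing and (b) policy-based routing on one interface.

Added example, not the poster's configuration. Every address is a constructed
RFC 1918 placeholder standing in for the obfuscated ones in the thread.
"""
import ipaddress

# Constructed topology (assumptions, not from the thread):
CORP_LAN = "10.1.0.0/22"     # remote office LAN, reached across the DS3
PROD_LAN = "10.2.0.0/22"     # production VLAN, directly connected to the core
GW_DS3 = "10.9.0.2"          # DS3 7206 sitting in its own VLAN on the core
GW_CORP_FW = "10.9.1.1"      # corporate-side firewall (the 515e's role)
GW_PROD_FW = "10.9.2.1"      # production-side firewall, the core's default route
ANY = "0.0.0.0/0"


class Rib:
    """Destination-only routing table; the longest matching prefix wins."""

    def __init__(self):
        self.routes = []

    def add(self, prefix, next_hop):
        self.routes.append((ipaddress.ip_network(prefix), next_hop))

    def lookup(self, dst):
        d = ipaddress.ip_address(dst)
        matches = [(net, nh) for net, nh in self.routes if d in net]
        if not matches:
            return None
        # A /22 beats /0: the default route is consulted only for destinations
        # that no more specific entry covers.
        return max(matches, key=lambda r: r[0].prefixlen)[1]


def acl_permits(acl, src, dst):
    """IOS-style ACL: the first matching entry decides, implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action == "permit"
    return False


def forward(rib, route_map, src, dst):
    """PBR runs before the RIB on the interface it is applied to: the first
    route-map sequence whose ACL permits the packet sets the next hop; if none
    does, the packet is routed normally. route_map is None on interfaces
    without 'ip policy route-map'."""
    for acl, next_hop in route_map or []:
        if acl_permits(acl, src, dst):
            return next_hop
    return rib.lookup(dst)


def build_core_rib():
    rib = Rib()
    rib.add(PROD_LAN, "connected")
    rib.add(CORP_LAN, GW_DS3)        # specific static route for the office LAN
    rib.add(ANY, GW_PROD_FW)         # default toward the production firewall
    return rib


# Route-map applied only on the VLAN interface facing the DS3 router.
# A bare "office LAN to any" match would steer office->production traffic to
# the corporate firewall, so the ACL first denies that pair; a denied packet
# does not match the sequence and falls through to normal routing.
DS3_POLICY = [
    ([("deny", CORP_LAN, PROD_LAN),
      ("permit", CORP_LAN, ANY)], GW_CORP_FW),
]
NAIVE_DS3_POLICY = [
    ([("permit", CORP_LAN, ANY)], GW_CORP_FW),
]


def demo():
    """Next hop chosen for each constructed flow (sample hosts are made up)."""
    rib = build_core_rib()
    office, prod, internet = "10.1.0.10", "10.2.0.10", "203.0.113.5"
    return {
        # from the office, arriving on the DS3 VLAN (policy applied)
        "office->internet": forward(rib, DS3_POLICY, office, internet),
        "office->prod": forward(rib, DS3_POLICY, office, prod),
        "office->prod (naive)": forward(rib, NAIVE_DS3_POLICY, office, prod),
        # from production, arriving on the production VLAN (no policy)
        "prod->office": forward(rib, None, prod, office),
        "prod->internet": forward(rib, None, prod, internet),
    }


if __name__ == "__main__":
    for flow, hop in demo().items():
        print(f"{flow:22s} -> {hop}")
```

The two results worth noticing: production-to-office traffic reaches the DS3 router through the specific static route alone, with no policy on the production VLAN, which is the reply's point and the answer to question 1; and office-to-internet traffic needs the policy only because the choice of gateway depends on the source, which a destination-only routing table cannot express (question 3). The "naive" row shows why an office-to-production exemption has to precede the catch-all permit when the policy sits on the DS3-facing interface.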