
New Member

Tricky PBR

I have a PBR need that I am a little stumped on. Here is the scenario:

I have a host on the LAN for which I would like to route all internet-bound traffic to a "new" internet circuit, and all LAN-bound traffic via the normal LAN routing. No other hosts on the subnet, just this one host.

host: 10.9.100.25

gateway for LAN: 10.9.100.1

Gateway for Internet: 10.9.200.5

All other LAN subnets: 10/8

So I am stumped on how to change his default route to something else and still route all 10/8 traffic to his LAN GW.

Thank you for any assistance with this.

17 REPLIES

Re: Tricky PBR

Chuck,

Post the PBR - and we can have a look at it?

HTH.

New Member

Re: Tricky PBR

Hi Chuck, a little schematic of your network will help us recommend the right solution.

-serg

New Member

Re: Tricky PBR

Thanks guys,

Here is a logical of the environment, I basically need to change the default route for this one user to the new NAT firewall to go to the new internet, and make sure he can still get to the corporate network.

New Member

Re: Tricky PBR

You can create PBR and attach it to the interface 10.9.100.1.

In the PBR ACL:

 deny 10.0.0.0 0.255.255.255
 permit any

Then set the next hop to the NAT firewall.

HTH..

Ahmed

New Member

Re: Tricky PBR

So the PBR would do the deny or the ACL? I would deny 10.9.100.5 to all 10/8, then the next hop to the NAT firewall?

New Member

Re: Tricky PBR

This statement makes sure the traffic is routed (that's why "deny" is there) to your 10/8 and policy routed (permit any) to the new internet. Should work fine.

-serg

New Member

Re: Tricky PBR

OK, here is exactly what I have, and it is not working at the moment:

ACL:

 10 deny ip host 10.9.100.5 10.0.0.0 0.255.255.255
 20 permit ip host 10.9.100.5 any

Route-map:

route-map Chuck permit 10
 match ip address Chuck
 set ip next-hop 10.9.99.5

Thanks

New Member

Re: Tricky PBR

Did you apply this map to the router interface where your host is connected?

-serg

New Member

Re: Tricky PBR

Yes, had to ask though, right!

interface Vlan100
 ip address 10.9.100.4 255.255.255.0
 ip helper-address 10.9.43.13
 no ip redirects
 ip policy route-map Chuck
 standby 1 ip 10.9.100.1
 standby 1 priority 110
 standby 1 preempt
end

New Member

Re: Tricky PBR

And your ACL is named "Chuck"?

Do you see any hits on the ACL?

New Member

Re: Tricky PBR

The name of the ACL is Chuck, and it is very strange: I see 3 hits on the deny, and none on the permit.

New Member

Re: Tricky PBR

There should be many hits on the ACL, which is why it is strange.

New Member

Re: Tricky PBR

So you are generating traffic to the internet and see no hits on the permit? Can you check on your new firewall whether the traffic makes it there and it allows that host to go out?

Can you connect to the 10/8 network?

What switch are you using?

Can you debug PBR?

New Member

Re: Tricky PBR

Keep in mind that for certain switch types (3750 for example) you cannot use deny statements in PBR ACLs. In this case you have to do an explicit route-map statement and forward the 10/8 traffic to your LAN VLAN interface.
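For platforms like the one described above, where a deny entry in a PBR ACL is not honoured, here is the same policy written with permit-only ACLs and two route-map sequences. This is an added example, not configuration from the thread; it uses the host (10.9.100.25) and firewall (10.9.200.5) addresses from the original question and Chuck's route-map name, and it assumes standard IOS behaviour that a matched permit sequence with no set action forwards the packet by the normal routing table.

```cisco
! Added example, not from the thread. Addresses are the ones given in the
! original question; the route-map name follows Chuck's configuration.
! Both ACLs match the single host only, so other hosts on VLAN 100 are
! never policy routed.
ip access-list extended Chuck-LAN
 permit ip host 10.9.100.25 10.0.0.0 0.255.255.255
!
ip access-list extended Chuck-INET
 permit ip host 10.9.100.25 any
!
! Sequence 10: corporate (10/8) traffic hits a permit clause that carries no
! set action, so it is forwarded by the normal routing table. This replaces
! the "deny" line used on platforms that support denies in PBR ACLs.
route-map Chuck permit 10
 match ip address Chuck-LAN
!
! Sequence 20: everything else from that host goes to the new NAT firewall.
route-map Chuck permit 20
 match ip address Chuck-INET
 set ip next-hop 10.9.200.5
!
interface Vlan100
 ip policy route-map Chuck
```

Check it with show route-map Chuck, which reports policy routing match counters per sequence: LAN-bound test traffic should increment sequence 10 only, and any count on sequence 20 for a 10/8 destination means corporate traffic is being sent to the firewall.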

New Member

Re: Tricky PBR

Thanks, this is working. We had a NAT issue on our FWSM, but that is resolved now and we are surfing out the new internet.

Many Thanks!

New Member

Re: Tricky PBR

Glad it worked - please use rating system ;)

-serg
