01-18-2010 09:17 AM - edited 03-06-2019 09:20 AM
Hey guys,
I have a network with two ways out to the ISP. Currently everyone is going out isp1; the routing statement on my core is this.
ip route 0.0.0.0 0.0.0.0 192.x.x.x 5
I want to send my ip and my ip only out another path .. any suggestions on how to do this as easy as possible? My ip is 10.xx.xx.7
Thanks,
Brent
01-18-2010 09:27 AM
b.rockburn wrote:
Hey guys,
I have a network with two ways out to the ISP. Currently everyone is going out isp1; the routing statement on my core is this.
ip route 0.0.0.0 0.0.0.0 192.x.x.x 5
I want to send my ip and my ip only out another path .. any suggestions on how to do this as easy as possible? My ip is 10.xx.xx.7
Thanks,
Brent
Brent
You have come up with the answer yourself, PBR is the way to go, e.g.
access-list 101 permit ip host
route-map PBR permit 10
match ip address 101
set ip next-hop
int vlan 10 <--- assuming your host is on vlan 10
ip policy route-map PBR
Note that you may need to modify the access-list as this will send ALL your traffic to the ISP2 next-hop. If you want to communicate with other vlans within your LAN you need deny statements first eg.
vlan 10 = 192.168.5.0/24
vlan 11 = 192.168.6.0/24
access-list 101 deny ip host
access-list 101 permit ip host
Jon
01-18-2010 09:40 AM
yeah .. I thought PBR was the way to go .. thanks guys for the quick response on this.
I have only one (for now LOL) follow up question.
If I tell vlan XX interface to use my PBR route map that will send ALL the traffic to ISP 2. I would like to only send my IP address .. and send everyone else out the old ISP.
So if I understand things correctly I do a permit on the ACL for me and a deny ip any any for everyone else. Once anyone else hits the deny IP any any will they then get sent to the old routing statement on the core?
01-18-2010 09:43 AM
b.rockburn wrote:
yeah .. I thought PBR was the way to go .. thanks guys for the quick response on this.
I have only one (for now LOL) follow up question.
If I tell vlan XX interface to use my PBR route map that will send ALL the traffic to ISP 2. I would like to only send my IP address .. and send everyone else out the old ISP.
So if I understand things correctly I do a permit on the ACL for me and a deny ip any any for everyone else. Once anyone else hits the deny IP any any will they then get sent to the old routing statement on the core.
Brent
You don't actually have to do a deny, as if there is no match it will get routed via the routing table anyway. So you can just include your host. The reason I included denies in my example was because your host might need to get to other internal vlans.
The PBR example provided by both Giuseppe and myself will only affect your host's traffic. The rest of the traffic will be routed as normal.
Jon
01-18-2010 10:05 AM
Note that you may need to modify the access-list as this will send ALL your traffic to the ISP2 next-hop. If you want to communicate with other vlans within your LAN you need deny statements first eg.
So if I am reading this correctly once I apply this route map all my traffic will get sent out. So if I want to be able connect to anything on my internal lan I need to deny the necessary subnets?
Like so?
access-list 101 deny ip 10.xx.xx.xx 0.0.15.255 <=== My internal LAN subnet
access-list 101 permit ip host
01-18-2010 10:07 AM
b.rockburn wrote:
Note that you may need to modify the access-list as this will send ALL your traffic to the ISP2 next-hop. If you want to communicate with other vlans within your LAN you need deny statements first eg.
So if I am reading this correctly once I apply this route map all my traffic will get sent out. So if I want to be able connect to anything on my internal lan I need to deny the necessary subnets?
Like so?
access-list 101 deny ip 10.xx.xx.xx 0.0.15.255 <=== My internal LAN subnet
access-list 101 permit ip host
any
Exactly. You must deny traffic from your host that you do not want to be sent to the ISP next-hop.
Jon
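An added example (not code from any poster in this thread) that models the behaviour discussed above: the ACL is evaluated first-match with Cisco wildcard masks, a permit hit is policy-routed to the ISP2 next-hop, and a deny hit or no match falls back to the normal routing table. All addresses are constructed stand-ins for the masked values in the thread, and the deny entry is assumed to be "this host to the internal block".

```python
import ipaddress

def wc_match(addr, base, wildcard):
    """Cisco wildcard match: bits set in the wildcard are 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

# Constructed values (assumptions, not taken from the thread).
HOST = "10.20.16.7"                       # stand-in for 10.xx.xx.7
LAN, LAN_WC = "10.20.16.0", "0.0.15.255"  # covers 10.20.16.0 - 10.20.31.255
ISP1 = "192.0.2.1"                        # default-route next hop
ISP2 = "198.51.100.1"                     # PBR next hop
ANY = ("0.0.0.0", "255.255.255.255")

# Entries are (action, src, src_wildcard, dst, dst_wildcard).
ACL_PERMIT_ONLY = [("permit", HOST, "0.0.0.0", *ANY)]
ACL_DENY_FIRST = [("deny", HOST, "0.0.0.0", LAN, LAN_WC)] + ACL_PERMIT_ONLY

def acl_action(acl, src, dst):
    """First matching entry wins; no match is the implicit deny."""
    for action, s, swc, d, dwc in acl:
        if wc_match(src, s, swc) and wc_match(dst, d, dwc):
            return action
    return "deny"

def forward(acl, src, dst):
    """Return (decision, next_hop) for a packet arriving on the PBR interface."""
    if acl_action(acl, src, dst) == "permit":
        return ("pbr", ISP2)              # route-map match: set ip next-hop
    # Not matched by the route-map: ordinary routing-table lookup.
    if wc_match(dst, LAN, LAN_WC):
        return ("routing-table", "internal")
    return ("routing-table", ISP1)

def demo():
    internal, internet = "10.20.30.5", "203.0.113.50"
    return {
        "host->internet": forward(ACL_DENY_FIRST, HOST, internet),
        "host->internal": forward(ACL_DENY_FIRST, HOST, internal),
        "other->internet": forward(ACL_DENY_FIRST, "10.20.16.8", internet),
        "host->internal, no deny": forward(ACL_PERMIT_ONLY, HOST, internal),
    }

if __name__ == "__main__":
    for flow, result in demo().items():
        print(f"{flow:26} {result}")
```

The last flow shows why the deny line has to come first: with only the permit entry, the host's traffic to internal subnets is also handed to the ISP2 next-hop.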
01-18-2010 09:29 AM
Hello Brent,
your understanding is correct you need to use a route-map in PBR
access-list 1 permit host yourIP
route-map mypbr permit 10
match ip address 1
set ip next-hop isp2-ipaddress
int type x/y
desc interface internal receiving traffic
ip policy route-map mypbr
PBR works on inbound interface intercepting traffic flows
you may need to use an extended ACL if you want to divert traffic only for specific destinations
edit:
sorry Jon I haven't seen your post
Hope to help
Giuseppe
01-18-2010 10:25 AM
Do you guys know how to apply this on a 4500 L3 switch?
It's not taking my "ip policy" command.
My ios is cat4500e-entservicesk9-mz.122-50.SG.bin"
01-18-2010 10:31 AM
b.rockburn wrote:
Do you guys know how to apply this on a 4500 L3 switch?
It's not taking my "ip policy" command.
My ios is cat4500e-entservicesk9-mz.122-50.SG.bin"
You are trying to apply it on the L3 vlan interface ?
If so, what supervisor are you running in your 4500 ?
Jon
01-18-2010 10:34 AM
NAME: "Linecard(slot 3)", DESCR: "Supervisor 6-E 10GE (X2), 1000BaseX (SFP) with 2 10GE X2 ports"
PID: WS-X45-SUP6-E , VID: V02 , SN: JAE1224LNT4
NAME: "Linecard(slot 4)", DESCR: "Supervisor 6-E 10GE (X2), 1000BaseX (SFP) with 2 10GE X2 ports"
PID: WS-X45-SUP6-E , VID: V02 , SN: JAE1224L3JY
This is what I got from my sh inventory
01-18-2010 10:40 AM
b.rockburn wrote:
NAME: "Linecard(slot 3)", DESCR: "Supervisor 6-E 10GE (X2), 1000BaseX (SFP) with 2 10GE X2 ports"
PID: WS-X45-SUP6-E , VID: V02 , SN: JAE1224LNT4
NAME: "Linecard(slot 4)", DESCR: "Supervisor 6-E 10GE (X2), 1000BaseX (SFP) with 2 10GE X2 ports"
PID: WS-X45-SUP6-E , VID: V02 , SN: JAE1224L3JY
This is what I got from my sh inventory
Brent
PBR support was added to the Supervisor 6-E with IOS version 12.2(52)SG so you need to upgrade your IOS to be able to use it as you are currently running 12.2(50)SG.
Jon
01-18-2010 10:52 AM
There seem to be some issues bug wise with that IOS so I'm thinking of upgrading to 122-53.SE1
01-18-2010 10:58 AM
b.rockburn wrote:
There seem to be some issues bug wise with that IOS so I'm thinking of upgrading to 122-53.SE1
No problem. As long as it is past 12.2(52)SG you should be fine.
Jon