Cisco Support Community
New Member

PBR 2821 2ISP

Hi, I have a 2821 and 2 ISPs. I want networks 10.10.60.0 - 10.10.61.0 to go over ISP 1, and everything else over ISP 2. That works! But with this configuration, routing between the networks does not work. For example: 10.10.60.0 does not route to 10.10.10.0, and 10.10.10.0 does not route to 10.10.18.0.

Can you help me fix it?

My config:

!
interface GigabitEthernet0/0.4
 encapsulation dot1Q 4
 ip address 10.10.4.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip policy route-map univer
 no cdp enable
!
interface GigabitEthernet0/0.18
 encapsulation dot1Q 18
 ip address 10.10.18.254 255.255.255.0
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip policy route-map univer
!
interface GigabitEthernet0/0.60
 encapsulation dot1Q 60
 ip address 10.10.60.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip policy route-map sety
!
interface GigabitEthernet0/1.1
 encapsulation dot1Q 102
 ip address 92.255.YYY.130 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone-sety
!
interface GigabitEthernet0/1.2
 encapsulation dot1Q 101
 ip address 195.70.XXX.68 255.255.255.240
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 195.70.YYY.65
ip route 0.0.0.0 0.0.0.0 92.255.XX.129
ip route 10.10.0.0 255.255.0.0 10.10.4.1
ip nat inside source route-map sety interface GigabitEthernet0/1.1 overload
ip nat inside source route-map univer interface GigabitEthernet0/1.2 overload
!
ip access-list standard ForSety
 permit 10.10.60.0 0.0.0.255
 permit 10.10.61.0 0.0.0.255
ip access-list standard ForUniver
 permit 0.0.0.0 10.10.59.255
 permit 10.10.70.0 0.0.185.255
!
route-map univer permit 10
 match ip address ForUniver
 set interface GigabitEthernet0/1.2
!
route-map sety permit 10
 match ip address ForSety
 set interface GigabitEthernet0/1.1
!

Accepted Solution
Blue

Re: PBR 2821 2ISP

Sun:

PBR is source-based routing, right?

So, your route maps are forcing all traffic from the source networks to take the next hop you've assigned, regardless of the destination. All source traffic that matches the ACL for the route map is going to take that next hop, which is not what you want for local inter-subnet/vlan routing. You want "normal" destination-based routing for such traffic.

You need to do two things:

1.) Use extended ACLs in your route maps that define more specific flows and include "deny" statements for traffic sourced from one subnet and headed toward another.

Example: access-list 110 deny 10.10.60.0 0.0.0.255 10.10.18.0 0.0.0.255

This will exclude such traffic from the policy set forth in the route map and allow for normal destination-based routing.

2.) Fix the ACL called "ForUniver". For one thing, there's no such thing as a ".185" octet in a wildcard mask. And what is the story with that first statement?

HTH

Victor
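A complete version of the two changes Victor describes, as an added example that is not part of the original thread: extended ACLs that first deny any packet whose destination lies inside 10.10.0.0/16 (so inter-VLAN traffic falls through to the routing table) and then permit the intended source networks, together with the two route-maps. Subnets, VLAN subinterfaces, ACL and route-map names are the ones from the post; the next-hop addresses reuse the post's redacted placeholders (195.70.YYY.65 for ISP 2 on Gi0/1.2, 92.255.XX.129 for ISP 1 on Gi0/1.1) and are assumptions, as is the choice of `set ip next-hop` over the post's `set interface`.

```cisco
! Added example, not the thread's own configuration.
! Next-hop addresses are the post's redacted placeholders (assumed).
!
! ISP 1 ("sety"): 10.10.60.0/24 and 10.10.61.0/24 go to ISP 1,
! except when the destination is itself inside 10.10.0.0/16.
! 10.10.60.0 0.0.1.255 covers 10.10.60.0 - 10.10.61.255.
ip access-list extended ForSety
 remark local destinations: fall through to normal routing
 deny   ip 10.10.60.0 0.0.1.255 10.10.0.0 0.0.255.255
 remark everything else from these two subnets -> ISP 1
 permit ip 10.10.60.0 0.0.1.255 any
!
! ISP 2 ("univer"): every other 10.10.x.x source goes to ISP 2,
! again with local destinations excluded from the policy.
ip access-list extended ForUniver
 remark local destinations: fall through to normal routing
 deny   ip 10.10.0.0 0.0.255.255 10.10.0.0 0.0.255.255
 remark the two ISP 1 subnets never belong to this policy
 deny   ip 10.10.60.0 0.0.1.255 any
 remark all remaining 10.10.0.0/16 sources -> ISP 2
 permit ip 10.10.0.0 0.0.255.255 any
!
route-map sety permit 10
 match ip address ForSety
 set ip next-hop 92.255.XX.129
!
route-map univer permit 10
 match ip address ForUniver
 set ip next-hop 195.70.YYY.65
!
! The "ip policy route-map" lines already on Gi0/0.4, Gi0/0.18 and
! Gi0/0.60, and the "ip nat inside source route-map" statements,
! stay as they are; they pick up the new ACL contents by name.
```

A `deny` entry in a PBR match ACL does not drop the packet: it only keeps the packet from matching that route-map sequence, and since there is no other sequence the packet is routed by the normal routing table (the connected 10.10.x.x subnets and the 10.10.0.0/16 static route). The same ACLs also feed the NAT route-maps; the added deny entries only affect inside-to-inside flows, which NAT never translates, so outbound translation is unchanged. `set ip next-hop` is used instead of `set interface` because `set interface` on a multi-access Ethernet subinterface makes the router ARP for every destination address and depends on the ISP router answering with proxy ARP. Verify with `show route-map univer` / `show route-map sety` (the match counters must increase for Internet-bound traffic and stay flat for inter-VLAN traffic), `show ip policy`, and, on a test flow only, `debug ip policy`.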


New Member

Re: PBR 2821 2ISP

Hi Victor.

Thank you for your help. Everything works.

I do not understand your question:

"And what is the story with that first statement?"

Hall of Fame Super Gold

Re: PBR 2821 2ISP

I had much the same question about this statement in your access list:

permit 0.0.0.0 10.10.59.255

HTH

Rick

New Member

Re: PBR 2821 2ISP

Works

Blue

Re: PBR 2821 2ISP

Great. I'm glad I was able to help you.

Thanks for the rating, too.

Victor

New Member

Re: PBR 2821 2ISP

I can imagine the thought process behind the ForUniver ACL even if it's not valid (0.0.0.0 to 10.10.59.255, and 10.10.70.0 and everything higher, since 70+185 is 255).

But it should be

deny 10.10.60.0 0.0.0.255

deny 10.10.61.0 0.0.0.255

permit any
