
Policy-Based Routing Newbie.

Hello all!,

I'm a CCNA guy, but at my job we've got BGP with two different ISPs: Cogent and Transtelco. The thing is that I'm not so familiar with BGP, but we need to implement PBR on our BGP connection.

I attached a simple diagram for your reference.

My intention is to make it possible for one of my LAN subnets, 201.158.105.X/28, to go through the Transtelco connection while my other subnets go through Cogent.

So I did some research about this and found the route-map solution and so on. Here is a little configuration that I made, and I want to know if I'm going the right way or if I'm missing something:

_________________________________________________

MyCompany-Router(config)# access-list 100 permit tcp 201.158.105.X 0.0.0.15 201.174.78.X 0.0.0.3
MyCompany-Router(config)# access-list 100 permit ip 201.158.105.X 0.0.0.15 201.174.78.X 0.0.0.3
MyCompany-Router(config)# access-list 100 permit udp 201.158.105.X 0.0.0.15 201.174.78.X 0.0.0.3

MyCompany-Router(config)# route-map Transtelco-Clients 10
MyCompany-Router(config-route-map)# match ip address 100
MyCompany-Router(config-route-map)# set ip next-hop 201.174.78.X

MyCompany-Router(config)# int Gi0/0/0
MyCompany-Router(config-if)# ip policy route-map Transtelco-Clients

_________________________________________________

 

I hope you experts can help me figure it out, and that this can help me get my CCNP certification over the next year.

Thanks in advance,

Ricardo Zamora.

1 Accepted Solution

Accepted Solutions

ghostinthenet
Level 7

That looks pretty good, but I think you might want to simplify your ACL 100 and make it a bit more generic.

Right now, you have it matching TCP, UDP and IP. When you match IP, that includes TCP and UDP packets, so there's no need to have them in there separately.

Also, you're matching a destination of 201.174.78.X/30 which is also the destination of your next hop router. This ACL will work, but will only match traffic that is actually trying to reach your ISP router and will route everything else normally.

If you go with something like this:

access-list 100 permit ip 201.158.105.x 0.0.0.15 any

That will cover all traffic coming from your 201.158.105.x/28 network with any destination and force it to next hop 201.174.78.x.

The route map looks good, it's just the ACL that needs a bit of tweaking.


8 Replies

This is almost correct, but what about traffic that is not matched by ACL 100?

Add the following line, without any match or set command, to your configuration to route other traffic (not matched by ACL 100) normally:

 

MyCompany-Router(config)# route-map Transtelco-Clients 20

 

Houtan

That "route-map Transtelco-Clients 20" isn't really going to do anything, Houtan.

If Ricardo leaves his route map as-is, anything not matched will be routed normally. The default no-match action for a route map is to deny it, so anything that doesn't hit his "route-map Transtelco-Clients 10" match statement will fall out of the route map and won't be considered for PBR. When this happens, normal routing takes over. By adding "route-map Transtelco-Clients 20", you're matching all packets to the PBR rule but not setting any action... dropping things back to normal routing, but adding unnecessary processing beforehand.

Hello Jody,

I was wondering to myself last night if it is possible for the route-map to be for a specific host, let's say 201.158.105.13/32, instead of an entire subnet. I mean, just to know if it could be a possibility for PBR.

Thanks.

Absolutely. PBR is extremely flexible that way. Just change your ACL to something like this:

access-list 100 permit ip host 201.158.105.13 any

This will match only the host in the ACL and let everything else fall to standard routing.
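As an added illustration (not code from the thread or from Cisco), the small Python model below applies IOS wildcard-mask matching and first-match route-map evaluation to the three ACL variants discussed above (Ricardo's original three-line ACL limited to the ISP /30, the one-line "any" version, and the single-host version) and to the route map with and without an empty sequence 20, showing why unmatched packets fall to normal routing either way. The next-hop address, packet addresses and host octets are constructed sample values; only the /28 and /30 prefixes come from the thread.

```python
import ipaddress

# Constructed sample data (not from the thread): next hop, packets and host octets
# are made up; the /28 and /30 prefixes are the ones the thread discusses.
NEXT_HOP = "201.174.78.1"
ANY = ("0.0.0.0", "255.255.255.255")  # the IOS keyword 'any'

# Ricardo's original ACL 100: tcp, ip and udp lines, destination limited to the ISP /30.
ORIGINAL_ACL = [(p, "201.158.105.0", "0.0.0.15", "201.174.78.0", "0.0.0.3")
                for p in ("tcp", "ip", "udp")]
REVISED_ACL = [("ip", "201.158.105.0", "0.0.0.15", *ANY)]   # Jody's one-line version
HOST_ACL = [("ip", "201.158.105.13", "0.0.0.0", *ANY)]      # single-host variant

# Route maps as ordered permit sequences; sequence 20 has neither match nor set.
RICARDO_MAP = [{"seq": 10, "match_acl": True, "next_hop": NEXT_HOP}]
HOUTAN_MAP = RICARDO_MAP + [{"seq": 20}]

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    return (a & care) == (b & care)

def ace_matches(ace, pkt):
    """One ACE as (proto, src, src_wc, dst, dst_wc); 'ip' covers every protocol."""
    proto, src, src_wc, dst, dst_wc = ace
    if proto != "ip" and proto != pkt["proto"]:
        return False
    return wildcard_match(pkt["src"], src, src_wc) and wildcard_match(pkt["dst"], dst, dst_wc)

def pbr_decision(route_map, acl, pkt):
    """First permit sequence whose match succeeds decides. A sequence with no match
    clause matches everything; no 'set ip next-hop' (or falling out of the map)
    means the packet is routed normally."""
    for seq in route_map:
        if not seq.get("match_acl") or any(ace_matches(a, pkt) for a in acl):
            return seq.get("next_hop", "normal")
    return "normal"

def demo():
    """Decisions for three constructed packets, from inside and outside the /28."""
    inside_to_net = {"proto": "tcp", "src": "201.158.105.5", "dst": "203.0.113.10"}
    inside_to_isp = {"proto": "udp", "src": "201.158.105.5", "dst": "201.174.78.2"}
    outside = {"proto": "tcp", "src": "201.158.105.20", "dst": "203.0.113.10"}
    return {"original_net": pbr_decision(RICARDO_MAP, ORIGINAL_ACL, inside_to_net),
            "original_isp": pbr_decision(RICARDO_MAP, ORIGINAL_ACL, inside_to_isp),
            "revised_net": pbr_decision(RICARDO_MAP, REVISED_ACL, inside_to_net),
            "revised_outside": pbr_decision(RICARDO_MAP, REVISED_ACL, outside),
            "houtan_outside": pbr_decision(HOUTAN_MAP, REVISED_ACL, outside),
            "host_only": pbr_decision(RICARDO_MAP, HOST_ACL, inside_to_net)}
```

Running demo() shows the original ACL only diverts traffic whose destination is the ISP /30, the revised ACL diverts everything from the /28, and the empty sequence 20 changes no decision.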

Hello Jody & Houtan, thank you first of all.

I will do some labs with this configuration. I'm happy because I'm not so bad at routing (:

Ciao!


John Blakley
VIP Alumni

Currently, the acl allows for the 201.158.105.0/28 to be policy routed only if the destination is 201.174.78.0/30. Is this what you're wanting? If so, I wouldn't change the acl outside of potentially removing udp and tcp from the acl if you're going to send all ip through it anyway.

If you're wanting to send all traffic from the 201.158.105.0 subnet to the next hop, you should change to what Jody stated. I would caution though that if you're only wanting to send traffic to the next hop when it matches those destination addresses, do not add what Jody has stated because that affects all traffic sourced from that subnet.

 

*Edit*

I didn't see the attachment before replying. Jody's response will work for what you're wanting to do now that I see the one leg is your ISP.

HTH,

John


Hello John,

What I want is for all traffic sourced from the subnet 201.158.105.0/28 to go through the Transtelco interface of my router.

I hope this explanation clarifies your doubts.

Thanks :).
