Questions on PBR

chengsh832478
Level 1

Hi all,

There is 1 HQ and several small sites for my company. Web access is only possible in HQ. I am using a 2801 router to route packets between HQ and the small sites.

As shown in the attached config file of the 2801, fe0/0 is connected to my ISP through a 3Mbps fat pipe, and fe0/1 is connected to the local LAN (10.1.1.0/24) located at HQ. Other LANs such as 10.1.3.0, 10.1.5.0 and 10.1.6.0 are the local LANs of the small sites.

The problem is I don't really understand the ACL/PBR that is set in this config file. Could someone explain to me what the routing looks like?

Thanks in advance!

mohammedmahmoud
Level 11

Hi,

Just as an intro to PBR: PBR is used to force policy routing rather than normal routing using the routing table; packets that fail to be policy routed fall back to normal routing using the routing table.

Your PBR applies to the input traffic on FastEthernet0/1. (Note that PBR is always applied to the incoming traffic and can never be applied to the outgoing traffic, which is logical, as you need to decide how to route a packet when it arrives at the router.) Any traffic matching in the access-list is policy routed, while unmatched traffic is routed normally using the routing table and your static routes.

Looking at the configuration, each entry with deny in the ACL will not be policy routed; it will be routed normally via the routing table (likewise, every packet that is implicitly denied by not being permitted will not be policy routed and will be routed via normal routing using the routing table), and each entry that matches in the ACL will be policy routed using the respective next-hop from the route-map.

!
interface FastEthernet0/1
 description HQ LAN Network
 ip address 10.1.1.254 255.255.255.0
 ip policy route-map RouteSet1
 duplex auto
 speed auto
!
access-list 100 deny ip host 10.1.1.5 10.1.5.0 0.0.0.255
access-list 100 deny ip host 10.1.1.5 10.1.6.0 0.0.0.255
access-list 100 deny ip host 10.1.1.5 10.1.2.0 0.0.0.255
access-list 100 deny ip host 10.1.1.5 10.1.3.0 0.0.0.255
access-list 100 deny ip host 10.1.1.10 10.1.5.0 0.0.0.255
access-list 100 deny ip host 10.1.1.10 10.1.6.0 0.0.0.255
access-list 100 deny ip host 10.1.1.10 10.1.2.0 0.0.0.255
access-list 100 deny ip host 10.1.1.10 10.1.3.0 0.0.0.255
access-list 100 permit ip host 10.1.1.5 any
access-list 100 permit ip host 10.1.5.5 any
access-list 100 permit ip host 10.1.1.10 any
access-list 101 deny ip any 10.1.1.0 0.0.0.255
access-list 101 deny ip any 10.1.2.0 0.0.0.255
access-list 101 deny ip any 10.1.3.0 0.0.0.255
access-list 101 deny ip any 10.1.6.0 0.0.0.255
access-list 101 permit ip host 10.1.5.5 any
!
route-map RouteSet2 permit 20
 match ip address 101
 set ip next-hop 10.1.1.11
!
route-map RouteSet1 permit 10
 match ip address 100
 set ip next-hop 10.1.1.11
!

HTH, please do rate all helpful replies,

Mohammed Mahmoud.
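To make the evaluation order described in the reply above concrete, here is an added worked example (written for this page; it is not code from the thread, from Cisco, or from the 2801's IOS). It is a small Python model of how IOS walks a `ip policy route-map`: route-map sequences in order of sequence number, each `match ip address` ACL evaluated top-down with first-match-wins and an implicit deny at the end, where a deny ACE (or the implicit deny) only means "this sequence does not match" and the packet falls back to the routing table if no permit sequence matches. The ACLs and route-maps are copied from the posted config; the test packets and the destination 203.0.113.10 (standing in for any Internet address) are constructed. The model does not simulate what happens when the next-hop 10.1.1.11 itself is down, and it ignores the interface the packet arrived on, so it is up to you to remember that in the posted excerpt only RouteSet1 is applied (to fe0/1) and RouteSet2 is defined but not attached to any interface.

```python
import ipaddress

# Copied from the configuration in the post (PBR-relevant lines only).
CONFIG = """
access-list 100 deny ip host 10.1.1.5 10.1.5.0 0.0.0.255
access-list 100 deny ip host 10.1.1.5 10.1.6.0 0.0.0.255
access-list 100 deny ip host 10.1.1.5 10.1.2.0 0.0.0.255
access-list 100 deny ip host 10.1.1.5 10.1.3.0 0.0.0.255
access-list 100 deny ip host 10.1.1.10 10.1.5.0 0.0.0.255
access-list 100 deny ip host 10.1.1.10 10.1.6.0 0.0.0.255
access-list 100 deny ip host 10.1.1.10 10.1.2.0 0.0.0.255
access-list 100 deny ip host 10.1.1.10 10.1.3.0 0.0.0.255
access-list 100 permit ip host 10.1.1.5 any
access-list 100 permit ip host 10.1.5.5 any
access-list 100 permit ip host 10.1.1.10 any
access-list 101 deny ip any 10.1.1.0 0.0.0.255
access-list 101 deny ip any 10.1.2.0 0.0.0.255
access-list 101 deny ip any 10.1.3.0 0.0.0.255
access-list 101 deny ip any 10.1.6.0 0.0.0.255
access-list 101 permit ip host 10.1.5.5 any
route-map RouteSet2 permit 20
 match ip address 101
 set ip next-hop 10.1.1.11
!
route-map RouteSet1 permit 10
 match ip address 100
 set ip next-hop 10.1.1.11
!
"""


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def wildcard_match(addr, base, wildcard):
    # Cisco wildcard mask: a 1 bit means "don't care", so compare only the 0 bits.
    care = 0xFFFFFFFF & ~_ip(wildcard)
    return (_ip(addr) & care) == (_ip(base) & care)


def _parse_spec(tok, i):
    # Source/destination spec of a numbered extended ACL: any | host A | A WILDCARD
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2


def parse_config(text):
    """Return ({acl_number: [(action, src, dst), ...]}, {map_name: [sequence, ...]})."""
    acls, maps, seq = {}, {}, None
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "access-list" and len(tok) > 4 and tok[3] == "ip":
            src, i = _parse_spec(tok, 4)
            dst, _ = _parse_spec(tok, i)
            acls.setdefault(tok[1], []).append((tok[2], src, dst))
        elif tok[0] == "route-map":
            seq = {"seq": int(tok[3]), "action": tok[2], "acls": [], "next_hop": None}
            maps.setdefault(tok[1], []).append(seq)
        elif seq is not None and tok[:3] == ["match", "ip", "address"]:
            seq["acls"] += tok[3:]
        elif seq is not None and tok[:3] == ["set", "ip", "next-hop"]:
            seq["next_hop"] = tok[3]
        elif tok[0] == "!":
            seq = None
    return acls, maps


def acl_permits(acls, number, src, dst):
    # First matching ACE wins; the implicit deny at the end catches everything else.
    for action, (sb, sw), (db, dw) in acls.get(number, []):
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action == "permit"
    return False


def policy_route(acls, maps, map_name, src, dst):
    """Next hop the packet is policy-routed to, or None for normal routing.

    Sequences are tried in order. A sequence matches when one of its ACLs
    permits the packet; a deny ACE (or the implicit deny) only means this
    sequence does not match and the next one is tried. A sequence without a
    match clause matches everything. No matching permit sequence means the
    packet falls back to the routing table.
    """
    for entry in sorted(maps.get(map_name, []), key=lambda e: e["seq"]):
        matched = not entry["acls"] or any(
            acl_permits(acls, n, src, dst) for n in entry["acls"])
        if not matched:
            continue
        return entry["next_hop"] if entry["action"] == "permit" else None
    return None


ACLS, MAPS = parse_config(CONFIG)

if __name__ == "__main__":
    # Constructed packets entering fe0/1; 203.0.113.10 stands in for the Internet.
    for src, dst in [("10.1.1.5", "10.1.5.7"), ("10.1.1.5", "203.0.113.10"),
                     ("10.1.1.20", "203.0.113.10")]:
        nh = policy_route(ACLS, MAPS, "RouteSet1", src, dst)
        print(f"{src} -> {dst}: {'next-hop ' + nh if nh else 'routing table'}")
```

Running it shows the practical effect of RouteSet1 on fe0/1: 10.1.1.5 and 10.1.1.10 are steered to 10.1.1.11 for everything except the four internal site ranges, while any other HQ host (10.1.1.20 in the constructed case) hits the implicit deny and is routed by the routing table. If 10.1.1.11 is meant to be a mandatory path (a proxy or filter), that bypass for unlisted hosts is the first thing to check; the `permit ip host 10.1.5.5 any` entry in ACL 100 only ever takes effect if a packet with that source actually arrives on fe0/1.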
