05-28-2007 10:49 PM - edited 03-03-2019 05:11 PM
Hi all,
There is 1 HQ and several small sites in my company. Web access is only possible at HQ. I am using a 2801 router to route packets between HQ and the small sites.
As shown in the attached config file of the 2801, fe0/0 is connected to my ISP through a 3Mbps fat pipe, and fe0/1 is connected to the local LAN (10.1.1.0/24) located at HQ. Other LANs such as 10.1.3.0, 10.1.5.0, 10.1.6.0 are local LANs of the small sites.
The problem is I don't really understand the ACL/PBR that is set in this config file. Could someone explain to me what the routing looks like?
Thanks in advance!
05-28-2007 11:39 PM
Hi,
Just as an intro to PBR: PBR is used to force policy routing rather than normal routing using the routing table; packets that fail to be policy routed will fall back to normal routing using the routing table.
Your PBR applies to the input traffic on FastEthernet0/1. Note that PBR is always applied to incoming traffic (and can never be applied to outgoing traffic), which is logical, as you need to decide how to route a packet when it arrives at the router. Any traffic matching in the access-list is policy routed, while unmatched traffic is routed normally using the routing table and your static routes.
When looking at the configuration, each entry with deny in the ACL will not be policy routed; it will be routed normally via the routing table (also, every packet that is implicitly denied by not being permitted will not be policy routed, and will be routed via normal routing using the routing table), and each entry that matches in the ACL will be policy routed using the respective next-hop from the route-map.
!
interface FastEthernet0/1
 description HQ LAN Network
 ip address 10.1.1.254 255.255.255.0
 ip policy route-map RouteSet1
 duplex auto
 speed auto
!
access-list 100 deny ip host 10.1.1.5 10.1.5.0 0.0.0.255
access-list 100 deny ip host 10.1.1.5 10.1.6.0 0.0.0.255
access-list 100 deny ip host 10.1.1.5 10.1.2.0 0.0.0.255
access-list 100 deny ip host 10.1.1.5 10.1.3.0 0.0.0.255
access-list 100 deny ip host 10.1.1.10 10.1.5.0 0.0.0.255
access-list 100 deny ip host 10.1.1.10 10.1.6.0 0.0.0.255
access-list 100 deny ip host 10.1.1.10 10.1.2.0 0.0.0.255
access-list 100 deny ip host 10.1.1.10 10.1.3.0 0.0.0.255
access-list 100 permit ip host 10.1.1.5 any
access-list 100 permit ip host 10.1.5.5 any
access-list 100 permit ip host 10.1.1.10 any
access-list 101 deny ip any 10.1.1.0 0.0.0.255
access-list 101 deny ip any 10.1.2.0 0.0.0.255
access-list 101 deny ip any 10.1.3.0 0.0.0.255
access-list 101 deny ip any 10.1.6.0 0.0.0.255
access-list 101 permit ip host 10.1.5.5 any
route-map RouteSet2 permit 20
 match ip address 101
 set ip next-hop 10.1.1.11
!
route-map RouteSet1 permit 10
 match ip address 100
 set ip next-hop 10.1.1.11
!
HTH, please do rate all helpful replies,
Mohammed Mahmoud.
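The first-match evaluation described in the reply above, as an added example that is not part of the original thread: a small Python model of ACL 100 and route-map RouteSet1 that reports whether a packet arriving on FastEthernet0/1 is sent to next hop 10.1.1.11 or left to the routing table. The function names are constructed for illustration, and the model covers only the `ip` entries with `host`, `any` and wildcard-mask forms that appear in the posted config.

```python
import ipaddress

# ACL 100 as posted in the reply above; RouteSet1 sets next-hop 10.1.1.11 on a match.
ACL_100 = """\
deny ip host 10.1.1.5 10.1.5.0 0.0.0.255
deny ip host 10.1.1.5 10.1.6.0 0.0.0.255
deny ip host 10.1.1.5 10.1.2.0 0.0.0.255
deny ip host 10.1.1.5 10.1.3.0 0.0.0.255
deny ip host 10.1.1.10 10.1.5.0 0.0.0.255
deny ip host 10.1.1.10 10.1.6.0 0.0.0.255
deny ip host 10.1.1.10 10.1.2.0 0.0.0.255
deny ip host 10.1.1.10 10.1.3.0 0.0.0.255
permit ip host 10.1.1.5 any
permit ip host 10.1.5.5 any
permit ip host 10.1.1.10 any
"""
NEXT_HOP = "10.1.1.11"

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def take_spec(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard) ints."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return to_int(tokens.pop(0)), 0
    return to_int(first), to_int(tokens.pop(0))

def parse_acl(text):
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        action = tokens.pop(0)
        tokens.pop(0)  # protocol keyword, always "ip" in this ACL
        entries.append((action, take_spec(tokens), take_spec(tokens)))
    return entries

def hit(addr, spec):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF  # wildcard bits set to 1 are "don't care"
    return (addr & care) == (base & care)

def pbr_next_hop(src, dst, entries=parse_acl(ACL_100)):
    """Return the policy next hop, or None when the routing table decides."""
    for action, src_spec, dst_spec in entries:  # first matching entry wins
        if hit(to_int(src), src_spec) and hit(to_int(dst), dst_spec):
            return NEXT_HOP if action == "permit" else None
    return None  # implicit deny: not policy routed
```

Calling `pbr_next_hop("10.1.1.5", "10.1.5.20")` returns `None` because the deny entry for 10.1.5.0 is reached before the `permit ... any` entry for the same host.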