PBR Questions.
Hi guys/gals,
I'm using PBR and creating an ACL to pass interesting traffic one way and all other traffic another way. If I permit the interesting traffic one way and want all other traffic another way, shouldn't my extended ACL have a permit ip any any statement below my interesting traffic entry? I know, dumb question, but thanks in advance.
Example:
ip access-list extended 101
 permit tcp any any eq ftp
 permit ip any any
Then I'm going to create a route map, obviously, to make the matched traffic go one way and the non-matched traffic another. Do I have to explicitly say in my map that the non-matched traffic goes another way, or will the traffic know to go the other way because it's not being matched?
Cheers.
Practice, Practice, and more Practice make Perfection.....
Comments
Monkerz:
No, only the interesting traffic will be identified in the ACL.
Your first route map statement will match the ACL and set the next hop. The second route map statement will only have a command to set next hop.
The second route map statement will permit all other traffic.
ColbyG:
You're permitting traffic to be PBRed, so you don't want that permit any at the bottom.

Tommy2727:
Thanks all, did a GNS3 lab and don't need any any.
Cheers.
Panzer919:
The PBR statement should read something like this:
ip access-list extended PBR
 permit tcp any any eq ftp ftp-data
!
route-map PBR-FTP permit 10
 match ip address PBR
 set ip next-hop (next hop IP)
!
route-map PBR-FTP permit 20
!
Then apply this on the aggregate interface so that the policy can be enforced.
The 10 list sets the next hop for any matching traffic; the 20 list matches anything else and will follow your routing scheme.

Cisco Brat Blog
I think "very senior" gets stuck in there because the last six yahoos that applied for the position couldn't tell a packet from a Snickers bar.
Luck is where opportunity and proper planning meet
I have not failed. I've just found 10,000 ways that won't work.
Thomas A. Edison
ColbyG:
Been a little while since I played with PBR, but I don't think you'll need a permit at the bottom of the route-map. Anything denied by the ACL/route-map should be routed normally, not dropped. Worth labbing it to test, but I'm 90% sure that's how it works.

Panzer919:
> Been a little while since I played with PBR, but I don't think you'll need a permit at the bottom of the route-map. Anything denied by the ACL/route-map should be routed normally, not dropped. Worth labbing it to test, but I'm 90% sure that's how it works.
It is like an ACL: if there is no match the packet will be dropped. I even double-checked and this confirmed it.
ColbyG:
It sounds like you're referring to route-map behavior, not PBR behavior specifically. From your link, page 182:
> Step 4 If the route map has a deny statement, normal forwarding is used, as specified in the route/forwarding table. The set statements will not be applied to the packet.
> Step 5 At the end of all the route map instances, an implicit route map will deny all packets. If the packet has not found a match in the previous route map instances, the packet will hit the implicit deny route map instance. When this occurs, the packet will be forwarded by the router following the normal route table.
According to your link, I'm right. :)
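The route-map semantics quoted above (a permit clause applies its set and stops; a deny clause, or the implicit deny at the end of the route-map, falls back to the routing table rather than dropping) and Panzer919's two-clause configuration can be checked without a router. The Python below is an added example written for this thread; it is not IOS code and not from any of the posters. It is a simplified model: ACL entries match on protocol and destination port only (no source/destination prefixes, no 'set ip default next-hop'), the next-hop address 10.0.0.2 is made up, and the sample packets are constructed for the example. Running it shows why the original post's 'permit ip any any' would send every packet, not just FTP, to the policy next hop, while the FTP-only ACL leaves everything else on the normal route table.

```python
"""Toy model of IOS route-map evaluation for PBR (added example, not IOS code)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None     # destination port, None for non-TCP/UDP


@dataclass(frozen=True)
class AclEntry:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches any protocol, as in IOS
    dport: Optional[int] = None     # None = any port; an int models 'eq <port>'


def acl_permits(acl: list[AclEntry], pkt: Packet) -> bool:
    """Scan top-down; the first matching entry decides. No match = implicit deny."""
    for e in acl:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action == "permit"
    return False


@dataclass(frozen=True)
class RouteMapClause:
    seq: int
    action: str                             # "permit" or "deny"
    match_acl: Optional[list[AclEntry]]     # None = no 'match' line: matches every packet
    next_hop: Optional[str] = None          # 'set ip next-hop', if present


NORMAL = "normal-routing"   # forwarded by the routing table, i.e. not policy routed


def pbr_next_hop(route_map: list[RouteMapClause], pkt: Packet) -> str:
    """Return the PBR next hop for pkt, or NORMAL if it falls back to the route table."""
    for clause in sorted(route_map, key=lambda c: c.seq):
        if clause.match_acl is not None and not acl_permits(clause.match_acl, pkt):
            continue                        # no match: try the next sequence number
        if clause.action == "deny":
            return NORMAL                   # step 4: deny clause -> normal forwarding, set ignored
        return clause.next_hop or NORMAL    # permit: apply set; permit with no set -> normal
    return NORMAL                           # step 5: implicit deny at the end -> normal forwarding


FTP, FTP_DATA, SSH = 21, 20, 22
NEXT_HOP = "10.0.0.2"       # hypothetical policy next hop, made up for this example

# ACL as written in the original post: interesting traffic plus 'permit ip any any'
ACL_WITH_PERMIT_ANY = [
    AclEntry("permit", "tcp", FTP),
    AclEntry("permit", "ip"),
]

# ACL as Panzer919 posted it: only the interesting traffic, implicit deny for the rest
ACL_FTP_ONLY = [
    AclEntry("permit", "tcp", FTP),
    AclEntry("permit", "tcp", FTP_DATA),
]


def route_map_pbr_ftp(acl: list[AclEntry]) -> list[RouteMapClause]:
    """route-map PBR-FTP: seq 10 matches the ACL and sets a next hop, seq 20 catches all."""
    return [
        RouteMapClause(10, "permit", acl, NEXT_HOP),
        RouteMapClause(20, "permit", None),     # no match, no set: everything else routes normally
    ]


# Constructed sample packets; addresses are documentation ranges, not real hosts.
SAMPLE = {
    "ftp":      Packet("tcp", "192.0.2.10", "198.51.100.5", FTP),
    "ftp-data": Packet("tcp", "192.0.2.10", "198.51.100.5", FTP_DATA),
    "ssh":      Packet("tcp", "192.0.2.10", "198.51.100.5", SSH),
    "icmp":     Packet("icmp", "192.0.2.10", "198.51.100.5"),
}


def evaluate(acl: list[AclEntry]) -> dict[str, str]:
    """Map each sample packet name to where PBR sends it under the given ACL."""
    rm = route_map_pbr_ftp(acl)
    return {name: pbr_next_hop(rm, pkt) for name, pkt in SAMPLE.items()}


if __name__ == "__main__":
    print("ACL with 'permit ip any any':", evaluate(ACL_WITH_PERMIT_ANY))
    print("FTP-only ACL:                ", evaluate(ACL_FTP_ONLY))
```

The model also lets you confirm the two points ColbyG quoted: a deny clause placed before sequence 10 pulls matching packets out of PBR entirely (normal forwarding, no drop), and a route-map with only sequence 10 gives unmatched traffic the same treatment as Panzer919's empty sequence 20, because the implicit deny at the end means normal forwarding rather than a drop.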
Panzer919:
> It sounds like you're referring to route-map behavior, not PBR behavior specifically. From your link, page 182:
> According to your link, I'm right. :)
My bad, I re-read the thread and saw where I missed that; my fault for reading this and working at the same time.