Velocity Reviews - Computer Hardware Reviews

policy based routing

eduke
11-04-2005
Hi

Is it possible to route traffic from one interface only to routes that
are advertised to the router with BGP protocol? For example suppose that
"sh ip route" output is like this:

B 1.1.1.0/24 [200/1] via 4.4.4.4, 1d20h
B 2.2.2.0/24 [200/1] via 4.4.4.4, 4d15h
B 3.3.3.0/24 [200/0] via 4.4.4.4, 3d21h
S* 0.0.0.0/0 [1/0] via 5.5.5.5

What I would like to set up is, if the client on interface FE0/0 wants
to go to networks 1.1.1.0/24, 2.2.2.0/24, 3.3.3.0/24 his traffic would
be routed. But if he tries to go somewhere else (destination network is
in this case 0.0.0.0) the packets would be dropped.

What kind of match rule should I use???

Thanks for help

Igor

Andy Furnell
11-04-2005
On 2005-11-04, eduke <(E-Mail Removed)> wrote:
> Hi
>
> Is it possible to route traffic from one interface only to routes that
> are advertised to the router with BGP protocol? For example suppose that
> "sh ip route" output is like this:
>
> B 1.1.1.0/24 [200/1] via 4.4.4.4, 1d20h
> B 2.2.2.0/24 [200/1] via 4.4.4.4, 4d15h
> B 3.3.3.0/24 [200/0] via 4.4.4.4, 3d21h
> S* 0.0.0.0/0 [1/0] via 5.5.5.5
>
> What I would like to set up is, if the client on interface FE0/0 wants
> to go to networks 1.1.1.0/24, 2.2.2.0/24, 3.3.3.0/24 his traffic would
> be routed. But if he tries to go somewhere else (destination network is
> in this case 0.0.0.0) the packets would be dropped.
>
> What kind of match rule should I use???
>


You can't use a match in this way, but if you reverse your logic you
could remove the default and use 'set ip default next-hop' on interfaces
that are allowed to use it to achieve the same end result.

Andy
ETLALAR
11-04-2005
Something along the lines of:
!
route-map TEST permit 10
 match ip address 101
 set interface Null0
!
access-list 101 deny ip <client source IP subnet here> <client source IP netmask here> 1.1.1.0 0.0.0.255
access-list 101 deny ip <client source IP subnet here> <client source IP netmask here> 2.2.2.0 0.0.0.255
access-list 101 deny ip <client source IP subnet here> <client source IP netmask here> 3.3.3.0 0.0.0.255
access-list 101 permit ip <client source IP subnet here> <client source IP netmask here> any
!
interface FastEthernet0/0
 ip policy route-map TEST
!
HTH
Cheers
Alex

"eduke" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) oups.com...
> Hi
>
> Is it possible to route traffic from one interface only to routes that
> are advertised to the router with BGP protocol? For example suppose that
> "sh ip route" output is like this:
>
> B 1.1.1.0/24 [200/1] via 4.4.4.4, 1d20h
> B 2.2.2.0/24 [200/1] via 4.4.4.4, 4d15h
> B 3.3.3.0/24 [200/0] via 4.4.4.4, 3d21h
> S* 0.0.0.0/0 [1/0] via 5.5.5.5
>
> What I would like to set up is, if the client on interface FE0/0 wants
> to go to networks 1.1.1.0/24, 2.2.2.0/24, 3.3.3.0/24 his traffic would
> be routed. But if he tries to go somewhere else (destination network is
> in this case 0.0.0.0) the packets would be dropped.
>
> What kind of match rule should I use???
>
> Thanks for help
>
> Igor
>

ETLALAR
11-04-2005
> You can't use a match in this way, but if you reverse your logic you
> could remove the default and use 'set ip default next-hop' on interfaces
> that are allowed to use it to achieve the same end result.


If the default route is removed it will affect ALL users on the box, not
only those who come from Fa0/0.
HTH
Cheers
Alex

eduke
11-04-2005
I can't do this because those networks could change. And there are many
more networks, not only the three I showed in the example. The networks
are learned from another box. So I need to set up something like this on
my router:

If you want to go to routes I learned with BGP you are allowed.
If you want to go somewhere else your packets would be dropped.


Igor

Andy Furnell
11-04-2005
On 2005-11-04, ETLALAR <(E-Mail Removed)> wrote:
>> You can't use a match in this way, but if you reverse your logic you
>> could remove the default and use 'set ip default next-hop' on interfaces
>> that are allowed to use it to achieve the same end result.

>
> If the default route is removed it will affect ALL users on the box, not
> only those who come from Fa0/0.


Hence the use of PBR and 'set ip default next-hop x.x.x.x' for all other
interfaces that need to use the default... It's an ass-backwards kludge,
but I can't see any way of doing it that doesn't involve hard-coding BGP
prefixes into the PBR policy-map (which kinda defeats the purpose of
using BGP in the first place, I would think)

Andy

ETLALAR
11-04-2005
> I can't do this because those networks could change. And there are many
> more networks, not only the three I showed in the example. The networks
> are learned from another box. So I need to set up something like this on
> my router:
>
> If you want to go to routes I learned with BGP you are allowed.
> If you want to go somewhere else your packets would be dropped.

You could automate this with a script running off a UNIX box: the script
should periodically RSH into the Cisco router in question, get the list of
BGP routes, then compile/change the access-list.
HTH
Cheers
Alex
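
As an added example (not code from this thread), here is the generator Alex describes, done offline: it parses "show ip route" output in the format Igor quoted, keeps only the BGP ("B") prefixes, and emits the access-list/route-map pair from Alex's earlier post. The client subnet 192.0.2.0/24 is a placeholder, the RSH/login step is left out, and the one-letter route code per line is an assumption about the output format.

```python
import ipaddress
import re

# Constructed sample "show ip route" output, in the format quoted in the thread
# (an extra /16 prefix is added to show a non-/24 wildcard mask).
SHOW_IP_ROUTE = """\
B 1.1.1.0/24 [200/1] via 4.4.4.4, 1d20h
B 2.2.2.0/24 [200/1] via 4.4.4.4, 4d15h
B 3.3.3.0/24 [200/0] via 4.4.4.4, 3d21h
B 10.20.0.0/16 [200/0] via 4.4.4.4, 0d01h
S* 0.0.0.0/0 [1/0] via 5.5.5.5
"""

# Assumes one route code (optionally starred) followed by prefix/length per line.
ROUTE_RE = re.compile(r"^(?P<code>[A-Z]\*?)\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)")


def bgp_prefixes(show_ip_route):
    """Return the BGP-learned ('B') prefixes, deduplicated and sorted.
    The default route ('S*') and every other route code are skipped."""
    nets = set()
    for line in show_ip_route.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m and m.group("code") == "B":
            nets.add(ipaddress.ip_network(m.group("prefix"), strict=False))
    return sorted(nets)


def build_policy(client_subnet, nets, acl=101, rmap="TEST"):
    """Emit the access-list / route-map pair from Alex's post for the given
    client subnet: deny (= route normally) each BGP prefix, then send
    everything else sourced from the client to Null0. Returns IOS config text."""
    cl = ipaddress.ip_network(client_subnet, strict=False)
    src = f"{cl.network_address} {cl.hostmask}"  # IOS uses wildcard masks
    lines = ["!"]
    for n in nets:
        lines.append(f"access-list {acl} deny ip {src} {n.network_address} {n.hostmask}")
    lines.append(f"access-list {acl} permit ip {src} any")
    lines += ["!", f"route-map {rmap} permit 10", f" match ip address {acl}",
              " set interface Null0", "!"]
    return "\n".join(lines)


def would_drop(dst_ip, nets):
    """Simulate the policy for a client packet: True if dst_ip matches no BGP
    prefix, i.e. it hits the permit-any entry and is policy-routed to Null0."""
    dst = ipaddress.ip_address(dst_ip)
    return not any(dst in n for n in nets)


if __name__ == "__main__":
    print(build_policy("192.0.2.0/24", bgp_prefixes(SHOW_IP_ROUTE)))
```

Deleting and re-entering a numbered ACL that a live route-map references is not atomic, so generate into a second ACL number and repoint the route-map rather than rewriting access-list 101 in place. would_drop is there to review the generated policy against sample destinations before pushing it.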

M Gillespie
11-04-2005
ETLALAR wrote:
>>I can't do this because those networks could change. And there are many
>>more networks, not only the three I showed in the example. The networks
>>are learned from another box. So I need to set up something like this on
>>my router:
>>
>>If you want to go to routes I learned with BGP you are allowed.
>>If you want to go somewhere else your packets would be dropped.

>
> You could automate this with a script running off a UNIX box: the script
> should periodically RSH into the Cisco router in question, get the list of
> BGP routes, then compile/change the access-list.


Be very careful with just how much you help people as the results may be
catastrophic.