policy based routing

Discussion in 'Cisco' started by eduke, Nov 4, 2005.

  1. eduke

    eduke Guest

    Hi

    Is it possible to route traffic from one interface only to routes that
    are advertised to the router with BGP protocol? For example suppose that
    "sh ip route" output is like this:

    B 1.1.1.0/24 [200/1] via 4.4.4.4, 1d20h
    B 2.2.2.0/24 [200/1] via 4.4.4.4, 4d15h
    B 3.3.3.0/24 [200/0] via 4.4.4.4, 3d21h
    S* 0.0.0.0/0 [1/0] via 5.5.5.5

    What I would like to set up is, if the client on interface FE0/0 wants
    to go to networks 1.1.1.0/24, 2.2.2.0/24, 3.3.3.0/24 his traffic would
    be routed. But if he tries to go somewhere else (destination network is
    in this case 0.0.0.0) the packets would be dropped.

    What kind of match rule should I use???

    Thanks for help

    Igor
     
    eduke, Nov 4, 2005
    #1

  2. eduke

    Andy Furnell Guest

    On 2005-11-04, eduke <> wrote:
    > Hi
    >
    > Is it possible to route traffic from one interface only to routes that
    > are advertised to the router with BGP protocol? For example suppose that
    > "sh ip route" output is like this:
    >
    > B 1.1.1.0/24 [200/1] via 4.4.4.4, 1d20h
    > B 2.2.2.0/24 [200/1] via 4.4.4.4, 4d15h
    > B 3.3.3.0/24 [200/0] via 4.4.4.4, 3d21h
    > S* 0.0.0.0/0 [1/0] via 5.5.5.5
    >
    > What I would like to set up is, if the client on interface FE0/0 wants
    > to go to networks 1.1.1.0/24, 2.2.2.0/24, 3.3.3.0/24 his traffic would
    > be routed. But if he tries to go somewhere else (destination network is
    > in this case 0.0.0.0) the packets would be dropped.
    >
    > What kind of match rule should I use???
    >


    You can't use a match in this way, but if you reverse your logic you
    could remove the default and use 'set ip default next-hop' on interfaces
    that are allowed to use it to achieve the same end result.

    Andy
     
    Andy Furnell, Nov 4, 2005
    #2

  3. eduke

    ETLALAR Guest

    Something along the lines of:
    !
    route-map TEST permit 10
    match ip address 101
    set interface Null0
    !
    access-list 101 deny ip <client source IP subnet here> <client source IP netmask here> 1.1.1.0 0.0.0.255
    access-list 101 deny ip <client source IP subnet here> <client source IP netmask here> 2.2.2.0 0.0.0.255
    access-list 101 deny ip <client source IP subnet here> <client source IP netmask here> 3.3.3.0 0.0.0.255
    access-list 101 permit ip <client source IP subnet here> <client source IP netmask here> any
    !
    interface FastEthernet0/0
    ip policy route-map TEST
    !
    HTH
    Cheers
    Alex

    "eduke" <> wrote in message
    news:...
    > Hi
    >
    > Is it possible to route traffic from one interface only to routes that
    > are advertised to the router with BGP protocol? For example suppose that
    > "sh ip route" output is like this:
    >
    > B 1.1.1.0/24 [200/1] via 4.4.4.4, 1d20h
    > B 2.2.2.0/24 [200/1] via 4.4.4.4, 4d15h
    > B 3.3.3.0/24 [200/0] via 4.4.4.4, 3d21h
    > S* 0.0.0.0/0 [1/0] via 5.5.5.5
    >
    > What I would like to set up is, if the client on interface FE0/0 wants
    > to go to networks 1.1.1.0/24, 2.2.2.0/24, 3.3.3.0/24 his traffic would
    > be routed. But if he tries to go somewhere else (destination network is
    > in this case 0.0.0.0) the packets would be dropped.
    >
    > What kind of match rule should I use???
    >
    > Thanks for help
    >
    > Igor
    >
     
    ETLALAR, Nov 4, 2005
    #3
  4. eduke

    ETLALAR Guest

    > You can't use a match in this way, but if you reverse your logic you
    > could remove the default and use 'set ip default next-hop' on interfaces
    > that are allowed to use it to achieve the same end result.


    If the default route is removed it will affect ALL users on the box, not
    only those who come from Fa0/0.
    HTH
    Cheers
    Alex
     
    ETLALAR, Nov 4, 2005
    #4
  5. eduke

    eduke Guest

    I can't do this because those networks could change. And there are many
    more networks, not only the three I showed in the example. The networks
    are learned from another box. So I need to set up something like this on
    my router:

    If you want to go to routes I learned with BGP you are allowed.
    If you want to go somewhere else your packets would be dropped.


    Igor
     
    eduke, Nov 4, 2005
    #5
  6. eduke

    Andy Furnell Guest

    On 2005-11-04, ETLALAR <> wrote:
    >> You can't use a match in this way, but if you reverse your logic you
    >> could remove the default and use 'set ip default next-hop' on interfaces
    >> that are allowed to use it to achieve the same end result.

    >
    > If the default route is removed it will affect ALL users on the box, not
    > only those who come from Fa0/0.


    Hence the use of PBR and 'set ip default next-hop x.x.x.x' for all other
    interfaces that need to use the default... It's an ass-backwards kludge,
    but I can't see any way of doing it that doesn't involve hard-coding BGP
    prefixes into the PBR policy-map (which kinda defeats the purpose of
    using BGP in the first place, I would think)

    Andy
     
    Andy Furnell, Nov 4, 2005
    #6
  7. eduke

    ETLALAR Guest

    > I can't do this because those networks could change. And there are many
    > more networks, not only the three I showed in the example. The networks
    > are learned from another box. So I need to set up something like this on
    > my router:
    >
    > If you want to go to routes I learned with BGP you are allowed.
    > If you want to go somewhere else your packets would be dropped.

    You could automate this with a script running off a UNIX box: the script
    should periodically RSH into the Cisco router in question, get the list of
    BGP routes, then compile/change the access-list.
    HTH
    Cheers
    Alex
     
    ETLALAR, Nov 4, 2005
    #7
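    As an added example (not code posted by anyone in this thread), here is the job Alex describes in #7 done in Python: parse the BGP entries out of "show ip route" output and regenerate the access-list that the route-map TEST from #3 matches. The "show ip route" text is a constructed sample, the client subnet 10.0.0.0/24 and ACL number 101 are assumptions, and fetching the output from the router (RSH, SSH) is left out.

```python
import re
import ipaddress

# Constructed sample of "show ip route" output, mirroring the prefixes in the thread.
SAMPLE_SHOW_IP_ROUTE = """\
B    1.1.1.0/24 [200/1] via 4.4.4.4, 1d20h
B    2.2.2.0/24 [200/1] via 4.4.4.4, 4d15h
B    3.3.3.0/24 [200/0] via 4.4.4.4, 3d21h
S*   0.0.0.0/0 [1/0] via 5.5.5.5
"""

# Route code (B, S*, C, ...) followed by an IPv4 prefix in CIDR form.
ROUTE_LINE = re.compile(r"^(?P<code>[A-Z]\*?)\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)")


def bgp_prefixes(show_output):
    """Return the IPv4 prefixes whose route code is B (BGP), in order of appearance."""
    prefixes = []
    for line in show_output.splitlines():
        m = ROUTE_LINE.match(line)
        if m and m.group("code") == "B":
            prefixes.append(ipaddress.ip_network(m.group("prefix"), strict=False))
    return prefixes


def wildcard(net):
    """IOS ACLs take a wildcard (inverted) mask, e.g. /24 -> 0.0.0.255."""
    return str(net.hostmask)


def build_acl(prefixes, acl="101", src_net="10.0.0.0", src_wild="0.0.0.255"):
    """Build the extended ACL from post #3: 'deny' exempts a BGP-learned
    destination from the route-map (normal routing), the final 'permit'
    sends everything else to Null0.  Client subnet and ACL number are assumed."""
    # Caveat: between "no access-list" and the first new line the route-map
    # matches nothing, so traffic briefly follows normal routing.  For a
    # production job build a new ACL number and repoint the route-map instead.
    lines = [f"no access-list {acl}"]
    for net in prefixes:
        lines.append(f"access-list {acl} deny ip {src_net} {src_wild} "
                     f"{net.network_address} {wildcard(net)}")
    lines.append(f"access-list {acl} permit ip {src_net} {src_wild} any")
    return lines


if __name__ == "__main__":
    print("\n".join(build_acl(bgp_prefixes(SAMPLE_SHOW_IP_ROUTE))))
```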
  8. eduke

    M Gillespie Guest

    ETLALAR wrote:
    >>I can't do this because those networks could change. And there are many
    >>more networks, not only the three I showed in the example. The networks
    >>are learned from another box. So I need to set up something like this on
    >>my router:
    >>
    >>If you want to go to routes I learned with BGP you are allowed.
    >>If you want to go somewhere else your packets would be dropped.

    >
    > You could automate this with a script running off a UNIX box: the script
    > should periodically RSH into the Cisco router in question, get the list of
    > BGP routes, then compile/change the access-list.


    Be very careful with just how much you help people as the results may be
    catastrophic.
     
    M Gillespie, Nov 4, 2005
    #8
