Solved

Policy based routing

  • 1 October 2018
  • 3 replies
  • 450 views

According to the documentation and our lab environment, we can only use source and destination IP criteria for a match. This is not convenient, but OK. For example, what if I want to pass some traffic through the global routing table before redirecting to PBR:

pbr-map map1 seq 1
 match src-ip A.A.A.A/32
 match dst-ip B.B.B.B/32
 set nexthop default
pbr-map map1 seq 2
 match src-ip A.A.A.A/32
 match dst-ip 0.0.0.0/0
 set nexthop C.C.C.C

A.A.A.A is a host with a service on it. Traffic A.A.A.A -> B.B.B.B we want to go via the default routing table; traffic A.A.A.A -> 0.0.0.0/0 we want to go to the next-hop C.C.C.C, a firewall appliance for example.

Can we achieve this?

Thanks.

Best answer by Pete B 2 October 2018, 19:54

Our PBR implementation is Linux ip-rule-based, so we don't have a Cisco-like configuration such as a deny clause. You could perhaps try configuring separate ACLs, using the ACL syntax for dropping packets. We don't support the route default action at this time.

3 replies

Hi @IVAN DOLBNYA, PBR can only match on incoming interface, source IP and destination IP. Is your suggestion to try PBR only if the global routing table is not able to route?

Traffic from the host should be routed with PBR, but not all of it. Is it possible to use a different terminating action, not "set next-hop" but, for example, "route default", or to make a deny clause like in Cisco:

route-map pbr-map1 deny 5
 match src A.A.A.A dst B.B.B.B
route-map pbr-map1 permit 10
 match src A.A.A.A
 set ip next-hop C.C.C.C

etc.

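Pete B's remark that the PBR implementation sits on Linux ip rules also points at how the "deny clause" from the question is expressed natively on Linux: a rule with a lower preference value that sends A.A.A.A -> B.B.B.B back to the main table, followed by a rule that sends everything else from A.A.A.A to a table whose only route is the firewall. The following is an added example written for this thread, not code from Cumulus or FRR. It models the kernel's rule walk (first successful lookup wins, and a table with no matching route falls through to the next rule) over a constructed rule set and emits the matching iproute2 commands. The addresses are constructed from RFC 5737 documentation ranges and stand in for A.A.A.A, B.B.B.B and C.C.C.C; the interface names swp1/swp2/swp3 and the next-hop 10.0.0.2 are assumptions.

```python
"""Model of Linux policy routing (ip rule / ip route) for the PBR question above.

Added example, not Cumulus or FRR code. Addresses are constructed from RFC 5737
documentation ranges; interface names and the 10.0.0.2 upstream are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    priority: int   # lower value is consulted first, like `ip rule` preference
    src: str        # source prefix, CIDR
    dst: str        # destination prefix, CIDR ("0.0.0.0/0" = any)
    table: str      # routing table the rule points at ("main" or a number)


@dataclass(frozen=True)
class Route:
    prefix: str
    dev: str
    via: Optional[str] = None   # None means directly connected


HOST = "192.0.2.10"        # A.A.A.A: the host running the service
PEER = "198.51.100.20"     # B.B.B.B: destination that must keep normal routing
FIREWALL = "203.0.113.1"   # C.C.C.C: the appliance everything else goes to

# Constructed rule set. The "deny" for A->B is an earlier rule that sends the
# lookup back to the main table; everything else from A is looked up in table 100.
RULES = [
    Rule(100, f"{HOST}/32", f"{PEER}/32", "main"),
    Rule(200, f"{HOST}/32", "0.0.0.0/0", "100"),
    Rule(32766, "0.0.0.0/0", "0.0.0.0/0", "main"),   # the kernel's own default rule
]

TABLES = {
    "main": [
        Route("192.0.2.0/24", "swp1"),
        Route("198.51.100.0/24", "swp2", via="10.0.0.2"),
        Route("0.0.0.0/0", "swp2", via="10.0.0.2"),
    ],
    "100": [Route("0.0.0.0/0", "swp3", via=FIREWALL)],
}


def _in(addr: str, prefix: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)


def lookup(table, dst: str) -> Optional[Route]:
    """Longest-prefix match within one routing table; None if no route."""
    best, best_len = None, -1
    for r in table:
        net = ipaddress.ip_network(r.prefix)
        if ipaddress.ip_address(dst) in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best


def route(src: str, dst: str, rules=RULES, tables=TABLES):
    """Return (table_name, Route) the kernel would pick, or None if unroutable.

    Rules are walked in priority order and the first *successful* lookup wins.
    If the selected table has no route for dst, the kernel continues with the
    next rule instead of dropping the packet, so "lookup main" only pins
    A->B to the main table when main can actually route B.
    """
    for rule in sorted(rules, key=lambda r: r.priority):
        if _in(src, rule.src) and _in(dst, rule.dst):
            hit = lookup(tables.get(rule.table, []), dst)
            if hit is not None:
                return rule.table, hit
    return None


def render_commands(rules=RULES, tables=TABLES):
    """Emit the iproute2 commands that realise the model (main table untouched)."""
    cmds = []
    for name, routes in tables.items():
        if name == "main":
            continue
        for r in routes:
            pfx = "default" if r.prefix == "0.0.0.0/0" else r.prefix
            via = f" via {r.via}" if r.via else ""
            cmds.append(f"ip route add {pfx}{via} dev {r.dev} table {name}")
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.priority >= 32766:
            continue   # local/main/default rules are installed by the kernel
        to = "" if rule.dst == "0.0.0.0/0" else f" to {rule.dst}"
        cmds.append(f"ip rule add priority {rule.priority} from {rule.src}{to} lookup {rule.table}")
    return cmds


if __name__ == "__main__":
    for dst in (PEER, "8.8.8.8"):
        print(HOST, "->", dst, route(HOST, dst))
    print("\n".join(render_commands()))
```

Two things the model makes visible that the pbr-map syntax does not: the "deny" is nothing more than rule ordering, and the main-table rule only holds if main has a route to B.B.B.B, otherwise the packet falls through to the firewall rule. The rendered `ip rule` / `ip route` lines are plain iproute2; whether hand-installed rules coexist cleanly with the rules the PBR daemon manages is not something this thread establishes, so check `ip rule show` after both are in place.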