Article ID: 13620
Products
S-Series
Matrix N-Series DFE, firmware 7.11.01.0025 and higher
K-Series
Goals
Use different PBR next-hop addresses depending on packet characteristics.
Solution
This may be accomplished by specifying more than one map within the assigned route-map, with each map represented by a sequence number. When evaluating a PBR route-map for a routed packet, the process walks through each map in sequence.
In the firmware 7.x sample configuration shown here...
- Initially, map 10 yields a packet match to the NacWebRedirect access-list if the packet uses both TCP port 80 and DSCP value af12 (5811). If it does match, then it is forwarded to the next-hop address as defined ("10.10.12.1").
- Otherwise, map 20 (next in sequence) yields a packet match to the ACL-SourceIP access-list if the packet's Source IP address falls within one of the specified (reverse-masked) ranges. If it does match, then it is forwarded to the next-hop address as defined ("10.10.0.6").
- This process may continue for further iterations as desired. Here there are only two maps configured.
- When all relevant maps have been examined with no match, then (by default: 13123) the packet is forwarded per the routing table.
configure terminal
!
ip access-list extended NacWebRedirect
permit tcp any any eq 80 dscp af12
exit
!
ip access-list standard ACL-SourceIP
permit 10.10.179.0 0.0.0.255
permit 10.10.250.0 0.0.0.255
permit 10.10.248.0 0.0.0.255
permit 10.10.200.0 0.0.0.255
permit 10.10.253.224 0.0.0.31
permit 10.10.254.0 0.0.0.255
permit 10.10.181.0 0.0.0.255
permit 10.10.251.254 0.0.0.255
exit
!
route-map policy policy1 permit 10
match ip address NacWebRedirect
set next-hop 10.10.12.1
exit
route-map policy policy1 permit 20
match ip address ACL-SourceIP
set next-hop 10.10.0.6
exit
!
interface vlan.0.10
ip address 10.10.0.129 255.255.255.248 primary
ip policy route-map policy1
no shutdown
exit
!
exit
For more information, please refer to the Configuration/CLI Guide applicable to your product and firmware version.
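The evaluation order described above can be checked offline before a route-map is applied. The following Python model of policy1 is an added example, not vendor code or switch output; the packet field names and the helper functions are hypothetical, and "eq 80" is assumed to refer to the destination port.

```python
import ipaddress

AF12 = 12  # DSCP codepoint for af12 (binary 001100)

# Entries copied from the ACL-SourceIP access-list above: (address, reverse mask)
ACL_SOURCE_IP = [
    ("10.10.179.0", "0.0.0.255"), ("10.10.250.0", "0.0.0.255"),
    ("10.10.248.0", "0.0.0.255"), ("10.10.200.0", "0.0.0.255"),
    ("10.10.253.224", "0.0.0.31"), ("10.10.254.0", "0.0.0.255"),
    ("10.10.181.0", "0.0.0.255"), ("10.10.251.254", "0.0.0.255"),
]

def wildcard_match(addr, base, wildcard):
    """Reverse-mask compare: bits set in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def nac_web_redirect(pkt):
    # permit tcp any any eq 80 dscp af12 ("eq 80" read as destination port: assumption)
    return pkt["proto"] == "tcp" and pkt["dport"] == 80 and pkt["dscp"] == AF12

def acl_source_ip(pkt):
    # Standard ACL: source address only; if no entry matches, this map does not match
    return any(wildcard_match(pkt["src"], b, w) for b, w in ACL_SOURCE_IP)

# route-map policy1 as (sequence, match function, next hop)
POLICY1 = [(10, nac_web_redirect, "10.10.12.1"), (20, acl_source_ip, "10.10.0.6")]

def pbr_next_hop(pkt, route_map=POLICY1):
    """Return (sequence, next_hop) for the first matching map, or None when
    no map matches and the packet is forwarded per the routing table."""
    for seq, match, next_hop in sorted(route_map, key=lambda m: m[0]):
        if match(pkt):
            return seq, next_hop
    return None

def packet(src, proto="tcp", dport=80, dscp=0):
    """Constructed test packet (hypothetical field names)."""
    return {"src": src, "proto": proto, "dport": dport, "dscp": dscp}

if __name__ == "__main__":
    for p in (packet("10.10.179.20", dscp=AF12),   # both ACLs match; map 10 wins
              packet("10.10.179.20"),              # no af12 marking -> map 20
              packet("10.10.251.7"),               # last octet ignored by 0.0.0.255
              packet("10.10.253.200"),             # outside .224-.255 -> routing table
              packet("192.168.1.5", "udp", 53)):   # no match -> routing table
        print(p, "->", pbr_next_hop(p) or "routing table")
```

Because map 10 is evaluated first, af12-marked TCP port 80 traffic from any source, including the ranges listed in ACL-SourceIP, is sent to 10.10.12.1 rather than 10.10.0.6.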