policy routing

From: Joe Pruett (joey@q7.com)
Date: Tue Sep 05 2000 - 21:16:17 EDT


I have a router that I want to logically split in half. I want to have
some frame DLCIs use one ethernet and others use the second, so I think
that I should be able to do that with policy routing. But to add to the
complexity, one half of the router is an internet router and the other
half is a private network router, and there is another box between the two
ethernets that will do most of the firewall and NAT stuff. So, like this:

         | s0.1 internet
         | s0.10 private connection
         | s0.11 private connection
         |
+-----------------+
|   cisco 2600    |
+-----------------+
 eth0/0      eth0/1
   |            |
   |  +------+  |
   +--|  fw  |--+
      +------+  |
                +---system
                |
                +---system
                .
                .
                .

and I want packets from s0.1 to go over eth0/0 and packets on the other
DLCI interfaces to go over eth0/1. The fw will have 10.0.0.1 for the
eth0/1 net and some ISP-assigned address for the eth0/0 net. The cisco will
default route to s0.1.

So I think it should be like:

route-map private permit 10
 set ip default next-hop 10.0.0.1
!
interface s0.1
 ! address from isp; the masks below are assumed, the post gives none
 ip address 4.3.2.1 255.255.255.0
!
interface s0.10
 ip policy route-map private
 ip address 10.0.1.254 255.255.255.0
!
interface s0.11
 ip policy route-map private
 ip address 10.0.2.254 255.255.255.0
!
interface eth0/0
 ! address from isp (fw is 1.2.3.5)
 ip address 1.2.3.4 255.255.255.0
!
interface eth0/1
 ip address 10.0.0.254 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 s0.1

Am I on the right page here? Do I need an explicit match statement in the
route-map to match all packets? Do I need to use a 'set interface' clause
in the route-map? By setting the default next-hop, will that guarantee
all traffic from the frame interfaces will not end up going back out the
s0.1 interface if it isn't for the internal net (or another frame
connection)? I guess if traffic comes in on s0.10 destined for 1.2.3.5
(the external fw) it will go directly over eth0/0. I guess I could extend
the route-map like:

ip access-list extended public
 permit ip any 1.2.3.0 0.0.0.255
!
! the specific sequence has to come first: a sequence with no match
! clause matches every packet and would shadow anything after it
route-map private permit 10
 match ip address public
 set ip next-hop 10.0.0.1
!
route-map private permit 20
 set ip default next-hop 10.0.0.1

which should just force traffic to 10.0.0.1 even if it is trying to go to
the external eth0/0 network, right?
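The question above turns on two IOS details: route-map sequences are
evaluated in order and the first one whose match clauses succeed ends the
search (a sequence with no match clause matches everything), and
`set ip default next-hop` is only consulted when the routing table has no
explicit route for the destination (a 0.0.0.0/0 default does not count as
one), whereas `set ip next-hop` overrides the routing table outright. The
model below is an added illustration, not code from the post or from
Cisco; it encodes those documented semantics, uses a constructed routing
table built from the addresses in the message, assumes /24 masks the post
never states, and ignores that the policy only applies to packets arriving
on the interfaces that carry `ip policy route-map` (s0.10 and s0.11 here).
It shows why the posted ordering lets private-side traffic for 1.2.3.0/24
slip straight out eth0/0, bypassing the firewall box, and how the reordered
route-map forces it to 10.0.0.1 while still sending internet-bound traffic
to 10.0.0.1 instead of back out s0.1.

```python
"""
Minimal model of IOS policy-based routing (PBR) route-map evaluation.
Added illustration, not the post's or Cisco's code. Assumed semantics:
  * sequences are tried in order; the first whose match clauses all
    succeed is applied and evaluation stops
  * a sequence with no match clause matches every packet
  * 'set ip next-hop' overrides the routing table unconditionally
  * 'set ip default next-hop' applies only when the routing table has
    no explicit route for the destination (0.0.0.0/0 does not count)
"""
import ipaddress

# Constructed routing table for the router in the post: the connected
# networks (masks assumed /24) plus the default route via s0.1.
ROUTES = {
    ipaddress.ip_network("1.2.3.0/24"): "eth0/0",
    ipaddress.ip_network("10.0.0.0/24"): "eth0/1",
    ipaddress.ip_network("10.0.1.0/24"): "s0.10",
    ipaddress.ip_network("10.0.2.0/24"): "s0.11",
    ipaddress.ip_network("0.0.0.0/0"): "s0.1",
}


def lookup(dst):
    """Longest-prefix match; returns (network, egress) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, egress in ROUTES.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, egress)
    return best


def acl_public(dst):
    """'ip access-list extended public': permit ip any 1.2.3.0 0.0.0.255"""
    return ipaddress.ip_address(dst) in ipaddress.ip_network("1.2.3.0/24")


def apply_route_map(seqs, dst):
    """
    seqs: ordered list of (match_fn_or_None, action, next_hop).
    Returns (egress_or_next_hop, reason) for a packet to dst.
    """
    for match, action, nh in seqs:
        if match is not None and not match(dst):
            continue  # this sequence does not match; try the next one
        if action == "next-hop":
            return nh, "policy next-hop"
        if action == "default next-hop":
            route = lookup(dst)
            if route is None or route[0].prefixlen == 0:
                return nh, "policy default next-hop (no explicit route)"
            return route[1], "routing table (explicit route wins)"
        break  # first matching sequence ends evaluation
    route = lookup(dst)
    return (route[1] if route else None), "routing table (no policy match)"


# The extended route-map exactly as first posted: seq 10 has no match
# clause, so it matches everything and seq 20 is never reached.
AS_POSTED = [
    (None, "default next-hop", "10.0.0.1"),
    (acl_public, "next-hop", "10.0.0.1"),
]

# Same intent with the specific sequence first: traffic for the external
# fw net is forced to 10.0.0.1, everything else falls through to the
# default-next-hop rule.
REORDERED = [
    (acl_public, "next-hop", "10.0.0.1"),
    (None, "default next-hop", "10.0.0.1"),
]


if __name__ == "__main__":
    # Constructed destinations: the external fw, an internet host, a
    # host behind the other private DLCI.
    for dst in ("1.2.3.5", "198.51.100.9", "10.0.2.7"):
        print(dst, "as posted:", apply_route_map(AS_POSTED, dst))
        print(dst, "reordered:", apply_route_map(REORDERED, dst))
```

On a real router the same check is `show route-map private` for the
per-sequence policy-match counters and `debug ip policy` on a lab box, so
that a packet from s0.10 to the external firewall address is seen being
policy-routed to 10.0.0.1 rather than routed out eth0/0.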



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:16 EDT