[f-nsp] Policy based routing?

seph seph at directionless.org
Fri Feb 5 17:22:58 EST 2010


access-groups are only supported on the in side of the port, not the out
side. I can work around this, but it's really cumbersome. So I'm looking
at what other options there are. PBR seems like a nice abstraction, I'm
trying to tell how viable it is here.

seph


Nick Morrison <nick at nick.on.net> writes:

> Silly question,
>
> If all you want is an ACL to block traffic, why not just use an
> access-group?
>
> N
>
> On Fri, Feb 5, 2010 at 8:14 PM, Logan Rawlins
> <logan.rawlins at highwinds.com>wrote:
>
>> Sure at the end of your policy point a default match all to a nexthop ip
>> that you have null routed
>>
>> ip route a.a.a.a/32 null0
>>
>> ip access-list extended permit-all
>>  permit ip any any
>>
>> route-map pbr-firewall permit 1000
>>  match ip address  permit-all
>>  set ip next-hop a.a.a.a
>>
>> int e 1/1
>> ip policy route-map pbr-firewall
>>
>>
>> On Feb 5, 2010, at 12:49 PM, seph wrote:
>>
>> > As I continue to tinker with my network, I'm increasingly interested in
>> > PBR. Unfortunately, the only info I can find is in the Configuration
>> > Guide, which seems sparse. I'm hoping folks here might have some advice.
>> >
>> > Given how small a section in the config guide it has, I wonder how
>> > widely used it is. It feels like an afterthought. Do people actually use
>> > it?
>> >
>> > Is there other documentation that I should be reading?
>> >
>> > If I'm using PBR as sort of a firewall, is there a way to set a default
>> > "don't route these packets"
>> >
>> > Am I crazy for trying?
>> >
>> > Thanks for any advice
>> >
>> > seph
>> >
>> >
>> > _______________________________________________
>> > foundry-nsp mailing list
>> > foundry-nsp at puck.nether.net
>> > http://puck.nether.net/mailman/listinfo/foundry-nsp
>> >
>>
>
>
>
> -- 
> Nick Morrison <nick at nick.on.net>
