PBR: Force guest vlan to the desired path


This diagram is the same as the previous diagram in my post about VRF-lite. Another method is to use PBR to control traffic.

Create access list

access-list 1 permit 10.100.20.0 0.0.0.255

Create route-map

route-map guest-redirect permit 10
match ip address 1
set ip next-hop 192.168.20.2

Or

route-map guest-redirect permit 10
match ip address 1
set interface se0/3

Apply route map on interface

Here I am using router-on-a-stick; fa0/0.20 was created to carry vlan 20 tagged traffic. I want to steer vlan 20 (Guest) in the direction indicated on the diagram above.

interface FastEthernet0/0.20
encapsulation dot1Q 20
ip address 10.100.20.1 255.255.255.0
ip policy route-map guest-redirect
end

Verify result

A PC which was a member of vlan 20 was used for testing.

1.1.1.1 is a loopback interface created to emulate the production internet, and 2.2.2.2 is a loopback emulating the guest internet.

Default route and PBR

Policy-based routing can be thought of as an advanced static route: the next hop is chosen statically based on the source or destination address. The test used specific static routes between RXC and Production and between RXC and Guest, hence the desired result shown in the command prompt screenshot above. However, if a default route is configured on the Guest router towards the RXC router, the Guest vlan can reach both 1.1.1.1 and 2.2.2.2.

A default route summarizes every possible IPv4 address. Remember that summarization means more zeroes and fewer prefix bits; in the case of 0.0.0.0/0, the 32 zero bits summarize every possible IPv4 address.

From the route-map, if the source subnet 10.100.20.0 matches, the next hop or output interface is changed. However, if the Guest router uses a default route (ip route 0.0.0.0 0.0.0.0 192.168.20.1) and cannot find a more specific route in its own routing table, the traffic is forwarded back to RXC.

RXC (which also uses a default route, ip route 0.0.0.0 0.0.0.0 192.168.10.2) looks in its own routing table, finds no specific route for the received destination address, and forwards the packet to Production (192.168.10.2). The policy is applied only to traffic entering fa0/0.20, so it does not act on the traffic coming back from Guest over the serial link. Production knows 1.1.1.1 because it is a directly connected route. In conclusion, 1.1.1.1 is reachable despite the policy that has been specified.

Even if RXC uses a specific static route, as long as the Guest router uses a default route, 1.1.1.1 is still reachable. In other words, the Guest router must use specific routes towards RXC, otherwise the PBR will be ineffective.
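To make the argument above concrete, here is an added Python model of the three routers (not code from the original post): RXC applies the guest-redirect policy on its vlan 20 ingress only, then every router does a longest-prefix lookup. The topology, addresses and routes are constructed from the post; the vlan 20 host address 10.100.20.10 is an assumption. Running it with the Guest router's specific routes versus a default route shows why 1.1.1.1 becomes reachable in the second case.

```python
import ipaddress

class Router:
    """Minimal IOS-like forwarder: PBR on the vlan 20 ingress, then a RIB lookup."""
    def __init__(self, routes, pbr=None):
        # routes: (prefix, next_hop); next_hop None means directly connected
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]
        # pbr mirrors 'route-map guest-redirect': (source prefix from ACL 1, set ip next-hop)
        self.pbr = (ipaddress.ip_network(pbr[0]), pbr[1]) if pbr else None

    def next_hop(self, src, dst, ingress_vlan20):
        # 'ip policy route-map' is bound to fa0/0.20 only, so the policy is consulted
        # for packets entering on vlan 20, never for packets coming back on serial.
        if self.pbr and ingress_vlan20 and ipaddress.ip_address(src) in self.pbr[0]:
            return self.pbr[1]
        matches = [r for r in self.routes if ipaddress.ip_address(dst) in r[0]]
        if not matches:
            return None                      # no route at all: the packet is dropped
        net, nh = max(matches, key=lambda r: r[0].prefixlen)   # longest prefix wins
        return "connected" if nh is None else nh

def trace(routers, owner, src, dst, start="RXC", max_hops=8):
    """Follow the packet hop by hop; returns (path, outcome)."""
    path, cur, vlan20 = [start], start, True
    for _ in range(max_hops):
        nh = routers[cur].next_hop(src, dst, vlan20)
        vlan20 = False                       # only the first hop enters via fa0/0.20
        if nh is None:
            return path, "dropped"
        if nh == "connected":
            return path, "delivered"
        cur = owner[nh]                      # which router owns that next-hop address
        path.append(cur)
    return path, "loop"

# Constructed topology following the post: RXC in the middle, Production holds 1.1.1.0/24,
# Guest holds 2.2.2.0/24, and vlan 20 (10.100.20.0/24) is policy-routed towards Guest.
OWNER = {"192.168.10.1": "RXC", "192.168.20.1": "RXC",
         "192.168.10.2": "Production", "192.168.20.2": "Guest"}
RXC = Router([("10.100.20.0/24", None), ("192.168.10.0/24", None),
              ("192.168.20.0/24", None), ("0.0.0.0/0", "192.168.10.2")],
             pbr=("10.100.20.0/24", "192.168.20.2"))
PRODUCTION = Router([("1.1.1.0/24", None), ("192.168.10.0/24", None),
                     ("0.0.0.0/0", "192.168.10.1")])
GUEST_ROUTES = [("2.2.2.0/24", None), ("192.168.20.0/24", None), ("10.100.20.0/24", "192.168.20.1")]
GUEST_SPECIFIC = Router(GUEST_ROUTES)                       # as in the post's 'sh ip route'
GUEST_DEFAULT = Router(GUEST_ROUTES + [("0.0.0.0/0", "192.168.20.1")])

def reach(guest, dst, src="10.100.20.10"):   # packet from an assumed vlan 20 host
    return trace({"RXC": RXC, "Production": PRODUCTION, "Guest": guest}, OWNER, src, dst)
```

With GUEST_SPECIFIC a packet to 1.1.1.1 is dropped at Guest, while with GUEST_DEFAULT it travels RXC, Guest, RXC, Production and is delivered, exactly the behaviour described above.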

Before choosing PBR or VRF, it would be advisable to know what type of route the customer is using.

Production#sh ip route
Gateway of last resort is 192.168.10.1 to network 0.0.0.0

1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Loopback0
C    192.168.10.0/24 is directly connected, Serial0/0
S*   0.0.0.0/0 [1/0] via 192.168.10.1
Production#

Guest#sh ip route
2.0.0.0/24 is subnetted, 1 subnets
C       2.2.2.0 is directly connected, Loopback0
C    192.168.20.0/24 is directly connected, Serial0/0
10.0.0.0/24 is subnetted, 1 subnets
S       10.100.20.0 [1/0] via 192.168.20.1
