Policy routing is a very simple topic: force certain traffic to a next hop of your choice. I have done policy routing a few times in the past, once for a customer that had 20+ locations and was looking to keep private, less restricted and purely public networks from intermingling. So this is a quick one for those who may have added a new internet connection in a different data center with non-clustered firewalls and want to test it out.
route-map TEST-Inet permit 10
C1(config-route-map)#match ?
as-path Match BGP AS path list
clns CLNS information
community Match BGP community list
extcommunity Match BGP/VPN extended community list
interface Match first hop interface of route
ip IP specific information
length Packet length
metric Match metric of route
mpls-label Match routes which have MPLS labels
nlri BGP NLRI type
policy-list Match IP policy list
route-type Match route-type of route
tag Match tag of route
!
C1(config-route-map)#match ip ?
address Match address of route or match packet
next-hop Match next-hop address of route
route-source Match advertising source address of route
For this example I will use ip address.
C1(config-route-map)#match ip address ?
<1-199> IP access-list number
<1300-2699> IP access-list number (expanded range)
WORD IP access-list name
prefix-list Match entries of prefix-lists
I will use an extended access-list 100 for this example. Next comes the set feature, which shows up in the help as: set Set values in destination routing protocol
I'm going to omit some of the choices, as some of them don't apply to policy routing.
C1(config-route-map)#set ?
interface Output interface
ip IP specific information
We can use either an IP next-hop address or an output interface; the choice is yours to decide. I normally choose ip.
C1(config-route-map)#set ip ?
address Specify IP address
next-hop Next hop address
So here we go with the complete policy to route only internet traffic to the other internet connection. A deny in the match access-list means "do not policy route", so destinations in the RFC1918 ranges keep the normal routing table, and anything that hits the implicit deny at the end of the list does too.
route-map TEST-Inet permit 10
 match ip address 100
 set ip next-hop 10.0.0.1
!
! clause 20 has no match or set: traffic not matched above is forwarded by the normal routing table
route-map TEST-Inet permit 20
!
access-list 100 deny tcp host 10.2.1.3 10.0.0.0 0.255.255.255
access-list 100 deny tcp host 10.2.1.3 172.16.0.0 0.15.255.255
access-list 100 deny tcp host 10.2.1.3 192.168.0.0 0.0.255.255
access-list 100 permit tcp host 10.2.1.3 any eq www
access-list 100 permit tcp host 10.2.1.3 any eq 443
!
! the route-map only takes effect once applied to the interface where 10.2.1.3's traffic enters
! (interface name is a placeholder for your own)
interface GigabitEthernet0/0
 ip policy route-map TEST-Inet
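To check which flows the policy above actually diverts before touching a production router, here is an added example (not from the original post) that models access-list 100 with Cisco wildcard-mask semantics and the route-map's first-match behaviour. The source host, the private destination ranges and the next hop 10.0.0.1 are taken from the post; the sample flows and the public address 203.0.113.10 are constructed.

```python
import ipaddress
from typing import Optional

# Constructed model of the post's access-list 100, one tuple per line:
# (action, protocol, source host, destination base, destination wildcard, destination port or None = any)
ACL_100 = [
    ("deny",   "tcp", "10.2.1.3", "10.0.0.0",    "0.255.255.255",   None),
    ("deny",   "tcp", "10.2.1.3", "172.16.0.0",  "0.15.255.255",    None),
    ("deny",   "tcp", "10.2.1.3", "192.168.0.0", "0.0.255.255",     None),
    ("permit", "tcp", "10.2.1.3", "0.0.0.0",     "255.255.255.255", 80),   # any eq www
    ("permit", "tcp", "10.2.1.3", "0.0.0.0",     "255.255.255.255", 443),
]

POLICY_NEXT_HOP = "10.0.0.1"  # the set ip next-hop of route-map TEST-Inet permit 10


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: every bit that is 0 in the wildcard must equal the base."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def acl_action(acl, proto: str, src: str, dst: str, dport: int) -> str:
    """First matching entry wins; an IOS access-list ends with an implicit deny."""
    for action, p, s, base, wc, port in acl:
        if p == proto and s == src and wildcard_match(dst, base, wc) and port in (None, dport):
            return action
    return "deny"


def policy_next_hop(proto: str, src: str, dst: str, dport: int) -> Optional[str]:
    """Apply route-map TEST-Inet to one flow.

    Clause 10 matches only when the ACL permits; a deny in a PBR match-ACL means
    "not matched", so the flow falls through to the empty clause 20 and is forwarded
    by the normal routing table, which this model reports as None.
    """
    if acl_action(ACL_100, proto, src, dst, dport) == "permit":
        return POLICY_NEXT_HOP
    return None


if __name__ == "__main__":
    # Constructed sample flows; 203.0.113.10 is a documentation address standing in for a public web server.
    for flow in [("tcp", "10.2.1.3", "203.0.113.10", 443),   # diverted to 10.0.0.1
                 ("tcp", "10.2.1.3", "10.9.9.9", 443),        # RFC1918 destination: normal routing
                 ("tcp", "10.2.1.3", "203.0.113.10", 22),     # not www/443: implicit deny, normal routing
                 ("tcp", "10.2.1.99", "203.0.113.10", 443)]:  # other source host: not policy routed
        print(flow, "->", policy_next_hop(*flow) or "normal routing table")
```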
Friday, April 3, 2009
Saturday, March 7, 2009
Another great learning experience
I have to say that I had another great learning experience when working with BGP to prevent your AS from being a transit AS via your multi-homed router. Protect it coming in and going out!
Outbound protection uses an AS-path filter applied to the neighbor statement:
! ^$ matches an empty AS path, i.e. only prefixes originated in the local AS are advertised
ip as-path access-list 1 permit ^$
neighbor 10.1.1.1 filter-list 1 out
Inbound protection uses a route-map with a catch-all access-list that sets the no-export community on everything learned from the neighbor:
access-list 99 permit any
route-map IN permit 10
 match ip address 99
 set community no-export
neighbor 10.1.1.1 route-map IN in
As the old saying goes, hindsight is 20/20.
