From: ccie2be (ccie2be@nyc.rr.com)
Date: Fri May 06 2005 - 09:37:32 GMT-3
Serge,
Here are a couple things about Policy Routing that are important to know.
Concept:
Policy Routing is designed to cause forwarding decisions to be made based on
criteria that are different from the normal way forwarding decisions are
made. Normal forwarding is based on destination IP address, but with Policy
Routing the criteria are based on anything you can match against with the
match command. (I'm fairly sure, however, that not all the match command
options can be used with Policy Routing. I think that some match options
are specifically for BGP, redistribution or other functions.)
For Policy Routing to work, the Policy Routing function must "intercept" the
packets prior to the packet reaching the normal routing and forwarding
function. That's why Policy routing for incoming packets is always
configured on the incoming interface. (For packets generated by the router
itself, a different command is used.)
Packets that don't match the match criteria are routed as normal.
If the intention is to drop matched packets, it seems to me an ACL could do
the trick just as well and is much less to type. Note that distribute lists
are for filtering routes in IGP updates, not for filtering packets.
Also, I recommend that you look into the various set options available with
PBR as a few of them are exceedingly non-intuitive - at least that was true
for me.
For example, check out the difference in usage of:
set default next-hop
set ip next-hop
HTH, Tim
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Serge N'GBESSO
Sent: Friday, May 06, 2005 5:24 AM
To: ccielab@groupstudy.com
Subject: PBR
Hi all,
I need a fast-track review on PBR; consider this config:
<-- ccbootcamp security v6 lab3 Task 7.1.2
r14:
access-list 100 permit ip any 10.14.14.0 0.0.0.255
route-map Filter permit 10
 match ip address 100
 set interface Null0
!
interface atm 2/0.1
 ip policy route-map Filter
>
1 - Is PBR applied INBOUND only?
2 - This config blackholes matched traffic BUT drops (implicit) all other
traffic as there is no match?!
3 - Can I really do the same with a <distribute-list>?
This archive was generated by hypermail 2.1.4 : Fri Jun 03 2005 - 10:11:56 GMT-3
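
Added example, not part of the original thread: a small Python model of the forwarding decision discussed above. It shows that packets the route-map does not match are routed normally, and how `set ip next-hop` differs from the default next-hop form (`set ip default next-hop` in IOS). The routing table, next-hop address and function names are constructed for illustration, and the ACL check is simplified to the destination address only.

```python
import ipaddress

# Constructed routing table (prefix -> egress interface); not from the thread.
ROUTES = {"10.14.14.0/24": "Serial0/0", "192.168.5.0/24": "Ethernet0/1",
          "0.0.0.0/0": "Serial0/1"}
# The thread's policy: access-list 100 destination and wildcard, then the set action.
FILTER = ("10.14.14.0", "0.0.0.255", "set interface", "Null0")

def acl_permits(dst, net, wildcard):
    """IOS-style wildcard match: bits set in the wildcard are 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(dst)) & care) == (int(ipaddress.IPv4Address(net)) & care)

def normal_lookup(dst, include_default=True):
    """Ordinary destination-based forwarding: longest-prefix match."""
    best = None
    for prefix, egress in ROUTES.items():
        n = ipaddress.ip_network(prefix)
        if n.prefixlen == 0 and not include_default:
            continue  # a default route is not an explicit route
        if ipaddress.ip_address(dst) in n and (best is None or n.prefixlen > best[0]):
            best = (n.prefixlen, egress)
    return best[1] if best else None

def forward(dst, policy=None):
    """policy is (acl_net, acl_wildcard, set_action, set_value) on the inbound
    interface, or None when no 'ip policy route-map' is applied."""
    if policy and acl_permits(dst, policy[0], policy[1]):
        action, value = policy[2], policy[3]
        if action == "set interface" and value == "Null0":
            return "dropped (Null0)"
        if action == "set ip next-hop":
            # Overrides the routing table for every matched packet.
            return f"policy next-hop {value}"
        if action == "set ip default next-hop":
            # Used only when the routing table has no explicit route.
            explicit = normal_lookup(dst, include_default=False)
            return f"routed via {explicit}" if explicit else f"policy next-hop {value}"
    # Packets that miss the match clause fall through to normal routing.
    egress = normal_lookup(dst)
    return f"routed via {egress}" if egress else "dropped (no route)"

if __name__ == "__main__":
    for dst in ("10.14.14.7", "192.168.5.9"):
        print(dst, "->", forward(dst, FILTER))
```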