Below is from this linked page:

This document provides a sample configuration for policy-based routing (PBR) using the set ip default next-hop and set ip next-hop commands.

The set ip default next-hop command verifies the existence of the destination IP address in the routing table, and…
• if the destination IP address exists, the command does not policy route the packet, but forwards the packet based on the routing table.
• if the destination IP address does not exist, the command policy routes the packet by sending it to the specified next hop.

The set ip next-hop command verifies the existence of the next hop specified, and…
• if the next hop exists in the routing table, then the command policy routes the packet to the next hop.
• if the next hop does not exist in the routing table, the command uses the normal routing table to forward the packet.

On iosv-1 and iosv-7, I am working on route maps in place of using ip route 0.0.0.0 0.0.0.0. I have done similar policy-based routing on my HP switches in my data center. Those were routed from the various VLANs to the Fortinet firewall VLAN gateway in the same subnet, so from the HP switch VLAN gateway to its layer 2 address on the firewall. It was designed to get around the Cisco ASA reverse packet spoofing rules on my old ASA. It also allows the traffic to stay layer 2 from entering the firewall all the way to the device and back out.
I created a routemap that allows any traffic out of EIGRP and into OSPF.
route-map OSPF-DEFAULT-NEXT-HOP permit 10
 match ip address 100
 set ip default next-hop 192.168.7.1
!
!
access-list 100 permit ip any any
I created a routemap that allows any traffic out of OSPF and into EIGRP.
iosv-7 to iosv-1
router ospf 1
 router-id 192.168.30.7
 network 184.108.40.206 0.0.0.0 area 0
 network 192.168.7.0 0.0.0.3 area 0
 network 192.168.30.7 0.0.0.0 area 0
 network 192.168.55.0 0.0.0.3 area 0
 network 192.168.57.0 0.0.0.3 area 0
 network 192.168.58.0 0.0.0.3 area 0
 distribute-list route-map OSPF-DEFAULT-NEXT-HOP in
route-map OSPF-DEFAULT-NEXT-HOP permit 10
 match ip address 100
 set ip default next-hop 192.168.7.2
!
!
access-list 100 permit ip any any
I just wanted to show that iosv-1 is an ASBR because it is the boundary of OSPF and EIGRP.
iosv-1#sh ip ospf
 Routing Process "ospf 1" with ID 192.168.30.1
 Start time: 00:00:42.751, Time elapsed: 00:01:48.841
 Supports only single TOS(TOS0) routes
 Supports opaque LSA
 Supports Link-local Signaling (LLS)
 Supports area transit capability
 Supports NSSA (compatible with RFC 3101)
 Supports Database Exchange Summary List Optimization (RFC 5243)
 Event-log enabled, Maximum number of events: 1000, Mode: cyclic
 It is an autonomous system boundary router
 Redistributing External Routes from,
    connected, includes subnets in redistribution
    static, includes subnets in redistribution
    eigrp 100, includes subnets in redistribution
 Router is not originating router-LSAs with maximum metric
 Initial SPF schedule delay 5000 msecs
 Minimum hold time between two consecutive SPFs 10000 msecs
 Maximum wait time between two consecutive SPFs 10000 msecs
truncated to save space.
On iosv-2 I set up route maps to do next hops from iosv-4, iosv-12, and iosv-13.

route-map iosv4-to-iosv9 permit 10
 match ip address 104
 set ip next-hop 192.168.2.2
!
route-map iosv-12-to-iosv11 permit 10
 match ip address 112
 set ip next-hop 192.168.11.1
!
route-map iosv-13-to-iosv10 permit 10
 match ip address 110
 set ip next-hop 192.168.10.1
!
!
access-list 104 permit ip host 192.168.4.1 any
access-list 110 permit ip host 192.168.13.1 any
access-list 112 permit ip host 192.168.12.1 any
!

104 is to direct iosv-4 through iosv-2 to iosv-9
110 is to direct iosv-13 through iosv-2 to iosv-11
112 is to direct iosv-12 through iosv-2 to iosv-10

I could use 192.168.4.0 0.0.0.252 instead of host 192.168.4.1 to do the entire subnet range. For this simulation one address is fine.

access-list 104 permit ip 192.168.4.0 0.0.0.252 any
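To make the difference between the two set actions quoted at the top of the page concrete, here is an added simulation (not code from the original post or from any Cisco device) of how a router decides between policy routing and normal forwarding for the OSPF-DEFAULT-NEXT-HOP and iosv4-to-iosv9 route maps above. The routing table contents, the hypothetical UNREACHABLE-HOP route map and the 10.99.0.1 destination are constructed for the example; the ACL numbers, route-map names and next-hop addresses are the lab's. The simulation follows Cisco's wording that set ip default next-hop only policy routes packets with no explicit route, so a matching default route alone does not count as "the destination exists"; on IOS the route map is applied to the ingress interface with ip policy route-map NAME.

```python
from ipaddress import ip_address, ip_network

# Constructed routing table for the simulated router: (prefix, next hop).
# A next hop of None means directly connected; 0.0.0.0/0 is the default route.
# These entries are assumed for the simulation, not taken from a device.
ROUTING_TABLE = [
    (ip_network("192.168.7.0/30"), None),                         # link to 192.168.7.1
    (ip_network("192.168.2.0/30"), None),                         # link to 192.168.2.2
    (ip_network("192.168.30.0/24"), ip_address("192.168.55.2")),  # learned route
    (ip_network("0.0.0.0/0"), ip_address("192.168.7.1")),         # default route
]

# Access lists as (source network, destination network) permit entries.
ACLS = {
    100: [(ip_network("0.0.0.0/0"), ip_network("0.0.0.0/0"))],       # permit ip any any
    104: [(ip_network("192.168.4.1/32"), ip_network("0.0.0.0/0"))],  # permit ip host 192.168.4.1 any
}

# Route-map clauses as (match ACL, set action, next hop).
ROUTE_MAPS = {
    "OSPF-DEFAULT-NEXT-HOP": [(100, "default next-hop", ip_address("192.168.7.1"))],
    "iosv4-to-iosv9": [(104, "next-hop", ip_address("192.168.2.2"))],
    "UNREACHABLE-HOP": [(100, "next-hop", ip_address("172.16.9.9"))],  # hypothetical, no route to hop
}


def longest_match(addr):
    """Longest-prefix lookup; returns (prefix, next hop) or None when nothing covers addr."""
    hits = [(p, nh) for p, nh in ROUTING_TABLE if addr in p]
    return max(hits, key=lambda e: e[0].prefixlen) if hits else None


def has_explicit_route(addr):
    """True when a route other than the default route covers addr."""
    route = longest_match(addr)
    return route is not None and route[0].prefixlen > 0


def acl_permits(number, src, dst):
    """True when any permit entry of the numbered ACL matches the packet."""
    return any(src in s and dst in d for s, d in ACLS[number])


def forward(src, dst, route_map):
    """Decide how a packet is forwarded when route_map is applied to its ingress.

    Returns ("policy", hop) when PBR overrides the routing table and
    ("routing-table", hop) otherwise; hop is "connected" for on-link
    destinations and None when no route exists at all.
    """
    src, dst = ip_address(src), ip_address(dst)
    normal = longest_match(dst)
    normal_hop = None if normal is None else ("connected" if normal[1] is None else str(normal[1]))

    for acl, action, hop in ROUTE_MAPS[route_map]:
        if not acl_permits(acl, src, dst):
            continue  # this clause does not match; try the next one
        if action == "default next-hop":
            # An explicit route wins; PBR only fills in where routing has nothing.
            if has_explicit_route(dst):
                return ("routing-table", normal_hop)
            return ("policy", str(hop))
        if action == "next-hop":
            # PBR overrides routing, but only if the next hop itself is reachable.
            if has_explicit_route(hop):
                return ("policy", str(hop))
            return ("routing-table", normal_hop)
    # No clause matched (implicit deny): normal forwarding.
    return ("routing-table", normal_hop)


if __name__ == "__main__":
    for pkt in [("192.168.4.1", "192.168.30.5", "OSPF-DEFAULT-NEXT-HOP"),
                ("192.168.4.1", "10.99.0.1", "OSPF-DEFAULT-NEXT-HOP"),
                ("192.168.4.1", "10.99.0.1", "iosv4-to-iosv9"),
                ("192.168.5.1", "10.99.0.1", "iosv4-to-iosv9"),
                ("192.168.4.1", "10.99.0.1", "UNREACHABLE-HOP")]:
        print(pkt, "->", forward(*pkt))
```

The first two packets show the default next-hop behaviour: the destination with a learned /24 route is forwarded by the routing table even though ACL 100 matches everything, while the destination covered only by the default route is policy routed to 192.168.7.1. The remaining packets show set ip next-hop overriding the routing table for iosv-4's traffic, falling back to normal forwarding when the source does not match ACL 104, and falling back again when the configured next hop has no route.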