Hi Joshua,


The usual way to do this is to match only the client you want to apply the policy route to, and let the default do the work for all the rest. So you can drop access list 20 and that policy.


I think you also want default-next-hop (which will honor the route table for connected/local subnets) instead of next-hop, which will send all traffic out to the cisco or srx, depending on the match.


SO, you only need:



route-map 100 permit 10
match ip address 10
set default-next-hop 10.5.1.5
!

interface vlan 100
ip policy route-map 100 ?


I'm using an S-Series, so check your command paths.


William Summers
Network Administrator
Deerfield Academy
Tel. 413.774.1838

________________________________
From: ***@westernmutual.com <***@westernmutual.com>
Sent: Thursday, September 25, 2014 4:27 PM
To: Enterasys Customer Mailing List
Subject: [enterasys] Policy Based Routing

I'm trying to configure a policy based route to override the default route that is currently in place on my N7 running 6.12.03.0003. Currently there is a default route on the N7 that is routing traffic out to the Internet via 192.168.37.1. I'm trying to redirect packets from 192.168.1.17 to 10.5.1.5. When I apply the following config I shut down everything from 192.168.37.1 and up. Does anyone see what I'm doing?

!
access-list 10 permit host 192.168.1.17
access-list 20 permit any
!
route-map 100 permit 10
match ip address 10
set next-hop 10.5.1.5
!
route-map 100 permit 20
match ip address 20
set next-hop 192.168.37.1
!
interface vlan 100
ip policy route-map 100

+---------------------+
|Scary Internet |
| Cloud |
+----------+---------+
|
|
|
|1.1.1.1
+--------+----------+ +--+
| | | |
| | +------+ Server
| SRX240 +------------------------+------+ 192.168.1.17
| |192.168.1.1
+--------+----------+
|192.168.37.1
|
|
|
|Vlan 100
|192.168.37.2
+--------+----------+
| |
|Enterasys | +----------------------+
|N7 |10.5.1.1 10.5.1.5| |
| +----------------------------------+ Cisco 3845 |
| |Vlan 5 | |
+--------------------+ +----------------------+

Joshua Sanders
Asst. Vice President - Systems Operations
Western Mutual Insurance Group
26775 Malibu Hills Road Suite 100
Calabasas, CA 91301
Main Line: 800-927-2142
***@westernmutual.com

* --To unsubscribe from enterasys, send email to ***@unc.edu<mailto:***@unc.edu> with the body: unsubscribe enterasys ***@deerfield.edu

---
To unsubscribe from enterasys, send email to ***@unc.edu with the body: unsubscribe enterasys gneu-***@gmane.org

Thanks William. Apparently my older firmware doesn't have the
default-next-hop. The only thing available when I go into the route-map
config is next-hop. I'm going to apply the config and see if I bring my
network to it's knees. :) Wish me luck!

Joshua Sanders
Asst. Vice President - Systems Operations
Western Mutual Insurance Group
26775 Malibu Hills Road Suite 100
Calabasas, CA 91301
Main Line: 800-927-2142
***@westernmutual.com




From: "Summers, William" <***@deerfield.edu>
To: "Enterasys Customer Mailing List" <***@listserv.unc.edu>
Date: 09/25/2014 01:50 PM
Subject: RE: [enterasys] Policy Based Routing



Hi Joshua,


The usual way to do this is to match only the client you want to apply the
policy route to, and let the default do the work for all the rest. So you
can drop access list 20 and that policy.


I think you also want default-next-hop (which will honor the route table
for connected/local subnets) instead of next-hop, which will send all
traffic out to the cisco or srx, depending on the match.


SO, you only need:



route-map 100 permit 10
match ip address 10
set default-next-hop 10.5.1.5
!

interface vlan 100
ip policy route-map 100 ?


I'm using an S-Series, so check your command paths.


William Summers
Network Administrator
Deerfield Academy
Tel. 413.774.1838

________________________________
From: ***@westernmutual.com <***@westernmutual.com>
Sent: Thursday, September 25, 2014 4:27 PM
To: Enterasys Customer Mailing List
Subject: [enterasys] Policy Based Routing

I'm trying to configure a policy based route to override the default route
that is currently in place on my N7 running 6.12.03.0003. Currently there
is a default route on the N7 that is routing traffic out to the Internet
via 192.168.37.1. I'm trying to redirect packets from 192.168.1.17 to
10.5.1.5. When I apply the following config I shut down everything from
192.168.37.1 and up. Does anyone see what I'm doing?

!
access-list 10 permit host 192.168.1.17
access-list 20 permit any
!
route-map 100 permit 10
match ip address 10
set next-hop 10.5.1.5
!
route-map 100 permit 20
match ip address 20
set next-hop 192.168.37.1
!
interface vlan 100
ip policy route-map 100

+---------------------+
|Scary Internet |
| Cloud |
+----------+---------+
|
|
|
|1.1.1.1
+--------+----------+ +--+
| | | |
| | +------+ Server
| SRX240 +------------------------+------+ 192.168.1.17
| |192.168.1.1
+--------+----------+
|192.168.37.1
|
|
|
|Vlan 100
|192.168.37.2
+--------+----------+
| |
|Enterasys | +----------------------+
|N7 |10.5.1.1 10.5.1.5| |
| +----------------------------------+ Cisco
3845 |
| |Vlan 5 | |
+--------------------+ +----------------------+

Joshua Sanders
Asst. Vice President - Systems Operations
Western Mutual Insurance Group
26775 Malibu Hills Road Suite 100
Calabasas, CA 91301
Main Line: 800-927-2142
***@westernmutual.com

* --To unsubscribe from enterasys, send email to ***@unc.edu<
mailto:***@unc.edu> with the body: unsubscribe enterasys
***@deerfield.edu

---
To unsubscribe from enterasys, send email to ***@unc.edu with the
body: unsubscribe enterasys ***@westernmutual.com


---
To unsubscribe from enterasys, send email to ***@unc.edu with the body: unsubscribe enterasys gneu-***@gmane.org

?Looking at this a little closer Joshua, I think you really want the policy route on the SRX, attached to 192.168.1.1 interface. If what you want is to send all traffic from 192.168.1.17 to 10.5.1.5.


Nice text diagram by the way....that must have taken some time.





William Summers
Network Administrator
Deerfield Academy
Tel. 413.774.1838
________________________________
From: ***@westernmutual.com <***@westernmutual.com>
Sent: Thursday, September 25, 2014 5:11 PM
To: Enterasys Customer Mailing List
Subject: RE: [enterasys] Policy Based Routing

Thanks William. Apparently my older firmware doesn't have the default-next-hop. The only thing available when I go into the route-map config is next-hop. I'm going to apply the config and see if I bring my network to it's knees. :) Wish me luck!

Joshua Sanders
Asst. Vice President - Systems Operations
Western Mutual Insurance Group
26775 Malibu Hills Road Suite 100
Calabasas, CA 91301
Main Line: 800-927-2142
***@westernmutual.com




From: "Summers, William" <***@deerfield.edu>
To: "Enterasys Customer Mailing List" <***@listserv.unc.edu>
Date: 09/25/2014 01:50 PM
Subject: RE: [enterasys] Policy Based Routing
________________________________



Hi Joshua,


The usual way to do this is to match only the client you want to apply the policy route to, and let the default do the work for all the rest. So you can drop access list 20 and that policy.


I think you also want default-next-hop (which will honor the route table for connected/local subnets) instead of next-hop, which will send all traffic out to the cisco or srx, depending on the match.


SO, you only need:



route-map 100 permit 10
match ip address 10
set default-next-hop 10.5.1.5
!

interface vlan 100
ip policy route-map 100 ?


I'm using an S-Series, so check your command paths.


William Summers
Network Administrator
Deerfield Academy
Tel. 413.774.1838

________________________________
From: ***@westernmutual.com <***@westernmutual.com>
Sent: Thursday, September 25, 2014 4:27 PM
To: Enterasys Customer Mailing List
Subject: [enterasys] Policy Based Routing

I'm trying to configure a policy based route to override the default route that is currently in place on my N7 running 6.12.03.0003. Currently there is a default route on the N7 that is routing traffic out to the Internet via 192.168.37.1. I'm trying to redirect packets from 192.168.1.17 to 10.5.1.5. When I apply the following config I shut down everything from 192.168.37.1 and up. Does anyone see what I'm doing?

!
access-list 10 permit host 192.168.1.17
access-list 20 permit any
!
route-map 100 permit 10
match ip address 10
set next-hop 10.5.1.5
!
route-map 100 permit 20
match ip address 20
set next-hop 192.168.37.1
!
interface vlan 100
ip policy route-map 100

+---------------------+
|Scary Internet |
| Cloud |
+----------+---------+
|
|
|
|1.1.1.1
+--------+----------+ +--+
| | | |
| | +------+ Server
| SRX240 +------------------------+------+ 192.168.1.17
| |192.168.1.1
+--------+----------+
|192.168.37.1
|
|
|
|Vlan 100
|192.168.37.2
+--------+----------+
| |
|Enterasys | +----------------------+
|N7 |10.5.1.1 10.5.1.5| |
| +----------------------------------+ Cisco 3845 |
| |Vlan 5 | |
+--------------------+ +----------------------+

Joshua Sanders
Asst. Vice President - Systems Operations
Western Mutual Insurance Group
26775 Malibu Hills Road Suite 100
Calabasas, CA 91301
Main Line: 800-927-2142
***@westernmutual.com

* --To unsubscribe from enterasys, send email to ***@unc.edu<mailto:***@unc.edu> with the body: unsubscribe enterasys ***@deerfield.edu

---
To unsubscribe from enterasys, send email to ***@unc.edu with the body: unsubscribe enterasys ***@westernmutual.com


* --To unsubscribe from enterasys, send email to ***@unc.edu<mailto:***@unc.edu> with the body: unsubscribe enterasys ***@deerfield.edu

---
To unsubscribe from enterasys, send email to ***@unc.edu with the body: unsubscribe enterasys gneu-***@gmane.org

heh, thanks. I'd love to take credit but it was actually done through
asciiflow.com. I've already configured PBR on the SRX to forward traffic
coming from 192.168.1.17 to 192.168.37.2. I'm able to ping 37.2 but not
10.5.1.1 on the other side.

Joshua Sanders
Asst. Vice President - Systems Operations
Western Mutual Insurance Group
26775 Malibu Hills Road Suite 100
Calabasas, CA 91301
Main Line: 800-927-2142
***@westernmutual.com




From: "Summers, William" <***@deerfield.edu>
To: "Enterasys Customer Mailing List" <***@listserv.unc.edu>
Cc: "***@westernmutual.com" <***@westernmutual.com>
Date: 09/25/2014 02:30 PM
Subject: RE: [enterasys] Policy Based Routing



?Looking at this a little closer Joshua, I think you really want the
policy route on the SRX, attached to 192.168.1.1 interface. If what you
want is to send all traffic from 192.168.1.17 to 10.5.1.5.


Nice text diagram by the way....that must have taken some time.





William Summers
Network Administrator
Deerfield Academy
Tel. 413.774.1838
________________________________
From: ***@westernmutual.com <***@westernmutual.com>
Sent: Thursday, September 25, 2014 5:11 PM
To: Enterasys Customer Mailing List
Subject: RE: [enterasys] Policy Based Routing

Thanks William. Apparently my older firmware doesn't have the
default-next-hop. The only thing available when I go into the route-map
config is next-hop. I'm going to apply the config and see if I bring my
network to it's knees. :) Wish me luck!

Joshua Sanders
Asst. Vice President - Systems Operations
Western Mutual Insurance Group
26775 Malibu Hills Road Suite 100
Calabasas, CA 91301
Main Line: 800-927-2142
***@westernmutual.com




From: "Summers, William" <***@deerfield.edu>
To: "Enterasys Customer Mailing List" <***@listserv.unc.edu>
Date: 09/25/2014 01:50 PM
Subject: RE: [enterasys] Policy Based Routing
________________________________



Hi Joshua,


The usual way to do this is to match only the client you want to apply the
policy route to, and let the default do the work for all the rest. So you
can drop access list 20 and that policy.


I think you also want default-next-hop (which will honor the route table
for connected/local subnets) instead of next-hop, which will send all
traffic out to the cisco or srx, depending on the match.


SO, you only need:



route-map 100 permit 10
match ip address 10
set default-next-hop 10.5.1.5
!

interface vlan 100
ip policy route-map 100 ?


I'm using an S-Series, so check your command paths.


William Summers
Network Administrator
Deerfield Academy
Tel. 413.774.1838

________________________________
From: ***@westernmutual.com <***@westernmutual.com>
Sent: Thursday, September 25, 2014 4:27 PM
To: Enterasys Customer Mailing List
Subject: [enterasys] Policy Based Routing

I'm trying to configure a policy based route to override the default route
that is currently in place on my N7 running 6.12.03.0003. Currently there
is a default route on the N7 that is routing traffic out to the Internet
via 192.168.37.1. I'm trying to redirect packets from 192.168.1.17 to
10.5.1.5. When I apply the following config I shut down everything from
192.168.37.1 and up. Does anyone see what I'm doing?

!
access-list 10 permit host 192.168.1.17
access-list 20 permit any
!
route-map 100 permit 10
match ip address 10
set next-hop 10.5.1.5
!
route-map 100 permit 20
match ip address 20
set next-hop 192.168.37.1
!
interface vlan 100
ip policy route-map 100

+---------------------+
|Scary Internet |
| Cloud |
+----------+---------+
|
|
|
|1.1.1.1
+--------+----------+ +--+
| | | |
| | +------+ Server
| SRX240 +------------------------+------+ 192.168.1.17
| |192.168.1.1
+--------+----------+
|192.168.37.1
|
|
|
|Vlan 100
|192.168.37.2
+--------+----------+
| |
|Enterasys | +----------------------+
|N7 |10.5.1.1 10.5.1.5| |
| +----------------------------------+ Cisco
3845 |
| |Vlan 5 | |
+--------------------+ +----------------------+

Joshua Sanders
Asst. Vice President - Systems Operations
Western Mutual Insurance Group
26775 Malibu Hills Road Suite 100
Calabasas, CA 91301
Main Line: 800-927-2142
***@westernmutual.com

* --To unsubscribe from enterasys, send email to ***@unc.edu<
mailto:***@unc.edu> with the body: unsubscribe enterasys
***@deerfield.edu

---
To unsubscribe from enterasys, send email to ***@unc.edu with the
body: unsubscribe enterasys ***@westernmutual.com


* --To unsubscribe from enterasys, send email to ***@unc.edu<
mailto:***@unc.edu> with the body: unsubscribe enterasys
***@deerfield.edu

---
To unsubscribe from enterasys, send email to ***@unc.edu with the
body: unsubscribe enterasys ***@westernmutual.com


---
To unsubscribe from enterasys, send email to ***@unc.edu with the body: unsubscribe enterasys gneu-***@gmane.org

Thanks for the hint. Turned out that I had a mis-config on the SRX. The
data is flowing.

Joshua Sanders
Asst. Vice President - Systems Operations
Western Mutual Insurance Group
26775 Malibu Hills Road Suite 100
Calabasas, CA 91301
Main Line: 800-927-2142
***@westernmutual.com




From: "Summers, William" <***@deerfield.edu>
To: "Enterasys Customer Mailing List" <***@listserv.unc.edu>
Cc: "***@westernmutual.com" <***@westernmutual.com>
Date: 09/25/2014 02:30 PM
Subject: RE: [enterasys] Policy Based Routing



?Looking at this a little closer Joshua, I think you really want the
policy route on the SRX, attached to 192.168.1.1 interface. If what you
want is to send all traffic from 192.168.1.17 to 10.5.1.5.


Nice text diagram by the way....that must have taken some time.





William Summers
Network Administrator
Deerfield Academy
Tel. 413.774.1838
________________________________
From: ***@westernmutual.com <***@westernmutual.com>
Sent: Thursday, September 25, 2014 5:11 PM
To: Enterasys Customer Mailing List
Subject: RE: [enterasys] Policy Based Routing

Thanks William. Apparently my older firmware doesn't have the
default-next-hop. The only thing available when I go into the route-map
config is next-hop. I'm going to apply the config and see if I bring my
network to it's knees. :) Wish me luck!

Joshua Sanders
Asst. Vice President - Systems Operations
Western Mutual Insurance Group
26775 Malibu Hills Road Suite 100
Calabasas, CA 91301
Main Line: 800-927-2142
***@westernmutual.com




From: "Summers, William" <***@deerfield.edu>
To: "Enterasys Customer Mailing List" <***@listserv.unc.edu>
Date: 09/25/2014 01:50 PM
Subject: RE: [enterasys] Policy Based Routing
________________________________



Hi Joshua,


The usual way to do this is to match only the client you want to apply the
policy route to, and let the default do the work for all the rest. So you
can drop access list 20 and that policy.


I think you also want default-next-hop (which will honor the route table
for connected/local subnets) instead of next-hop, which will send all
traffic out to the cisco or srx, depending on the match.


SO, you only need:



route-map 100 permit 10
match ip address 10
set default-next-hop 10.5.1.5
!

interface vlan 100
ip policy route-map 100 ?


I'm using an S-Series, so check your command paths.


William Summers
Network Administrator
Deerfield Academy
Tel. 413.774.1838

________________________________
From: ***@westernmutual.com <***@westernmutual.com>
Sent: Thursday, September 25, 2014 4:27 PM
To: Enterasys Customer Mailing List
Subject: [enterasys] Policy Based Routing

I'm trying to configure a policy based route to override the default route
that is currently in place on my N7 running 6.12.03.0003. Currently there
is a default route on the N7 that is routing traffic out to the Internet
via 192.168.37.1. I'm trying to redirect packets from 192.168.1.17 to
10.5.1.5. When I apply the following config I shut down everything from
192.168.37.1 and up. Does anyone see what I'm doing?

!
access-list 10 permit host 192.168.1.17
access-list 20 permit any
!
route-map 100 permit 10
match ip address 10
set next-hop 10.5.1.5
!
route-map 100 permit 20
match ip address 20
set next-hop 192.168.37.1
!
interface vlan 100
ip policy route-map 100

+---------------------+
|Scary Internet |
| Cloud |
+----------+---------+
|
|
|
|1.1.1.1
+--------+----------+ +--+
| | | |
| | +------+ Server
| SRX240 +------------------------+------+ 192.168.1.17
| |192.168.1.1
+--------+----------+
|192.168.37.1
|
|
|
|Vlan 100
|192.168.37.2
+--------+----------+
| |
|Enterasys | +----------------------+
|N7 |10.5.1.1 10.5.1.5| |
| +----------------------------------+ Cisco
3845 |
| |Vlan 5 | |
+--------------------+ +----------------------+

Joshua Sanders
Asst. Vice President - Systems Operations
Western Mutual Insurance Group
26775 Malibu Hills Road Suite 100
Calabasas, CA 91301
Main Line: 800-927-2142
***@westernmutual.com

* --To unsubscribe from enterasys, send email to ***@unc.edu<
mailto:***@unc.edu> with the body: unsubscribe enterasys
***@deerfield.edu

---
To unsubscribe from enterasys, send email to ***@unc.edu with the
body: unsubscribe enterasys ***@westernmutual.com


* --To unsubscribe from enterasys, send email to ***@unc.edu<
mailto:***@unc.edu> with the body: unsubscribe enterasys
***@deerfield.edu

---
To unsubscribe from enterasys, send email to ***@unc.edu with the
body: unsubscribe enterasys ***@westernmutual.com


---
To unsubscribe from enterasys, send email to ***@unc.edu with the body: unsubscribe enterasys gneu-***@gmane.org

​sweet.



William Summers
Network Administrator
Deerfield Academy
Tel. 413.774.1838
________________________________
From: ***@westernmutual.com <***@westernmutual.com>
Sent: Thursday, September 25, 2014 5:50 PM
To: Enterasys Customer Mailing List
Subject: RE: [enterasys] Policy Based Routing

Thanks for the hint. Turned out that I had a mis-config on the SRX. The data is flowing.

Joshua Sanders
Asst. Vice President - Systems Operations
Western Mutual Insurance Group
26775 Malibu Hills Road Suite 100
Calabasas, CA 91301
Main Line: 800-927-2142
***@westernmutual.com




From: "Summers, William" <***@deerfield.edu>
To: "Enterasys Customer Mailing List" <***@listserv.unc.edu>
Cc: "***@westernmutual.com" <***@westernmutual.com>
Date: 09/25/2014 02:30 PM
Subject: RE: [enterasys] Policy Based Routing
________________________________



?Looking at this a little closer Joshua, I think you really want the policy route on the SRX, attached to 192.168.1.1 interface. If what you want is to send all traffic from 192.168.1.17 to 10.5.1.5.


Nice text diagram by the way....that must have taken some time.





William Summers
Network Administrator
Deerfield Academy
Tel. 413.774.1838
________________________________
From: ***@westernmutual.com <***@westernmutual.com>
Sent: Thursday, September 25, 2014 5:11 PM
To: Enterasys Customer Mailing List
Subject: RE: [enterasys] Policy Based Routing

Thanks William. Apparently my older firmware doesn't have the default-next-hop. The only thing available when I go into the route-map config is next-hop. I'm going to apply the config and see if I bring my network to it's knees. :) Wish me luck!

Joshua Sanders
Asst. Vice President - Systems Operations
Western Mutual Insurance Group
26775 Malibu Hills Road Suite 100
Calabasas, CA 91301
Main Line: 800-927-2142
***@westernmutual.com




From: "Summers, William" <***@deerfield.edu>
To: "Enterasys Customer Mailing List" <***@listserv.unc.edu>
Date: 09/25/2014 01:50 PM
Subject: RE: [enterasys] Policy Based Routing
________________________________



Hi Joshua,


The usual way to do this is to match only the client you want to apply the policy route to, and let the default do the work for all the rest. So you can drop access list 20 and that policy.


I think you also want default-next-hop (which will honor the route table for connected/local subnets) instead of next-hop, which will send all traffic out to the cisco or srx, depending on the match.


SO, you only need:



route-map 100 permit 10
match ip address 10
set default-next-hop 10.5.1.5
!

interface vlan 100
ip policy route-map 100 ?


I'm using an S-Series, so check your command paths.


William Summers
Network Administrator
Deerfield Academy
Tel. 413.774.1838

________________________________
From: ***@westernmutual.com <***@westernmutual.com>
Sent: Thursday, September 25, 2014 4:27 PM
To: Enterasys Customer Mailing List
Subject: [enterasys] Policy Based Routing

I'm trying to configure a policy based route to override the default route that is currently in place on my N7 running 6.12.03.0003. Currently there is a default route on the N7 that is routing traffic out to the Internet via 192.168.37.1. I'm trying to redirect packets from 192.168.1.17 to 10.5.1.5. When I apply the following config I shut down everything from 192.168.37.1 and up. Does anyone see what I'm doing?

!
access-list 10 permit host 192.168.1.17
access-list 20 permit any
!
route-map 100 permit 10
match ip address 10
set next-hop 10.5.1.5
!
route-map 100 permit 20
match ip address 20
set next-hop 192.168.37.1
!
interface vlan 100
ip policy route-map 100

+---------------------+
|Scary Internet |
| Cloud |
+----------+---------+
|
|
|
|1.1.1.1
+--------+----------+ +--+
| | | |
| | +------+ Server
| SRX240 +------------------------+------+ 192.168.1.17
| |192.168.1.1
+--------+----------+
|192.168.37.1
|
|
|
|Vlan 100
|192.168.37.2
+--------+----------+
| |
|Enterasys | +----------------------+
|N7 |10.5.1.1 10.5.1.5| |
| +----------------------------------+ Cisco 3845 |
| |Vlan 5 | |
+--------------------+ +----------------------+

Joshua Sanders
Asst. Vice President - Systems Operations
Western Mutual Insurance Group
26775 Malibu Hills Road Suite 100
Calabasas, CA 91301
Main Line: 800-927-2142
***@westernmutual.com

* --To unsubscribe from enterasys, send email to ***@unc.edu<mailto:***@unc.edu> with the body: unsubscribe enterasys ***@deerfield.edu

---
To unsubscribe from enterasys, send email to ***@unc.edu with the body: unsubscribe enterasys ***@westernmutual.com


* --To unsubscribe from enterasys, send email to ***@unc.edu<mailto:***@unc.edu> with the body: unsubscribe enterasys ***@deerfield.edu

---
To unsubscribe from enterasys, send email to ***@unc.edu with the body: unsubscribe enterasys ***@westernmutual.com


* --To unsubscribe from enterasys, send email to ***@unc.edu<mailto:***@unc.edu> with the body: unsubscribe enterasys ***@deerfield.edu

---
To unsubscribe from enterasys, send email to ***@unc.edu with the body: unsubscribe enterasys gneu-enterasy