White Papers

Using Policy Based Routing and Access Control Lists in a Virtualized Network
2 Example 1: Traffic Isolation
Route one IP address range (or subnet) to ISP A, and a second IP address range (or subnet) to ISP B. In this
example, it is assumed that traditional routing is already enabled and configured.
Consider the company network below, which comprises several groups including Human Resources (HR)
and Accounting. Each group has a different IP address range within the same subnet. There is a
requirement to route HR internet traffic through ISP A while the Accounting traffic needs to be routed
through ISP B, as shown in Figure 1. The switch that routes this traffic for the different groups can use
PBR.
[Figure 1. Using Policy Based Routing for Traffic Isolation. The figure shows the Internet reached via ISP A and ISP B, a switch stack, and the Human Resources and Accounting hosts; addresses labelled in the figure: 172.16.7.7, 192.168.6.6, 10.1.5.x and 10.1.6.x]
Using a route-map, a match statement is configured based on the IP address range of each group. Equal
access as well as source IP address-sensitive routing is achieved using this technique.
Two access lists (Accounting and HR) are created to associate each packet with its corresponding work
group (Accounting or HR). Packets coming from one range of IP addresses are associated with the
Accounting group; packets from another range of IP addresses are associated with the HR group. A
route-map is then used to determine the group each packet belongs to and to send it out the desired
interface using a "next-hop" statement.
Note: The "next-hop" IP address must be found in the IP routing table to prevent the packet from
reverting to traditional routing. This requires that the next hop router be directly connected. Packets are
dropped if the next-hop address specified in the route-map is not reachable.
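To make the classification concrete, here is an added example (not from the white paper, which names no platform or CLI) that models the route-map evaluation in Python: each clause matches a source-address ACL and forces a next hop, and, per the note above, a matched packet whose next hop is not in the routing table is dropped. The mapping of 10.1.5.x to HR, 10.1.6.x to Accounting, and 172.16.7.7 / 192.168.6.6 to ISP A / ISP B is assumed from the figure labels.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class AclEntry:
    action: str                      # "permit" or "deny"
    source: ipaddress.IPv4Network    # source range this entry matches

@dataclass
class RouteMapClause:
    seq: int                          # sequence number; lowest is evaluated first
    match_acl: str                    # ACL named in the clause's "match" statement
    next_hop: ipaddress.IPv4Address   # address from the "set next-hop" statement

# Constructed sample policy modelled on Figure 1. Which range belongs to which
# group, and which next hop is ISP A or ISP B, is assumed from the figure labels.
ACLS = {
    "HR": [AclEntry("permit", ipaddress.ip_network("10.1.5.0/24"))],
    "ACCOUNTING": [AclEntry("permit", ipaddress.ip_network("10.1.6.0/24"))],
}
ROUTE_MAP = [
    RouteMapClause(10, "HR", ipaddress.ip_address("172.16.7.7")),           # ISP A
    RouteMapClause(20, "ACCOUNTING", ipaddress.ip_address("192.168.6.6")),  # ISP B
]
# Directly connected networks present in the IP routing table
CONNECTED = [ipaddress.ip_network("172.16.7.0/24"),
             ipaddress.ip_network("192.168.6.0/24")]

def acl_permits(entries, src):
    """First matching entry decides; no match hits the implicit deny at the end."""
    for entry in entries:
        if src in entry.source:
            return entry.action == "permit"
    return False

def select_next_hop(src_ip, route_map=ROUTE_MAP, acls=ACLS, connected=CONNECTED):
    """Return (next_hop, reason) for a packet with the given source address.

    next_hop is the forced next-hop address, "traditional" when no clause matches
    and the packet falls back to the routing table, or None when the note's
    caveat applies: the clause matched but its next hop is not reachable.
    """
    src = ipaddress.ip_address(src_ip)
    for clause in route_map:
        if not acl_permits(acls[clause.match_acl], src):
            continue  # try the next sequence number
        if any(clause.next_hop in net for net in connected):
            return str(clause.next_hop), f"route-map seq {clause.seq}"
        return None, f"next-hop {clause.next_hop} not in routing table: dropped"
    return "traditional", "no route-map clause matched"
```

Passing a shorter `connected` list simulates an ISP link going down, which is the case the note warns about.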