PBR Problem with IP next hop

Unanswered Question
Mar 5th, 2007
Hi,


Please refer to the diagram I have attached. I have configured the following.



The default gateway to the internet for switch 1 is via 10.50.100.2.


The gateway to vlan 10 and 30 is the vlan configured on switch 1 for . such that all traffic goes from Pix 1.


I have a new Vlan vlan 172. I have configured the gateway for this vlan on switch 3.


I have tested the reachability to and from this vlan to all other vlans.




I now want the clients on vlan 172 to go through the other pix 2 to the internet and access the lan as usual.


I configured the following Route map on Switch3.


ip access-list extended DMZList
 permit ip 172.16.200.0 0.0.0.255 any
!
route-map DMZRoute permit 10
 match ip address DMZList
 set ip next-hop 10.50.100.3
!
interface Vlan172
 ip policy route-map DMZRoute


On applying the route map, the clients from vlan 172 can reach the internet; however, they lose all connectivity to the internal network.


What could be going wrong, and what are the things I should look out for?


I would appreciate your help.


thankx



spremkumar Tue, 03/06/2007 - 00:10

Hi Sanjay


I would suggest redefining the ACL so that it denies access from VLAN 172 to the other internal networks and permits VLAN 172 to access any.


I feel this may force the denied traffic to use the normal routing table and the permitted traffic to make use of the next hop defined in your route-map.


Very similar to the config lines below:


ip access-list extended DMZList
 deny ip 172.16.200.0 0.0.0.255 10.10.100.0 0.0.0.255
 deny ip 172.16.200.0 0.0.0.255 10.30.100.0 0.0.0.255
 permit ip 172.16.200.0 0.0.0.255 any
!
route-map DMZRoute permit 10
 match ip address DMZList
 set ip next-hop 10.50.100.3
!
interface Vlan172
 ip policy route-map DMZRoute


regds



sanjay.ccie Wed, 03/07/2007 - 23:45

hi,

Your suggestion was indeed the solution. I had added another statement to the route map in which I set the next hop to switch 1 for the other VLANs, without realizing that the access list in the first statement allowed "any" traffic and thus the permit 20 in the route map would never be evaluated.


thanx a lot.
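The behaviour both posts describe comes down to first-match evaluation: a route-map tries its sequences in order, a sequence matches only when its ACL permits the packet, and an ACL deny just drops the packet out of that sequence (and, if nothing else matches, out of policy routing altogether). The small simulator below is an added example, not code from this thread; it models Sanjay's two-sequence attempt and spremkumar's single-sequence fix using the addresses from the thread, and assumes the VLAN 10/30 subnets are the ones in spremkumar's ACL lines and that the host addresses are constructed.

```python
import ipaddress

# Next hops from the thread: switch 1's default gateway (the Pix 1 path that
# normal routing uses) and the next hop the route-map sets (Pix 2).
PIX1_NEXT_HOP = "10.50.100.2"
PIX2_NEXT_HOP = "10.50.100.3"

def in_wildcard(ip, network, wildcard):
    """Cisco wildcard match: a 1 bit in the wildcard means 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == \
           (int(ipaddress.IPv4Address(network)) & care)

def acl_match(acl, src, dst):
    """First-match ACL walk; returns 'permit', 'deny' or None (implicit deny)."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if in_wildcard(src, s_net, s_wc) and in_wildcard(dst, d_net, d_wc):
            return action
    return None

def pbr_next_hop(route_map, src, dst):
    """Sequences are tried in order; the first whose ACL permits the packet wins.
    A deny (explicit or implicit) only means 'this sequence does not match';
    if no sequence matches, the packet is forwarded by the routing table."""
    for _seq, acl, next_hop in route_map:
        if acl_match(acl, src, dst) == "permit":
            return next_hop
    return "routing-table"

ANY = ("0.0.0.0", "255.255.255.255")
VLAN172 = ("172.16.200.0", "0.0.0.255")
VLAN10 = ("10.10.100.0", "0.0.0.255")    # subnets as in spremkumar's ACL
VLAN30 = ("10.30.100.0", "0.0.0.255")

# Sanjay's attempt: sequence 10 permits everything from VLAN 172, so the
# sequence 20 meant to steer internal traffic to switch 1 is never reached.
ORIGINAL_MAP = [
    (10, [("permit", *VLAN172, *ANY)], PIX2_NEXT_HOP),
    (20, [("permit", *VLAN172, *VLAN10), ("permit", *VLAN172, *VLAN30)], PIX1_NEXT_HOP),
]
# spremkumar's fix: deny the internal destinations first so they drop out of
# the route-map and use normal routing; only the remainder goes to Pix 2.
FIXED_MAP = [
    (10, [("deny", *VLAN172, *VLAN10), ("deny", *VLAN172, *VLAN30),
          ("permit", *VLAN172, *ANY)], PIX2_NEXT_HOP),
]

if __name__ == "__main__":
    for label, rmap in (("original", ORIGINAL_MAP), ("fixed", FIXED_MAP)):
        for dst in ("10.10.100.5", "203.0.113.7"):   # internal host, internet host (constructed)
            print(label, dst, "->", pbr_next_hop(rmap, "172.16.200.10", dst))
```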


