Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
236
Views
5
Helpful
2
Replies

PBR Problem with IP next hop

sanjay.ccie
Level 1
Level 1

‎03-05-2007 11:47 PM - edited ‎03-05-2019 02:43 PM

Hi,

Please refer to the diagram I have attached. I have configured the following.

The default gateway to the internet for switch 1 is via 10.50.100.2.

The gateway to vlan 10 and 30 is the vlan configured on switch 1 for . such that all traffic goes from Pix 1.

I have a new Vlan vlan 172. I have configured the gateway for this vlan on switch 3.

I have tested the reachability to and from this vlan to all other vlans.

I now want the clients on vlan 172 to go through the other pix 2 to the internet and access the lan as usual.

I configured the following Route map on Switch3.

ip access-list extended DMZList

Permit ip 172.16.200.0 0.0.0.255 any

Route-map DMZRoute Permit 10

match ip address DMZList

set ip next 10.50.100.3

interface Vlan172

ip policy route-map DMZRoute.

On applying the route map the clients from vlan 172 can reach internet however loses all connectivity to the internal network.

What could go wrong ? and what should be the things that I should look out for.

I would appreciate your help.

thankx

Labels:
Preview file
45 KB
0 Helpful
2 Replies 2

spremkumar
Level 9
Level 9

‎03-06-2007 12:10 AM

Hi Sanjay

I would suggest to redefine the ACL in which you can deny the access from VLAN 172 to other internal networks and permit VLAN 172 to access any.

I feel this may enforce the denied traffic to use normal routing table and the permitted traffic to make use of the next hop defined in your route-map..

very similar to below config lines..

ip access-list extended DMZList

Deny ip 172.16.200.0 0.0.0.255 10.10.100.0 0.0.0.255

Deny ip 172.16.200.0 0.0.0.255 10.30.100.0 0.0.0.255

Permit ip 172.16.200.0 0.0.0.255 any

Route-map DMZRoute Permit 10

match ip address DMZList

set ip next 10.50.100.3

interface Vlan172

ip policy route-map DMZRoute.

regds

sanjay.ccie
Level 1
Level 1
In response to spremkumar

‎03-07-2007 11:45 PM

hi,

your suggestion was indeed the solution. I had added another statement to the route map in which i set the next hop to switch 1 for the other vlans without realizing that access list in the first statement allowed "any" traffic and thus the permit 20 in the route map will never be evaluated.

thanx a lot.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card