3560 policy-based-routing

Jul 18th, 2007


I'm trying to accomplish the following scenario with PBR. Please share your thoughts on whether the approach I'm taking can accomplish this.

Basically I want some workstations in my LAN to not be able to reach several IP addresses that are hosted in another country. Now I tried VLAN access maps with the usual ACL to deny all these IPs, but somehow they just didn't do a good job (probably trunking issues on the edge switches).

What I was thinking is:

- create a new VLAN with a new scope.

- create an ACL with permit statements for the remote IPs.

- create a PBR policy which sends any attempts to reach these remote IPs to a null interface.

- have this policy route tied to the newly created VLAN.

Jon Marshall Wed, 07/18/2007 - 07:56


This does sound a bit more complicated than it has to be. Are the source IP addresses in a different VLAN than the destination IP addresses?

If they are, I would use a normal ACL and apply it to the Layer 3 interface for that VLAN.

If they aren't, yes, you could put them into a separate VLAN, but then I would still use an ACL on the L3 VLAN interface.



Edison Ortiz Wed, 07/18/2007 - 08:01

Are you extending your VTP domain over the WAN connection?

In order to configure a VACL, you need to share the same VTP domain between src/dst; otherwise, just configure your typical ACL with access-group on the ingress/egress interface.

royalblues Wed, 07/18/2007 - 13:16

In addition, if you are going to use ACLs on the SVI to block the traffic, there is no need for the PBR to route to Null0 for all the denied IPs.

The traffic would be dropped anyway, and you can also use the deny any any log parameter to see the counts violating the permission.
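A worked IOS configuration for the ACL-on-SVI approach the replies recommend, with the PBR-to-Null0 design sketched in the original post beside it for comparison. This is an added example, not configuration from the thread; the VLAN number, the documentation-range addresses (192.0.2.0/24 for the LAN, 203.0.113.x for the remote hosts) and the ACL/route-map names are constructed.

```cisco
! Constructed example, not the poster's configuration.
! LAN workstations live in VLAN 20 (192.0.2.0/24); the two remote hosts
! to be blocked are 203.0.113.10 and 203.0.113.11 (documentation ranges).
!
! --- Approach recommended in the replies: extended ACL on the SVI ---
ip access-list extended BLOCK-REMOTE
 remark drop VLAN 20 traffic to the remote hosts and log the hits
 deny   ip 192.0.2.0 0.0.0.255 host 203.0.113.10 log
 deny   ip 192.0.2.0 0.0.0.255 host 203.0.113.11 log
 permit ip any any
!
interface Vlan20
 ip address 192.0.2.1 255.255.255.0
 ip access-group BLOCK-REMOTE in
!
! Per-entry hit counters for the deny lines:
!   show ip access-lists BLOCK-REMOTE
!
! --- What the original post sketched: PBR sending matches to Null0 ---
! Shown only for comparison; with the ACL above it is unnecessary.
ip access-list extended REMOTE-HOSTS
 permit ip 192.0.2.0 0.0.0.255 host 203.0.113.10
 permit ip 192.0.2.0 0.0.0.255 host 203.0.113.11
!
route-map DROP-REMOTE permit 10
 match ip address REMOTE-HOSTS
 set interface Null0
!
interface Vlan20
 ip policy route-map DROP-REMOTE
```

On a Catalyst 3560 the PBR variant additionally requires the IP services image and the `sdm prefer routing` template before `ip policy route-map` is accepted, which is one more reason the plain inbound ACL is the simpler control.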