3560 policy-based-routing

echelon360
Level 1

Guys,

I'm trying to accomplish the following scenario with a PBR. Please do share your thoughts on whether the approach I'm taking can accomplish this.

Basically I want some workstations in my LAN to not be able to reach several IP addresses that are hosted in another country. Now I tried VLAN access maps with the usual ACL to deny all these IPs, but somehow they just didn't do a good job (probably trunking issues on the edge switches).

What i was thinking is:

- create a new VLAN with a new scope.

- create an ACL with the permit statements for the remote IPs.

- create a PBR which sends any attempts to these remote IPs to a null interface.

- have this policy-route tied to the newly created VLAN.

3 Replies

Jon Marshall
Hall of Fame

Hi

This does sound a bit more complicated than it has to be. Are the source IP addresses in a different VLAN than the destination IP addresses?

If they are, I would use a normal ACL and apply it to the layer 3 interface for that VLAN.

If they aren't, yes, you could put them into a separate VLAN, but then I would still use an ACL on the L3 VLAN interface.

HTH

Jon

Edison Ortiz
Hall of Fame

Are you extending your VTP domain over the WAN connection?

In order to configure VACL, you need to share the same VTP domain between src/dst - else just configure your typical ACL with access-group on the ingress/egress interface.

In addition, if you are going to use ACLs on the SVI to block the traffic, there is no need for the PBR to route to null0 for all the denied IPs.

The traffic would be dropped anyway, and you can also use the deny any any log parameter to see the counts of packets violating the permission.

HTH

Narayan
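The approach both replies recommend, written out as an added example (this is not configuration from the thread or from any of its posters): the restricted workstations get their own VLAN as in the original plan, but the remote addresses are blocked with an extended ACL applied to that VLAN's SVI instead of a PBR route-map pointing at Null0. Every address here is an assumption: 10.20.30.0/24 stands in for the new workstation VLAN and 203.0.113.0/24 (the TEST-NET-3 documentation range) stands in for the remote hosts; substitute the real ranges.

```cisco
! Added example, not from the thread. Block a set of remote destinations from one
! workstation VLAN using a router ACL on the SVI. Addresses are placeholders:
! 10.20.30.0/24 = assumed restricted workstation VLAN, 203.0.113.0/24 = assumed remote range.
!
! Extended ACL: deny the remote range (logging each match), then permit everything else.
ip access-list extended BLOCK-REMOTE-HOSTS
 remark Drop traffic from restricted workstations to the remote address range
 deny   ip 10.20.30.0 0.0.0.255 203.0.113.0 0.0.0.255 log
 remark Explicit permit is required; the implicit deny at the end would otherwise drop all other traffic
 permit ip any any
!
! Dedicated VLAN for the restricted workstations, as in the original plan
vlan 30
 name RESTRICTED-WORKSTATIONS
!
! Layer 3 SVI for that VLAN. The ACL is applied inbound, so it is evaluated as packets
! enter the switch from the VLAN, before any routing (or PBR) decision is made.
interface Vlan30
 ip address 10.20.30.1 255.255.255.0
 ip access-group BLOCK-REMOTE-HOSTS in
!
! No route-map with "set interface Null0" is needed: the deny entry already discards the traffic.
```

To confirm the policy is working, check the per-entry match counters with `show ip access-lists BLOCK-REMOTE-HOSTS` and the logged hits with `show logging`. Two things worth knowing before relying on the `log` keyword: ACL logging is rate-limited, so the counters are the reliable record while the log messages are a sample, and on the Catalyst 3560 packets that match a logged entry are punted to the CPU, so keep logging on the few deny entries you actually need rather than on the permit statement.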
