Policy Based Routing with Deny

subra4u
Level 1

Hi All,

We have a Cat-3550 with a route-map on an SVI (VLAN 1) to redirect the traffic. Everything is fine except for the fact that the traffic to the other VLANs is also routed the same way, with an additional hop. I would like to exclude this using a deny statement, but for some reason that doesn't seem to work. Please find the config details below:

interface Vlan1
ip address 10.18.1.2 255.255.255.0
ip directed-broadcast
ip policy route-map server
no ip mroute-cache
end

route-map server permit 10
match ip address servers
set ip next-hop 10.18.122.6

ip access-list extended servers
permit ip 10.18.1.0 0.0.0.255 any

New config (which doesn't work):

route-map newserver deny 10
match ip address 199
!
route-map newserver permit 20
match ip address servers
set ip next-hop 10.18.122.6

access-list 199 permit ip 10.18.1.0 0.0.0.255 10.18.2.0 0.0.0.255
access-list 199 permit ip 10.18.1.0 0.0.0.255 10.18.3.0 0.0.0.255
access-list 199 permit ip 10.18.1.0 0.0.0.255 10.18.4.0 0.0.0.255
access-list 199 permit ip 10.18.1.0 0.0.0.255 10.18.5.0 0.0.0.255

What am I missing here? Thanks in advance,

Cheers

subra


Subra,

Your configuration looks good to me. You want to deny switching between VLANs to let them go using the normal routing table.

You may use a "debug ip policy" command to see what's going on.

Well, in case it really doesn't work, you may think about other ways.

!
route-map newserver permit 10
match ip address only-for-server
set ip next-hop 10.18.122.6

ip access-list extended only-for-server
deny ip 10.18.1.0 0.0.0.255 10.18.2.0 0.0.0.255
deny ip 10.18.1.0 0.0.0.255 10.18.3.0 0.0.0.255
deny ip 10.18.1.0 0.0.0.255 10.18.4.0 0.0.0.255
deny ip 10.18.1.0 0.0.0.255 10.18.5.0 0.0.0.255
permit ip 10.18.1.0 0.0.0.255 any
!

HTH,

Toshi
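The two approaches in this thread rely on two different "deny" semantics: a matched deny clause in a route-map exits policy routing and the packet takes the normal routing table, while a deny entry inside the match ACL simply makes that clause not match. The following Python model of that evaluation is an added example, not IOS code or anything from the original thread; the ACL and route-map contents are the ones posted above, and the sample hosts are constructed.

```python
import ipaddress

# Constructed model of Cisco PBR route-map evaluation (not IOS code).
# ACL entry: (action, src_net, src_wildcard, dst_net, dst_wildcard)
# Route-map clause: (action, match_acl_name, next_hop_or_None)

def wildcard_match(addr, net, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care', so compare only the 0 bits."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

def acl_permits(acl, src, dst):
    """First matching entry wins; an ACL ends with an implicit deny."""
    for action, snet, swc, dnet, dwc in acl:
        if wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc):
            return action == "permit"
    return False

def pbr_next_hop(route_map, acls, src, dst):
    """Walk the route-map top-down. A matched permit clause applies its
    set ip next-hop; a matched deny clause, or no match at all, returns None,
    meaning the packet is forwarded by the normal routing table."""
    for action, acl_name, next_hop in route_map:
        if acl_permits(acls[acl_name], src, dst):
            return next_hop if action == "permit" else None
    return None

ANY = ("0.0.0.0", "255.255.255.255")
OTHER_VLANS = [(f"10.18.{v}.0", "0.0.0.255") for v in (2, 3, 4, 5)]
ACLS = {
    "servers": [("permit", "10.18.1.0", "0.0.0.255", *ANY)],
    # access-list 199 from the original post
    "199": [("permit", "10.18.1.0", "0.0.0.255", *d) for d in OTHER_VLANS],
    # Toshi's single ACL with deny entries in front of the permit
    "only-for-server": [("deny", "10.18.1.0", "0.0.0.255", *d) for d in OTHER_VLANS]
                       + [("permit", "10.18.1.0", "0.0.0.255", *ANY)],
}
# OP's route-map newserver: deny clause first, then the redirecting permit clause
NEWSERVER = [("deny", "199", None), ("permit", "servers", "10.18.122.6")]
# Toshi's route-map: one permit clause, exclusions handled inside the ACL
ONLY_FOR_SERVER = [("permit", "only-for-server", "10.18.122.6")]

if __name__ == "__main__":
    for rm in (NEWSERVER, ONLY_FOR_SERVER):
        print(pbr_next_hop(rm, ACLS, "10.18.1.50", "10.18.3.7"),   # None: inter-VLAN, normal routing
              pbr_next_hop(rm, ACLS, "10.18.1.50", "192.0.2.10"))  # 10.18.122.6: policy routed
```

Both route-maps give the same answer for every flow, which is why either fix works; "debug ip policy" on the switch shows the same decision ("policy match" versus "policy rejected -- normal forwarding") per packet.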

Cheers mate. It works.

bretjaquish
Level 3

Why not just add a "deny" statement to the front of your "permit" statement in the ip access-list extended servers access list?

Bret,

Are you really thinking about that way? If so, 5P! for you anyway! heheheh..

Toshi

LOL, that's what I get for walking away before hitting the post button. One minute!

bret,

Maybe less than one minute! (grin)

Good job, man.

Toshi

venkat.thiruve
Level 1

no

venkat.thiruve
Level 1

I found the details of the IP address on the site http://www.ip-details.com/ Is there any website to find the details of the IP address owner?
