Jun 22nd, 2009

I have an interesting scenario; it is only for testing purposes and not what we will use for production. This is just for testing! Here is what I am trying to do.

I have a VLAN that is set up for all workstations:

VLAN 100

interface Vlan100
 description VLAN-100
 ip address
 ip ospf priority 10
 ip policy route-map VLAN100_POLICY

In this router/MSFC we are running EIGRP and OSPF; this is not where the issue is, this part is pretty straightforward. We then have a default route:

ip route

This is the interface IP on the firewall.

In this path there is a proxy.

Here is the route-map that is applied to the VLAN interface:

route-map VLAN100_POLICY permit 10
 match ip address GOTO_FIREWALL
 set ip default next-hop

In this ACL we have IPs that will be used to bypass the proxy. The list is quite long so I will not bore you all with the info.

OK, on to what I need to do.

I am setting up a new proxy with more features and need to test a handful of users. I have my IP that needs to take a different path:

New VLAN103

New proxy

New firewall interface

Here are the ACLs I have created so far:

ip access-list extended BYPASS-BC2-TO-DMZ
 permit ip host

ip access-list extended BYPASS-BC2-TO-E1
 permit ip host

ip access-list extended GOTO-BLUECOAT2
 permit ip host any


And the route-maps for manipulation:

route-map VLAN100_POLICY permit 15
 match ip address BYPASS-BC2-TO-DMZ
 set ip next-hop

route-map VLAN100_POLICY permit 20
 match ip address GOTO-BLUECOAT2
 set ip next-hop

I am trying to get internal access set up and am having a difficult time.

For instance I need to get to, which is directly connected:

interface Vlan252
 description VLAN252-CSM
 ip address


MONR001#sh ip route
Routing entry for
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Redistributing via eigrp 555, ospf 100
  Advertised by ospf 100
  Routing Descriptor Blocks:
  * directly connected, via Vlan252
      Route metric is 0, traffic share count is 1

Is there a way to get my workstation to go to network with a route-map to a directly connected IP?

Yudong Wu Mon, 06/22/2009 - 14:17

If I understand your question correctly, what you need is just to use PBR to route your traffic to the specified host. So, you need to apply the related route-map under the interface of the VLAN where your PC is.

Rick Morris Tue, 06/23/2009 - 06:03

That is the question.

I know I need a PBR to get the traffic where I need it. The question in all of this is how do you build the PBR for a directly connected network.

I think I provided enough detail in the post, at least I hope, to explain what I am trying to do.

Yudong Wu Tue, 06/23/2009 - 06:38

Can you clarify your topology? Is directly connected to MONR001, and is your PC directly connected to this router as well?

If not, is MONR001 the last hop for to access network?

Rick Morris Tue, 06/23/2009 - 06:44

On the 6509 MSFC I have the following:

interface Vlan100
 description VLAN-100
 ip address
 ip ospf priority 10
 ip policy route-map VLAN100_POLICY

This is my default route for my workstation.

Also on this same 6509 is:

interface Vlan252
 description VLAN252-CSM
 ip address

This is the network I am trying to get to.

In this setup, according to my routing policy, I have a default route of

So if something does not match the policy applied to interface VLAN 100 the traffic will go here.

So from a topology standpoint, the networks I am referring to are all local, which is why they show as directly connected.

How do you create a PBR to a directly connected network?

Is it possible?

This is what I am trying to do.

Yudong Wu Tue, 06/23/2009 - 07:30

OK, I hope I understand it now.

Say you would like your PC to access network , which is a directly connected network on the same 6509: do you want to forward the packet to a specified host first? If not, why don't you just let the routing table make the decision? If yes, just use the related "match ip address " and "set ip next hop x.x.x.x" commands in your route-map. Make sure there is no overlapping entry in your existing ACL "GOTO_FIREWALL".

Rick Morris Tue, 06/23/2009 - 07:42

I cannot let routing make the decision because I am trying to manipulate the routing table for the test I am trying to run. I am trying to send traffic to a new location for internet and non-directly-connected networks, and that is just fine. When trying to direct that host to a local network it normally has access to, it does not route. I need some way to do this via PBR. What you propose cannot technically be done; IOS will not allow you to use a next-hop to an IP that is self, in this case the directly connected network. I am looking for a way to get around this.
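As an added illustration (not from this thread or from Cisco), a small Python model of the IOS PBR order of operations that separates the "set ip next-hop" used in sequences 15 and 20 of VLAN100_POLICY from the "set ip default next-hop" used in sequence 10: the former is applied before the routing table is consulted, so a host matched by "permit ip host <host> any" is sent to the new proxy even for a directly connected destination such as Vlan252, while the latter lets an explicit (here, connected) route win and only uses the policy next hop where routing would otherwise fall to the default route. All addresses, the routing table and the route-map shape are constructed placeholders.

```python
from ipaddress import ip_address, ip_network

# Constructed routing table for the 6509 MSFC in the thread (addresses are
# placeholders, not the poster's): two connected VLANs plus the static default
# route to the firewall interface.
ROUTES = [
    ("10.100.0.0/24", "connected", "Vlan100"),
    ("10.252.0.0/24", "connected", "Vlan252"),
    ("0.0.0.0/0", "static", "10.1.1.1"),
]
TEST_HOST = "10.100.0.50"   # the workstation under test (constructed)
NEW_PROXY = "10.103.0.10"   # the new proxy on VLAN103 (constructed)
DEFAULT_ROUTE = "0.0.0.0/0"

def lookup(dst):
    """Longest-prefix match in ROUTES; returns (prefix, kind, via) or None."""
    dst = ip_address(dst)
    candidates = [r for r in ROUTES if dst in ip_network(r[0])]
    return max(candidates, key=lambda r: ip_network(r[0]).prefixlen, default=None)

def policy(verb):
    """Route-map shaped like the thread's sequence 20: match the test host
    (permit ip host <host> any) and send it to the new proxy using VERB."""
    return [(20, lambda src, dst: ip_address(src) == ip_address(TEST_HOST), verb, NEW_PROXY)]

def forward(src, dst, route_map):
    """Return the next hop or outgoing interface chosen for a packet src -> dst.

    Models the IOS PBR order: the first matching sequence wins; 'set ip next-hop'
    is applied before the routing table is consulted, while 'set ip default
    next-hop' is applied only when the table has no explicit route for dst
    (a default route does not count as explicit)."""
    for _seq, match, verb, next_hop in route_map:
        if not match(src, dst):
            continue
        route = lookup(dst)
        explicit = route is not None and route[0] != DEFAULT_ROUTE
        if verb == "set ip next-hop":
            return next_hop           # policy overrides even a connected route
        if verb == "set ip default next-hop" and not explicit:
            return next_hop           # used only where routing would hit the default
        break                         # matched, but normal routing applies
    route = lookup(dst)
    return route[2] if route else None

if __name__ == "__main__":
    for verb in ("set ip next-hop", "set ip default next-hop"):
        print(verb, "->", forward(TEST_HOST, "10.252.0.7", policy(verb)))
```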


