Route-map related query

Jacob Samuel
Level 1

Hi Friends,

I would like to know something about route-map.

I have some VLANs in my switch; I want some of the IPs from these VLANs to go outside through another router (router2). I have created different route-maps and called them on each interface VLAN. I have a VLAN that is connecting to the routers also. Instead of creating different route-maps for different VLANs and calling them on each different layer 3 interface VLAN, can I create a common route-map which permits IPs from different VLANs and call it on the VLAN that is connecting to the router, or should I call it on the interface VLAN itself?

ie-

!
! Layer 2 VLAN definitions
vlan 10
 name floor1
vlan 20
 name floor2
vlan 30
 name floor3
vlan 100
 name connect-to-routers
!
! Layer 3 SVIs (the IP address goes on the interface, not under "vlan")
interface Vlan10
 ip address 1.1.1.1 255.255.255.0
interface Vlan20
 ip address 2.2.2.1 255.255.255.0
interface Vlan30
 ip address 3.3.3.1 255.255.255.0
!
interface Vlan100
 ip address 10.10.10.10 255.255.255.0
!

thanks and regards

Sunny


14 Replies

Jon Marshall
Hall of Fame

jacob.samuel wrote:

Hi Friends,

I would like to know something about route-map.

I have some VLANs in my switch; I want some of the IPs from these VLANs to go outside through another router (router2). I have created different route-maps and called them on each interface VLAN. I have a VLAN that is connecting to the routers also. Instead of creating different route-maps for different VLANs and calling them on each different layer 3 interface VLAN, can I create a common route-map which permits IPs from different VLANs and call it on the VLAN that is connecting to the router, or should I call it on the interface VLAN itself?

ie-

!
! Layer 2 VLAN definitions
vlan 10
 name floor1
vlan 20
 name floor2
vlan 30
 name floor3
vlan 100
 name connect-to-routers
!
! Layer 3 SVIs (the IP address goes on the interface, not under "vlan")
interface Vlan10
 ip address 1.1.1.1 255.255.255.0
interface Vlan20
 ip address 2.2.2.1 255.255.255.0
interface Vlan30
 ip address 3.3.3.1 255.255.255.0
!
interface Vlan100
 ip address 10.10.10.10 255.255.255.0
!

thanks and regards

Sunny

Sunny

PBR only works on ingress, not egress, so if you want to policy route traffic for vlans 10, 20 & 30 you will need to apply the route-map to each of these interfaces.

Jon

Hi

Thanks for the reply. I have a few more doubts on this:

1) Can I make a route-map with different next hops, like a primary and a secondary?

2) I have certain L3 VLANs created in the MSFC and certain L3 VLANs created in the FWSM module. How can I do the route-map for L3 VLANs inside the FWSM?

regards

Sunny

jacob.samuel wrote:

Hi

Thanks for the reply. I have a few more doubts on this:

1) Can I make a route-map with different next hops, like a primary and a secondary?

2) I have certain L3 VLANs created in the MSFC and certain L3 VLANs created in the FWSM module. How can I do the route-map for L3 VLANs inside the FWSM?

regards

Sunny

Sunny

1) Yes you can. You can do "set ip next-hop"

2) FWSM does not support PBR so you can only do it on MSFC vlan interfaces.

Jon
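The following is an added example, not configuration from the thread or from Jon, that puts his two answers into one working IOS snippet: a single common route-map whose "set ip next-hop" lists a primary and a secondary next hop, applied on every SVI where the traffic enters (Vlan10/20/30) because PBR is an ingress feature. The router addresses on VLAN 100 (10.10.10.2 for router2, 10.10.10.3 for router1) and the three host addresses in the ACL are assumptions; only the VLAN numbers and SVI addresses come from the original post.

```ios
! Added example - not configuration from the thread. Assumed values:
!   10.10.10.2 = router2 on VLAN 100 (preferred exit for the listed hosts)
!   10.10.10.3 = router1 on VLAN 100 (used only if router2 is not reachable)
!   1.1.1.50, 2.2.2.50, 3.3.3.50 = the hosts that should leave via router2
!
! Match only the specific sources that need the alternate exit. Anything
! not permitted here falls through to normal destination-based routing.
ip access-list extended HOSTS-VIA-ROUTER2
 permit ip host 1.1.1.50 any
 permit ip host 2.2.2.50 any
 permit ip host 3.3.3.50 any
!
! One common route-map. "set ip next-hop" accepts several addresses; the
! next one is tried only when the previous one is not considered reachable
! (typically the interface toward it is down). It is not an end-to-end
! liveness check of the router.
route-map PBR-VIA-ROUTER2 permit 10
 match ip address HOSTS-VIA-ROUTER2
 set ip next-hop 10.10.10.2 10.10.10.3
!
! PBR acts on packets arriving on the interface it is applied to, so the
! same map goes on each SVI where the hosts enter the switch. Applying it
! on Vlan100 would only affect traffic arriving FROM the routers.
interface Vlan10
 ip address 1.1.1.1 255.255.255.0
 ip policy route-map PBR-VIA-ROUTER2
!
interface Vlan20
 ip address 2.2.2.1 255.255.255.0
 ip policy route-map PBR-VIA-ROUTER2
!
interface Vlan30
 ip address 3.3.3.1 255.255.255.0
 ip policy route-map PBR-VIA-ROUTER2
!
interface Vlan100
 ip address 10.10.10.10 255.255.255.0
 ! no "ip policy" here - this is the egress side
!
! Verification (exec mode):
!   show ip policy                  - which interfaces carry which route-map
!   show route-map PBR-VIA-ROUTER2  - clauses and "Policy routing matches"
```

The ACL deliberately permits only the hosts that need the alternate path; a broad "permit ip any any" would silently send every VLAN's traffic through router2, including management and firewall-bound flows. A deny entry in the ACL, or a packet that matches nothing, is simply routed by the normal table.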

Thanks a lot, Jon. I do see some commands like route-map in the FWSM interface configuration, but I also need to check more into that. If you have any information on the same, I would appreciate it.

Thanks again for your kind help Jon.

regards

Sunny

jacob.samuel wrote:

Thanks a lot, Jon. I do see some commands like route-map in the FWSM interface configuration, but I also need to check more into that. If you have any information on the same, I would appreciate it.

Thanks again for your kind help Jon.

regards

Sunny

Sunny

Route-maps are used for a number of things, not just PBR. The FWSM does support the route-map command, but only for controlling redistributed routes:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/command/reference/qr.html#wp1593801

Jon

Hi Jon,

Thanks a lot for the link. What should I do in this case: I have 2 servers inside the server farm (FWSM interface) at 2 locations, and they are getting synchronized frequently over the WAN; this takes too much bandwidth from the WAN. I have one dedicated link and another link acting as a backup; as a remedy the customer wants to put the traffic from these servers through the secondary link.

The positioning of the firewall is behind the MSFC (FWSM -> Switch MSFC -> Routers).

Could you help me with any suggestion on this please.

Thanks and Regards

Sunny

jacob.samuel wrote:

Hi Jon,

Thanks a lot for the link. What should I do in this case: I have 2 servers inside the server farm (FWSM interface) at 2 locations, and they are getting synchronized frequently over the WAN; this takes too much bandwidth from the WAN. I have one dedicated link and another link acting as a backup; as a remedy the customer wants to put the traffic from these servers through the secondary link.

The positioning of the firewall is behind the MSFC (FWSM -> Switch MSFC -> Routers).

Could you help me with any suggestion on this please.

Thanks and Regards

Sunny

Sunny

If the secondary link is on the routers in your diagram above then you can still use PBR. However, I need to know: is the secondary link on the same router as the primary link or on a different router?

If same router you can use PBR on the LAN facing interface on the router at both ends.

If different routers then you can use PBR on the vlan interface that connects to the outside of the FWSM.

Jon

Hi Jon,

Thanks a lot for the suggestion. There was some discussion going on to move the backup link from the second router and plug it directly into the MSFC. I will create a static route to point the traffic destined for the branch 2 servers from the branch 1 servers & will use PBR, same at the branch 2 core switch also. As per this plan the secondary link will be in the core switch itself. In this scenario I believe I should put the route-map on the FWSM Outside VLAN interface only, right?

appreciate your response.

thanks & regards

Jacob

jacob.samuel wrote:

Hi Jon,

Thanks a lot for the suggestion. There was some discussion going on to move the backup link from the second router and plug it directly into the MSFC. I will create a static route to point the traffic destined for the branch 2 servers from the branch 1 servers & will use PBR, same at the branch 2 core switch also. As per this plan the secondary link will be in the core switch itself. In this scenario I believe I should put the route-map on the FWSM Outside VLAN interface only, right?

appreciate your response.

thanks & regards

Jacob

If you are connecting the backup link directly into the 6500 then yes, the only place you can do PBR would be on the SVI on the MSFC that connects to the outside of the FWSM.

Jon

Hi Jon,

I did this testing by putting the PBR on the FWSM outside interface VLAN on the MSFC. I did it without changing the link from Router 2 to the core switch, since the link transfer from the router to the core switch may take some time. I was testing using tracert to find which route it is taking. For the MSFC VLAN the traffic is showing the trace paths, but for the firewalled VLAN I cannot see the trace paths; it's giving * only.

I cannot see any match count on the access-list and route-maps on the core switch FWSM outside VLAN. I tried a wrong IP next hop and this time I can see hits on the access-list and route-map also. Is there any issue? If yes, what could be the issue? Since it is a firewalled source & destination, is that why it is like this?

Is the solution working? Why is the access-list and route-map count on the core switch not getting increased?

Appreciate your valuable input

thanks and regards

Sunny

jacob.samuel wrote:

Hi Jon,

I did this testing by putting the PBR on the FWSM outside interface VLAN on the MSFC. I did it without changing the link from Router 2 to the core switch, since the link transfer from the router to the core switch may take some time. I was testing using tracert to find which route it is taking. For the MSFC VLAN the traffic is showing the trace paths, but for the firewalled VLAN I cannot see the trace paths; it's giving * only.

I cannot see any match count on the access-list and route-maps on the core switch FWSM outside VLAN. I tried a wrong IP next hop and this time I can see hits on the access-list and route-map also. Is there any issue? If yes, what could be the issue? Since it is a firewalled source & destination, is that why it is like this?

Is the solution working? Why is the access-list and route-map count on the core switch not getting increased?

Appreciate your valuable input

thanks and regards

Sunny

Sunny

The 6500 does PBR in hardware as well as ACL processing (at least most of the time). Because it is done in hardware, the counters on such things as ACLs are not incremented, i.e. they will only be incremented on a 6500 if the processing was done in software.

So if the solution is working then don't worry about the counters.

Jon

Hi Jon,

Thanks a lot for the solution. It is working fine.

regards

Sunny

Hi

I am facing an issue in this scenario now: the link from ISP 1 is connected to the router and the backup link from ISP 2 is now connected to the core switch. Now I am using a default route on the core switch to forward the traffic to the router, and using a route-map and forwarding the traffic from the servers to the secondary link. I want the users to use the primary link always, and the secondary link as a backup for the primary also.

Here my issue is: from the core I am forwarding the traffic to the router using the default route (0.0.0.0 0.0.0.0 192.168.1.1); now I need to route the traffic from the users to the secondary link on the core if the ISP 1 link fails. How can I do the same?

I added a secondary default route pointing to the secondary link on the core, but it will work only if the router itself fails or the Ethernet link from the core switch to the router fails. How will I re-route the traffic to the secondary link if the ISP 1 link fails?

regards

Sunny

Sunny, you could use reliable static routing using two default routes, one being tracked, and I believe you can integrate this feature while still doing PBR.

http://www.cisco.com/en/US/docs/ios/12_3/12_3x/12_3xe/feature/guide/dbackupx.html

The issue at hand, however, is that if I recall, the IOS versions that are used on MSFCs don't support this feature, but this is a search I did a couple of years ago, perhaps it has changed; you may want to check Feature Navigator against your MSFC IOS version. Native IOS does support IP SLA route track, just a thought.

I'm sure Jon will have other thoughts.

Regards

Jorge Rodriguez
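The following is an added example, not configuration from the thread, from Jorge or from Cisco's guide, showing the reliable static routing approach he describes combined with the PBR Sunny already has in place: a tracked default route for users with a floating default behind it, and a route-map for the server traffic that prefers the ISP2 hop only while a probe says it is alive. Only 192.168.1.1 (the primary router) comes from the thread; the ISP2 next hop 198.51.100.1, the probe targets 203.0.113.1 and 198.51.100.254, the server pair 10.1.1.10/10.2.2.10 and the FWSM-outside SVI Vlan200 are assumptions. As Jorge notes, whether the MSFC image supports object tracking has to be checked in Feature Navigator.

```ios
! Added example - not configuration from the thread. Assumed values:
!   192.168.1.1    = primary router on the core (from the thread)
!   198.51.100.1   = ISP2 next hop now terminated on the core switch
!   203.0.113.1    = address beyond the primary router that answers ICMP
!   198.51.100.254 = address beyond the ISP2 hop that answers ICMP
!   10.1.1.10 -> 10.2.2.10 = the server pair whose sync should use ISP2
!   Vlan200        = SVI facing the FWSM outside interface
!
! Probe something on the far side of each link, not the router itself:
! the core-to-router Ethernet stays up when the ISP1 circuit fails, which
! is exactly the case a plain floating static route cannot detect.
ip sla 1
 icmp-echo 203.0.113.1
 frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 198.51.100.254
 frequency 10
ip sla schedule 2 life forever start-time now
!
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
!
! Host routes pin each probe to its own link; without them a failover
! would send probe 1 out via ISP2 and the track would wrongly come back up.
ip route 203.0.113.1 255.255.255.255 192.168.1.1
ip route 198.51.100.254 255.255.255.255 198.51.100.1
!
! Users: default via the primary while track 1 is up; the floating default
! (administrative distance 250) via ISP2 takes over when it goes down.
ip route 0.0.0.0 0.0.0.0 192.168.1.1 track 1
ip route 0.0.0.0 0.0.0.0 198.51.100.1 250
!
! Servers: PBR prefers ISP2, but only while track 2 reports it reachable;
! otherwise the packet falls through to the (tracked) routing table.
ip access-list extended SERVER-SYNC
 permit ip host 10.1.1.10 host 10.2.2.10
!
route-map SERVERS-VIA-ISP2 permit 10
 match ip address SERVER-SYNC
 set ip next-hop verify-availability 198.51.100.1 10 track 2
!
! Applied on the SVI facing the FWSM outside interface, the only MSFC
! interface where the firewalled server traffic enters the switch.
interface Vlan200
 ip policy route-map SERVERS-VIA-ISP2
!
! Older IOS trains spell the probe "rtr 1" and the track
! "track 1 rtr 1 reachability" instead of "ip sla".
```

Two points a practitioner would check before relying on this: "show track" should show both objects changing state when the far-side probe target is blackholed, and the probe targets must be addresses that will keep answering ICMP (a provider may rate-limit or drop pings to its own gear, which would pull the default route for no reason).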