Setting up route maps on a Catalyst 3750

Answered Question

I understand that the 3750 does not support the ip default next-hop command; however, I still have a need for some of my VLANs to go out a secondary Internet connection. Let's say I have 4 VLANs (shown below). Can I effectively deny all local traffic to my route-map and still send Internet traffic out the second gateway? Below I am denying the private ranges and then permitting anything else. So then in theory, I could just add ip policy route-map PBR to each VLAN that I want to send out my second Internet connection.


VLAN 10   = 192.168.10.0 /24
VLAN 11   = 192.168.11.0 /24
VLAN 100  = 10.10.0.0 /24
VLAN 106  = 172.20.1.0 /24


! Deny traffic between the RFC 1918 ranges so inter-VLAN traffic is not policy-routed.
! 10.0.0.0/8 needs wildcard 0.255.255.255; 0.0.0.255 would only cover 10.0.0.0/24 and miss VLAN 100 (10.10.0.0/24).
access-list 101 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 101 deny ip 192.168.0.0 0.0.255.255 172.16.0.0 0.15.255.255
access-list 101 deny ip 192.168.0.0 0.0.255.255 10.0.0.0 0.255.255.255

access-list 101 deny ip 172.16.0.0 0.15.255.255 192.168.0.0 0.0.255.255
access-list 101 deny ip 172.16.0.0 0.15.255.255 172.16.0.0 0.15.255.255
access-list 101 deny ip 172.16.0.0 0.15.255.255 10.0.0.0 0.255.255.255

access-list 101 deny ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
access-list 101 deny ip 10.0.0.0 0.255.255.255 172.16.0.0 0.15.255.255
access-list 101 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255

! Everything else (Internet-bound traffic) matches and is policy-routed.
access-list 101 permit ip any any


! Packets permitted by ACL 101 get the second gateway as next hop; denied packets use the routing table.
route-map PBR permit 10
   match ip address 101
   set ip next-hop [Second-Default-Gateway-IP]

! Apply the policy to each VLAN that should use the second Internet connection.
int vlan 10
   ip policy route-map PBR


This leads me to my questions


1) Internal traffic (inter-VLAN communications) should still function just fine, correct? Since the route-map will not match, the internal routes are still used?

2) If the above config example does work correctly, is there a way that I can have the PBR route-map essentially shut itself off if my [Second-Default-Gateway-IP] is not available? This way the VLANs would not be denied Internet access; they would go out the gateway of last resort.

Jon Marshall Wed, 04/14/2010 - 09:51




1) Although your config would work, the recommendation is not to use denies in an ACL for PBR on the 3750 because the denied packets are then sent to the CPU, i.e. software switched rather than hardware switched, and as this would be all inter-VLAN communication you would degrade the performance of the switch.


What else uses the gateway of last resort, i.e. you want to use a second default-gateway for the above subnets. What uses your gateway of last resort on the switch?


Jon
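Added example (Python, not code from this thread): a small model of Cisco wildcard-mask ACL matching that runs the OP's ACL 101 / route-map PBR logic over constructed hosts in the four VLANs, showing which flows hit a deny entry (and so fall through to the routing table, the software-switched path Jon describes) and which are sent to the second gateway. It also shows why the 10.0.0.0 entries need wildcard 0.255.255.255 rather than 0.0.0.255. The host and Internet addresses are constructed for the example.

```python
import ipaddress
from itertools import product

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def build_acl_101(ten_wildcard="0.255.255.255"):
    """ACL 101 from the question: deny RFC 1918 to RFC 1918, then permit any any.
    ten_wildcard lets you compare 0.0.0.255, which covers only 10.0.0.0/24
    and therefore misses VLAN 100 (10.10.0.0/24)."""
    private = [("192.168.0.0", "0.0.255.255"),
               ("172.16.0.0", "0.15.255.255"),
               ("10.0.0.0", ten_wildcard)]
    acl = [("deny", s, sw, d, dw) for (s, sw), (d, dw) in product(private, repeat=2)]
    acl.append(("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"))
    return acl

def acl_lookup(acl, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action
    return "deny"

def pbr_decision(acl, src, dst):
    """route-map PBR permit 10 / match ip address 101: an ACL permit means
    'set ip next-hop' to the second gateway; an ACL deny means the packet falls
    through to the normal routing table (on the 3750 that deny path is CPU
    switched, which is Jon's performance concern)."""
    return "second-gateway" if acl_lookup(acl, src, dst) == "permit" else "routing-table"

# Constructed sample hosts (not from the thread): one per VLAN, plus an Internet host.
HOSTS = {"vlan10": "192.168.10.5", "vlan11": "192.168.11.5",
         "vlan100": "10.10.0.5", "vlan106": "172.20.1.5", "internet": "203.0.113.9"}

def classify(acl, src="vlan10"):
    """For a host in VLAN src, where traffic to each other host is sent under this ACL."""
    return {name: pbr_decision(acl, HOSTS[src], ip)
            for name, ip in HOSTS.items() if name != src}

if __name__ == "__main__":
    for wc in ("0.0.0.255", "0.255.255.255"):
        print(wc, classify(build_acl_101(wc)))
```

With the 0.0.0.255 wildcard, VLAN 10 to VLAN 100 traffic is reported as going to the second gateway, i.e. internal traffic leaking out the second Internet connection.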

Jon Marshall Wed, 04/14/2010 - 10:14


I guess what I was trying to get at was that I needed some VLANs to go out my gateway of last resort and others to the ip next-hop. Is there an easier/more recommended way to do it on the 3750? This way I can take advantage of different connections (but not load balance them).


Your config is correct as I say. Perhaps you could try it and see what performance hit you get on the switch. If the CPU increases dramatically then you will know what is causing it.


You could look at vrf-lite, where you have 2 routing tables independent of each other, so one routing table could use the gateway of last resort and one could use the second default-gateway, but then you would need to do route leaking between the VRFs if you wanted to have inter-VLAN communication between those VLANs using the gateway of last resort and those using the second default-gateway. Not sure how easy this would be to set up as I have never done it in that way before.


Jon

Correct Answer
Jon Marshall Wed, 04/14/2010 - 10:31


The ip default next-hop would be the best way to go if I could do it. Is there any way that I could get some similar functionality without killing the CPU? Would vrf-lite be the only way?


I can't think of another way to achieve what you want short of using a separate switch for these VLANs. I would try the PBR route and see what happens to the CPU before going down the vrf-lite path.


The only other thing you could do is forward all traffic to the gateway of last resort and then have PBR on that device to redirect traffic from your specific vlans to the second default-gateway. This would remove the processing overhead from the 3750.


Jon
