PBR on cisco 3560

esnw33430
Level 1

Hello all

I'm having a problem configuring PBR on a switch......

We have a 3560 with the IP Services IOS installed and SDM set to routing. We need 3 VLANs (each has its own router / ISP) and they all need to share a single printer / copier.

so:

vlan1 (users and isp1)

vlan2 (users and isp2)

vlan3 (users and isp3)

All the users in all VLANs need to access the same printer / copier. Any ideas?

I posted a similar question a while back but we found the IOS was incompatible with PBR; we now have a switch with IP Services IOS installed (12.2(53)SE1).

cheers

Graham

Accepted Solutions

Exactly.

We should have done this since we started ;-)

Federico.

26 Replies

Hello Graham,

You have 3 VLANs on the 3560.
Each VLAN has its default gateway as the 3560?
If so, what's the problem that you're having?

Where is the printer that needs to be accessible from all VLANs?
The 3560 can do InterVLAN routing as well; please specify what it is that you need.

Federico.

hi there

thanks for your reply....

Like you say, we already have 3 VLANs and each has its own router / internet access. The users are given the IP address of the router on their VLAN as default gateway, so I am told we will need PBR (these are not Cisco routers so it's making life a little awkward). We now need to add a printer that they all need to be able to use.

Do I need a 4th VLAN? Or do I just drop the printer into one of the existing VLANs?

Then once I have the printer on the network, how do I ensure that they can all print to it but not access each other's VLANs?

Cheers

Graham

Hi,

You only need PBR when you need to be able to manipulate the routing in some way so that it won't rely solely on the IP routing table.

If you need to access a printer (on another VLAN), then you can simply have a static route on the router for that.

PBR is only if the routing needs to be controlled not only on destination IP, but on source IP for instance.
I don't see a reason for PBR.

The printer can be on a separate VLAN (VLAN 4), or on one of the existing VLANs.

Federico.

Hi, and again thanks for your time on this....

So even though each VLAN has a router (that the users of that VLAN use as their default gateway) I don't need PBR?

These routers are the DHCP and DNS servers for their respective VLANs, so just to be clear (I might be wrong here so please correct me):

vlan1

192.168.1.x

192.168.1.1 (is the default gateway / router IP for vlan1 users)

vlan2

192.168.2.x

192.168.2.1  (is the default gateway / router IP for vlan2 users)

vlan3

192.168.3.x

192.168.3.1 (is the default gateway / router IP for vlan3 users)

vlan4 (created to hold the printer they all need to print to)

192.168.4.x

192.168.4.2 is the ip address for the printer they all need to print to

Users are given their IP by DHCP from the respective router attached to their VLAN and this cannot be changed. They will see 192.168.4.x as a subnet not local to the VLAN and so will attempt to route the traffic "off site" and so push the traffic out the WAN interface. Would PBR not be needed to route packets before the router on the VLAN tries to forward the traffic to the internet?

E.g. a user on VLAN 1 would see 192.168.4.2 as external to its LAN and so try to fire this out of its WAN connection.

cheers

Graham

If you have access to the routers (default gateways for the VLANs), then you don't need PBR.

All you need is the appropriate static routes to reach each of the other VLANs.

i.e.

User on VLAN 1 tries to access the printer (VLAN 4)

The packet is intended to a separate subnet.

The packet is sent to the default gateway.

The default gateway (the router) will send the packet to the other router so that it can be delivered to the appropriate destination subnet.

So, all you need is the appropriate static routes on the routers.

The problem is if you don't control the routers.

Then you will need to control the routing internally.

Federico.

Thanks for the info

The issue is, like you have said there, the routers are all different and I know that at least one of them does not allow me to add static routes back into the LAN. None of them support trunk ports either.

these are just low end ISP supplied routers with minimal functionality.

I'll try again to have the routers do the routing internally (well, on the ones that can handle static routes back into the LAN) and see what happens.

cheers

Graham

The easiest way then, is to have the 3560 to be the default gateway for all VLANs and do the InterVLAN routing.

In this case, the 3560 will have to do PBR to send the default gateway to the correct router based on source VLAN.

VLAN 1-4 will have default gateway the 3560.

The 3560 routes between VLANs.

The 3560 uses PBR to send the packets to the correct default gateway.

Federico.
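What Federico describes, as an added example that is neither his configuration nor anything from Cisco's documentation: a 3560 IOS config in which the SVIs (.2) are every VLAN's default gateway, the switch routes between VLANs, and route-maps send each VLAN's Internet traffic to that VLAN's ISP router (.1), with inbound ACLs so hosts reach only the shared printer (192.168.3.3 in VLAN 3, as in Graham's later post) in other VLANs. It assumes the hosts can be pointed at the switch (the ISP routers' DHCP would have to be replaced for that, which is the sticking point later in the thread), that the switch is reloaded after the SDM change, and that VLAN 2, omitted for length, repeats the VLAN 1 pattern.

```cisco
! Added example, not from the thread: the 3560 is every VLAN's default
! gateway, routes between VLANs itself, and policy-routes Internet-bound
! traffic to the ISP router of the source VLAN. Addresses as in the thread.
sdm prefer routing
ip routing
!
! The 3560 PBR guidelines advise against deny ACEs in route-map ACLs, so
! internal destinations are caught first by a clause with no "set",
! which means those packets are routed normally by the switch.
ip access-list extended INTERNAL-DESTS
 permit ip any 192.168.0.0 0.0.255.255
ip access-list extended VLAN1-ANY
 permit ip 192.168.1.0 0.0.0.255 any
route-map TO-ISP1 permit 10
 match ip address INTERNAL-DESTS
route-map TO-ISP1 permit 20
 match ip address VLAN1-ANY
 set ip next-hop 192.168.1.1
!
! Security ACL: VLAN 1 may reach the shared printer but not the other VLANs.
ip access-list extended VLAN1-IN
 permit ip 192.168.1.0 0.0.0.255 host 192.168.3.3
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit ip any any
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
 no ip redirects
 ip access-group VLAN1-IN in
 ip policy route-map TO-ISP1
!
! VLAN 2 repeats the VLAN 1 pattern with 192.168.2.0/24 and next-hop 192.168.2.1.
! VLAN 3 holds the printer; the ACL is stateless, so its replies must be permitted.
ip access-list extended VLAN3-ANY
 permit ip 192.168.3.0 0.0.0.255 any
route-map TO-ISP3 permit 10
 match ip address INTERNAL-DESTS
route-map TO-ISP3 permit 20
 match ip address VLAN3-ANY
 set ip next-hop 192.168.3.1
ip access-list extended VLAN3-IN
 permit ip host 192.168.3.3 192.168.0.0 0.0.255.255
 deny   ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny   ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip any any
interface Vlan3
 ip address 192.168.3.2 255.255.255.0
 no ip redirects
 ip access-group VLAN3-IN in
 ip policy route-map TO-ISP3
```

`no ip redirects` keeps the switch from telling hosts to send Internet traffic to the .1 router directly, which would route around the policy; `set ip default next-hop` is not available on this platform, which is why the set-less clause is used to exclude internal destinations instead.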

OK, I'll look at doing this tonight (I'm taking the switch home). I have never configured PBR before so I've got some learning to do.

Cheers

Graham

thanks for the link.....

I think I'm starting to get lost now.

OK, here goes:

on vlan1 we have:

router: 192.168.1.1 (this supplies DHCP and DNS and is the default gateway for users on vlan1)

int vlan1 is set to 192.168.1.2

on vlan2

router: 192.168.2.1 (this supplies DHCP and DNS and is the default gateway for users on vlan2)

int vlan2 is set to 192.168.2.2

on vlan3

router: 192.168.3.1 (this supplies DHCP and DNS and is the default gateway for users on vlan3)

int vlan3 is set to 192.168.3.2

To save hassle I'm going to add the printer to vlan 3 (let's give it an address of 192.168.3.3) also.

I cannot change the default gateway for any of the users on any of the vlans (they are assigned by the routers and they are not intelligent enough to have trunks and routes to do the routing on the lan for me)

How do I get the switch to allow vlans 1 and 2 to access the printer in vlan 3?

What do I need to do to configure PBR? If I disconnect the routers and point all users to the default gateway of the VLAN IP address then it works; as soon as we connect the routers it stops working (due to the DHCP server setting the router as the default gateway).

Sorry about this, I think I'm being stupid now.

No need for apologies.
The thing is basically this:


If the hosts point to the routers as their default gateway, then the 3560 is not doing any routing (and therefore cannot manipulate the routing).

In this scenario that you describe, the 3560 is only going to switch frames and not look at the routing.

When hosts on VLAN x want to talk to hosts on VLAN x, the traffic stays local.
When hosts on VLAN x want to talk to hosts on VLAN y, the traffic is sent to the router.

I see two solutions:
1. Control the routers to manipulate the routing
2. Control the routing in the 3560

Which is more feasible?

Don't hesitate to ask if it's not clear, English is not my native language ;-)

Federico.

The routers are not capable of dealing with the routing (static routes and trunk ports) so we must use the 3560. So how do I get the switch to do routing if the routers are supplying their own IP as the default gateway?

The routers automatically set the default gateway and I cannot change it. Now if there was a way to have PBR "intercept" the traffic on its way to the routers and route it before it gets to the default gateway......

Would this not allow me to get the users to the printer and still allow the router to be the default gateway?

If those routers cannot deal with static routes I don't think they are routers at all.....

Anyway.....

The 3560 will not intercept the packets for this reason:
When a host on VLAN x sends traffic to a host on another VLAN (VLAN y), it will send the packets to the default gateway.
The default is the router (so the switch will not intercept this traffic).
The 3560 will just switch frames (as a L2 switch).

In other words,
You have a scenario where you have VLANs, and the InterVLAN routing is being done by the routers.
So, in order to have communication between VLANs, traffic must go through the router.
The router will then decide what to do with the traffic (not the 3560).

I can imagine some workarounds, for example:
Enter a static route on the machine to send traffic intended to the printer to the 3560 (and have the 3560 route traffic)
In CLI on a Windows machine:
route ADD x.x.x.x mask 255.255.255.255 3560's_IP

If you add the above route on a Windows computer, then it will send traffic to x.x.x.x to the 3560 instead of to the default gateway.
The 3560 must have IP routing configured and must be able to route between VLANs as well.

Federico.

Thanks for that. The routers are very low end things and there is no option to add static routes in the GUI on 2 of them, and one doesn't even support Telnet to allow config at the command line.

I was told that using PBR would enable a way to have the routing dealt with by policy before it was sent to the router as normal (apply a route-map on the interface that the packets enter the switch on to re-route data matching my requirements (allow printing to a different subnet) to the correct place; if the traffic does not match my requirements then just send it to the default gateway).

At least I know this is not possible now using the equipment we have purchased and the routers supplied by the ISPs.

thanks for taking the time to help me with this.

Graham
