PBR and Inter-VLAN Routing

Jul 6th, 2010

I want to keep inter-VLAN routing on the switch (about 10 VLANs with L3 routing), and for some VLANs I need a different gateway.

I tried to run PBR on incoming vlan.

interface Vlan10
ip address 10.10.10.1 255.255.255.128
ip policy route-map test

interface Vlan11
ip address 10.10.10.129 255.255.255.128


interface Vlan100
ip address 200.200.200.1 255.255.255.252

access-list 111 permit ip 10.10.10.0 0.0.0.127 any
route-map test permit 10
match ip address 111
set ip next-hop 200.200.200.2


In this scenario all packets from VLAN 10 are policy routed to 200.200.200.2, even traffic to VLAN 11.

I want policy routing only for packets whose destination isn't in the local routing table.


Cisco recommends not matching ACLs with deny ACEs:


* The switch does not support route-map deny statements for PBR
* When configuring match criteria in a route map, follow these guidelines:

  – Do not match ACLs that permit packets destined for a local address. PBR would forward these packets, which could cause ping or Telnet failure or route protocol flapping.

  – Do not match ACLs with deny ACEs. Packets that match a deny ACE are sent to the CPU, which could cause high CPU utilization.

Giuseppe Larosa Tue, 07/06/2010 - 12:33

Hello Ho,


>> I want policy routing for packets that aren't in local routing table


try to use

set ip default next-hop


as action

in the route-map. In this way the device will consult the routing table before attempting to divert traffic, and it will divert only those packets that have no explicit route in the routing table.


Hope to help

Giuseppe
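As an added illustration (not part of the thread), the following Python script simulates how the switch's forwarding decision differs between `set ip next-hop` and `set ip default next-hop`, using the routing table and ACL 111 posted in this thread. The prefixes for Vlan20 and Vlan100 are normalized to their network addresses, and `lookup`, `forward` and the destinations 10.10.10.130 and 8.8.8.8 are assumptions for the demonstration.

```python
import ipaddress

# Routing table as shown by "sh ip route" in this thread (connected routes
# plus the static default via 10.10.20.1). Vlan20 and Vlan100 are written as
# network prefixes rather than the interface addresses in the output.
ROUTES = {
    "10.10.10.0/25": "Vlan10",
    "10.10.10.128/25": "Vlan11",
    "10.10.20.0/30": "Vlan20",
    "10.10.30.0/24": "Vlan30",
    "10.10.40.0/24": "Vlan40",
    "10.10.50.0/24": "Vlan50",
    "200.200.200.0/30": "Vlan100",
    "0.0.0.0/0": "10.10.20.1",      # gateway of last resort
}

# access-list 111 permit ip 10.10.10.0 0.0.0.127 any  (from the question)
PBR_SOURCE = ipaddress.ip_network("10.10.10.0/25")
PBR_NEXT_HOP = "200.200.200.2"


def lookup(dst):
    """Longest-prefix match over ROUTES; returns (network, via)."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, via in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best


def forward(src, dst, action):
    """Return where a packet is sent.

    action is "next-hop" (set ip next-hop: PBR overrides the routing table)
    or "default" (set ip default next-hop: PBR is used only when the routing
    table has nothing more specific than the default route).
    """
    net, via = lookup(dst)
    if ipaddress.ip_address(src) not in PBR_SOURCE:
        return via                      # route-map not matched: normal routing
    if action == "next-hop":
        return PBR_NEXT_HOP             # always diverted, even inter-VLAN traffic
    if net.prefixlen == 0:              # only the default route matched
        return PBR_NEXT_HOP
    return via                          # explicit route exists: stays local
```

With "next-hop", a VLAN 10 host talking to VLAN 11 is diverted to 200.200.200.2 (the problem described in the question); with "default", it is routed locally and only destinations that would otherwise hit the default route go to 200.200.200.2.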

Nagaraja Thanthry Tue, 07/06/2010 - 13:01

What is your default gateway pointing to? I guess your default route also points to the same IP as the policy route. If you have two static routes pointing to two different next hops, either remove one (one related to policy route) or increase its cost. Hope this helps.


Regards,


NT

danrya Tue, 07/06/2010 - 13:14

Do you already have a "default route" defined? If not:


ip route 0.0.0.0 0.0.0.0 200.200.200.2


Then all traffic that is not destined to a route in the routing table will be sent to 200.200.200.2


Dan

Ho yin Chan Tue, 07/06/2010 - 13:22

The default route is configured and points to an IP that is different from the policy route. I want the traffic from VLAN 10 to go through a different gateway than the default route, which I defined in the route policy. But the inter-VLAN traffic should not be routed through the policy route. If I could put deny statements in the ACEs, then I could specify the VLAN subnets in the ACEs.


i.e.

interface Vlan20

ip address 10.10.20.2 255.255.255.252

ip route 0.0.0.0 0.0.0.0 10.10.20.1



sh ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2

       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

       ia - IS-IS inter area, * - candidate default, U - per-user static route

       o - ODR, P - periodic downloaded static route


Gateway of last resort is 10.10.20.1 to network 0.0.0.0


     10.0.0.0/8 is variably subnetted, 6 subnets, 3 masks

C       10.10.10.0/25 is directly connected, Vlan10

C       10.10.10.128/25 is directly connected, Vlan11

C       10.10.20.2/30 is directly connected, Vlan20

C       10.10.30.0/24 is directly connected, Vlan30

C       10.10.40.0/24 is directly connected, Vlan40

C       10.10.50.0/24 is directly connected, Vlan50

C       200.200.200.1/30 is directly connected, Vlan100

S*   0.0.0.0/0 [1/0] via 10.10.20.1

Nagaraja Thanthry Tue, 07/06/2010 - 13:33

Try the following:


access-list 110 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255


route-map test deny 5
match ip address 110
route-map test permit 10
match ip address 111
set ip next-hop 200.200.200.2


This will ensure that the route map is not applied to the local traffic. Hope this helps.


Regards,


NT

Ho yin Chan Tue, 07/06/2010 - 13:35

I forgot to say that the PBR is configured on 3750s running the IP Services image. The route-map deny statement is not supported.

Nagaraja Thanthry Tue, 07/06/2010 - 13:55

What code version are you running? It seems like "route-map deny" is supported on the IP Services image.

Nagaraja Thanthry Tue, 07/06/2010 - 14:51

Do you have another layer 3 switch? If yes, we could probably work around the limitations and route all local traffic to second switch for local routing and all other traffic to the outside device.


access-list 110 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255


route-map test permit 5
match ip address 110

set ip next-hop
route-map test permit 10
match ip address 111
set ip next-hop 200.200.200.2


On the second switch, you need to create SVI for all the vlans and turn on IP routing. Hope this helps.


Regards,


NT

danrya Tue, 07/06/2010 - 17:27

This seems like a lot of work for a "workaround". Why not just use 10 or fewer static routes? For example, if you want to route the following subnets:


10.10.100.0/24

10.10.101.0/24

10.10.102.0/24

10.10.103.0/24

10.10.104.0/24

10.10.105.0/24

10.10.106.0/24

10.10.107.0/24

10.10.108.0/24

10.10.109.0/24


you can use:

ip route 10.10.100.0 255.255.255.0 200.200.200.2

ip route 10.10.101.0 255.255.255.0 200.200.200.2

ip route 10.10.102.0 255.255.255.0 200.200.200.2

ip route 10.10.103.0 255.255.255.0 200.200.200.2

ip route 10.10.104.0 255.255.255.0 200.200.200.2

ip route 10.10.105.0 255.255.255.0 200.200.200.2

ip route 10.10.106.0 255.255.255.0 200.200.200.2

ip route 10.10.107.0 255.255.255.0 200.200.200.2

ip route 10.10.108.0 255.255.255.0 200.200.200.2

ip route 10.10.109.0 255.255.255.0 200.200.200.2


or


ip route 10.10.100.0 255.255.252.0 200.200.200.2

ip route 10.10.104.0 255.255.252.0 200.200.200.2

ip route 10.10.108.0 255.255.254.0 200.200.200.2


So, as long as the subnets are contiguous, we can summarize them. If you post the subnets we can help with the mask.


Dan
