Policies based routing configuration

Mar 5th, 2012

Dear all,


FYI

10.1.18.71 (Firewall A)

10.1.2.1   (Firewall B) (connected through


I've one Cisco 3750G-12S with ip routing enabled; the switch is running the IP Services firmware, with PBR support.

Currently set my default static route 0.0.0.0 0.0.0.0 10.1.18.71 to my Firewall A


Currently all of the VLANs will be routed to 10.1.18.71


I've created a new VLAN 2 for my 10.1.2.0/24 network with the VLAN interface 2 ip address 10.1.2.10, my intention is to route 10.1.2.0/24 traffic to my 10.1.2.1 by creating the access list and route-map.


I've created an access-list & route-map as below.


access-list 101 permit ip 10.1.2.0 0.0.0.255 any
no cdp run
route-map route10traffic permit 10
 match ip address 101
 set ip next-hop 10.1.2.1


I've configured my test PC with a static IP and my gateway pointing to 10.1.2.10 (VLAN 2 gateway), but I'm not able to route to 10.1.2.1. Any idea?


Thanks & Regards,

yeewensmc

Vivek Ganapathi Mon, 03/05/2012 - 21:51

Hello,


Have you tried the below?


access-list 101 permit ip 10.1.2.0 0.0.0.255 any
no cdp run
route-map route10traffic permit 10
 match ip address 101
 set interface <interface>
!
interface <interface>
 ip policy route-map route10traffic

Also, the configs which you posted don't show anything wrong. They should work fine. To troubleshoot further, check whether 10.1.2.0/24 exists in the routing table. Could you please post me the show ip route output?


Vivek.

yeewensmc Sun, 03/11/2012 - 21:12

Dear Vivek,


I've entered the

set interface gigabitethernet 1/0/6 (interface trunk to my next firewall B)

but when I key in the

interface gigabitethernet 1/0/6
ip policy route-map route10traffic (I don't have this command)

I've entered this instead


access-list 101 permit ip 10.1.2.0 0.0.0.255 any
no cdp run
route-map route10traffic permit 10
 match ip address 101
 set ip next-hop 10.1.2.1
!
route-map route10trafic permit 10
 match ip address 101
 set interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/6
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip access-group 101 in


Will the ip access-group 101 in command replace ip policy route-map route10traffic?


Here's the output of my core switch show ip route


CORE#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.1.18.71 to network 0.0.0.0

S    192.168.4.0/24 [1/0] via 10.1.18.6
     10.0.0.0/8 is variably subnetted, 22 subnets, 2 masks
S       10.10.0.0/16 [1/0] via 10.1.18.6
S       10.11.0.0/16 [1/0] via 10.1.18.6
C       10.1.9.0/24 is directly connected, Vlan9
S       10.1.8.0/24 [1/0] via 10.1.18.70
C       10.1.3.0/24 is directly connected, Vlan3
C       10.1.2.0/24 is directly connected, Vlan2
S       10.2.4.0/24 [1/0] via 10.1.18.6
C       10.1.7.0/24 is directly connected, Vlan7
C       10.1.6.0/24 is directly connected, Vlan6
C       10.1.5.0/24 is directly connected, Vlan5
C       10.1.4.0/24 is directly connected, Vlan4
C       10.1.18.0/24 is directly connected, Vlan18
S       10.20.2.0/24 [1/0] via 10.1.18.6
S       10.1.40.0/24 [1/0] via 10.1.18.6
S       10.1.33.0/24 [1/0] via 10.1.18.71
S       10.1.32.0/24 [1/0] via 10.1.18.6
S       10.1.36.0/24 [1/0] via 10.1.18.6
S       10.200.18.0/24 [1/0] via 10.1.18.6
S       10.200.19.0/24 [1/0] via 10.1.18.6
S       10.200.16.0/24 [1/0] via 10.1.18.6
S       10.200.17.0/24 [1/0] via 10.1.18.6
S       10.200.21.0/24 [1/0] via 10.1.18.6
C    192.168.1.0/24 is directly connected, Vlan1
S*   0.0.0.0/0 [1/0] via 10.1.18.71


Thanks Vivek for your reply, I'm looking forward to your reply soon.

mr Anh Sun, 03/11/2012 - 21:50

Dear Yee Wen Low,

Please try the below:

access-list 101 permit ip 10.1.2.0 0.0.0.255 any
no cdp run
route-map route10traffic permit 10
 match ip address 101
 set ip next-hop 10.1.2.1
!
interface vlan 2
 ip policy route-map route10traffic


And why do you use a trunk link between the 3750 switch and Firewall B?

Latchum Naidu Mon, 03/12/2012 - 00:09

Hi,


interface Vlan51
 ip policy route-map Net-access
!
route-map Net-access permit 10
 match ip address 170
 set ip default next-hop 10.28.1.100
!
access-list 170 permit ip 10.1.2.0 0.0.0.255 any


Please rate the helpful posts.
Regards,
Naidu.

yeewensmc Mon, 03/12/2012 - 00:50

Dear all,


I've encountered a problem while setting the commands below:


interface vlan 2
 ip policy route-map route10traffic


It prompted:

CORE(config-if)#
000252: *Aug 30 05:01:16.189 MYT: %PLATFORM_PBR-4-SDM_MISMATCH: PBR requires sdm template routing


I've googled it and found out that it has something to do with the SDM template:


http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_25_se/configuration/guide/swsdm.html


May I know whether there would be any problem if I change my SDM template from default to sdm prefer routing? It hasn't been shut down for almost 25 weeks = 175 days.


CORE(Config)# sdm prefer routing

cadet alain Mon, 03/12/2012 - 01:18

Hi,


You'll have to reload for it to take effect.


Regards.


Alain
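The points this thread turns on can all be checked offline against a saved configuration before touching the switch: every "ip policy route-map" statement must name a route-map that actually exists (a misspelt name such as route10trafic silently steers nothing), "ip access-group" filters packets but never redirects them, a "set ip next-hop" address has to sit on a directly connected subnet, and on a Catalyst 3750 the routing SDM template has to be in place (after a reload) before PBR works at all. The Python script below is an added example written for this page; it is not part of the thread and is not a Cisco tool. Its two configuration samples are constructed to model the posted and the corrected setup, and the finding codes are labels chosen here, not IOS messages.

```python
import re
from ipaddress import ip_address, ip_interface

# Constructed sample modelled on the configuration reported in this thread (not a device dump).
POSTED_CONFIG = """\
sdm prefer default
access-list 101 permit ip 10.1.2.0 0.0.0.255 any
route-map route10traffic permit 10
 match ip address 101
 set ip next-hop 10.1.2.1
route-map route10trafic permit 10
 match ip address 101
 set interface GigabitEthernet1/0/6
interface Vlan2
 ip address 10.1.2.10 255.255.255.0
interface GigabitEthernet1/0/6
 switchport mode trunk
 ip access-group 101 in
"""

# Constructed sample of the corrected configuration: policy on the ingress SVI, routing SDM template.
CORRECTED_CONFIG = """\
sdm prefer routing
access-list 101 permit ip 10.1.2.0 0.0.0.255 any
route-map route10traffic permit 10
 match ip address 101
 set ip next-hop 10.1.2.1
interface Vlan2
 ip address 10.1.2.10 255.255.255.0
 ip policy route-map route10traffic
"""

def parse_config(text):
    """Pull the PBR-relevant statements out of an IOS-style config (indented lines belong to the block above)."""
    cfg = {"sdm": None, "acls": set(), "route_maps": {}, "interfaces": {}}
    target = None  # dict that the indented lines are currently filling
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():  # top-level statement opens a new block
            target = None
            if m := re.match(r"sdm prefer (\S+)", line):
                cfg["sdm"] = m.group(1)
            elif m := re.match(r"(?:ip )?access-list (\S+) ", line):
                cfg["acls"].add(m.group(1))
            elif m := re.match(r"route-map (\S+) (?:permit|deny) (\d+)", line):
                target = {"seq": int(m.group(2)), "match_acls": [], "next_hops": []}
                cfg["route_maps"].setdefault(m.group(1), []).append(target)
            elif m := re.match(r"interface (\S+)", line):
                target = {"address": None, "policy": None, "access_groups": []}
                cfg["interfaces"][m.group(1)] = target
        elif target is not None:  # statement inside a route-map or interface block
            if m := re.match(r"match ip address (.+)", line):
                target["match_acls"] += m.group(1).split()
            elif m := re.match(r"set ip (?:default )?next-hop (.+)", line):
                target["next_hops"] += m.group(1).split()
            elif m := re.match(r"ip address (\S+) (\S+)", line):
                target["address"] = ip_interface(f"{m.group(1)}/{m.group(2)}")
            elif m := re.match(r"ip policy route-map (\S+)", line):
                target["policy"] = m.group(1)
            elif m := re.match(r"ip access-group (\S+) (?:in|out)", line):
                target["access_groups"].append(m.group(1))
    return cfg

def audit_pbr(text):
    """Return (code, detail) findings for the policy-routing parts of a config."""
    cfg = parse_config(text)
    out = []
    applied = [i["policy"] for i in cfg["interfaces"].values() if i["policy"]]
    for name in applied:
        if name not in cfg["route_maps"]:
            out.append(("UNDEFINED_ROUTE_MAP", f"'ip policy route-map {name}' references an undefined route-map"))
    # A route-map that nothing applies steers no traffic; this also catches a misspelt name.
    for name in cfg["route_maps"]:
        if name not in applied:
            out.append(("UNAPPLIED_ROUTE_MAP", f"route-map {name} is never applied with 'ip policy route-map'"))
    connected = [i["address"].network for i in cfg["interfaces"].values() if i["address"]]
    for name, entries in cfg["route_maps"].items():
        for e in entries:
            for acl in e["match_acls"]:
                if acl not in cfg["acls"]:
                    out.append(("UNDEFINED_ACL", f"route-map {name} seq {e['seq']} matches undefined ACL {acl}"))
            for hop in e["next_hops"]:
                if not any(ip_address(hop) in net for net in connected):
                    out.append(("NEXT_HOP_NOT_CONNECTED", f"route-map {name} seq {e['seq']} next-hop {hop} is not on a connected subnet"))
    # 'ip access-group' only filters packets; only 'ip policy route-map' redirects them.
    pbr_acls = {a for entries in cfg["route_maps"].values() for e in entries for a in e["match_acls"]}
    for ifname, iface in cfg["interfaces"].items():
        for acl in iface["access_groups"]:
            if acl in pbr_acls:
                out.append(("ACCESS_GROUP_IS_NOT_PBR", f"{ifname} applies ACL {acl} as an access-group, which filters rather than policy-routes"))
    # Catalyst 3750: PBR needs the routing SDM template, and a template change only takes effect after a reload.
    if applied and cfg["sdm"] != "routing":
        out.append(("SDM_TEMPLATE", f"PBR is applied but the SDM template is '{cfg['sdm']}'; 'sdm prefer routing' plus a reload is required"))
    return out

if __name__ == "__main__":
    for label, text in (("posted", POSTED_CONFIG), ("corrected", CORRECTED_CONFIG)):
        print(label, audit_pbr(text) or "no findings")
```

Run against the posted sample it reports both route-maps as unapplied and flags the access-group on GigabitEthernet1/0/6; adding "ip policy route-map route10traffic" under Vlan2 clears the first of those but raises the SDM template finding until "sdm prefer routing" is present, and the corrected sample produces no findings. Point it at the output of "show running-config" saved to a file to audit a real switch.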

yeewensmc Mon, 03/12/2012 - 00:59

Dear Mr Anh,


The trunk link is because Firewall B is located at another location, reached through a switch. My switch is a 3750 with 12 fiber ports. Interface 6 is the trunk link to the switch where my Firewall B is located.


Thanks & regards,

yeewensmc
