Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Attention: The Community will be in read-only mode on 12/14/2017 from 12:00 am pacific to 11:30 am.

During this time you will only be able to see content. Other interactions such as posting, replying to questions, or marking content as helpful will be disabled for few hours.

We apologize for the inconvenience while we perform important updates to the Community.

New Member

3560 policy-based-routing


i'm trying to accomplish the following scenario with a pbr. Pls do share your thoughts if the approach i'm taking can accomplish this.

Basically i want some workstations in my LAN to not be able to reach several IP addresses that's hosted in a another country. Now i tried vlan access maps with the usual acl to deny all these ips but somehow they just didn't do a gd job (probably trunking issues on the edge switches)

What i was thinking is:

-create a new vlan with a new scope.

-create an acl with the permit statements for the remote ips

-create a pbr which sends any attempts to this remote ips to a null interface

-have this policy-route tied to the newly created vlan.

Hall of Fame Super Blue

Re: 3560 policy-based-routing


This does sound a bit more complicated than it has to be. Are the source IP addresses in a different vlan than the destination IP addresses.

If they are i would use a normal acl and apply it to the layer 3 interface for that vlan.

If they aren't, yes you could put them into a separate vlan but then i would still use an acl on the L3 vlan interface.



Hall of Fame Super Bronze

Re: 3560 policy-based-routing

Are you extending your VTP domain over the WAN connection ?

In order to configure VACL, you need to share the same VTP domain between src/dst - else just configure your typical ACL with access-group on the ingress/egress interface.

Re: 3560 policy-based-routing

In addition, if you are going to use ACLs on the SVI to block the traffic, there is no need for the PBR to route to null0

for all the denied IPs.

The traffic would anyway be dropped and u can also use the deny any any log parameter to see the counts violating the permission.



CreatePlease to create content