Cisco Support Community
Cat 4500 and PBR on VLAN

Hi,

I am trying to implement PBR on a VLAN on a Cat 4500 running cat4500e-ENTSERVICESK9-M, Version 12.2(53)SG2.  I have been able to successfully implement PBR on a GRE tunnel so far, but applying the same policy to the VLAN doesn't work - show access-list 199 is showing no matches.  Here's the config:

access-list 199 permit ip any host 199.7.48.190
access-list 199 permit ip any host 199.7.51.190
access-list 199 permit ip any host 199.7.52.190
access-list 199 permit ip any host 91.203.99.57
access-list 199 permit ip any host 199.16.83.72
access-list 199 permit ip any host 199.7.48.72
access-list 199 permit ip any host 199.7.50.72
access-list 199 permit ip any host 199.7.51.72
access-list 199 permit ip any host 199.7.52.72
access-list 199 permit ip any host 199.7.54.72
access-list 199 permit ip any host 199.7.55.72
access-list 199 permit ip any host 199.7.57.72
access-list 199 permit ip any host 199.7.59.72
access-list 199 permit ip any host 199.7.71.72
!
route-map NAT_400_300_via_VODPOS permit 10
 match ip address 199
 set interface TenGigabitEthernet1/1 TenGigabitEthernet1/2
 set ip next-hop 172.16.11.5
!
interface Vlan400
 description STB VLAN
 ip address 10.10.24.1 255.255.252.0
 ip access-group 120 in
 ip helper-address 172.16.11.5
 no ip proxy-arp
 ip pim sparse-mode
 ip policy route-map NAT_400_300_via_VODPOS
end

I know that the pings that I am sending from a device in VLAN 400 are reaching the switch, and are permitted by the inbound ACL on the VLAN:

zzgvcars01c45#sh access-list 120 | incl icmp
    90 permit icmp 10.10.24.0 0.0.7.255 any (559 estimate matches)

But the ACL applied to the policy is showing zero matches:

zzgvcars01c45#sh access-list 199
Extended IP access list 199
    10 permit ip any host 199.7.48.190
    20 permit ip any host 199.7.51.190
    30 permit ip any host 199.7.52.190
    40 permit ip any host 91.203.99.57
    50 permit ip any host 199.16.83.72
    60 permit ip any host 199.7.48.72
    70 permit ip any host 199.7.50.72
    80 permit ip any host 199.7.51.72
    90 permit ip any host 199.7.52.72
    100 permit ip any host 199.7.54.72
    110 permit ip any host 199.7.55.72
    120 permit ip any host 199.7.57.72
    130 permit ip any host 199.7.59.72
    140 permit ip any host 199.7.71.72

Running deb ip packet 199 also fails to show any of the ping packets being processed, just as deb ip packet 120 also doesn't show them.

The output of deb ip policy doesn't show the ping packets being processed either, when the policy is applied to the VLAN.  However, it does show the packets being processed when applied to the GRE Tunnel.

So, is what I am trying to do, by applying PBR to the VLAN, possible?  If so, what am I missing?

Regards,

Brett.
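
An added example, not part of Brett's post or of any Cisco tooling: a small Python evaluator that replays the posted inbound ACL and route-map match against a test packet, so one can confirm whether a given ping destination should hit ACL 199 at all before chasing counters. It models only the single ACL 120 line shown in the post and the route-map's set ip next-hop of 172.16.11.5 (the set interface clause is not modelled), and it assumes contiguous wildcard masks.

```python
import ipaddress

# Constructed sample: three entries from the posted ACL 199 and the single ACL 120 line shown in the post.
ACL_199 = [
    "access-list 199 permit ip any host 199.7.48.190",
    "access-list 199 permit ip any host 91.203.99.57",
    "access-list 199 permit ip any host 199.7.71.72",
]
ACL_120 = ["access-list 120 permit icmp 10.10.24.0 0.0.7.255 any"]
NEXT_HOP = "172.16.11.5"  # route-map 'set ip next-hop'; 'set interface' is not modelled

def _parse_addr(tokens):
    """Consume one IOS address spec ('any', 'host A.B.C.D' or 'A.B.C.D WILDCARD');
    return (network, remaining tokens). Wildcard masks are assumed contiguous."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # IOS wildcard bits set to 1 are "don't care": n low bits set means a /(32-n).
    prefix = 32 - int(ipaddress.ip_address(tokens[1])).bit_length()
    return ipaddress.ip_network(f"{tokens[0]}/{prefix}", strict=False), tokens[2:]

def acl_matches(acl, proto, src, dst):
    """Return (action, entry) for the first matching entry, None for the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for entry in acl:
        tokens = entry.split()  # access-list <n> <action> <proto> <src> <dst>
        action, entry_proto = tokens[2], tokens[3]
        if entry_proto not in ("ip", proto):
            continue
        src_net, rest = _parse_addr(tokens[4:])
        dst_net, _ = _parse_addr(rest)
        if s in src_net and d in dst_net:
            return action, entry
    return None

def pbr_decision(proto, src, dst):
    """Mirror the posted SVI order: inbound ACL 120 first, then the route-map's
    'match ip address 199' decides whether the packet is policy-routed."""
    inbound = acl_matches(ACL_120, proto, src, dst)
    if inbound is None or inbound[0] != "permit":
        return "dropped by ACL 120"
    hit = acl_matches(ACL_199, proto, src, dst)
    if hit is not None and hit[0] == "permit":
        return f"policy-routed to {NEXT_HOP}"
    return "normal routing"

if __name__ == "__main__":
    for dst in ("199.7.48.190", "8.8.8.8"):  # only the first hits ACL 199
        print(dst, "->", pbr_decision("icmp", "10.10.25.7", dst))
```

Note that debug ip packet only reports packets handled in software, so on a hardware-forwarding platform its silence does not by itself show that the policy is not being applied.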
