New Member

ip policy route-map

Sir,

I have the following conf on a 3750X.

interface Vlan250
 ip address 172.16.252.10 255.255.255.0
 ip policy route-map INTERNET_ONLY
!
access-list 10 deny   10.0.0.0 0.0.0.255
access-list 10 deny   172.16.0.0 0.15.255.255
access-list 10 deny   192.168.0.0 0.0.255.255
access-list 10 permit any
!
route-map INTERNET_ONLY permit 10
 match ip address 10
 set ip next-hop 192.168.70.2

The purpose is to direct all traffic from non-private IP to 192.168.70.2. But the route-map figure is zero. Is there anything wrong with it?

Thank you.

8 REPLIES
Hall of Fame Super Silver

ip policy route-map

Perhaps it would help if we had a better understanding of your topology. But here is what I see so far. You have configured PBR on a vlan interface which has subnet 172.16.252.0/24. So I would expect traffic coming into that interface to have source addresses of 172.16.252.x. And your access list is denying any traffic with source address in 172.16.0.0 0.15.255.255. So is there traffic coming into interface vlan 250 whose source address is not 172.16.252.x?

HTH

Rick

ip policy route-map

Hello Joseph,

Totally agree with Richard Burts.

The only thing that would make this route-map take effect is if you have all of the private subnet ranges (or at least some) reachable via this VLAN interface.

You know what I mean.

Otherwise you are not going to match it. To make it happen with the current setup, do:

access-list 13 permit  172.16.252.0 0.0.0.255
!
route-map INTERNET_ONLY permit 10
 no match ip address 10
 match ip address 13

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

New Member

ip policy route-map

Thanks for both.

The objective is to separate the Internet traffic from the internal LAN traffic, while all traffic is received on the VLAN250 interface.

Assumptions:

1) The internal LAN traffic is sourced from any of the private IP ranges only.

2) The Internet traffic should be sourced from none of the private IP range.

What I want to achieve are:

1) Let internal LAN traffic follow the routing table on the switch as usual.

2) Force received internet traffic to 192.168.70.2.

If I permit the VLAN traffic (172.16.252.0 0.0.0.255), it will break the logic above.

Any idea? Thank you all.
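As an added illustration (not part of the thread), the following Python evaluates ACL 10 exactly as posted, using IOS wildcard semantics and the PBR rule that a permit policy-routes the packet while a deny leaves it to the routing table, against a few constructed source addresses; it also checks which of the RFC 1918 blocks (the "private IP range" of the question) the deny entries actually cover, since the first entry's wildcard 0.0.0.255 spans only 10.0.0.0/24.

```python
import ipaddress

# ACL 10 and the next hop exactly as quoted in the question (action, base, wildcard).
ACL_10 = [
    ("deny",   "10.0.0.0",    "0.0.0.255"),
    ("deny",   "172.16.0.0",  "0.15.255.255"),
    ("deny",   "192.168.0.0", "0.0.255.255"),
    ("permit", "any",         None),
]
NEXT_HOP = "192.168.70.2"
# The RFC 1918 ranges the question refers to as "the private IP range".
RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def entry_network(base, wildcard):
    """Turn an IOS 'base wildcard' pair into a network; 'any' is 0.0.0.0/0.
    ipaddress accepts a hostmask, which is exactly what an IOS wildcard is."""
    if base == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.IPv4Network((base, wildcard))

def acl_action(acl, src):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    addr = ipaddress.ip_address(src)
    for action, base, wildcard in acl:
        if addr in entry_network(base, wildcard):
            return action
    return "deny"

def policy_route(src, acl=ACL_10, next_hop=NEXT_HOP):
    """PBR semantics: a permit from the match ACL sets the next hop; a deny
    (explicit or implicit) leaves the packet to the normal routing table."""
    return next_hop if acl_action(acl, src) == "permit" else "routing-table"

def uncovered_private_space(acl):
    """RFC 1918 blocks not fully covered by a deny entry; sources in the
    uncovered part fall through to 'permit any' and get policy-routed."""
    denied = [entry_network(b, w) for a, b, w in acl if a == "deny"]
    return [str(block) for block in RFC1918
            if not any(block.subnet_of(net) for net in denied)]

if __name__ == "__main__":
    # Constructed sample sources: the VLAN's own subnet, a public address,
    # another private range, and a 10.x host outside 10.0.0.0/24.
    for src in ("172.16.252.20", "8.8.8.8", "192.168.70.5", "10.1.2.3"):
        print(f"{src:>14} -> {policy_route(src)}")
    print("private space not denied:", uncovered_private_space(ACL_10))
```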

Hall of Fame Super Silver

ip policy route-map

I asked some questions which you have chosen to not answer. Until you are willing to tell us whether there are devices sending traffic "inbound" to vlan 250 whose IP address is not in 172.16.252.x we will not be able to offer very good advice.

HTH

Rick

New Member

Re: ip policy route-map

Hello Rick,

Yes, "there are devices sending traffic "inbound" to vlan 250 whose IP address is not in 172.16.252.x". Actually, the interface is receiving traffic from both private IP and public IP ranges.

Thank you.

PS: a diagram is added.

Hall of Fame Super Silver

ip policy route-map

If there is traffic being sent into vlan 250 that has source addresses that are public Internet addresses then the PBR that you have configured should redirect that traffic to 192.168.70.2.

HTH

Rick

New Member

ip policy route-map

Thanks Rick, it seems to be working.

But I see the counter in "show route-map" is zero.

SW#sh route-map all
STATIC routemaps
route-map INTERNET_ONLY, permit, sequence 10
  Match clauses:
    ip address (access-lists): 10
  Set clauses:
    ip next-hop 192.168.70.2
  Policy routing matches: 0 packets, 0 bytes
DYNAMIC routemaps

Also, from "show access-list", the counter of "permit any" entry always shows zero.

Any idea why?

Thank you.

Silver

ip policy route-map

Unfortunately, on Catalyst switches, from my experience the counters can't be trusted. It might have to do with it being a hardware-based platform using ASICs, so the counters might not always be incremented as long as the traffic is CEF switched.

Daniel Dib
CCIE #37149
