07-06-2010 11:34 AM - edited 03-06-2019 11:55 AM
I want to keep inter-VLAN routing on the switch (about 10 vlans with L3 routing) and for some VLANs I need different gateway.
I tried to run PBR on incoming vlan.
interface Vlan10
 ip address 10.10.10.1 255.255.255.128
 ip policy route-map test
!
interface Vlan11
 ip address 10.10.10.129 255.255.255.128
!
interface Vlan100
 ip address 200.200.200.1 255.255.255.252
!
access-list 111 permit ip 10.10.10.0 0.0.0.127 any
!
route-map test permit 10
 match ip address 111
 set ip next-hop 200.200.200.2
In this scenario all packets from VLAN 10 are policy-routed to 200.200.200.2, even traffic to VLAN 11.
I want policy routing only for packets that aren't in the local routing table.
Cisco's documentation says that you cannot match ACLs with deny ACEs:
* The switch does not support route-map deny statements for PBR
* When configuring match criteria in a route map, follow these guidelines:
– Do not match ACLs that permit packets destined for a local address. PBR would forward these packets, which could cause ping or Telnet failure or route protocol flapping.
– Do not match ACLs with deny ACEs. Packets that match a deny ACE are sent to the CPU, which could cause high CPU utilization.
07-06-2010 12:33 PM
Hello Ho,
>> I want policy routing for packets that aren't in local routing table
try to use

set ip default next-hop

as the action in the route-map. This way the device will consult the routing table before attempting to divert traffic, and it will divert only those packets that have no explicit route in the routing table.
Hope to help
Giuseppe
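The difference between the two set actions, as an added illustration that is not part of the thread: a small Python model of the forwarding decision an IOS router makes for a policy-routed SVI. The RIB is constructed from the "sh ip route" output posted later in the thread (the connected /30 on Vlan20 is written as 10.10.20.0/30 here), the ACL is the poster's access-list 111, and the function names are this example's own. With "set ip next-hop" the route-map wins before the RIB is consulted, so traffic from VLAN 10 to VLAN 11 is diverted; with "set ip default next-hop" the RIB is consulted first and only packets that would otherwise fall through to the default route are diverted.

```python
from ipaddress import ip_address, ip_network

# Constructed RIB mirroring the thread's "sh ip route": prefix -> next hop
# (a string naming the outgoing SVI for connected routes, an IP otherwise).
RIB = {
    ip_network("10.10.10.0/25"):   "Vlan10",
    ip_network("10.10.10.128/25"): "Vlan11",
    ip_network("10.10.20.0/30"):   "Vlan20",
    ip_network("10.10.30.0/24"):   "Vlan30",
    ip_network("10.10.40.0/24"):   "Vlan40",
    ip_network("10.10.50.0/24"):   "Vlan50",
    ip_network("200.200.200.0/30"): "Vlan100",
    ip_network("0.0.0.0/0"):       "10.10.20.1",  # S* gateway of last resort
}
DEFAULT_ROUTE = ip_network("0.0.0.0/0")

# access-list 111 permit ip 10.10.10.0 0.0.0.127 any  (source match only)
ACL_111_SOURCE = ip_network("10.10.10.0/25")
POLICY_NEXT_HOP = "200.200.200.2"   # set ip [default] next-hop 200.200.200.2


def rib_lookup(dst):
    """Longest-prefix match; returns (matching prefix, next hop)."""
    dst = ip_address(dst)
    best = max((p for p in RIB if dst in p), key=lambda p: p.prefixlen)
    return best, RIB[best]


def forward(src, dst, action=None):
    """Decide the next hop for a packet entering Vlan10.

    action: None            -> no "ip policy" on the SVI, plain RIB lookup
            "next-hop"      -> set ip next-hop: PBR wins, RIB not consulted
            "default next-hop" -> set ip default next-hop: RIB first,
                               PBR only if nothing better than 0.0.0.0/0 matches
    """
    if action is not None and ip_address(src) in ACL_111_SOURCE:
        if action == "next-hop":
            return POLICY_NEXT_HOP
        if action == "default next-hop":
            prefix, nh = rib_lookup(dst)
            if prefix != DEFAULT_ROUTE:   # explicit (non-default) route exists
                return nh
            return POLICY_NEXT_HOP        # would have used the default route
        raise ValueError(f"unknown set action: {action}")
    return rib_lookup(dst)[1]


if __name__ == "__main__":
    for action in (None, "next-hop", "default next-hop"):
        print(f"--- {action or 'no PBR'} ---")
        print("Vlan10 -> Vlan11 host:", forward("10.10.10.5", "10.10.10.200", action))
        print("Vlan10 -> Internet   :", forward("10.10.10.5", "8.8.8.8", action))
        print("Vlan11 -> Internet   :", forward("10.10.10.200", "8.8.8.8", action))
```

The two outbound cases show the behaviour the thread is after: with "default next-hop", the VLAN 10 to VLAN 11 packet follows the connected route, the VLAN 10 to Internet packet is diverted to 200.200.200.2, and VLAN 11 (not matched by ACL 111) keeps using the gateway of last resort 10.10.20.1.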
07-06-2010 01:01 PM
What is your default gateway pointing to? I guess your default route also points to the same IP as the policy route. If you have two static routes pointing to two different next hops, either remove one (one related to policy route) or increase its cost. Hope this helps.
Regards,
NT
07-06-2010 01:14 PM
Do you already have a "default Route" defined? If not:
ip route 0.0.0.0 0.0.0.0 200.200.200.2
Then all traffic that is not destined to a route in the routing table will be sent to 200.200.200.2
Dan
07-06-2010 01:22 PM
The default route is configured and points to an IP that is different from the policy route. I want the traffic from VLAN 10 to go through a different gateway than the default route, which I defined in the route policy. But the inter-VLAN traffic should not be routed through the policy route. If I could put deny statements in the ACEs, then I could specify the VLAN subnets in the ACEs.
i.e.
interface Vlan20
 ip address 10.10.20.2 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 10.10.20.1
sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 10.10.20.1 to network 0.0.0.0
10.0.0.0/8 is variably subnetted, 6 subnets, 3 masks
C 10.10.10.0/25 is directly connected, Vlan10
C 10.10.10.128/25 is directly connected, Vlan11
C 10.10.20.2/30 is directly connected, Vlan20
C 10.10.30.0/24 is directly connected, Vlan30
C 10.10.40.0/24 is directly connected, Vlan40
C 10.10.50.0/24 is directly connected, Vlan50
C 200.200.200.1/30 is directly connected, Vlan100
S* 0.0.0.0/0 [1/0] via 10.10.20.1
07-06-2010 01:33 PM
Try the following:
access-list 110 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
!
route-map test deny 5
 match ip address 110
!
route-map test permit 10
 match ip address 111
 set ip next-hop 200.200.200.2
This will ensure that the route map is not applied to the local traffic. Hope this helps.
Regards,
NT
07-06-2010 01:35 PM
I forgot to say that the PBR is configured on 3750s running the IP Services image. The route-map deny statement is not supported.
07-06-2010 01:55 PM
What code version are you running? Seems like the "route-map
07-06-2010 01:59 PM
The 3750 is running 12.2(44)SE5. c3750-ipservicesk9-mz.122-53.SE1.bin
Refer to Cisco doc:
•The switch does not support route-map deny statements for PBR.
07-06-2010 02:51 PM
Do you have another layer 3 switch? If yes, we could probably work around the limitations and route all local traffic to second switch for local routing and all other traffic to the outside device.
access-list 110 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
!
route-map test permit 5
 match ip address 110
 set ip next-hop
! (next hop above = the second layer 3 switch, address not given in the post)
!
route-map test permit 10
 match ip address 111
 set ip next-hop 200.200.200.2
On the second switch, you need to create SVIs for all the VLANs and turn on IP routing. Hope this helps.
Regards,
NT
07-06-2010 05:27 PM
This seems like a lot of work for a "workaround". Why not just use 10 or fewer static routes? For example, if you want to route the following subnets:
10.10.100.0/24
10.10.101.0/24
10.10.102.0/24
10.10.103.0/24
10.10.104.0/24
10.10.105.0/24
10.10.106.0/24
10.10.107.0/24
10.10.108.0/24
10.10.109.0/24
you can use:
ip route 10.10.100.0 255.255.255.0 200.200.200.2
ip route 10.10.101.0 255.255.255.0 200.200.200.2
ip route 10.10.102.0 255.255.255.0 200.200.200.2
ip route 10.10.103.0 255.255.255.0 200.200.200.2
ip route 10.10.104.0 255.255.255.0 200.200.200.2
ip route 10.10.105.0 255.255.255.0 200.200.200.2
ip route 10.10.106.0 255.255.255.0 200.200.200.2
ip route 10.10.107.0 255.255.255.0 200.200.200.2
ip route 10.10.108.0 255.255.255.0 200.200.200.2
ip route 10.10.109.0 255.255.255.0 200.200.200.2
or
ip route 10.10.100.0 255.255.252.0 200.200.200.2
ip route 10.10.104.0 255.255.252.0 200.200.200.2
ip route 10.10.108.0 255.255.254.0 200.200.200.2
So, as long as the subnets are contiguous, we can summarize them. If you post the subnets we can help with the mask.
Dan
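The summarisation Dan does by hand generalises to any list of prefixes, as this added example (not part of the thread) shows: it collapses adjacent, aligned prefixes into the smallest exact set of supernets and prints the matching "ip route" lines. Python's ipaddress.collapse_addresses only merges blocks that combine into an exact supernet, so the output never covers address space that was not requested; the covers_exactly check makes that explicit. The function names and the second sample list are this example's own. One caveat a practitioner should keep in mind: static routes select on destination only and apply to every source VLAN, whereas the PBR the thread started with selects on the source subnet.

```python
from ipaddress import ip_network, collapse_addresses


def summarize_routes(prefixes, next_hop):
    """Collapse a list of CIDR prefixes into exact supernets and emit
    IOS "ip route <network> <mask> <next-hop>" lines, one per summary."""
    nets = [ip_network(p, strict=True) for p in prefixes]
    summaries = sorted(collapse_addresses(nets))
    return [f"ip route {s.network_address} {s.netmask} {next_hop}"
            for s in summaries]


def covers_exactly(prefixes, summaries):
    """True if the summary set contains every requested address and no
    address outside the requested prefixes (no over-summarisation)."""
    wanted = [ip_network(p) for p in prefixes]
    got = [ip_network(s) for s in summaries]
    every_wanted_covered = all(any(w.subnet_of(g) for g in got) for w in wanted)
    nothing_extra = all(
        sum(w.num_addresses for w in wanted if w.subnet_of(g)) == g.num_addresses
        for g in got
    )
    return every_wanted_covered and nothing_extra


# Constructed input: the ten contiguous /24s from Dan's post.
CONTIGUOUS = [f"10.10.{n}.0/24" for n in range(100, 110)]

# Constructed input with a gap: 10.10.101.0/24 is missing, so 100 and 102
# cannot be merged into a /22 without swallowing address space that was
# never meant to go via 200.200.200.2.
WITH_GAP = ["10.10.100.0/24", "10.10.102.0/24", "10.10.103.0/24"]


if __name__ == "__main__":
    for name, prefixes in (("contiguous", CONTIGUOUS), ("with gap", WITH_GAP)):
        lines = summarize_routes(prefixes, "200.200.200.2")
        print(f"--- {name}: {len(prefixes)} prefixes -> {len(lines)} routes ---")
        print("\n".join(lines))
        summaries = [l.split()[2] + "/" + str(ip_network(l.split()[2] + "/" + l.split()[3]).prefixlen)
                     for l in lines]
        print("covers exactly:", covers_exactly(prefixes, summaries))
```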