PBR and Inter-VLAN Routing

Ho yin Chan
Level 1

I want to keep inter-VLAN routing on the switch (about 10 vlans with L3 routing) and for some VLANs I need different gateway.

I tried to run PBR on incoming vlan.

interface Vlan10
ip address 10.10.10.1 255.255.255.128
ip policy route-map test

interface Vlan11
ip address 10.10.10.129 255.255.255.128


interface Vlan100
ip address 200.200.200.1 255.255.255.252

access-list 111 permit ip 10.10.10.0 0.0.0.127 any
route-map test permit 10
match ip address 111
set ip next-hop 200.200.200.2


In this scenario all packets from VLAN 10 are policy routed to 200.200.200.2, even traffic to VLAN 11.

I want policy routing for packets that aren't in local routing table.

Cisco recommends not matching ACLs with deny ACEs:

* The switch does not support route-map deny statements for PBR
* When configuring match criteria in a route map, follow these guidelines:

  – Do not match ACLs that permit packets destined for a local address. PBR would forward these packets, which could cause ping or Telnet failure or route protocol flapping.

  – Do not match ACLs with deny ACEs. Packets that match a deny ACE are sent to the CPU, which could cause high CPU utilization.

10 Replies

Giuseppe Larosa
Hall of Fame

Hello Ho,

>> I want policy routing for packets that aren't in local routing table

try to use

set ip default next-hop

as action

in the route-map. In this way the device will consult the routing table before attempting to divert traffic, and it will do so only for those packets without an explicit route in the routing table.

Hope to help

Giuseppe
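To make the difference between set ip next-hop and set ip default next-hop concrete, here is an added Python model of the forwarding decision (it is not from any poster and not IOS code); it assumes a simplified routing table built from the show ip route output later in this thread and ACL 111 from the original post.

```python
import ipaddress

# Constructed model of the thread's routing table (assumption: a simplified
# model of IOS behaviour, not IOS itself). Connected routes carry an
# interface name; the static default carries a next hop.
RIB = {
    "10.10.10.0/25":    ("connected", "Vlan10"),
    "10.10.10.128/25":  ("connected", "Vlan11"),
    "10.10.20.0/30":    ("connected", "Vlan20"),
    "200.200.200.0/30": ("connected", "Vlan100"),
    "0.0.0.0/0":        ("static", "10.10.20.1"),   # S* 0.0.0.0/0 via 10.10.20.1
}
ACL_111 = ipaddress.ip_network("10.10.10.0/25")   # permit ip 10.10.10.0 0.0.0.127 any
PBR_NEXT_HOP = "200.200.200.2"

def lookup(dst):
    """Longest-prefix match in RIB; returns (network, kind, target)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, (kind, target) in RIB.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, kind, target)
    return best

def forward(src, dst, action):
    """action is 'next-hop' (set ip next-hop) or 'default' (set ip default next-hop)."""
    net, kind, target = lookup(dst)
    policy_hit = ipaddress.ip_address(src) in ACL_111
    if policy_hit and action == "next-hop":
        # set ip next-hop: the policy wins before the routing table is consulted,
        # so even VLAN10 -> VLAN11 traffic is diverted (the problem in the post)
        return f"PBR via {PBR_NEXT_HOP}"
    if policy_hit and action == "default" and net.prefixlen == 0:
        # set ip default next-hop: the policy applies only when the routing table
        # has no explicit route and the lookup falls through to the default
        return f"PBR via {PBR_NEXT_HOP}"
    if kind == "connected":
        return f"connected {target}"
    return f"via {target} (default)"
```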

Nagaraja Thanthry
Cisco Employee

What is your default gateway pointing to? I guess your default route also points to the same IP as the policy route. If you have two static routes pointing to two different next hops, either remove one (one related to policy route) or increase its cost. Hope this helps.

Regards,

NT

danrya
Level 1

Do you already have a "default route" defined? If not:

ip route 0.0.0.0 0.0.0.0 200.200.200.2

Then all traffic that is not destined to a route in the routing table will be sent to 200.200.200.2

Dan

The default route is configured and points to an IP that is different from the policy route. I want the traffic from VLAN 10 to go through a different gateway than the default route, which I defined in the route policy. But the inter-VLAN traffic should not be routed through the policy route. If I can put the deny statement in the ACEs, then I can specify the VLAN subnets in the ACEs.

i.e.

interface Vlan20
ip address 10.10.20.2 255.255.255.252

ip route 0.0.0.0 0.0.0.0 10.10.20.1

sh ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.10.20.1 to network 0.0.0.0

     10.0.0.0/8 is variably subnetted, 6 subnets, 3 masks
C       10.10.10.0/25 is directly connected, Vlan10
C       10.10.10.128/25 is directly connected, Vlan11
C       10.10.20.2/30 is directly connected, Vlan20
C       10.10.30.0/24 is directly connected, Vlan30
C       10.10.40.0/24 is directly connected, Vlan40
C       10.10.50.0/24 is directly connected, Vlan50
C       200.200.200.1/30 is directly connected, Vlan100
S*   0.0.0.0/0 [1/0] via 10.10.20.1

Try the following:

access-list 110 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255

route-map test deny 5
match ip address 110
route-map test permit 10
match ip address 111
set ip next-hop 200.200.200.2

This will ensure that the route map is not applied to the local traffic. Hope this helps.

Regards,

NT

I forgot to say that the PBR is configured on the 3750s with the IPServices image running. The route-map deny statement is not supported.

What code version are you running? It seems like the "route-map deny" is supported on the IPServices image.

The 3750 is running 12.2(44)SE5. c3750-ipservicesk9-mz.122-53.SE1.bin

Refer to Cisco doc:

The switch does not support route-map deny statements for PBR.

http://www.cisco.com/en/US/customer/docs/switches/lan/catalyst3750/software/release/12.2_44_se/configuration/guide/swiprout.html#wp1210866

Do you have another layer 3 switch? If yes, we could probably work around the limitations and route all local traffic to second switch for local routing and all other traffic to the outside device.

access-list 110 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255

route-map test permit 5
match ip address 110
set ip next-hop
route-map test permit 10
match ip address 111
set ip next-hop 200.200.200.2

On the second switch, you need to create SVI for all the vlans and turn on IP routing. Hope this helps.

Regards,

NT

danrya
Level 1

This seems like a lot of work for a "work around". Why not just use 10 or fewer static routes? For example, if you want to route the following subnets:

10.10.100.0/24
10.10.101.0/24
10.10.102.0/24
10.10.103.0/24
10.10.104.0/24
10.10.105.0/24
10.10.106.0/24
10.10.107.0/24
10.10.108.0/24
10.10.109.0/24

you can use:

ip route 10.10.100.0 255.255.255.0 200.200.200.2
ip route 10.10.101.0 255.255.255.0 200.200.200.2
ip route 10.10.102.0 255.255.255.0 200.200.200.2
ip route 10.10.103.0 255.255.255.0 200.200.200.2
ip route 10.10.104.0 255.255.255.0 200.200.200.2
ip route 10.10.105.0 255.255.255.0 200.200.200.2
ip route 10.10.106.0 255.255.255.0 200.200.200.2
ip route 10.10.107.0 255.255.255.0 200.200.200.2
ip route 10.10.108.0 255.255.255.0 200.200.200.2
ip route 10.10.109.0 255.255.255.0 200.200.200.2

or

ip route 10.10.100.0 255.255.252.0 200.200.200.2
ip route 10.10.104.0 255.255.252.0 200.200.200.2
ip route 10.10.108.0 255.255.254.0 200.200.200.2

So, as long as the subnets are contiguous, we can summarize them. If you post the subnets we can help with the mask.

Dan
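An added check (not from Dan's post) using Python's ipaddress module: it derives the summary routes for the ten /24s listed above and, because a hand-written summary that is too wide silently sends unintended address space to 200.200.200.2, reports any space a given set of summaries would route beyond the intended subnets.

```python
import ipaddress

# Constructed input: the ten /24s from the post above.
SUBNETS = [ipaddress.ip_network(f"10.10.{n}.0/24") for n in range(100, 110)]

def summarize(prefixes):
    """Smallest set of summary routes covering exactly the given prefixes."""
    return sorted(ipaddress.collapse_addresses(prefixes))

def overreach(summaries, prefixes):
    """Address space the summaries would route that is NOT in the intended
    prefixes. Empty means the summaries are exact; anything else is traffic
    that would be sent to the summary's next hop unintentionally."""
    extra = []
    for summary in summaries:
        leftover = [summary]
        for p in prefixes:
            remaining = []
            for chunk in leftover:
                if p.subnet_of(chunk):
                    # carve the intended prefix out of this chunk
                    remaining.extend(chunk.address_exclude(p))
                elif chunk.subnet_of(p):
                    pass  # chunk is entirely intended space; drop it
                else:
                    remaining.append(chunk)  # disjoint; keep for later checks
            leftover = remaining
        extra.extend(leftover)
    return sorted(ipaddress.collapse_addresses(extra))
```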
