Cisco Support Community
Community Member

PBR on cisco 3560

Hello all

I'm having a problem configuring PBR on a switch......

we have a 3560 with the IPservices IOS installed and SDM set to routing, we need 3 vlans (each has their own router / ISP) and they all need to share a single printer / copier.

so:

vlan1 (users and isp1)

vlan2 (users and isp2)

vlan3 (users and isp3)

all the users in all vlans need to access the same printer / copier, any ideas?

I posted a similar question a while back but we found the ios was incompatible with pbr, we now have a switch with ipservices ios installed (12.2(53)SE1)

cheers

Graham

1 ACCEPTED SOLUTION


Re: PBR on cisco 3560

If those routers cannot deal with static routes I don't think they are routers at all.....

Anyway.....

The 3560 will not intercept the packets for this reason:
When a host on VLAN x sends traffic to a host on another VLAN (VLAN y), it will send the packets to the default gateway.
The default is the router (so the switch will not intercept this traffic).
The 3560 will just switch frames (as a L2 switch).

In other words,
You have a scenario where you have VLANs, and the InterVLAN routing is being done by the routers.
So, in order to have communication between VLANs, traffic must go through the router.
The router will then decide what to do with the traffic (not the 3560)

I can imagine some workarounds, for example:
Enter a static route on the machine to send traffic intended for the printer to the 3560 (and have the 3560 route traffic)
In CLI on a Windows machine:
route ADD x.x.x.x mask 255.255.255.255 3560's_IP

If you add the above route on a Windows computer, then it will send traffic to x.x.x.x to the 3560 instead of to the default gateway.
The 3560 must have IP routing configured and must be able to route between VLANs as well.

Federico.

26 REPLIES

Re: PBR on cisco 3560

Hello Graham,

You have 3 VLANs on the 3560.
Each VLAN has its default gateway as the 3560?
If so, what's the problem that you're having?

Where is the printer that needs to be accessible from all VLANs?
The 3560 can do InterVLAN routing as well, please specify what it is that you need.

Federico.

Community Member

Re: PBR on cisco 3560

hi there

thanks for your reply....

like you say we already have 3 vlans and each has their own router / internet access, the users are given the ip address of the router on their vlan as default gateway so i am told we will need pbr (these are not cisco routers so it's making life a little awkward). we now need to add a printer that they all need to be able to use.

do i need a 4th vlan? or do i just drop the printer into one of the existing vlans?

then once I have the printer on the network how do i ensure that they can all print to it but not access each others vlans.

Cheers

Graham

Re: PBR on cisco 3560

Hi,

You only need PBR when you need to be able to manipulate the routing in some way so that it won't rely solely
on the IP routing table.

If you need to access a printer (on another VLAN), then you can simply have a static route on the router for that.

PBR is only if the routing needs to be controlled not only on destination IP, but on source IP for instance.
I don't see a reason for PBR.

The printer can be on a separate VLAN (VLAN 4), or on one of the existing VLANs.

Federico.

Community Member

Re: PBR on cisco 3560

HI and again thanks for your time on this....

so even though each VLAN has a router (that the users of that vlan use as their default gateway) I don't need PBR?

these routers are the dhcp and dns server for their respective vlan, so just to be clear (i might be wrong here so please correct me):

vlan1

192.168.1.x

192.168.1.1 (is the default gateway / router IP for vlan1 users)

vlan2

192.168.2.x

192.168.2.1  (is the default gateway / router IP for vlan2 users)

vlan3

192.168.3.x

192.168.3.1 (is the default gateway / router IP for vlan3 users)

vlan4 (created to hold the printer they all need to print to)

192.168.4.x

192.168.4.2 is the ip address for the printer they all need to print to

users are given their IP by DHCP from the respective router attached to their VLAN and this cannot be changed, they will see 192.168.4.x as a subnet not local to the vlan and so will attempt to route the traffic "off site" and so push the traffic out the WAN interface. would PBR not be needed to route packets before the router on the VLAN tries to forward the traffic to the internet?

E.g. a user on vlan 1 would see 192.168.4.2 as external to its LAN and so try to fire this out of its WAN connection.

cheers

Graham

Re: PBR on cisco 3560

If you have access to the routers (default gateways for the VLANs), then you don't need PBR.

All you need is the appropriate static routes to reach the other VLANs.

i.e.

User on VLAN 1 tries to access the printer (VLAN 4)

The packet is intended for a separate subnet.

The packet is sent to the default gateway.

The default gateway (the router) will send the packet to the other router so that it can be delivered to the appropriate destination subnet.

So, all you need is the appropriate static routes on the routers.

The problem is if you don't control the routers.

Then you will need to control the routing internally.

Federico.

Community Member

Re: PBR on cisco 3560

Thanks for the info

the issue is like you have said there, the routers are all different and I know that at least one of them does not allow me to add static routes back into the lan. none of them support trunk ports either.

these are just low end ISP supplied routers with minimal functionality.

I'll try again to have the routers do the routing internally (well on the ones that can handle static routes back into the LAN) and see what happens.

cheers

Graham

Re: PBR on cisco 3560

The easiest way, then, is to have the 3560 be the default gateway for all VLANs and do the InterVLAN routing.

In this case, the 3560 will have to do PBR to send the default gateway to the correct router based on source VLAN.

VLAN 1-4 will have default gateway the 3560.

The 3560 routes between VLANs.

The 3560 uses PBR to send the packets to the correct default gateway.

Federico.

Community Member

Re: PBR on cisco 3560

OK i'll look at doing this tonight (I'm taking the switch home), i have never configured PBR before so I got some learning to do.

Cheers

Graham

Re: PBR on cisco 3560

Community Member

Re: PBR on cisco 3560

thanks for the link.....

think i'm starting to get lost now

ok here goes:

on vlan1 we have:

router: 192.168.1.1 (this supplies dhcp and dns and is the default gateway for users on vlan1)

int vlan1 is set to 192.168.1.2

on vlan2

router: 192.168.2.1 (this supplies dhcp and dns and is the default gateway for users on vlan2)

int vlan2 is set to 192.168.2.2

on vlan3

router: 192.168.3.1 (this supplies dhcp and dns and is the default gateway for users on vlan3)

int vlan3 is set to 192.168.3.2

to save hassle I'm going to add the printer to vlan 3 (let's give it an address of 192.168.3.3) also.

I cannot change the default gateway for any of the users on any of the vlans (they are assigned by the routers and they are not intelligent enough to have trunks and routes to do the routing on the lan for me)

how do i get the switch to allow vlans 1 and 2 to access the printer in vlan 3?

what do i need to do to configure PBR, if i disconnect the routers and point all users to the default gateway of the vlan ip address then it works, as soon as we connect the routers it stops working (due to the dhcp server setting the router as the default gateway).

sorry about this, think I'm being stupid now

Re: PBR on cisco 3560

No need for apologies.
The thing is basically this:


If the hosts point to the routers as their default gateway, then the 3560 is not doing any routing (and therefore cannot manipulate the routing)

In this scenario that you describe, the 3560 is only going to switch frames and not look at the routing.

When hosts on VLAN x want to talk to hosts on VLAN x, the traffic stays local.
When hosts on VLAN x want to talk to hosts on VLAN y, the traffic is sent to the router

I see two solutions:
1. Control the routers to manipulate the routing
2. Control the routing in the 3560

Which is more feasible?

Don't hesitate to ask if it's not clear, English is not my native language ;-)

Federico.

Community Member

Re: PBR on cisco 3560

The routers are not capable of dealing with the routing (static routes and trunk ports) so we must use the 3560, so how do i get the switch to do routing if the routers are supplying their own IP as the default gateway?


the routers automatically set the default gateway and i cannot change it, now if there was a way to have pbr to "intercept" the traffic on its way to the routers and route it before it gets to the default gateway......

would this not allow me to get the users to the printer and still allow the router to be the default gateway?

Re: PBR on cisco 3560

If those routers cannot deal with static routes I don't think they are routers at all.....

Anyway.....

The 3560 will not intercept the packets for this reason:
When a host on VLAN x sends traffic to a host on another VLAN (VLAN y), it will send the packets to the default gateway.
The default is the router (so the switch will not intercept this traffic).
The 3560 will just switch frames (as a L2 switch).

In other words,
You have a scenario where you have VLANs, and the InterVLAN routing is being done by the routers.
So, in order to have communication between VLANs, traffic must go through the router.
The router will then decide what to do with the traffic (not the 3560)

I can imagine some workarounds, for example:
Enter a static route on the machine to send traffic intended for the printer to the 3560 (and have the 3560 route traffic)
In CLI on a Windows machine:
route ADD x.x.x.x mask 255.255.255.255 3560's_IP

If you add the above route on a Windows computer, then it will send traffic to x.x.x.x to the 3560 instead of to the default gateway.
The 3560 must have IP routing configured and must be able to route between VLANs as well.

Federico.

Community Member

Re: PBR on cisco 3560

Thanks for that, the routers are very low end things and there is no option to add static routes in the GUI on 2 of them and one doesn't even support telnet to allow config at the command line.

i was told that using pbr would enable a way to have the routing dealt with by policy before it was sent to the router as normal (apply route-map on the interface that the packets enter the switch to re-route data matching my requirements (allow printing to a different subnet) to the correct place, if the traffic does not match my requirements then just send it to the default gateway).

at least i know this is not possible now using the equipment we have purchased and the routers supplied by the ISPs

thanks for taking the time to help me with this.

Graham

Re: PBR on cisco 3560

Just for you to have it clear.

PBR (Policy-Based Routing) can be enabled on routers or switches that operate at Layer 3 of the OSI model.

It is a feature that allows you to manipulate how the routing decisions are going to be made (instead of relying solely on the IP routing table).

So, when a packet reaches a router, instead of having the router look at the routing table (normal behavior), you can configure PBR to make the router take different decisions (prior to looking at the routing table).

i.e

You can tell a router to forward packets via interface1 when the packets come from VLAN1

You can tell the same router to forward packets via interface2 when the packets come from VLAN2

So, as you see, PBR allows routing decisions to be made on other factors besides the normal destination IP address (normal routing table).

PBR will intercept packets and apply these policies when PBR is enabled on the same device that makes the routing decisions.

That's why you cannot configure PBR on the 3560 if it is not involved in the routing path (only in the switching path)

Federico.

Community Member

Re: PBR on cisco 3560

ok i can't give up on this, we still need to get printing going on this site.

i have found a pair of routers that will allow me to add static routes........

what do i need to do?

Re: PBR on cisco 3560

Ok, that's better...

Sorry to insist, but you can't change the default gateway on the VLANs?

I insist because if the default gateway still goes to the routers that you don't control, there's not much to do.

Federico.

Community Member

Re: PBR on cisco 3560

i'm just looking into if i can change the gateway address assigned by dhcp on the routers.

so assume that i can get the router to assign a gateway address of the vlan:

vlan1 192.168.1.2

vlan2 192.168.2.2

vlan3 192.168.3.2

cheers

Graham

Re: PBR on cisco 3560

If you can get the router to assign via DHCP the gateway 192.168.x.2 (where x is the VLAN number), then configure the new routers to have that IP.

So, the default gateway that the hosts are going to receive is the new router.

Since you manage this router, then you can configure the routes accordingly.

I will say to try this:

VLAN 1

VLAN 2

VLAN 3

All of them connected to the 3560.

Then the 3560 connects to the router.

This new router will do the InterVLAN routing between the VLANs, so that you have communication between the VLANs and you can print.

Let me know if you're going to do it like that to help you with the commands.

Federico.

Community Member

Re: PBR on cisco 3560

ok remember these are not cisco routers (i wish they were as I could have done the intervlan routing without issue on those).

they are thomson tg585v7 as supplied by the isp, they do dhcp and dns etc but as yet i find no config for vlan capability on this router.

the 3rd vlan has a 2wire router that i don't have access to at this time but i know that one also does static routes.

Re: PBR on cisco 3560

Ok, when the router is limited on its number of interfaces (only one for example), you need InterVLAN routing.

How many ports does this router have?

If you can have 1 physical port connection for each VLAN, then you don't need InterVLAN routing, only need static routes (the ports on the router have to be routed ports).

If this is not the case, the easiest solution is this:

Just point the default gateway to be the 3560 and we do the routing there.

Federico.

Community Member

Re: PBR on cisco 3560

i think we should do the routing on the switch, reason being that each of the vlans has its own connection to the internet.

they must all use their own internet connection but be able to print to the same copier.

so if i can get the dhcp to assign the vlan ip as its gateway....... we use the switch to do the routing and then use static any any routes pointing back to the internet routers?

Community Member

Re: PBR on cisco 3560

the ports are not routed, man if i could just use a cisco router and a single internet connection lol

Re: PBR on cisco 3560

Let's do the routing on the 3560, default gateway to the ISP routers, problem solved.

Federico.

Community Member

Re: PBR on cisco 3560

ok so i config the 3560 to do inter vlan routing and have the dhcp assign the gateway address as the vlan interface ip

i then set static routes to say any any to the isp router and we are done?

Re: PBR on cisco 3560

Exactly.

We should have done this since we started ;-)

Federico.
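
The design the thread settles on, as an added example that is not part of the original posts or any poster's actual configuration: the 3560 is every VLAN's default gateway, PBR picks the ISP router by source VLAN, and inbound ACLs on the SVIs let VLANs 1 and 2 reach only the printer (192.168.3.3) across VLANs. Addresses come from the thread; the /24 masks, the ACL and route-map names, and support for deny entries in a PBR ACL on this release are assumptions to check against the platform's configuration guide. The printer's own gateway must be 192.168.3.2 for its replies to return through the switch.

```cisco
! Constructed example. ACL and route-map names are hypothetical.
! PBR on the 3560 needs the routing SDM template (takes effect after reload).
sdm prefer routing
ip routing
!
! Segmentation: only printer traffic may cross VLANs.
ip access-list extended VLAN1-IN
 permit ip 192.168.1.0 0.0.0.255 host 192.168.3.3
 deny   ip any 192.168.2.0 0.0.1.255
 permit ip any any
ip access-list extended VLAN2-IN
 permit ip 192.168.2.0 0.0.0.255 host 192.168.3.3
 deny   ip any 192.168.1.0 0.0.0.255
 deny   ip any 192.168.3.0 0.0.0.255
 permit ip any any
! ACLs are stateless, so the printer's replies need their own permits.
ip access-list extended VLAN3-IN
 permit ip host 192.168.3.3 192.168.1.0 0.0.0.255
 permit ip host 192.168.3.3 192.168.2.0 0.0.0.255
 deny   ip any 192.168.1.0 0.0.0.255
 deny   ip any 192.168.2.0 0.0.0.255
 permit ip any any
!
! PBR matches only Internet-bound traffic; internal destinations
! (including the switch's own SVIs) fall through to the routing table.
ip access-list extended TO-INTERNET
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip any any
route-map VLAN1-ISP permit 10
 match ip address TO-INTERNET
 set ip next-hop 192.168.1.1
route-map VLAN2-ISP permit 10
 match ip address TO-INTERNET
 set ip next-hop 192.168.2.1
route-map VLAN3-ISP permit 10
 match ip address TO-INTERNET
 set ip next-hop 192.168.3.1
!
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
 ip access-group VLAN1-IN in
 ip policy route-map VLAN1-ISP
interface Vlan2
 ip address 192.168.2.2 255.255.255.0
 ip access-group VLAN2-IN in
 ip policy route-map VLAN2-ISP
interface Vlan3
 ip address 192.168.3.2 255.255.255.0
 ip access-group VLAN3-IN in
 ip policy route-map VLAN3-ISP
```

`show route-map` and `show ip access-lists` show per-entry match counters, which confirm that printer traffic hits the permit lines and that cross-VLAN attempts land on the deny lines.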

4796 Views, 0 Helpful, 26 Replies