PBR Problem on 3550 Switch

frank_zhai
Level 1

Upgraded to 12.2(44)SE6 ipservicesk9.

I have 2 VLANs, 30 and 32. IP routing is enabled on the 3550-24-PWR.

PC 192.168.30.10/24 on VLAN 30 can talk to PC 192.168.32.2/24 on VLAN 32.

There's a default router 192.168.30.100 on VLAN 30 to go to the public Internet:

ip route 0.0.0.0 0.0.0.0 192.168.30.100

Both PCs can go to the Internet by router 192.168.30.100.

Now VLAN 32 users got their own public IP address. Added a new router 192.168.32.100.

Now I need to set up PBR to route Internet traffic on VLAN 30 by router 192.168.30.100 and Internet traffic on VLAN 32 by router 192.168.32.100.

So I removed the default IP route to 192.168.30.100 and set up 2 route-maps:

access-list 10 permit 192.168.30.0 0.0.0.255
access-list 20 permit 192.168.32.0 0.0.0.255
!
route-map vlan30 permit 10
 match ip address 10
 set ip next-hop 192.168.30.100
!
route-map vlan32 permit 20
 match ip address 20
 set ip next-hop 192.168.32.100
!
int vlan 30
 ip policy route-map vlan30
!
int vlan 32
 ip policy route-map vlan32
!
sdm prefer routing extended-match

It works for the traffic to the public Internet, but PC 192.168.30.10 failed to ping 192.168.32.2: the inter-VLAN routing failed.

I tried to use the command "set ip default next-hop" instead of "set ip next-hop", but I can't apply the route-map to the VLAN interface. Got error "route-map vlan30 not supported by policy-based routing".

Can't find any docs about this situation. Please help.

Thanks,

Frank

4 Replies

manish arora
Level 6

Can you try an extended access-list and deny the traffic that should not be qualified for policy routing?

no access-list 10 permit 192.168.30.0 0.0.0.255
no access-list 20 permit 192.168.32.0 0.0.0.255
!
access-list 100 deny ip 192.168.30.0 0.0.0.255 192.168.32.0 0.0.0.255
access-list 100 permit ip 192.168.30.0 0.0.0.255 any
access-list 101 deny ip 192.168.32.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 101 permit ip 192.168.32.0 0.0.0.255 any
!
! re-point the existing route-maps at the extended ACLs
route-map vlan30 permit 10
 no match ip address 10
 match ip address 100
route-map vlan32 permit 20
 no match ip address 20
 match ip address 101

Don't know if this would work, but you can try it.

Manish

Thanks Manish. It works.

Ganesh Hariharan
VIP Alumni

Hi Frank,

As suggested by Manish, try the extended ACL with the local LAN subnet denied for PBR; the rest of the traffic should go with PBR. Generally, the difference between the set ip next-hop and set ip default next-hop commands is:

The set ip next-hop command forwards the matching traffic because a switch works hardware-based. The set ip next-hop is working all the time in hardware, because the routing table and process never get checked by the switch. It receives a packet and, if that falls into the route-map statements, then it is sent directly to the next hop that you specified, without checking the routing table.

The set ip default next-hop command first checks the entire routing table to see if there is another route to the destination. If no route is found, then the default next-hop is used.

Hope this helps!!

Ganesh.H
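A small model of the 3550's PBR decision, added here as an illustration and not Cisco IOS code or configuration from the thread. It evaluates both Frank's standard ACLs and Manish's extended ACLs with IOS wildcard-mask, first-match semantics, and implements the two forwarding orders Ganesh describes (set ip next-hop: policy before the routing table; set ip default next-hop: routing table first). The 203.0.113.5 Internet destination is a constructed address; the routing table is assumed to hold only the two connected SVIs, since the default route was removed.

```python
from ipaddress import IPv4Address, IPv4Network

def wildcard_match(addr, base, wildcard):
    """IOS wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

ANY = ("0.0.0.0", "255.255.255.255")  # the 'any' keyword as base/wildcard
# ACL entries are (action, src, src-wildcard, dst, dst-wildcard), keyed by ingress VLAN.
# Frank's original standard ACLs 10 and 20: every packet from the VLAN is policy-routed.
STANDARD = {30: [("permit", "192.168.30.0", "0.0.0.255", *ANY)],
            32: [("permit", "192.168.32.0", "0.0.0.255", *ANY)]}
# Manish's extended ACLs 100 and 101: the local-to-local flow is denied first, so it
# is NOT policy-routed and falls back to the routing table.
EXTENDED = {30: [("deny", "192.168.30.0", "0.0.0.255", "192.168.32.0", "0.0.0.255"),
                 ("permit", "192.168.30.0", "0.0.0.255", *ANY)],
            32: [("deny", "192.168.32.0", "0.0.0.255", "192.168.30.0", "0.0.0.255"),
                 ("permit", "192.168.32.0", "0.0.0.255", *ANY)]}
NEXT_HOP = {30: "192.168.30.100", 32: "192.168.32.100"}  # set ip next-hop per route-map
# Assumed routing table after the default route was removed: only the connected SVIs.
CONNECTED = {IPv4Network("192.168.30.0/24"): "vlan30", IPv4Network("192.168.32.0/24"): "vlan32"}

def acl_permits(entries, src, dst):
    """First matching entry decides; unmatched packets hit the implicit deny."""
    for action, sb, sw, db, dw in entries:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action == "permit"
    return False

def table_lookup(dst):
    """Ordinary routing-table lookup; None when no route exists (no default route left)."""
    return next((svi for net, svi in CONNECTED.items() if IPv4Address(dst) in net), None)

def forward(src, dst, vlan, acls, default_next_hop=False):
    """Decide the egress for a packet entering SVI 'vlan' under the given policy ACLs."""
    policy = "policy next-hop " + NEXT_HOP[vlan] if acl_permits(acls[vlan], src, dst) else None
    route = table_lookup(dst)
    if default_next_hop:
        # 'set ip default next-hop': routing table first, policy only when it has no route
        return f"routed via connected {route}" if route else (policy or "dropped: no route")
    # 'set ip next-hop': the route-map match wins before the table is ever consulted
    return policy or (f"routed via connected {route}" if route else "dropped: no route")

if __name__ == "__main__":
    for label, acls in (("standard", STANDARD), ("extended", EXTENDED)):
        print(label, "30->32:", forward("192.168.30.10", "192.168.32.2", 30, acls))
        print(label, "30->Internet:", forward("192.168.30.10", "203.0.113.5", 30, acls))
    print("standard + default next-hop 30->32:",
          forward("192.168.30.10", "192.168.32.2", 30, STANDARD, default_next_hop=True))
```

With the standard ACLs the 30-to-32 ping is handed to the Internet gateway instead of the connected VLAN, which is the failure Frank saw; the deny entry, or default-next-hop semantics, lets it reach the connected route.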

Thanks Ganesh,

According to the Cisco docs, "set ip default next-hop" is the right one to use in my case. But the system won't allow me to apply the route-map to the VLAN interface. I don't know where the conflict is.

Anyway the deny destination extended ACLs worked.

Rgds//Frank
