11-03-2010 04:21 PM - edited 03-06-2019 01:52 PM
Upgraded to 12.2 Ipservicek9 44SE6.
I have 2 VLANs, 30 and 32. IP routing is enabled on the 3550-24-PWR.
PC 192.168.30.10/24 on VLAN 30 can talk to PC 192.168.32.2/24 on VLAN 32.
There's a default router 192.168.30.100 on VLAN 30 to go to the public Internet.
ip route 0.0.0.0 0.0.0.0 192.168.30.100
Both PCs can go to the Internet via router 192.168.30.100.
Now the VLAN 32 users got their own public IP address. Added new router 192.168.32.100.
Now I need to set up PBR to route Internet traffic on VLAN 30 via router 192.168.30.100
and route Internet traffic on VLAN 32 via router 192.168.32.100.
So I removed the default IP route to 192.168.30.100
and set up 2 route-maps:
access-list 10 permit 192.168.30.0 0.0.0.255
access-list 20 permit 192.168.32.0 0.0.0.255
route-map vlan30 permit 10
match ip address 10
set ip next-hop 192.168.30.100
route-map vlan32 permit 20
match ip address 20
set ip next-hop 192.168.32.100
int vlan 30
ip policy route-map vlan30
int vlan 32
ip policy route-map vlan32
sdm prefer routing extended-match
It works for the traffic to the public Internet. But PC 192.168.30.10 failed to ping 192.168.32.2;
the inter-VLAN routing failed.
I tried to use the command "set ip default next-hop" instead of "set ip next-hop".
I can't apply the route-map to the VLAN interface.
Got error "route-map vlan30 not supported by policy-based routing"
Can't find any docs about this situation. Please help.
Thanks,
Frank
11-03-2010 05:53 PM
Can you try an extended access-list and deny traffic from being qualified for policy routing?
no access-list 10 permit 192.168.30.0 0.0.0.255
no access-list 20 permit 192.168.32.0 0.0.0.255
access-list 100 deny ip 192.168.30.0 0.0.0.255 192.168.32.0 0.0.0.255
access-list 100 permit ip 192.168.30.0 0.0.0.255 any
access-list 101 deny ip 192.168.32.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 101 permit ip 192.168.32.0 0.0.0.255 any
Don't know if this would work, but you can try it.
Manish
11-04-2010 07:49 AM
Thanks Manish. It works.
11-04-2010 03:28 AM
Hi Frank,
As suggested by Manish, try an extended ACL with the local LAN subnet denied for PBR, and the rest of the traffic should go with PBR. Generally, the difference between the set ip next-hop and set ip default next-hop commands is:
The set ip next-hop command is applied to the matching traffic in hardware, because a switch is hardware based. The set ip next-hop works all the time in hardware, because the routing table and process never get checked by the switch. It receives a packet, and if that falls into the route-map statements then it is sent directly to the next hop that you specified, without checking the routing table.
The set ip default next-hop command first checks the entire routing table to see if there is another route to the destination. If no route is found, then the default next-hop is used.
Hope to Help !!
Ganesh.H
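The behaviour discussed in this thread, as an added example that is not part of any post: a simplified Python model (not Cisco's implementation) of the forwarding decision on the VLAN 30 SVI, comparing the original source-only ACL 10 with the extended ACL 100 that denies inter-VLAN traffic. It assumes route-map vlan30 is changed to match ACL 100, and the Internet destination 203.0.113.5 is a constructed sample.

```python
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
V30 = ip_network("192.168.30.0/24")
V32 = ip_network("192.168.32.0/24")

# Connected routes on the switch; the static default route was removed.
CONNECTED = {"Vlan30": V30, "Vlan32": V32}

# ACL entries as (action, source, destination). A standard ACL matches on
# source only, which is modelled here as destination "any".
ACLS = {
    10:  [("permit", V30, ANY)],                      # original post
    100: [("deny", V30, V32), ("permit", V30, ANY)],  # suggested fix
}

def acl_permits(acl, src, dst):
    """First matching entry wins; an ACL ends with an implicit deny."""
    for action, s, d in ACLS[acl]:
        if src in s and dst in d:
            return action == "permit"
    return False

def route_lookup(dst):
    """Normal routing: return the connected interface, or None."""
    for ifname, net in CONNECTED.items():
        if dst in net:
            return f"connected {ifname}"
    return None

def forward(src, dst, acl, next_hop, default_next_hop=False):
    """Decide where a packet entering the PBR-enabled SVI is sent."""
    src, dst = ip_address(src), ip_address(dst)
    route = route_lookup(dst)
    if acl_permits(acl, src, dst):
        if not default_next_hop:
            # set ip next-hop: routing table is not consulted
            return f"PBR next-hop {next_hop}"
        if route is None:
            # set ip default next-hop: used only when no route exists
            return f"PBR default next-hop {next_hop}"
    # Not matched (or denied) by the route-map ACL: normal routing
    return route or "drop (no route)"

if __name__ == "__main__":
    for acl in (10, 100):
        for dst in ("192.168.32.2", "203.0.113.5"):
            print(acl, dst, "->",
                  forward("192.168.30.10", dst, acl, "192.168.30.100"))
```

With ACL 10 the ping to 192.168.32.2 is handed to the Internet router instead of being routed between VLANs; with ACL 100 it falls through to the connected route, while Internet traffic is still policy-routed.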
11-04-2010 08:01 AM
Thanks Ganesh,
According to Cisco Docs, the "set ip default next-hop" is the right one to use in my case. But the system won't allow me to apply the route-map to the VLAN interface. I don't know where the conflict is.
Anyway the deny destination extended ACLs worked.
Rgds//Frank