Cisco Support Community

PBR Problem on 3550 Switch

Upgraded to 12.2(44)SE6 ipservicesk9.

I have 2 VLANs, 30 and 32. IP routing is enabled on the 3550-24-PWR.

PC 192.168.30.10/24 on VLAN 30 can talk to PC 192.168.32.2/24 on VLAN 32.

There's a default router 192.168.30.100 on VLAN 30 to go to the public Internet:

ip route 0.0.0.0 0.0.0.0 192.168.30.100

Both PCs can go to the Internet via router 192.168.30.100.

Now the VLAN 32 users got their own public IP address. Added a new router 192.168.32.100.

Now I need to set up PBR to route Internet traffic on VLAN 30 via router 192.168.30.100 and Internet traffic on VLAN 32 via router 192.168.32.100.

So I removed the default IP route to 192.168.30.100 and set up 2 route-maps:

access-list 10 permit 192.168.30.0 0.0.0.255
access-list 20 permit 192.168.32.0 0.0.0.255
!
route-map vlan30 permit 10
 match ip address 10
 set ip next-hop 192.168.30.100
!
route-map vlan32 permit 20
 match ip address 20
 set ip next-hop 192.168.32.100
!
interface vlan 30
 ip policy route-map vlan30
!
interface vlan 32
 ip policy route-map vlan32
!
sdm prefer routing extend-match

It works for traffic to the public Internet, but PC 192.168.30.10 fails to ping 192.168.32.2:

the inter-VLAN routing failed.

I tried to use the command "set ip default next-hop" instead of "set ip next-hop".

I can't apply that route-map to the VLAN interface.

I got the error "route-map vlan30 not supported by policy-based routing".

I can't find any docs about this situation. Please help.

Thanks,

Frank


Accepted Solutions

Re: PBR Problem on 3550 Switch

Can you try an extended access-list and deny the traffic that should not qualify for policy routing?

no access-list 10 permit 192.168.30.0 0.0.0.255
no access-list 20 permit 192.168.32.0 0.0.0.255
!
! VLAN 30: exempt traffic destined for VLAN 32, policy-route everything else
access-list 100 deny ip 192.168.30.0 0.0.0.255 192.168.32.0 0.0.0.255
access-list 100 permit ip 192.168.30.0 0.0.0.255 any
!
! VLAN 32: exempt traffic destined for VLAN 30, policy-route everything else
access-list 101 deny ip 192.168.32.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 101 permit ip 192.168.32.0 0.0.0.255 any
!
! point the existing route-maps at the new ACLs
route-map vlan30 permit 10
 no match ip address 10
 match ip address 100
route-map vlan32 permit 20
 no match ip address 20
 match ip address 101

Don't know if this would work, but you can try it.

Manish


Re: PBR Problem on 3550 Switch

Thanks Manish. It works.

Re: PBR Problem on 3550 Switch


Hi Frank,

As suggested by Manish, try an extended ACL with the local LAN subnet denied for PBR; the rest of the traffic should go with PBR. Generally, the difference between the set ip next-hop and set ip default next-hop commands is:

The set ip next-hop command policy-routes the matching traffic in hardware, because a switch works hardware-based. Set ip next-hop works all the time in hardware, because the routing table and process never get checked by the switch. It receives a packet and, if that falls into the route-map statements, it is sent directly to the next hop that you specified, without checking the routing table.

The set ip default next-hop command first checks the entire routing table to see if there is another route to the destination. If no route is found, then the default next-hop is used.

Hope this helps!

Ganesh.H
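To make the two answers above concrete, here is an added example that is not part of the thread and not Cisco's code: a small Python model of how a route-map clause evaluates its ACL and picks a next hop. It is in Python rather than IOS because the decision logic, not the CLI, is what the thread turns on. It runs Frank's original configuration (standard ACL 10 with set ip next-hop), Manish's fix (extended ACL 100 with a deny ACE for the VLAN 30 to VLAN 32 traffic), and the set ip default next-hop behaviour Ganesh describes, each against the same packets. The hosts and subnets are the thread's; the 198.51.100.1 address standing in for an Internet host, the "connected:vlan32" label and the tuple representation of ACEs and clauses are constructed for this example. The matching rules it encodes are the usual IOS ones: first matching ACE wins, implicit deny at the end of every ACL, a clause only policy-routes a packet its ACL permits, and a 0.0.0.0/0 entry is treated here as not an explicit route for set ip default next-hop.

```python
"""Toy model of IOS policy-based routing (PBR): how a route-map clause
evaluates its ACL and chooses a next hop.  Constructed example, not from
the thread.  198.51.100.1 is a documentation address standing in for a
host on the public Internet."""
from ipaddress import IPv4Address, IPv4Network

ANY = IPv4Network("0.0.0.0/0")  # "any" in an ACE, and the default route


def acl_lookup(acl, src, dst):
    """Evaluate an ACL given as a list of (action, src_net, dst_net) ACEs.
    First matching ACE wins; no match hits the implicit deny.  A standard
    ACL only tests the source, so it is modelled with dst_net = ANY."""
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action
    return "deny"


def rib_lookup(rib, dst):
    """Longest-prefix match over (network, next_hop) entries; None if no route."""
    best = None
    for net, next_hop in rib:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def pbr_forward(route_map, rib, src, dst):
    """Next hop for one packet arriving on an interface with 'ip policy'.
    A clause matches only when its ACL permits the packet; a deny ACE (or
    no ACE) means the clause does not policy-route it.  'set ip next-hop'
    never consults the routing table; 'set ip default next-hop' consults
    it first and uses the configured hop only if no explicit route exists."""
    for _seq, acl, (set_kind, next_hop) in sorted(route_map, key=lambda c: c[0]):
        if acl_lookup(acl, src, dst) != "permit":
            continue  # clause not matched, try the next sequence number
        if set_kind == "next-hop":
            return next_hop  # hardware path: routing table ignored
        route = rib_lookup(rib, dst)  # set_kind == "default-next-hop"
        if route is not None and route[0] != ANY:
            return route[1]
        return next_hop
    route = rib_lookup(rib, dst)  # no clause matched: normal routing
    return route[1] if route is not None else "drop"


VLAN30 = IPv4Network("192.168.30.0/24")
VLAN32 = IPv4Network("192.168.32.0/24")

# Routing table after the default route was removed: connected VLANs only.
RIB = [(VLAN30, "connected:vlan30"), (VLAN32, "connected:vlan32")]

# access-list 10 permit 192.168.30.0 0.0.0.255      (standard: source only)
ACL_10 = [("permit", VLAN30, ANY)]
# access-list 100 deny ip 192.168.30.0 0.0.0.255 192.168.32.0 0.0.0.255
# access-list 100 permit ip 192.168.30.0 0.0.0.255 any
ACL_100 = [("deny", VLAN30, VLAN32), ("permit", VLAN30, ANY)]

# route-map vlan30 as (sequence, acl, (set command, next hop))
ROUTE_MAP_ORIGINAL = [(10, ACL_10, ("next-hop", "192.168.30.100"))]
ROUTE_MAP_FIXED = [(10, ACL_100, ("next-hop", "192.168.30.100"))]
ROUTE_MAP_DEFAULT_NH = [(10, ACL_10, ("default-next-hop", "192.168.30.100"))]

PC30 = IPv4Address("192.168.30.10")
PC32 = IPv4Address("192.168.32.2")
INTERNET = IPv4Address("198.51.100.1")  # constructed stand-in for an Internet host


def compare():
    """Next hop chosen for inter-VLAN and Internet traffic from PC30 under each route-map."""
    variants = [("original", ROUTE_MAP_ORIGINAL),
                ("fixed", ROUTE_MAP_FIXED),
                ("default-next-hop", ROUTE_MAP_DEFAULT_NH)]
    return {name: {"to_vlan32": pbr_forward(rm, RIB, PC30, PC32),
                   "to_internet": pbr_forward(rm, RIB, PC30, INTERNET)}
            for name, rm in variants}


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:17s} -> vlan32: {result['to_vlan32']:17s} internet: {result['to_internet']}")
```

The "original" row reproduces the failure in the thread: the standard ACL permits every packet sourced from VLAN 30, so the ping to 192.168.32.2 is handed to 192.168.30.100 instead of being routed onto VLAN 32. The "fixed" row shows why Manish's deny ACE works: the clause no longer matches that packet, so the switch falls back to its connected route. The "default-next-hop" row shows the behaviour Frank wanted; the thread reports that his switch refused to apply that route-map, which is why the ACL approach is the one that landed.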


Re: PBR Problem on 3550 Switch

Thanks Ganesh,

According to the Cisco docs, "set ip default next-hop" is the right one to use in my case. But the system won't allow me to apply the route-map to the VLAN interface. I don't know where the conflict is.

Anyway, the extended ACLs with the deny on the destination worked.

Rgds//Frank
