Re: Policy Based Routing on Catalyst

MaximBudyonny · ‎10-25-2006

Hi All,

I have Catalyst 3750 which operates as L3 switch.

8 routed VLANs 10.0.111.0/27 are configured on it.

All these VLANs were created for different types of guest: WiFi, wired and so on. ACLs on Catalyst 3750 protect my LAN from guests and also protect different type of guests from each other.

But guests want to access Internet.

Corporate security policy requires that guests Internet traffic must go through MS ISA server. With Cisco router I can do it with a help of PBR

Something like:

route-map to-isa permit 10

match ip address ACL_THAT_MATCHES_INET_TRAFFIC

set ip next-hop MS_ISA_IP

But how can I do it with Catalyst switch?

michaelc0n · ‎10-25-2006

PBR will work on a cat switch 3750 provided you have the EMI IMAGE...might be worth getting.

interface Vlan2

ip address 10.0.111.1 255.255.255.224

ip policy route-map pbr

access-list 10 permit 10.0.111.0 0.0.0.31

route-map pbr permit 10

match ip address 10

set ip next-hop "isa server"

If that doesn't work how bout VACLs?

jlkeys · ‎10-25-2006

Stick with VACL's if you can, PBR can be process intensive.

MaximBudyonny · ‎10-27-2006

Than you for advices, but as I know only EMI version of a Catalyst IOS supports this feature.

My C3750-IPSERVICESK9-M, Version 12.2(25)SEC doesn't support this feature.