12-22-2005 05:59 AM - edited 03-03-2019 01:13 AM
Background:
I have a Cisco 3550-12G switch as core, and there are several VLANs created on this 3550-12G.
I have 2 ISPs connected, so I installed 2 firewalls as well to connect to the different ISPs. The 2 firewalls are also connected to the 3550-12 respectively.
My question:
1. Use route-map to deploy policy route to the 2 ISPs.
2. VLAN 1 goes to Firewall1 and VLAN 2 goes to Firewall2.
Current Status:
I put a default route on the 3550 now to direct all the Internet traffic to Firewall1, from both VLAN 1 and VLAN 2.
IP Scheme:
1. 3550 IP add: 10.0.10.1
2. Firewall 1 IP add: 10.0.10.100
3. Firewall 2 IP add: 10.0.10.200
VLAN 1 IP scope: 10.0.1.0/24
VLAN 2 IP scope: 10.0.2.0/24
Looking forward to kind help...
Appreciated!
IOS (tm) C3550 Software (C3550-I5Q3L2-M), Version 12.1(22)EA1a, RELEASE SOFTWARE (fc1)
12-22-2005 06:20 AM
Hi
You can try out something like this to force the traffic based on the source ip address.
route-map vlan1 permit 10
 match ip address 100
 set ip next-hop 10.0.10.100
!
access-list 100 permit ip 10.0.1.0 0.0.0.255 any
!
interface VLAN 1
 ip policy route-map vlan1
!
route-map vlan2 permit 10
 match ip address 101
 set ip next-hop 10.0.10.200
!
access-list 101 permit ip 10.0.2.0 0.0.0.255 any
!
interface VLAN 2
 ip policy route-map vlan2
Regards
12-22-2005 06:26 AM
Hi,
there is some documentation with limitations to watch out for under
Hope this helps
Martin
12-22-2005 07:06 AM
Hey, Martin,
Does the URL you posted mean there are some limitations with 3550 policy routing?
12-22-2005 06:40 AM
My configuration:
interface Vlan1
 ip address 10.0.1.1 255.255.255.0
!
interface Vlan2
 ip address 10.0.2.1 255.255.255.0
 ip policy route-map ISP2
!
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
!
router rip
 version 2
 network 10.0.0.0
 no auto-summary
!
ip classless
! Firewall 1
ip route 0.0.0.0 0.0.0.0 10.0.10.100
access-list 101 permit ip host 10.0.2.0 0.0.0.255 any
route-map ISP2 permit 10
 match ip address 101
 set ip default next-hop 10.0.10.200
12-22-2005 06:47 AM
Hi,
looks like your VLAN2 interface is missing the
"ip policy route-map ISP2" command.
And the access list should be
access-list 101 permit ip 10.0.2.0 0.0.0.255 any
Hope this helps
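Added example, not part of the original posts and not Cisco tooling: a small Python check that follows the chain interface, route-map, access-list in the posted lines and flags the `host` plus wildcard entry that the reply above corrects. The names `lint_pbr` and `acl_source` are hypothetical, the sample is constructed from the configuration in the thread, and the check assumes every policy-routed interface has an `ip address` line.

```python
import ipaddress

# Constructed sample: the PBR-related lines of the configuration posted in the thread.
POSTED = """\
interface Vlan2
 ip address 10.0.2.1 255.255.255.0
 ip policy route-map ISP2
access-list 101 permit ip host 10.0.2.0 0.0.0.255 any
route-map ISP2 permit 10
 match ip address 101
"""

def acl_source(tok):
    """Source network of a 'permit ip <src> <dst>' entry, or None if malformed."""
    nets = []
    try:
        for _ in range(2):  # source spec, then destination spec
            if tok[0] == "any":
                tok = ["0.0.0.0", "255.255.255.255"] + tok[1:]
            elif tok[0] == "host":
                tok = [tok[1], "0.0.0.0"] + tok[2:]
            wild = int(ipaddress.IPv4Address(tok[1]))  # wildcard mask -> prefix length
            nets.append(ipaddress.ip_network(f"{tok[0]}/{32 - wild.bit_length()}", strict=False))
            tok = tok[2:]
    except (ValueError, IndexError):
        return None
    return None if tok else nets[0]

def lint_pbr(config):
    """Follow interface -> route-map -> access-list and report breaks in the chain."""
    subnet, policy, match, acl, ctx, out = {}, {}, {}, {}, None, []
    for w in map(str.split, config.splitlines()):
        if w[:1] in (["interface"], ["route-map"]):
            ctx = w[1]
        elif w[:2] == ["ip", "address"]:
            subnet[ctx] = ipaddress.ip_interface(f"{w[2]}/{w[3]}").network
        elif w[:3] == ["ip", "policy", "route-map"]:
            policy[ctx] = w[3]
        elif w[:3] == ["match", "ip", "address"]:
            match.setdefault(ctx, []).append(w[3])
        elif w[:1] == ["access-list"] and w[2:4] == ["permit", "ip"]:
            acl.setdefault(w[1], []).append(acl_source(w[4:]))
    for ifc, rmap in policy.items():
        for num in match.get(rmap, []):
            srcs = acl.get(num, [])
            if None in srcs:
                out.append(f"{ifc}: access-list {num} has a malformed entry")
            if not any(s is not None and subnet[ifc].subnet_of(s) for s in srcs):
                out.append(f"{ifc}: access-list {num} does not cover {subnet[ifc]}")
    return out
```

`lint_pbr(POSTED)` returns two findings for Vlan2; with the ACL line replaced by the entry from the reply it returns an empty list. A non-contiguous wildcard is widened to the enclosing prefix, so the coverage check is an approximation for such entries.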
12-22-2005 06:57 AM
Sorry, I forgot to type the "ip policy route-map ISP2" command in my post here.
Actually, this command is in my 3550, but it's still not working.
12-22-2005 07:17 AM
Did you modify the TCAM SDM templates?
"The number of TCAM entries used by PBR depends on the route-map itself, the ACLs used, and the order of the ACLs and route-map entries.
•You must modify the SDM template to enable the switch to support the 144-bit Layer 3 TCAM. Use the sdm prefer extended-match, sdm prefer access extended-match, or the sdm prefer routing extended-match global configuration commands to reformat the TCAM space allocated to unicast routing in the default, access, or routing template, respectively. Reformatting the unicast routing TCAM reduces by half the number of supported unicast routes in the template."
Are there any error messages produced when you apply your config?
Martin
12-22-2005 07:59 AM
Did you mean that I need to modify the SDM template to activate the VLAN layer 3 routing function, or...?
I don't quite understand this yet:
You must use the extended-match keyword to support 144-bit Layer 3 TCAM when WCCP or multi-VRF CE is enabled on the switch. This keyword is not supported on the VLAN template.
I'd appreciate it if you could please shed some light on this.
Thanks.
12-25-2005 05:40 PM
Hi Everyone,
Any updates?
In my current configuration, I use "RIP 2". Is this the point?