Difficult PBR question (at least for me)

I have a 6509 with hundreds of VLANs on it, but in this case I am only concerned about 4.

My default VLAN is VLAN 1: 10.168.100.0/23, with the 6509 interface IP address 10.168.100.1.

VLAN 10: 10.168.110.0/24, with the 6509 interface IP address 10.168.110.1.

VLAN 20: 10.168.120.0/24, with the 6509 interface IP address 10.168.120.1.

The default gateway for all the above VLANs (my firewall) is at IP address 10.168.120.254.

VLAN 301 (partner connection VLAN): 10.190.10.0/24, with the 6509 interface IP address 10.190.10.1. This is a connection to a partner and has a router on it at 10.190.10.254. The default gateway for this VLAN is the partner router at 10.190.10.254.

There are 2 IP addresses at the customer site, 192.168.42.100 and 10.100.10.1, but I only want systems on VLAN 20 to be able to access them.

How do I define the ACL and the policy for those 2 explicit routes for only VLAN 10?

Thanks,

Graham

Accepted solution (reply from Giuseppe):

Hello Graham,

From your description I would say that you don't need PBR, but just an IP ACL applied on SVI vlan 301 to allow only traffic from the permitted subnet to the partner IP routes.

In the following example I assume that the IP subnet of SVI vlan10 is the one to be allowed to reach partner destinations.

int vlan 301
 ip access-group 121 out
!
access-list 121 remark allowed traffic to partner X
access-list 121 permit ip 10.168.110.0 0.0.0.255 host 192.168.42.100
access-list 121 permit ip 10.168.110.0 0.0.0.255 host 10.100.10.1
! every other source/destination pair is dropped by the implicit deny at the end of the list

assuming routing to the partner is performed with static routes as follows:

ip route 192.168.42.100 255.255.255.255 10.190.10.254
ip route 10.100.10.1 255.255.255.255 10.190.10.254

Hope to help

Giuseppe
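As an added example (not part of the thread, and not Cisco's own code), the following Python models how IOS evaluates a numbered extended ACL: wildcard-mask matching, first match wins, implicit deny when nothing matches. It parses a corrected copy of ACL 121 from the answer above and checks which flows leaving SVI vlan 301 toward the two partner hosts are permitted; the host addresses .25 in each VLAN are constructed for the check.

```python
import ipaddress

# Constructed copy of ACL 121 from the accepted answer (typos corrected).
ACL_121 = [
    "access-list 121 remark allowed traffic to partner X",
    "access-list 121 permit ip 10.168.110.0 0.0.0.255 host 192.168.42.100",
    "access-list 121 permit ip 10.168.110.0 0.0.0.255 host 10.100.10.1",
]

def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def _parse_spec(tok, i):
    """Return ((base, wildcard), next_index) for 'host A', 'any' or 'A W'."""
    if tok[i] == "host":
        return (_to_int(tok[i + 1]), 0), i + 2
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    return (_to_int(tok[i]), _to_int(tok[i + 1])), i + 2

def parse_acl(lines):
    """Parse 'access-list N permit|deny ip SRC DST' lines into entries."""
    entries = []
    for line in lines:
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[2] == "remark":
            continue  # remarks document intent but never match traffic
        src, i = _parse_spec(tok, 4)
        dst, _ = _parse_spec(tok, i)
        entries.append((tok[2], src, dst))
    return entries

def _match(ip, spec):
    base, wildcard = spec  # IOS wildcard: 1 bits are "don't care" bits
    return ((_to_int(ip) ^ base) & ~wildcard & 0xFFFFFFFF) == 0

def evaluate(entries, src_ip, dst_ip):
    """First matching entry wins; no match means the implicit deny."""
    for action, src, dst in entries:
        if _match(src_ip, src) and _match(dst_ip, dst):
            return action
    return "deny"

def check_policy():
    """Flows routed out of SVI vlan 301 toward the partner hosts."""
    acl = parse_acl(ACL_121)
    return {
        "vlan10->192.168.42.100": evaluate(acl, "10.168.110.25", "192.168.42.100"),
        "vlan10->10.100.10.1": evaluate(acl, "10.168.110.25", "10.100.10.1"),
        "vlan20->192.168.42.100": evaluate(acl, "10.168.120.25", "192.168.42.100"),
        "vlan1->10.100.10.1": evaluate(acl, "10.168.100.25", "10.100.10.1"),
    }
```

Running check_policy() shows only the VLAN 10 sources permitted and VLAN 1 and VLAN 20 sources dropped by the implicit deny, which is the behaviour to confirm before trusting the ACL as the partner boundary.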
