Need Help with Policy based routing on 6500 switch with FWSM.

I have 2 incoming vlans.

interface Vlan2
 ip address 10.0.0.11 255.255.255.0
 ip flow ingress
 ip policy route-map split
 standby 2 ip 10.0.0.3
 standby 2 priority 110
 standby 2 preempt
!
interface Vlan3
 ip address 10.0.1.11 255.255.255.0
 ip flow ingress
 standby 3 ip 10.0.1.3
 standby 3 priority 110
 standby 3 preempt
!

The above two are internet-facing VLANs, and I have some internal VLANs behind the FWSM. There is a default route in the FWSM which directs all the traffic to VLAN 2, and from there, depending on the following route-maps, it goes out of either VLAN 2 or VLAN 3.

route-map split permit 10
 match ip address 120
 set ip next-hop 10.0.0.10
!
route-map split permit 20
 match ip address 130
 set ip next-hop 10.0.1.10
!
access-list 120 permit ip 172.16.0.0 0.0.0.255 any
access-list 120 permit ip any 172.16.0.0 0.0.0.255
access-list 130 permit ip 172.16.1.0 0.0.0.255 any
access-list 130 permit ip any 172.16.1.0 0.0.0.255

Now I have added another internet-facing VLAN to the switch, which is in a VRF.

interface Vlan4
 ip vrf forwarding data
 ip address 192.168.10.1 255.255.255.0
!

Now, to get some of the traffic to go out of this VRF VLAN, I made the following changes.

access-list 140 permit ip 172.16.2.0 0.0.0.255 any
access-list 140 permit ip any 172.16.2.0 0.0.0.255
route-map split permit 30
 match ip address 140
 set vrf data
!

Also, I added the "ip vrf receive data" command on Vlan2.

After making all the above changes, I am still unable to route the 172.16.2.0 network out of VLAN 4.

Can someone help me if I am doing something wrong? Any help is highly appreciated.

According to me, the mistake I am making is this: if I have to ping out of the VRF, I need to specify the source IP, and it should be in the subnet of the VRF VLAN, but in my case it will be different, as the PBR is applied to a different VLAN. This is my assumption. If I am correct, then can anyone help me out with how to correct it? Or if there is some other issue, can anyone let me know how to fix that?

Thanks

Jeff
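As an added example (not from the poster or from Cisco), here is a small Python model of the posted route-map "split" and ACLs 120/130/140 that reports which sequence a given source/destination pair hits, using IOS wildcard-mask matching and first-match route-map semantics. The sample flows at the bottom are constructed for illustration.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # IOS "any" = address 0.0.0.0, wildcard all-ones

# Constructed model of the poster's ACLs: list of (src, dst) pairs, each (network, wildcard).
ACLS = {
    120: [(("172.16.0.0", "0.0.0.255"), ANY), (ANY, ("172.16.0.0", "0.0.0.255"))],
    130: [(("172.16.1.0", "0.0.0.255"), ANY), (ANY, ("172.16.1.0", "0.0.0.255"))],
    140: [(("172.16.2.0", "0.0.0.255"), ANY), (ANY, ("172.16.2.0", "0.0.0.255"))],
}

# Route-map "split" in sequence order; the first permit sequence whose ACL matches wins.
ROUTE_MAP = [
    (10, 120, "set ip next-hop 10.0.0.10"),
    (20, 130, "set ip next-hop 10.0.1.10"),
    (30, 140, "set vrf data"),
]


def wildcard_match(addr, network, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)


def acl_permits(acl_number, src, dst):
    """True if any entry of the (all-permit) ACL matches the src/dst pair."""
    return any(wildcard_match(src, *s) and wildcard_match(dst, *d)
               for s, d in ACLS[acl_number])


def pbr_action(src, dst):
    """Return (sequence, action) of the first matching sequence, or None (normal routing)."""
    for seq, acl, action in ROUTE_MAP:
        if acl_permits(acl, src, dst):
            return seq, action
    return None


if __name__ == "__main__":
    # Constructed flows: one per PBR'd subnet, one unmatched, one between two PBR'd subnets.
    for src, dst in [("172.16.2.7", "198.51.100.1"), ("172.16.1.7", "198.51.100.1"),
                     ("10.5.5.5", "198.51.100.1"), ("172.16.0.5", "172.16.2.9")]:
        print(f"{src} -> {dst}: {pbr_action(src, dst)}")
```

Because the route-map is evaluated in sequence order, a flow between two of the PBR'd subnets (for example 172.16.0.x to 172.16.2.x) is steered by sequence 10, not sequence 30, even though ACL 140 would also permit it.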
