I have a Cisco Catalyst 4500 and I want to associate a route map for PBR to one of its interfaces.
1) I found out that I can only associate it to interface VLANs and not to regular Gigabit interfaces - is it impossible to associate a route map to a layer 2 (switchport) interface?
2) And if it is impossible to associate a route map to a layer 2 (switchport) interface, where should I associate the route map on the switch in order to inspect all outgoing traffic?
3) How do I add a general permit to a route map - is it enough to add the line "route-map test permit 40" without anything else, or should I add an access list that matches anything?
1) A route map is a layer 3 concept and as such it is not possible to associate a route map with a layer 2 switchport.
2) A route map for PBR is configured on the interface where traffic enters the switch. So which SVI does the traffic arrive on? If there is more than 1 SVI where the traffic arrives then you configure the route map on each of the SVIs.
3) I am not sure what you are trying to accomplish here. But the answer to the specific question that you ask is that "route-map test permit 40" with no match clause will permit everything.
I am a bit puzzled at the part of your question about inspecting all outgoing traffic. PBR works on incoming traffic and provides the ability to make routing decisions for it that are different from the normal routing table decisions. It does not inspect outgoing traffic. If you want to inspect outgoing traffic then you probably need something different from PBR.
Hi, Thanks a lot for the answer. I did mean incoming traffic, sorry about the confusion.
The switch I am talking about connects my LAN (one of several) and does layer 3 routing for the clients on the LAN (it has layer 3 interface VLANs for them), but it doesn't have a layer 3 physical interface (not one that I could find - is there a command to show layer 3 interfaces only?).
Anyway - if I attach the route map to all the interface vlans, will incoming traffic be inspected against the route map in this instance for traffic destined to those vlans?
If you want to use PBR for clients in a VLAN on an L3 switch then you would apply the route map to the L3 VLAN interface for that VLAN.
Once you apply it, all traffic coming from clients on that VLAN will be checked against the ACLs in your PBR config. Whether or not it is policy routed depends on whether the traffic matches an entry in the ACLs in your PBR config. If it does then the action specified in your PBR config will be applied. If it doesn't then the traffic will be routed using the routing table.
But i want traffic coming to the clients "from outside" to be examined against the PBR, not traffic from the clients - will associating the route map to the interface vlan accomplish that as well?
No it won't. PBR works on traffic arriving on an interface and not leaving an interface.
Perhaps if you could describe in a bit more detail what exactly you are trying to do. Where is the traffic coming from, how does this relate to the 4500, what are you trying to achieve?
I am trying to route using PBR traffic that's incoming to the LAN to a certain address or via a certain TCP port to a specific host in the LAN. But the switch which is under my control doesn't have a layer 3 physical interface towards the infrastructure that goes to the internet - so it receives the traffic from there via a layer 3 port, at least I think so. Is there a command that checks for layer 3 interfaces, and what solution can I use for that scenario?
You can do a "sh ip int br | exclude Vlan" to see all the physical ports. If any of these ports have an IP assigned to them then it is an L3 routed port.
But how does the switch connect to the rest of the infrastructure. It doesn't have to be a routed port, it could be a L3 vlan interface on your switch in which case you could apply PBR on that interface. But if the link to the rest of the infrastructure is in the same vlan as the client(s) you want to send PBR traffic to then you can't do it.
So how does your switch connect to the rest of the infrastructure? If you have a default route on your switch which points to a next hop device then you should be able to work out the 4500 end of that connection.
So if there is a connectivity VLAN to the infrastructure, I can apply the route map there in order to go over all the incoming traffic?
Yes if you have a L3 vlan interface for that vlan that connects to the other infrastructure you could apply the route map on that interface and you could then do PBR to the rest of the client vlans on the 4500 switch.
Just to add to Rick's post -
3) If you mean how do you account for traffic that you do not want to use for PBR, you do not need to have a permit all in your route-map, because with PBR any traffic that is not matched in the route-map ACL(s) will not be policy routed but will use the routing table to forward packets.
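To make the points in this thread concrete (Rick's first answer: a permit sequence with no match clause permits everything, and the route map goes on the interface where traffic enters; Jon's note just above: no catch-all sequence is needed; and Rick's later confirmation that traffic arriving from outside is policy routed by applying the route map on the connectivity SVI), here is a Catalyst 4500 / IOS configuration written as an added example. It is not from any post in the thread. All VLAN numbers, addresses, ACL names and route-map names are hypothetical, and the two cases are kept separate so it is visible which SVI each route map has to sit on.

```cisco
! Added example for this thread, not taken from any post in it.
! All VLAN numbers, addresses and names below are hypothetical.
!
! Assumed topology on the 4500:
!   Vlan100  10.10.100.1/24  "connectivity" SVI towards the rest of the site
!                            (upstream next hop 10.10.100.2, default route)
!   Vlan10   10.10.10.1/24   client segment; 10.10.10.50 is the specific host
!
ip route 0.0.0.0 0.0.0.0 10.10.100.2
!
! --- Case 1: traffic coming FROM the clients --------------------------------
! The route map is applied on the client SVI because that is where these
! packets enter the switch. The ACL therefore sees the client as source and
! the outside as destination.
ip access-list extended PBR-CLIENTS-OUT
 permit tcp 10.10.10.0 0.0.0.255 any eq 443
 permit ip 10.10.10.0 0.0.0.255 host 203.0.113.10
!
route-map PBR-CLIENTS permit 10
 match ip address PBR-CLIENTS-OUT
 set ip next-hop 10.10.100.3
!
! No "permit 40" catch-all is needed: a packet that matches no sequence is
! forwarded by the normal routing table. If one is added anyway, a permit
! sequence with no match clause matches every packet, and with no set clause
! it changes nothing, so the packet is still routed normally.
!
interface Vlan10
 description Client segment - packets FROM clients enter here
 ip address 10.10.10.1 255.255.255.0
 ip policy route-map PBR-CLIENTS
!
! --- Case 2: traffic coming FROM OUTSIDE towards the LAN --------------------
! This is the poster's requirement. The route map must sit on the SVI where
! the outside traffic enters (the connectivity VLAN), not on the client SVIs.
! Here the ACL's destination address/port is what selects the traffic.
! Note that PBR only changes the next hop; it does not rewrite the destination
! IP, so 10.10.10.50 must be willing to accept packets addressed to other
! LAN addresses on port 8443 (or to 198.51.100.20). Otherwise NAT is needed.
ip access-list extended PBR-INBOUND
 permit tcp any 10.10.10.0 0.0.0.255 eq 8443
 permit ip any host 198.51.100.20
!
route-map PBR-INBOUND permit 10
 match ip address PBR-INBOUND
 set ip next-hop 10.10.10.50
!
interface Vlan100
 description Connectivity VLAN - packets FROM outside enter here
 ip address 10.10.100.1 255.255.255.0
 ip policy route-map PBR-INBOUND
!
! Verification from exec mode:
!   show ip interface brief | exclude Vlan  ! a physical port with an IP is a routed port
!   show ip policy                          ! which route map is applied to which interface
!   show route-map PBR-INBOUND              ! sequences, match/set clauses, policy match counters
```

Two practical checks before relying on this: the next hop named in a set clause must be on a subnet the 4500 is directly connected to (10.10.10.50 is on Vlan10 and 10.10.100.3 on Vlan100 in the assumed topology), and the set options that the 4500 can switch in hardware depend on the supervisor and IOS release, so confirm in the configuration guide for your platform before using anything beyond "set ip next-hop". As Jon noted earlier in the thread, if the uplink and the target clients are in the same VLAN there is no separate ingress SVI to apply the route map to, and this approach does not work.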
There have been several posts in which the original poster has been associating PBR with physical ports. I want to be sure that we are clear that when Jon and I talk about PBR and route maps on the layer 3 interface that this is not restricted to physical interfaces. Any layer 3 interface, including SVI interface vlan x, can have the route map applied to do PBR.
I would also like a better understanding of what the original poster is wanting to accomplish. I am not completely sure that PBR is the right tool but need a better understanding of the environment and of the objectives to be sure about it.
As I have explained earlier, I am trying to route using PBR traffic that's incoming to the LAN to a certain address or via a certain TCP port to a specific host in the LAN. But the switch which is under my control doesn't have a layer 3 physical interface towards the infrastructure that goes to the internet - so it receives the traffic from there via a layer 2 port or, more likely, a connectivity VLAN that I found, at least I think so. So I want to associate the route map to that VLAN so all incoming traffic to the switch will be examined against it before being routed to the LAN.
Thanks for the additional information. Perhaps it is just confusion about terminology, but I am still not sure that we are understanding each other. So let me try for a bit of clarification.
I understand that you are telling us that you do not have a physical interface on the switch where this traffic is arriving. I think that I am understanding that the traffic is coming in on a VLAN. I am not clear whether there is an SVI (an interface vlan x) on the switch for that VLAN.
If there is not an interface vlan x on the switch then I do not understand what is doing the intervlan routing to get the traffic from the outside VLAN where it is arriving and get it to the VLAN where the destination hosts are connected. Can you provide some clarification of this?
I believe that Jon and I have been making some assumptions about the topology of your network and making suggestions based on what seems logical to us. If the topology is different from what we have assumed then our suggestions need to be changed. So please help us understand the topology of your network.
There is a connectivity interface VLAN on the switch to the IT that all traffic from the IT is being routed to using static routes, but when I checked the ARP table for that VLAN there were only 2 MAC addresses there (one of my switch and another of a switch that I don't have access to) - is that OK? Can I associate the route map there and be done with it?
If not, please read the following between brackets:
(There are also interface VLANs on that switch for all the client segments in the LAN - this switch functions as a default gateway for them after all, so it has to have them.
But the question is - if I associate the route map to those interface VLANs, will the traffic incoming to the switch be examined against it?
Also - I don't want traffic coming from the LAN to be examined against the route map.
So which traffic - incoming to the switch from the outside, or incoming from the LAN, or both - will be examined against the route map?)
* Question about route maps - when traffic is examined against a route map, which IP is checked at the match clause - the packet's destination or source address?