05-11-2021 01:06 AM
I have PBR working based on a source network to route through a secondary internet link. The issue I am having is that the source network is not able to access the other local VLANs. Because of the PBR, all traffic is being routed through to the ISP.
Is there somewhere on the route map to exempt traffic that needs to route between the local interfaces?
This is the PBR I implemented. Two other interfaces on the Cisco are configured in their own VLANs.
access-list 37_Range extended permit ip 172.16.37.0 255.255.255.0 any
route-map 37_Route permit 2
match ip address 37_Range
set ip next-hop 192.168.8.1
interface GigabitEthernet1/5
nameif DR_VLAN5
security-level 100
ip address 172.16.37.1 255.255.255.0
policy-route route-map 37_Route
nat (DR_VLAN5,Rain) 2 source dynamic any interface
Solved! Go to Solution.
05-11-2021 01:32 AM
Hi,
Yes, it is possible. You have to add deny statements in your ACL on top of the permit any statements.
access-list 37_Range extended deny ip 172.16.37.0 255.255.255.0 192.168.1.0 x.x.x.x
access-list 37_Range extended permit ip 172.16.37.0 255.255.255.0 any
Let me know if you need more details.
05-11-2021 02:00 AM
I ran this command and got the following message:
access-list 37_Range extended deny ip 172.16.37.0 255.255.255.0 172.16.33.0 255.255.255.0
WARNING: If access-list 37_Range having destination "any\any4\any6" is used as match criteria for a route map, and applied to any routing protocol it will not have any effect. Instead use standard ACL or extended ACL without any\any4\any6 in destination.
access-list 37_Range extended permit ip 172.16.37.0 255.255.255.0 any
Access to the 172.16.33.0 range is still not working.
05-11-2021 02:50 AM
Hi,
Share your configuration, and I can see that your ACL is wrong. The ACL uses a wildcard mask, but you are giving a subnet mask.
05-11-2021 03:14 AM
Maybe let me know how to set up the PBR with the below config.
NVTECH needs to route over Liquid_Fibre and DR_VLAN5 needs to route over Rain, and then there must still be access between NVTECH and DR_VLAN5.
I can get the internet access working, where DR_VLAN5 routes over the Rain interface for internet breakout and NVTECH over Liquid_Fibre, but NVTECH and DR_VLAN5 can't see each other.
interface GigabitEthernet1/1
nameif NVTECH
security-level 100
ip address 172.16.33.1 255.255.255.0
!
interface GigabitEthernet1/4
nameif Rain
security-level 0
ip address 192.168.8.10 255.255.255.0
!
interface GigabitEthernet1/5
nameif DR_VLAN5
security-level 100
ip address 172.16.37.1 255.255.255.0
policy-route route-map 37_Route
!
interface GigabitEthernet1/8
nameif Liquid_Fibre
security-level 0
ip address 1.1.1.1 255.255.255.248
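A complete version of what the 01:32 reply describes (deny the local subnets ahead of the permit any, so only the remaining traffic is policy-routed), applied to the four interfaces posted in the 03:14 message. This is an added example and not configuration from the thread. The interface names, addresses and the Rain next hop are taken from the posts; the Liquid_Fibre gateway address (1.1.1.2), the default route and the same-security-traffic line are assumptions that do not appear in the original posts.

```text
! Added example, not configuration from the thread. Names and addresses come
! from the OP's posted config; 1.1.1.2, the default route and the
! same-security-traffic line are assumptions.
!
! Two interfaces at security-level 100 cannot pass traffic to each other at
! all until this is set. It is independent of PBR and not shown in the thread.
same-security-traffic permit inter-interface
!
! Default route: anything without a more specific match, NVTECH included,
! leaves via Liquid_Fibre. The gateway address is assumed.
route Liquid_Fibre 0.0.0.0 0.0.0.0 1.1.1.2
!
! PBR match list for DR_VLAN5. Order matters: the first matching ACE decides,
! so the deny for the local subnet must sit above the permit any. Traffic that
! matches a deny is not policy-routed and follows the routing table, which
! holds 172.16.33.0/24 as a connected route on NVTECH.
! ASA ACLs take subnet masks here, not IOS-style wildcard masks.
access-list 37_Range extended deny ip 172.16.37.0 255.255.255.0 172.16.33.0 255.255.255.0
access-list 37_Range extended permit ip 172.16.37.0 255.255.255.0 any
!
route-map 37_Route permit 2
 match ip address 37_Range
 set ip next-hop 192.168.8.1
!
interface GigabitEthernet1/5
 nameif DR_VLAN5
 security-level 100
 ip address 172.16.37.1 255.255.255.0
 policy-route route-map 37_Route
!
! Return traffic from NVTECH to DR_VLAN5 needs no PBR: NVTECH uses the
! default route for the internet and the connected route for 172.16.37.0/24.
!
! NAT for the DR_VLAN5 breakout on Rain. The existing NVTECH-to-Liquid_Fibre
! NAT rule is not shown in the thread and is not reproduced here.
nat (DR_VLAN5,Rain) source dynamic any interface
```

The ASA prints the "any\any4\any6" warning from the 02:00 post for any ACL with a destination of any that is referenced by a route map; as the warning text itself says, it concerns route maps applied to a routing protocol, not a policy-route statement on an interface. To verify the exemption without generating real traffic, run packet-tracer input DR_VLAN5 tcp 172.16.37.10 12345 172.16.33.10 80 and confirm the trace shows the flow egressing NVTECH rather than Rain; show access-list 37_Range then shows the hit counts moving on the deny ACE, while an internet-bound trace should hit the permit ACE and egress Rain.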
05-11-2021 04:20 AM
I have managed to get it working. There were conflicting entries in the ACL. I cleaned out everything and set it up from scratch.