2178 Views, 0 Helpful, 5 Replies

Policy Based Routing with multiple interfaces

nelsonda (Level 1)

I have PBR working based on a source network to route through a secondary internet link. The issue I am having is that the source network is not able to access the other local VLANs. Because of the PBR, all traffic is being routed through to the ISP.

Is there somewhere on the route map to exempt traffic that needs to route between the local interfaces?

This is the PBR I implemented. Two other interfaces on the Cisco are configured in their own VLANs.

access-list 37_Range extended permit ip 172.16.37.0 255.255.255.0 any

route-map 37_Route permit 2
 match ip address 37_Range
 set ip next-hop 192.168.8.1

interface GigabitEthernet1/5
 nameif DR_VLAN5
 security-level 100
 ip address 172.16.37.1 255.255.255.0
 policy-route route-map 37_Route

nat (DR_VLAN5,Rain) 2 source dynamic any interface

 

 

2 Accepted Solutions

5 Replies

Deepak Kumar (VIP Alumni)

Hi,

Yes, it is possible. You have to add deny statements in your ACL on top of the permit any statements:

access-list 37_Range extended deny ip 172.16.37.0 255.255.255.0 192.168.1.0 x.x.x.x.
access-list 37_Range extended permit ip 172.16.37.0 255.255.255.0 any

Let me know if you need more details.

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment helps you!


I ran this command and got the following message:

access-list 37_Range extended deny ip 172.16.37.0 255.255.255.0 172.16.33.0 255.255.255.0

WARNING: If access-list 37_Range having destination "any\any4\any6" is used as match criteria for a route map, and applied to any routing protocol it will not have any effect. Instead use standard ACL or extended ACL without any\any4\any6 in destination.

access-list 37_Range extended permit ip 172.16.37.0 255.255.255.0 any

Access to the 172.16.33.0 range is still not working.

Deepak Kumar (VIP Alumni)

Hi,

Share your configuration and I can see that your ACL is wrong. An ACL uses a wildcard mask, but you are giving a subnet mask.

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment helps you!

Maybe let me know how to set up the PBR with the below config.

NVTECH needs to route over Liquid_Fibre and DR_VLAN5 needs to route over Rain, and there must still be access between NVTECH and DR_VLAN5.

I can get the internet access working, where DR_VLAN5 routes over the Rain interface for internet breakout and NVTECH over Liquid_Fibre, but NVTECH and DR_VLAN5 can't see each other.

interface GigabitEthernet1/1
 nameif NVTECH
 security-level 100
 ip address 172.16.33.1 255.255.255.0
!
interface GigabitEthernet1/4
 nameif Rain
 security-level 0
 ip address 192.168.8.10 255.255.255.0
!
interface GigabitEthernet1/5
 nameif DR_VLAN5
 security-level 100
 ip address 172.16.37.1 255.255.255.0
 policy-route route-map 37_Route
!
interface GigabitEthernet1/8
 nameif Liquid_Fibre
 security-level 0
 ip address 1.1.1.1 255.255.255.248
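The following ASA configuration ties together Deepak Kumar's deny-before-permit ordering and nelsonda's interface layout. It is an added illustration, not configuration taken from the thread. The ASA evaluates an access list top-down and stops at the first match, so the deny entry for the NVTECH subnet must sit above the permit; a packet from DR_VLAN5 to NVTECH then never enters the route-map and follows the connected route instead. The ACL lines keep subnet masks, which is what ASA extended ACL syntax expects. Three things are assumptions rather than facts from the thread: the route-map sequence number, the Liquid_Fibre provider gateway (shown as the placeholder LIQUID_GW, since no default route is posted), and the `same-security-traffic permit inter-interface` line, which the ASA requires before two interfaces at security-level 100 can exchange traffic at all.

```cisco
! Added example; not the configuration posted in the thread.
! Deny ACEs for subnets that must stay on the box come first: the ASA
! stops at the first matching entry, so DR_VLAN5 -> NVTECH traffic is
! excluded from policy routing and uses the connected route.
! Everything else sourced from 172.16.37.0/24 matches the permit and is
! handed to the Rain next hop.
access-list 37_Range extended deny ip 172.16.37.0 255.255.255.0 172.16.33.0 255.255.255.0
access-list 37_Range extended permit ip 172.16.37.0 255.255.255.0 any
!
route-map 37_Route permit 10
 match ip address 37_Range
 set ip next-hop 192.168.8.1
!
! Assumption: both inside interfaces are at security-level 100, so traffic
! between them is dropped until this is enabled.
same-security-traffic permit inter-interface
!
interface GigabitEthernet1/1
 nameif NVTECH
 security-level 100
 ip address 172.16.33.1 255.255.255.0
!
interface GigabitEthernet1/5
 nameif DR_VLAN5
 security-level 100
 ip address 172.16.37.1 255.255.255.0
 policy-route route-map 37_Route
!
! NVTECH needs no route-map: it follows the default route out Liquid_Fibre.
! LIQUID_GW is a placeholder for the provider gateway, which the thread does not show.
route Liquid_Fibre 0.0.0.0 0.0.0.0 LIQUID_GW 1
!
! Internet-bound traffic from each VLAN is translated on its own egress
! interface. Neither rule matches the DR_VLAN5 <-> NVTECH interface pair,
! so inter-VLAN traffic is not translated and needs no NAT exemption.
nat (DR_VLAN5,Rain) source dynamic any interface
nat (NVTECH,Liquid_Fibre) source dynamic any interface
```

To confirm the ordering is doing what is intended, `show route-map 37_Route` lists the match and set clauses, and `packet-tracer input DR_VLAN5 tcp 172.16.37.10 1025 172.16.33.10 445` walks a simulated inter-VLAN flow through the box and shows which egress interface and route it took; run it a second time against an internet address to see the same flow being policy-routed to 192.168.8.1 instead.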

I have managed to get it working. There were conflicting entries in the ACL. I cleaned out everything and set it up from scratch.