cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
604
Views
5
Helpful
7
Replies

Separation of multiple source IP subnets entering single interface

net.enthusiast
Level 1
Level 1

We have a unique situation that has traffic from four (4) subnets (not trunked) entering a switch port. The switch is a layer 3 switch. This traffic needs to be separated based on its source IP subnet and redirected to the appropriate external gateway. For example:

10.0.0.0/24, 10.1.0.0/24, 10.2.0.0/24, 10.3.0.0/24 --> GbE 0/0

10.0.0.0/24 --> 192.168.0.1/24 (directly connected to GbE 0/1)

10.1.0.0/24 --> 192.168.1.1/24 (directly connected to GbE 0/2)

10.2.0.0/24 --> 192.168.2.1/24 (directly connected to GbE 0/3)

10.3.0.0/24 --> 192.168.3.1/24 (directly connected to GbE 0/4)

At first we thought policy based routing would be able to accomplish this but then discovered during lab configuration that only one route-map may be assigned to the source (GbE 0/0) interface.

Can PBR be configured in such a way that the switch evaluates the traffic by 'falling through' multiple 'match' statements in the same route-map policy, and forwards the traffic to the appropriate next-hop IP when if it finds a match? For instance:

L3switch(config)#ip access-list extended 100
L3switch(config-ext-nacl)#permit ip 10.0.0.0 0.0.0.255 any
L3switch(config)#ip access-list extended 101
L3switch(config-ext-nacl)#permit ip 10.1.0.0 0.0.0.255 any
L3switch(config)#ip access-list extended 102
L3switch(config-ext-nacl)#permit ip 10.2.0.0 0.0.0.255 any
L3switch(config)#ip access-list extended 103
L3switch(config-ext-nacl)#permit ip 10.3.0.0 0.0.0.255 any

L3switch(config)#route-map multiSourceSubnet
L3switch(config-route-map)#match ip address 100
L3switch(config-route-map)#set ip next-hop 192.168.0.1
L3switch(config-route-map)#match ip address 101
L3switch(config-route-map)#set ip next-hop 192.168.1.1
L3switch(config-route-map)#match ip address 102
L3switch(config-route-map)#set ip next-hop 192.168.2.1
L3switch(config-route-map)#match ip address 103
L3switch(config-route-map)#set ip next-hop 192.168.3.1
L3switch(config)#interface g0/0
L3switch(config-if)#ip policy route-map multiSourceSubnet

If PBR can't be used for this, is there another solution? Unfortunately, the source traffic cannot be separated (e.g. using VLANs) prior to entering the GbE 0/0 port, it is simply being dumped to the port at layer 2.

7 Replies 7

Hello,

 

To answer your question, yes Route-maps work similar to ACLs in the fact that they process top down. Keep in mind also the default deny at the end. Make sure you're permitting what you need to.

If you are able to lab the complete topology before implementing, I would take that approach.

-David

Ok thanks for your input. I believe we already tried this but we'll go back and take another shot and update this thread with the result.

MichaelMcCoy
Level 1
Level 1

Hello all,

I apologize that I do not have much to offer you in the way of a solution, as I'm still trying to grow myself, through reading these forums.  So I was a bit confused when you said you had for subnets coming into the switch that were not trunked, yet they all look like they are going to the same G0/0 interface.  How is this possible?  or did I misunderstand something.  

I know, it is unusual. The software running on the network host directly connected to G0/0 is responsible. However, from an OSI model standpoint, there is nothing preventing multiple IP subnets from residing on the same L2 network. Messy to be sure, but doable.

""Can PBR be configured in such a way that the switch evaluates the traffic by 'falling through' multiple 'match' statements in the same route-map policy""??
Yes you can use multi match in single PBR

7805_38_22.jpg

Hello,

can you post the full running configuration of that layer 3 switch ? Where are the default gateways for these subnets configured ?

Joseph W. Doherty
Hall of Fame
Hall of Fame

Seems other posters have indicated a possible PBR approach, but just wondering did you consider G0/0..G0/4 all in the same VLAN and use its SVI (with secondaries IPs) with PBR.

Review Cisco Networking for a $25 gift card