10-21-2022 06:11 AM - edited 10-21-2022 07:28 AM
We have a unique situation that has traffic from four (4) subnets (not trunked) entering a switch port. The switch is a layer 3 switch. This traffic needs to be separated based on its source IP subnet and redirected to the appropriate external gateway. For example:
10.0.0.0/24, 10.1.0.0/24, 10.2.0.0/24, 10.3.0.0/24 --> GbE 0/0
10.0.0.0/24 --> 192.168.0.1/24 (directly connected to GbE 0/1)
10.1.0.0/24 --> 192.168.1.1/24 (directly connected to GbE 0/2)
10.2.0.0/24 --> 192.168.2.1/24 (directly connected to GbE 0/3)
10.3.0.0/24 --> 192.168.3.1/24 (directly connected to GbE 0/4)
At first we thought policy based routing would be able to accomplish this but then discovered during lab configuration that only one route-map may be assigned to the source (GbE 0/0) interface.
Can PBR be configured in such a way that the switch evaluates the traffic by 'falling through' multiple 'match' statements in the same route-map policy, and forwards the traffic to the appropriate next-hop IP when it finds a match? For instance:
L3switch(config)#ip access-list extended 100
L3switch(config-ext-nacl)#permit ip 10.0.0.0 0.0.0.255 any
L3switch(config)#ip access-list extended 101
L3switch(config-ext-nacl)#permit ip 10.1.0.0 0.0.0.255 any
L3switch(config)#ip access-list extended 102
L3switch(config-ext-nacl)#permit ip 10.2.0.0 0.0.0.255 any
L3switch(config)#ip access-list extended 103
L3switch(config-ext-nacl)#permit ip 10.3.0.0 0.0.0.255 any
L3switch(config)#route-map multiSourceSubnet
L3switch(config-route-map)#match ip address 100
L3switch(config-route-map)#set ip next-hop 192.168.0.1
L3switch(config-route-map)#match ip address 101
L3switch(config-route-map)#set ip next-hop 192.168.1.1
L3switch(config-route-map)#match ip address 102
L3switch(config-route-map)#set ip next-hop 192.168.2.1
L3switch(config-route-map)#match ip address 103
L3switch(config-route-map)#set ip next-hop 192.168.3.1
L3switch(config)#interface g0/0
L3switch(config-if)#ip policy route-map multiSourceSubnet
If PBR can't be used for this, is there another solution? Unfortunately, the source traffic cannot be separated (e.g. using VLANs) prior to entering the GbE 0/0 port; it is simply being dumped to the port at layer 2.
10-21-2022 06:19 AM
Hello,
To answer your question, yes Route-maps work similar to ACLs in the fact that they process top down. Keep in mind also the default deny at the end. Make sure you're permitting what you need to.
If you are able to lab the complete topology before implementing, I would take that approach.
-David
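As an added example (not configuration posted by anyone in this thread), here is the policy from the question written with one route-map sequence per subnet, which is how the top-down evaluation described above is expressed in IOS; the ACL numbers, interface names and next hops are taken from the question, and it is assumed the switch platform supports PBR with "set ip next-hop".

```cisco
! Added example: one permit clause per source subnet. The first clause
! whose ACL matches the packet wins; later clauses are not evaluated.
ip access-list extended 100
 permit ip 10.0.0.0 0.0.0.255 any
ip access-list extended 101
 permit ip 10.1.0.0 0.0.0.255 any
ip access-list extended 102
 permit ip 10.2.0.0 0.0.0.255 any
ip access-list extended 103
 permit ip 10.3.0.0 0.0.0.255 any
!
route-map multiSourceSubnet permit 10
 match ip address 100
 set ip next-hop 192.168.0.1
route-map multiSourceSubnet permit 20
 match ip address 101
 set ip next-hop 192.168.1.1
route-map multiSourceSubnet permit 30
 match ip address 102
 set ip next-hop 192.168.2.1
route-map multiSourceSubnet permit 40
 match ip address 103
 set ip next-hop 192.168.3.1
! A packet that matches none of the four clauses is not dropped by the
! route-map; it falls through to normal destination-based routing.
!
interface GigabitEthernet0/0
 ip policy route-map multiSourceSubnet
!
! Verification after applying the policy:
!   show ip policy                   (confirms the route-map is bound to Gi0/0)
!   show route-map multiSourceSubnet (per-clause match counters)
```

Because each clause matches on source address only, a host on the G0/0 segment that sends with another subnet's source address will be forwarded along that subnet's path; this is a forwarding policy, not an access control, so any filtering between the subnets still has to be done separately.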
10-21-2022 07:09 AM
Ok thanks for your input. I believe we already tried this but we'll go back and take another shot and update this thread with the result.
10-21-2022 06:26 AM
Hello all,
I apologize that I do not have much to offer you in the way of a solution, as I'm still trying to grow myself, through reading these forums. So I was a bit confused when you said you had four subnets coming into the switch that were not trunked, yet they all look like they are going to the same G0/0 interface. How is this possible? Or did I misunderstand something?
10-21-2022 07:08 AM
I know, it is unusual. The software running on the network host directly connected to G0/0 is responsible. However, from an OSI model standpoint, there is nothing preventing multiple IP subnets from residing on the same L2 network. Messy to be sure, but doable.
10-21-2022 07:56 AM
"Can PBR be configured in such a way that the switch evaluates the traffic by 'falling through' multiple 'match' statements in the same route-map policy"??
Yes, you can use multiple matches in a single PBR.
10-21-2022 07:58 AM
Hello,
Can you post the full running configuration of that layer 3 switch? Where are the default gateways for these subnets configured?
10-21-2022 08:38 AM
Seems other posters have indicated a possible PBR approach, but just wondering, did you consider G0/0..G0/4 all in the same VLAN and using its SVI (with secondary IPs) with PBR?