Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
426
Views
15
Helpful
6
Replies

a Q about PBR behavior

baselzind
Level 6
Level 6

‎01-04-2023 02:37 AM - edited ‎01-04-2023 02:56 AM

let us say we have vlan 1 which is  192.168.1.0/24 and we apply under interface vlan 1 a PBR with a route map that have the below access list and routes to a difference ip

deny ip  192.168.1.0 0.0.0.255 any

permit ip any any

which means any incoming  traffic originating from vlan1 will not be affected by the PBR. But what about the traffic coming from other networks and subnets into interface vlan1? like internet traffic coming back with source public ip? how it isn't affected by the PBR and able to reach users in vlan1

 

 

 

Labels:
0 Helpful
6 Replies 6

MHM Cisco World
VIP
VIP

‎01-04-2023 02:42 AM

PBR check the inbound not outbound traffic. 
this PBR I think is wrong, because the specify the subnet of this VLAN SVI as destination not as source. 

baselzind
Level 6
Level 6

‎01-04-2023 02:57 AM

I think you are correct i corrected it. but also when traffic comes back to vlan1 users it is inbound to vlan1?

0 Helpful

MHM Cisco World
VIP
VIP
In response to baselzind

‎01-04-2023 03:01 AM

hghgfhfghhgfgh.png
review this image 

baselzind
Level 6
Level 6
In response to MHM Cisco World

‎01-04-2023 03:08 AM

so outbound traffic means the traffic coming back to answer the inbound traffic?

MHM Cisco World
VIP
VIP
In response to baselzind

‎01-04-2023 03:12 AM

Yes correct 

0 Helpful

paul driver
VIP
VIP

‎01-04-2023 08:54 AM - edited ‎01-04-2023 08:55 AM

Hello 

ip access-list extended ACL
deny ip  192.168.1.0 0.0.0.255 any
permit ip any any

Int vlan 1
ip access-group ACL IN/OUT

SVI ACL logic
IN =  traffic originating from withIN the vlan 
OUT = egress traffic towards the vlan, originating OUTside


However if the above ACL is not applied directly under the SVI and is ONLY being called upon within a Policy Base Routing route-map stanza that has a permit stanza then all traffic from subnet 192.168.1.0/24 will NOT be policy routed (so normal routing) but it should policy route any other traffic (if there is any)

route-map PBR permit 10
match ip address ACL
set ip/interface/default....etc


Int vlan 1
ip policy route-map PBR


So the above logic = ACL deny RM permit = deny task

other logic
ACL permit RM permit = permit task
ACL deny RM deny = deny task


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card