Solved: Curious about correct setup of ACL / PBR or Static Routing - Page 2

TheGoob · ‎11-06-2025

Hello

I have a working system coming from another Thread which was solved but now I am curious if how I got it all to work was correct or a forceful band-aid.

https://community.cisco.com/t5/routing/can-not-get-internet-access-or-nat-translations-on-my-isrc1111/td-p/5342191

Now, some of that has changed as I was figuring out other things, but the result is to be the same; 7 vlans, 6 going towards ISP1 and 1 going towards ISP2 but all can communicate together through the SG350XG Switch in which they connect to without having to touch each Router then route back to the Switch [inter-vlan]. Not as simple as it seems as there are two initial routes for them to connect to their own ISP's.

What I have done is, vlan 2- 7 use the static route 0.0.0.0 0.0.0.0 10.0.1.1 to reach ISP1 and vlan 8 I can not utilize it's own static route to confuse the default static route so I created a PBR to reach ISP2. Works fine!! Until I realized they would all communicate but have to route to their respective routers then route back to communicate. This is important to me because my Network is 10G, 10G Nics, 10G Switch etc and so if/when I transfer from vlan 8 to let's say 5, it would slow down to 1G to route through the ISR. So I created the ACL to block vlan 2-7 but allow 8; which works. With default next-hop and PBR and ACL, is my setup legit?

switchbf585b
!
vlan database
vlan 2-8 
exit
ip dhcp server 
ip dhcp pool network 4.0
address low 192.168.4.2 high 192.168.4.100 255.255.255.0 
exit
ip dhcp pool network 5.0
address low 192.168.5.2 high 192.168.5.254 255.255.255.0 
dns-server 1.1.1.1
exit
ip dhcp pool network 6.0
address low 192.168.6.2 high 192.168.6.254 255.255.255.0 
exit
ip dhcp pool network fhc
address low 192.168.2.2 high 192.168.2.154 255.255.255.0 
exit
ip dhcp pool network ceyea
address low 192.168.3.6 high 192.168.3.254 255.255.255.0 
exit
ip dhcp pool network fbeye
address low 192.168.1.2 high 192.168.1.254 255.255.255.0 
exit
ip dhcp pool network starlink
address low 192.168.7.1 high 192.168.7.254 255.255.255.0 
dns-server 8.8.8.8
exit
bonjour interface range oob
ip access-list extended SL
deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255 ace-priority 5
permit ip 192.168.7.0 0.0.0.255 any ace-priority 10
exit
route-map sl 1 
 match ip address access-list SL 
 set ip next-hop 10.0.2.1 
exit
ip name-server  8.8.8.8 1.1.1.1 192.168.3.5
!
interface vlan 2
 name fbeye 
 ip address 192.168.1.1 255.255.255.0 
!
interface vlan 3
 name fhc 
 ip address 192.168.2.1 255.255.255.0 
!
interface vlan 4
 name ceyea 
 ip address 192.168.3.1 255.255.255.0 
!
interface vlan 5
 name 4.0 
 ip address 192.168.4.1 255.255.255.0 
!
interface vlan 6
 name 6.0 
 ip address 192.168.6.1 255.255.255.0 
!
interface vlan 7
 name home 
 ip address 192.168.5.1 255.255.255.0 
!
interface vlan 8
 name starlink 
 ip address 192.168.7.1 255.255.255.0 
 ip policy route-map sl 
!
interface TenGigabitEthernet1/0/1
 ip address 10.0.2.2 255.255.255.0 
 no switchport 
 switchport access vlan none 
 switchport trunk native vlan none 
!
interface TenGigabitEthernet1/0/2
 switchport access vlan 2 
 switchport trunk native vlan 2 
!
interface TenGigabitEthernet1/0/3
 switchport access vlan 3 
 switchport trunk native vlan 3 
!
interface TenGigabitEthernet1/0/4
 switchport access vlan 4 
 switchport trunk native vlan 4 
!
interface TenGigabitEthernet1/0/5
 switchport access vlan 5 
 switchport trunk native vlan 5 
!
interface TenGigabitEthernet1/0/6
 switchport access vlan 6 
 switchport trunk native vlan 6 
!
interface TenGigabitEthernet1/0/7
 switchport access vlan 7 
 switchport trunk native vlan 7 
!
interface TenGigabitEthernet1/0/8
 switchport access vlan 8 
 switchport trunk native vlan 8 
!
interface TenGigabitEthernet1/0/9
 ip address 10.0.0.2 255.255.255.0 
 no switchport 
 switchport access vlan none 
 switchport trunk native vlan none 
!
interface TenGigabitEthernet1/0/10
 switchport access vlan 8 
 switchport trunk native vlan 8 
 no macro auto smartport 
!
interface oob
 ip address 192.168.10.254 255.255.255.0 
 no ip address dhcp 
!
exit
ip default-gateway 10.0.0.1

Joseph W. Doherty · ‎11-23-2025

The way I've read your device configs, PBR should send any traffic not matching 192.168.0.0/16 to 10.0.2.1, and that router should send any traffic without a destination of 192.168.7.0/24 outbound to your ISP.

BTW, just tried to setup this up in PT, and PT doesn't support route-maps.

I have a copy of CML, but my PC doesn't have sufficient hardware resources to spin up a switch. I can, though, spin up routers,m and believe I could, somewhat, recreate your PBR configuration using them. That should, I think, confirm whether your PBR works as expected.

On the other hand, if have access to hosts on VLAN 8 and another VLAN, you should be able to validate, using traceroute, where their packets are going.

BTW, if you're trying to validate PBR, using/from the L3 switch, by default, PBR doesn't apply to packets sourced on that device.

TheGoob · ‎11-23-2025

Right now from 192.168.7.55 traceroute towards 192.168.1.180 I get ;

192.168.7.1

10.0.2.1

10.0.2.2

192.168.1.180

I assume actual data xfer would take the same path, thus dropping from 10G on Switch to 1G on ISR then back to Switch.

Joseph W. Doherty · ‎11-23-2025

Hmm, not what I expected.

I see if I can create a similar PBR using CML, tomorrow, if I have the time.

TheGoob · ‎11-24-2025

Morning

Yeah I am a little baffled myself. In playing around I removed the PBR directing x.7.0/24 to 10.0.2.1 but then it simply routes nowhere because naturally it will try try the ip route 10.0.1.1 which has no place for it.