Difficult PBR question (at least for me)

gacgac
Level 1

I have a 6509 with hundreds of VLANs on it, but in this case I am only concerned about 4.

My default vlan is

VLAN 1

10.168.100.0 /23 with the 6509 interface ip address of 10.168.100.1

VLAN 10

10.168.110.0 /24 with the 6509 interface ip address of 10.168.110.1

VLAN 20

10.168.120.0 /24 with the 6509 interface ip address of 10.168.120.1

The default gateway for all the above VLANs (my firewall) is at ip address 10.168.120.254.

VLAN 301 - partner connection vlan

10.190.10.0 /24 with the 6509 interface ip address of 10.190.10.1

This is a connection to a partner and has a router on it at 10.190.10.254

The default gateway for this vlan is the partner router at 10.190.10.254

There are 2 IP addresses at the customer site 192.168.42.100 and 10.100.10.1 but I only want systems on vlan 20 to be able to access them.

How do I define the ACL and the policy for those 2 explicit routes for only vlan 10?

Thanks,

Graham

Accepted Solution

Giuseppe Larosa
Hall of Fame

Hello Graham,

from your description I would say that you don't need PBR, but just an IP ACL to be applied on SVI vlan 301 to allow only traffic from permitted subnet to the partner IP routes.

In the following example I assume that IP subnet of SVI vlan10 is the one to be allowed to reach partner destinations.

interface Vlan301
 ! outbound ACL: checked on transit traffic leaving the 6509 toward the partner VLAN
 ip access-group 121 out
!
access-list 121 remark allowed traffic to partner X
access-list 121 permit ip 10.168.110.0 0.0.0.255 host 192.168.42.100
access-list 121 permit ip 10.168.110.0 0.0.0.255 host 10.100.10.1
! anything not matched above is dropped by the implicit "deny ip any any"

assuming routing to the partner is performed with static routes as follows:

! host routes for the two partner destinations via the partner router on VLAN 301
ip route 192.168.42.100 255.255.255.255 10.190.10.254
ip route 10.100.10.1 255.255.255.255 10.190.10.254

Hope to help

Giuseppe
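The following is an added example, not part of Giuseppe's answer or any Cisco code. It models how the accepted solution behaves on the 6509: longest-prefix routing picks the egress SVI, and only SVI Vlan301 carries an outbound ACL, evaluated first-match with IOS wildcard masks and the implicit deny at the end. The topology (SVIs, the two /32 static routes, the default route toward the firewall in VLAN 20) is taken from the thread; the sample packets and the source host addresses are constructed. Two practical points the model makes visible: traffic to partner addresses that have no static /32 never reaches Vlan301 at all (it follows the default route to the firewall), and the ACL is stateless and outbound-only, so packets the partner initiates toward the 6509 on VLAN 301 are not filtered by it (that would need an "in" ACL or the firewall). The ACL follows the answer's VLAN 10 assumption; if VLAN 20 is the intended source, the source spec becomes 10.168.120.0 0.0.0.255.

```python
"""Model of the accepted solution: two /32 static routes toward the partner
router plus an outbound extended ACL on SVI Vlan301. Constructed example,
not IOS code; addresses are the ones given in the thread."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One access-list entry; src/dst use IOS 'address wildcard' or 'host a.b.c.d' specs."""
    action: str   # "permit" or "deny"
    src: str
    dst: str


def _spec_to_pair(spec: str):
    """Translate an IOS address spec into (address, wildcard) integers."""
    parts = spec.split()
    if parts[0] == "any":
        return 0, 0xFFFFFFFF
    if parts[0] == "host":
        return int(ipaddress.IPv4Address(parts[1])), 0
    return int(ipaddress.IPv4Address(parts[0])), int(ipaddress.IPv4Address(parts[1]))


def _matches(spec: str, addr: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    base, wild = _spec_to_pair(spec)
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)


def evaluate_acl(acl, src: str, dst: str) -> str:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for ace in acl:
        if _matches(ace.src, src) and _matches(ace.dst, dst):
            return ace.action
    return "deny"


# access-list 121 from the accepted answer (VLAN 10 subnet -> two partner hosts)
ACL_121 = [
    Ace("permit", "10.168.110.0 0.0.0.255", "host 192.168.42.100"),
    Ace("permit", "10.168.110.0 0.0.0.255", "host 10.100.10.1"),
]

# Routing table of the 6509 as described in the thread: connected SVIs, the two
# partner /32 statics, and the default route toward the firewall in VLAN 20.
ROUTES = [
    ("10.168.100.0/23", "Vlan1"),
    ("10.168.110.0/24", "Vlan10"),
    ("10.168.120.0/24", "Vlan20"),
    ("10.190.10.0/24", "Vlan301"),
    ("192.168.42.100/32", "Vlan301"),   # ip route ... 10.190.10.254
    ("10.100.10.1/32", "Vlan301"),      # ip route ... 10.190.10.254
    ("0.0.0.0/0", "Vlan20"),            # default gateway 10.168.120.254
]

# Only SVI Vlan301 carries an outbound ACL in the accepted solution.
OUTBOUND_ACLS = {"Vlan301": ACL_121}


def egress_interface(dst: str) -> str:
    """Longest-prefix match over ROUTES."""
    target = ipaddress.IPv4Address(dst)
    best_net, best_iface = None, None
    for prefix, iface in ROUTES:
        net = ipaddress.IPv4Network(prefix)
        if target in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def forward(src: str, dst: str):
    """Route the packet, then apply the egress SVI's outbound ACL, if any.
    Returns (egress interface, verdict)."""
    iface = egress_interface(dst)
    acl = OUTBOUND_ACLS.get(iface)
    verdict = evaluate_acl(acl, src, dst) if acl else "permit"
    return iface, verdict


if __name__ == "__main__":
    # constructed sample packets (source hosts are made up)
    for src, dst in [
        ("10.168.110.5", "192.168.42.100"),  # VLAN 10 -> partner host: permit
        ("10.168.120.5", "192.168.42.100"),  # VLAN 20 -> partner host: denied by ACL 121
        ("10.168.110.5", "10.100.10.2"),     # no /32 static: routed to the firewall, never hits Vlan301
        ("10.168.110.5", "10.190.10.254"),   # VLAN 10 -> partner router itself: not in ACL, denied
    ]:
        print(f"{src:>14} -> {dst:<15} {forward(src, dst)}")
```

Running the block prints one line per sample packet with the egress SVI and the ACL verdict; `forward()` is the function to call when checking a different source subnet or a new partner destination.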
