07-20-2012 08:12 AM - edited 03-04-2019 05:01 PM
I have a 6509 with hundreds of VLANs on it, but in this case I am only concerned about 4.
My default vlan is
VLAN 1
10.168.100.0 /23 with the 6509 interface ip address of 10.168.100.1
VLAN 10
10.168.110.0 /24 with the 6509 interface ip address of 10.168.110.1
VLAN 20
10.168.120.0 /24 with the 6509 interface ip address of 10.168.120.1
The default gateway for all the above VLANs (my firewall) is at ip address 10.168.120.254.
VLAN 301 - partner connection vlan
10.190.10.0 /24 with the 6509 interface ip address of 10.190.10.1
This is a connection to a partner and has a router on it at 10.190.10.254
The default gateway for this vlan is the partner router at 10.190.10.254
There are 2 IP addresses at the customer site 192.168.42.100 and 10.100.10.1 but I only want systems on vlan 20 to be able to access them.
How do I define the ACL and the policy for those 2 explicit routes for only vlan 10?
Thanks,
Graham
Solved! Go to Solution.
07-20-2012 08:35 AM
Hello Graham,
From your description I would say that you don't need PBR, but just an IP ACL applied on SVI vlan 301 to allow only traffic from the permitted subnet to the partner IP routes.
In the following example I assume that the IP subnet of SVI vlan 10 is the one to be allowed to reach the partner destinations.
int vlan 301
ip access-group 121 out
access-list 121 remark allowed traffic to partner X
access-list 121 permit ip 10.168.110.0 0.0.0.255 host 192.168.42.100
access-list 121 permit ip 10.168.110.0 0.0.0.255 host 10.100.10.1
This assumes routing to the partner is performed with static routes as follows:
ip route 192.168.42.100 255.255.255.255 10.190.10.254
ip route 10.100.10.1 255.255.255.255 10.190.10.254
Hope to help
Giuseppe
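To check what the suggested ACL actually does before applying it, here is an added Python model of IOS numbered-ACL evaluation (this is example code written for this page, not from the thread or from Cisco). It mirrors access-list 121 as posted (source 10.168.110.0 with wildcard 0.0.0.255, the two partner hosts), applies IOS wildcard-mask semantics and the implicit deny at the end of every ACL, and then goes one step beyond the answer: a small builder that derives the wildcard from a CIDR prefix (so the /23 on VLAN 1 would become 0.0.1.255 rather than 0.0.0.255) and renders the equivalent access-list lines. The hosts on VLAN 10, VLAN 20 and VLAN 1 used as sample packets are constructed for the demonstration.

```python
import ipaddress

# Constructed model of the answer's access-list 121, one tuple per entry:
# (action, source network, source wildcard mask, destination host)
ACL_121 = [
    ("permit", "10.168.110.0", "0.0.0.255", "192.168.42.100"),
    ("permit", "10.168.110.0", "0.0.0.255", "10.100.10.1"),
]


def ip_int(addr):
    """Dotted-quad IPv4 string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care',
    so only the bits where the wildcard is 0 must equal the base address."""
    care = ~ip_int(wildcard) & 0xFFFFFFFF
    return (ip_int(addr) & care) == (ip_int(base) & care)


def evaluate_acl(acl, src, dst):
    """Return 'permit' or 'deny' for a src -> dst packet.
    First matching entry wins; a packet that matches nothing hits the
    implicit 'deny any any' that terminates every IOS ACL."""
    for action, base, wildcard, dst_host in acl:
        if wildcard_match(src, base, wildcard) and dst == dst_host:
            return action
    return "deny"


def wildcard_for_prefix(prefixlen):
    """Prefix length -> IOS wildcard mask, e.g. 24 -> 0.0.0.255, 23 -> 0.0.1.255."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF >> prefixlen))


def build_acl(number, src_cidr, dst_hosts):
    """Build ACL entries for one source subnet and a list of destination hosts.
    Returns (entries usable by evaluate_acl, rendered access-list lines)."""
    net = ipaddress.ip_network(src_cidr, strict=True)
    base = str(net.network_address)
    wc = wildcard_for_prefix(net.prefixlen)
    entries = [("permit", base, wc, host) for host in dst_hosts]
    lines = [f"access-list {number} permit ip {base} {wc} host {host}"
             for _, base, wc, host in entries]
    return entries, lines


if __name__ == "__main__":
    # Constructed sample flows: a VLAN 10 host, a VLAN 20 host, a VLAN 1 host.
    for src, dst in [("10.168.110.55", "192.168.42.100"),
                     ("10.168.120.7", "192.168.42.100"),
                     ("10.168.101.3", "10.100.10.1"),
                     ("10.168.110.55", "10.190.10.254")]:
        print(f"{src:>15} -> {dst:<15} {evaluate_acl(ACL_121, src, dst)}")
    # Same policy rebuilt from CIDR notation instead of hand-typed wildcards.
    for line in build_acl(121, "10.168.110.0/24",
                          ["192.168.42.100", "10.100.10.1"])[1]:
        print(line)
```

Two things the model makes visible: traffic from VLAN 20 or VLAN 1 toward the partner hosts falls through to the implicit deny, and so does VLAN 10 traffic to any partner address other than the two listed, so any additional partner destinations need their own permit entries. The model only covers what an outbound ACL on the SVI sees, that is, packets leaving the switch toward the partner router; traffic arriving from the partner is not evaluated by this ACL and would need a separate inbound one if it is to be restricted.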