10-26-2021 04:17 PM
I have PBR on a 3750X. It is applied just to interface Vlan2 and seemed to work as required, but when we applied it, not all devices on Vlan2 could talk to each other, so we added a deny Vlan2 to Vlan2 to the ACL. Then everything was OK.
BTW, the switch running PBR also had HSRP configured.
So my question is: why was it required? Surely traffic within Vlan2 would not be hitting the outbound interface of Vlan2; it is all Layer 2 within the VLAN.
Can somebody explain?
10-26-2021 11:02 PM
Is HSRP the default gateway for devices on vlan 2?
Please attach a topology scheme.
Also please share the following configuration for both 3750-Xs:
- interface vlan 2
- All relevant access-list
- All relevant route maps
10-26-2021 11:39 PM
Here is the relevant information.
Primary sw
interface Vlan2
ip address 10.170.2.11 255.255.254.0
ip helper-address 10.170.2.104
ip helper-address 10.170.2.108
ip helper-address 10.170.2.105
standby 2 ip 10.170.2.3
standby 2 priority 120
standby 2 preempt
ip policy route-map vlan2-to-otw-fw
Secondary sw
interface Vlan2
ip address 10.170.2.5 255.255.254.0
ip helper-address 10.170.2.104
ip helper-address 10.170.2.108
ip helper-address 10.170.2.105
standby 2 ip 10.170.2.3
standby 2 priority 110
standby 2 preempt
end
Route map only applied to primary at present
ip access-list extended vlan2-to-otw-fw
deny ip host 10.170.3.34 any
deny ip 10.170.2.0 0.0.1.255 192.168.31.0 0.0.0.255
deny ip 10.170.1.0 0.0.0.255 10.170.2.0 0.0.1.255
deny ip 10.170.2.0 0.0.1.255 10.170.1.0 0.0.0.255
deny ip 10.170.2.0 0.0.1.255 172.16.108.0 0.0.0.255
deny ip 10.170.2.0 0.0.1.255 10.170.4.0 0.0.1.255
deny ip 10.170.2.0 0.0.1.255 10.170.6.0 0.0.1.255
deny ip 10.170.2.0 0.0.1.255 10.170.2.0 0.0.1.255 < this line added to stop the problem
deny ip 10.170.2.0 0.0.1.255 10.170.96.0 0.0.15.255
deny ip 10.170.2.0 0.0.1.255 10.170.112.0 0.0.7.255
deny ip 10.170.2.0 0.0.1.255 10.170.119.0 0.0.0.255
deny ip 10.170.2.0 0.0.1.255 10.170.208.0 0.0.7.255
deny ip 10.170.2.0 0.0.1.255 10.160.0.0 0.0.255.255
deny ip 10.170.2.0 0.0.1.255 10.216.0.0 0.0.255.255
permit ip 10.170.2.0 0.0.1.255 host 172.20.20.236
permit ip 10.170.2.0 0.0.1.255 any
permit ip 10.170.1.0 0.0.0.255 any
route-map vlan2-to-otw-fw permit 10
match ip address vlan2-to-otw-fw
set ip next-hop 10.170.2.1 < do you think this might be the problem the next hop on the same Vlan?
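To see why the extra deny line changed the outcome, it helps to walk the posted ACL with standard IOS semantics: an extended ACL is evaluated top-down, first match wins, wildcard bits set to 1 are "don't care", and under a route-map `permit` entry an ACL `permit` means "apply the set clause" while an ACL `deny` means "no match, route normally". The evaluator below is an added example, not code from the thread or from Cisco; the ACL lines are copied from the post above, and the flow addresses (10.170.2.50, 10.170.3.20, 8.8.8.8 and so on) are constructed for illustration. It shows that a packet between two addresses inside 10.170.2.0/23 that does reach the SVI (PBR only sees packets a host actually sends to the router; a host configured with a mask narrower than the SVI's /23 is one way that happens, but the thread does not establish the cause) falls through every deny and hits `permit ip 10.170.2.0 0.0.1.255 any`, so it is handed to 10.170.2.1 instead of being delivered locally, until the added deny catches it first.

```python
"""Cisco-style extended ACL + PBR route-map evaluator (added example).

Implements IOS wildcard-mask, first-match ACL semantics and the effect of
`route-map ... permit 10 / match ip address <acl> / set ip next-hop`.
ACL entries are copied from the forum post; flow addresses are constructed.
"""
import ipaddress
from typing import List, Optional, Tuple

AddrSpec = Tuple[int, int]          # (base address, wildcard mask) as ints
Ace = Tuple[str, AddrSpec, AddrSpec]  # (action, source, destination)

ANY: AddrSpec = (0, 0xFFFFFFFF)


def _parse_addr(tokens: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Parse one address spec (any | host A.B.C.D | A.B.C.D W.X.Y.Z)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    base = int(ipaddress.IPv4Address(tokens[i]))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (base, wildcard), i + 2


def parse_ace(line: str) -> Ace:
    """Parse one `permit|deny ip <src> <dst>` line."""
    tokens = line.split()
    action = tokens[0]
    if action not in ("permit", "deny") or tokens[1] != "ip":
        raise ValueError(f"unsupported ACE: {line!r}")
    src, i = _parse_addr(tokens, 2)
    dst, _ = _parse_addr(tokens, i)
    return action, src, dst


def _wildcard_match(addr: int, spec: AddrSpec) -> bool:
    """Bits that are 0 in the wildcard must equal the base; 1 bits are ignored."""
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (base & care)


def acl_result(acl: List[Ace], src_ip: str, dst_ip: str) -> str:
    """First-match evaluation with the implicit deny at the end."""
    s = int(ipaddress.IPv4Address(src_ip))
    d = int(ipaddress.IPv4Address(dst_ip))
    for action, src, dst in acl:
        if _wildcard_match(s, src) and _wildcard_match(d, dst):
            return action
    return "deny"


def pbr_next_hop(acl: List[Ace], src_ip: str, dst_ip: str,
                 next_hop: str = "10.170.2.1") -> Optional[str]:
    """Route-map `permit 10`: ACL permit -> set next-hop; ACL deny -> None
    (no route-map match, packet is routed by the normal table)."""
    return next_hop if acl_result(acl, src_ip, dst_ip) == "permit" else None


# ACL exactly as posted, minus the line the poster added afterwards.
ACL_BEFORE_FIX: List[Ace] = [parse_ace(l) for l in """
deny ip host 10.170.3.34 any
deny ip 10.170.2.0 0.0.1.255 192.168.31.0 0.0.0.255
deny ip 10.170.1.0 0.0.0.255 10.170.2.0 0.0.1.255
deny ip 10.170.2.0 0.0.1.255 10.170.1.0 0.0.0.255
deny ip 10.170.2.0 0.0.1.255 172.16.108.0 0.0.0.255
deny ip 10.170.2.0 0.0.1.255 10.170.4.0 0.0.1.255
deny ip 10.170.2.0 0.0.1.255 10.170.6.0 0.0.1.255
deny ip 10.170.2.0 0.0.1.255 10.170.96.0 0.0.15.255
deny ip 10.170.2.0 0.0.1.255 10.170.112.0 0.0.7.255
deny ip 10.170.2.0 0.0.1.255 10.170.119.0 0.0.0.255
deny ip 10.170.2.0 0.0.1.255 10.170.208.0 0.0.7.255
deny ip 10.170.2.0 0.0.1.255 10.160.0.0 0.0.255.255
deny ip 10.170.2.0 0.0.1.255 10.216.0.0 0.0.255.255
permit ip 10.170.2.0 0.0.1.255 host 172.20.20.236
permit ip 10.170.2.0 0.0.1.255 any
permit ip 10.170.1.0 0.0.0.255 any
""".strip().splitlines()]

# Same ACL with the poster's "Vlan2 to Vlan2" deny inserted before the permits.
ACL_WITH_FIX: List[Ace] = (
    ACL_BEFORE_FIX[:13]
    + [parse_ace("deny ip 10.170.2.0 0.0.1.255 10.170.2.0 0.0.1.255")]
    + ACL_BEFORE_FIX[13:]
)

if __name__ == "__main__":
    # Constructed flows: intra-/23 traffic, Internet-bound traffic, excluded host.
    flows = [("10.170.2.50", "10.170.3.20"), ("10.170.2.50", "8.8.8.8"),
             ("10.170.3.34", "8.8.8.8"), ("10.170.1.7", "8.8.8.8")]
    for src, dst in flows:
        print(f"{src:>13} -> {dst:<13} before fix: {pbr_next_hop(ACL_BEFORE_FIX, src, dst)}"
              f"  with fix: {pbr_next_hop(ACL_WITH_FIX, src, dst)}")
```

Running it shows the intra-VLAN flow 10.170.2.50 -> 10.170.3.20 being policy-routed to 10.170.2.1 before the fix and routed normally after it, while Internet-bound traffic from VLAN 2 and from 10.170.1.0/24 keeps its next-hop in both variants and the excluded host 10.170.3.34 is never policy-routed. Because the ACL is the only thing deciding who gets redirected, a practitioner reviewing a PBR policy would check each deny line against the real host masks and any proxy-ARP behaviour on the SVI, since any locally destined packet that reaches the router is treated exactly like the Internet-bound ones.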