PBR on Catalyst 3750x query

commsrbrad
Level 1

I have PBR on a 3750X. It is applied just to interface Vlan2 and seemed to work as required, but when we applied it not all devices on Vlan2 could talk to each other, so we added a deny Vlan2 to Vlan2 to the ACL. Then everything was OK.

BTW, the switch running PBR also had HSRP configured.

So my question is: why was it required? Surely traffic within Vlan2 would not be hitting the outbound interface of Vlan2; it is all Layer 2 within the VLAN.

Can somebody explain?

2 Replies

pman
Spotlight

Is HSRP the default gateway for devices on VLAN 2?
Please attach a topology diagram.

Also, please share the following configuration for both 3750-Xs:
- interface vlan 2
- all relevant access-lists
- all relevant route maps

Here is the relevant information:

Primary sw

interface Vlan2
ip address 10.170.2.11 255.255.254.0
ip helper-address 10.170.2.104
ip helper-address 10.170.2.108
ip helper-address 10.170.2.105
standby 2 ip 10.170.2.3
standby 2 priority 120
standby 2 preempt
ip policy route-map vlan2-to-otw-fw


Secondary sw

interface Vlan2
ip address 10.170.2.5 255.255.254.0
ip helper-address 10.170.2.104
ip helper-address 10.170.2.108
ip helper-address 10.170.2.105
standby 2 ip 10.170.2.3
standby 2 priority 110
standby 2 preempt
end

The route map is only applied to the primary at present.


ip access-list extended vlan2-to-otw-fw
deny ip host 10.170.3.34 any
deny ip 10.170.2.0 0.0.1.255 192.168.31.0 0.0.0.255
deny ip 10.170.1.0 0.0.0.255 10.170.2.0 0.0.1.255
deny ip 10.170.2.0 0.0.1.255 10.170.1.0 0.0.0.255
deny ip 10.170.2.0 0.0.1.255 172.16.108.0 0.0.0.255
deny ip 10.170.2.0 0.0.1.255 10.170.4.0 0.0.1.255
deny ip 10.170.2.0 0.0.1.255 10.170.6.0 0.0.1.255
deny ip 10.170.2.0 0.0.1.255 10.170.2.0 0.0.1.255  < this line was added to stop the problem
deny ip 10.170.2.0 0.0.1.255 10.170.96.0 0.0.15.255
deny ip 10.170.2.0 0.0.1.255 10.170.112.0 0.0.7.255
deny ip 10.170.2.0 0.0.1.255 10.170.119.0 0.0.0.255
deny ip 10.170.2.0 0.0.1.255 10.170.208.0 0.0.7.255
deny ip 10.170.2.0 0.0.1.255 10.160.0.0 0.0.255.255
deny ip 10.170.2.0 0.0.1.255 10.216.0.0 0.0.255.255
permit ip 10.170.2.0 0.0.1.255 host 172.20.20.236
permit ip 10.170.2.0 0.0.1.255 any
permit ip 10.170.1.0 0.0.0.255 any


route-map vlan2-to-otw-fw permit 10
match ip address vlan2-to-otw-fw
set ip next-hop 10.170.2.1 < do you think this might be the problem, the next hop being on the same Vlan?
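As an added illustration that is not part of this thread, the Python below replays the first-match logic of a subset of the posted ACL (the host deny, the 10.170.1.0 deny, the optional intra-VLAN deny and the three permits) against constructed flows: an intra-/23 flow from 10.170.2.x to 10.170.3.x matches "permit ip 10.170.2.0 0.0.1.255 any" and is policy-routed to 10.170.2.1 unless the added deny precedes it. It only shows what the ACL does once a packet is evaluated by the route-map; it does not answer why intra-VLAN traffic reached the SVI in the first place.

```python
import ipaddress

NEXT_HOP = "10.170.2.1"  # "set ip next-hop" from the posted route-map
INTRA_VLAN_DENY = "deny ip 10.170.2.0 0.0.1.255 10.170.2.0 0.0.1.255"  # the line the poster added

def build_acl(with_intra_vlan_deny):
    """Subset of the posted ACL, in posted order; the added deny is optional so both states can be compared."""
    lines = [
        "deny ip host 10.170.3.34 any",
        "deny ip 10.170.2.0 0.0.1.255 10.170.1.0 0.0.0.255",
    ]
    if with_intra_vlan_deny:
        lines.append(INTRA_VLAN_DENY)
    lines += [
        "permit ip 10.170.2.0 0.0.1.255 host 172.20.20.236",
        "permit ip 10.170.2.0 0.0.1.255 any",
        "permit ip 10.170.1.0 0.0.0.255 any",
    ]
    return [parse_ace(line) for line in lines]

def _addr_spec(tokens):
    """Consume one IOS address spec: 'any', 'host A', or 'A WILDCARD'. Returns (base, wildcard, rest)."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0, tokens[2:]
    return (int(ipaddress.IPv4Address(tokens[0])),
            int(ipaddress.IPv4Address(tokens[1])), tokens[2:])

def parse_ace(line):
    """Parse 'permit|deny ip SRC DST' into (action, src, src_wc, dst, dst_wc) as integers."""
    action, proto, *rest = line.split()
    if proto != "ip":
        raise ValueError("only 'ip' ACEs are handled here")
    src, src_wc, rest = _addr_spec(rest)
    dst, dst_wc, _ = _addr_spec(rest)
    return action, src, src_wc, dst, dst_wc

def _wc_match(addr, base, wildcard):
    # Wildcard semantics: a 1 bit means "don't care", a 0 bit must equal the base address.
    return ((addr ^ base) & ~wildcard & 0xFFFFFFFF) == 0

def pbr_decision(acl, src, dst):
    """First match wins: permit -> route-map sets NEXT_HOP; deny or implicit deny -> normal routing (None)."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for action, sb, sw, db, dw in acl:
        if _wc_match(s, sb, sw) and _wc_match(d, db, dw):
            return NEXT_HOP if action == "permit" else None
    return None
```

Calling pbr_decision(build_acl(False), "10.170.2.50", "10.170.3.40") returns "10.170.2.1", while the same flow with build_acl(True) returns None, which is the before/after the poster observed.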

