Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1763
Views
30
Helpful
23
Replies

PBR seems to be not implemented

Go to solution
robad
Level 1
Level 1

‎07-13-2022 04:35 AM - last edited on ‎07-26-2022 10:14 PM by Community Manager

Hi Guys, It's probably going to be long, but it's something that is very important for my team.

We are working in company in few Lab's environment that is connected to IT.

Our Gateway for all labs is currently 2 old 6500 working with VSS.

Each lab is connected to the 6500, and each lab have is own gateway to IT, I mean that for each lab, there are 2 links from our Gateway to IT Gateways. Now we are working with

route-maps

 

We should start use 2 9600 instead of the 6500. right now we got only 1 9600, so we have time to test it. we have 2 unused labs that we can 'play' with and check the configs.

I'll tell you what we are trying to do, and please, let me know if it should work like that, and also, if you think you have some better way - we'll glad to hear.

 

The 9600 is : 9606R

Version : (CAT9K_IOSXE), Version 17.3.4

ACLs & Route-maps :


 

 

 

 

Extended IP access list A-to-B
10 permit ip 43.43.43.0 0.0.0.255 40.40.40.0 0.0.0.255
Extended IP access list A-to-any
10 permit ip 43.43.43.0 0.0.0.255 any

Extended IP access list B-to-A
10 permit ip 40.40.40.0 0.0.0.255 43.43.43.0 0.0.0.255
Extended IP access list B-to-any
10 permit ip 40.40.40.0 0.0.0.255 any

route-map A sequence 5
match ip add A-to-B
set ip next-hop 40.40.40.1

route-map A sequence 10
match ip add A-to-any
set ip next-hop [IT uplink address]


route-map B sequence 5
match ip add B-to-A
set ip next-hop 43.43.43.1

route-map B sequence 10
match ip add B-to-any
set ip next-hop [IT uplink address]

 

 

 

 

 

 The strange thing that is for example the Group B to any is working, because I can ping 8.8.8.8 for example, and then move the

ip policy route-map

command from the int vlan, it's not working. so the

route-map

is working [at least for 'outside']

 

Pings between Group A to Group B not working....

It might be something with directly connected route or something, but I'm not sure...

Please advise . Thanks in advance

Labels:
Preview file
39 KB
0 Helpful
23 Replies 23

Go to solution
MHM Cisco World
VIP
VIP
In response to robad

‎07-17-2022 07:20 AM - last edited on ‎07-26-2022 10:31 PM by Community Manager

if he plug PC and config static IP that IP if it in same subnet of VLAN config with port he plug in then no issue at all, IF the ip is different then there is sure connectivity issue.
and the think is worse if you disable

proxy-arp

under the SVI of VLAN.

0 Helpful

Go to solution
robad
Level 1
Level 1

‎07-17-2022 08:39 AM - last edited on ‎07-26-2022 10:32 PM by Community Manager

Paul & MHM,

Let me see if I understand

1. If a user from some group will use another IP, that it's not part of my subnets , like 192.x.x.x , he won't be able to communicate - right ?

2. If the answer is Yes - so please tell me if the next idea is good  :

For interlab communication, I'll use static routes, like configuring on the 9600 this :

43.43.43.0 255.255.255.255.0 43.43.43.1

44.44.44.0 255.255.255.255.0 43.43.43.1

45.45.45.0 255.255.255.255.0 43.43.43.1

All group's A subnets will be routed via 'vlan 10' because it's allowed on the trunk with the 9600, and then the packet will go to the Group's Gateway, and from there to the specific SVI [for vlan 10/20/30].

 

And then use

route-map

only for packets that are going to IT [I must that each lab will get out from specific IT link]

 

thanks again guys

0 Helpful

Go to solution
paul driver
VIP
VIP
In response to robad

‎07-18-2022 12:10 AM - last edited on ‎07-26-2022 10:33 PM by Community Manager

Hello
Would it not make sense to relocate the

intervlan-rotuing

onto the 9300 for Vlan 40-43 or use dynamic routing such as ospf between each IT group, this would then provide better administrative control over your network and negate having to add complexing routing policy’s and static routes.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Go to solution
robad
Level 1
Level 1
In response to paul driver

‎07-18-2022 12:42 AM

Paul,

So sorry, but what you are suggesting ? not sure fully understand.

[maybe config/draw will help me. or wider explanation]

 

Thanks in advance !

 

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to robad

‎07-18-2022 05:28 AM

can you more elaborate you new design?

0 Helpful

Go to solution
robad
Level 1
Level 1

‎07-19-2022 12:13 AM - last edited on ‎07-26-2022 10:34 PM by Community Manager

Hi, here is the draw of my wanted network design [and this is how it works today with our old 6500 ]

NOTICE that I've changed the IPs and vlans name in order it'll be more separated and more clear .

****

 

new_network_design.PNG

*** 

My goal is that when a packet from any vlan from Group-A, wants to go to Group-B, it'll pass throw 9600 only and not go throw IT.

Now we are achieving it by

route-map

that sends any traffic from subnets in group-A to Group's B vlan 20 gateway [20.20.20.1], because this vlan is in trunk from the 9600 to Group's-B gateway. [and that's why we need route between labs. I think  that @paul driver  ask that, and said we don't need any route, because the 9600 have interface vlans for all lab's vlan. but we don't, we have on the 9600 one  "main" interface vlan for each group]

 

I think that who did it, , is to prevent some clients to connect PC/host to Group-A Gateway, and give it some other IP that is not part of our subnets, and he'll be able to harm the whole broadcast domain for his vlan or something like that that I'm not so clear with that....

So we have access-lists "groupA-to-GroupB" and "GroupB-to-GroupA" and then we are giving only the allowed subnets to go out to other labs...

 

In our new 9600 it didn't worked for some reason, so I tried to understand why is that, and also thought if it can be replaced by something else. like static route for each subnet, something like that [on the 9600, for group-B for example] :

ip route 20.20.20.0 255.255.255.0 20.20.20.1

ip route 21.21.21.0 255.255.255.0 20.20.20.1

ip route 22.22.22.0 255.255.255.0 20.20.20.1


sorry for the mismatch and complexity. not fully sure what I can/need to do to make things work better.

Thanks again guys for your time

Go to solution
MHM Cisco World
VIP
VIP
In response to robad

‎07-19-2022 05:03 AM

you dont mention me so I dont see your reply until now.
you config is excellent except some point 
in Core SW you need only one VLAN for example VLAN 100
you all VLAN in trunk between access SW and Core
you need to add VLAN 100 to access SW also.
Now do routing policy or doing static route toward the SVI of VLAN 100 in core
and that it.

one more point
please select different VLAN number in both Access SW I see VLAN 20 in both Acces SW that wrong.

0 Helpful

Go to solution
robad
Level 1
Level 1

‎07-21-2022 12:38 AM - last edited on ‎07-26-2022 10:35 PM by Community Manager

Hi,

Thanks @MHM Cisco World  and @paul driver  for your great assistant !

At the end, we've chose to use a different vlan for routing between labs, and keep

route-maps

only for outgoing packets to IT

 

Thanks a lot !

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card