05-03-2019 10:31 AM
Hi guys
I've been asked to put in a transparent proxy to web filter certain vlans. I'm trying to set my vlans to use different static routes.
If I set my global static route to the below everything works fine.
If I set per vlan I'm not able to ping out to the gateway.
Is there any other switch configurations I need to set?
05-17-2019 02:49 AM
Thank you, that helps a lot.
Should my ACL for the PBR be like:
ip access-list extended vlan_21_ACL
 deny ip 192.168.16.0 0.0.0.3 any
 permit ip 192.168.21.0 0.0.0.255 any
!
05-17-2019 05:35 AM
No, your ACL would not be like that. First, I am not clear why you have 192.168.16.0 in the ACL. When you include that subnet in the ACL it implies that packets with source address in that subnet will enter the switch on this interface. We do not know about your topology but I doubt that packets from 192.168.16.0 will enter the switch on vlan 21. My guess is that you include this in the ACL believing that it would enable DHCP. But that is not the case. The ACL is using 192.168.16.0 as the source address and for DHCP traffic 192.168.16.0 would be the destination. So remove 192.168.16.0 from the ACL.
Second, what you need to do is to deny traffic for DHCP before you permit traffic from 192.168.21.0. Your ACL might look something like this:
ip access-list extended vlan_21_ACL
 deny udp any any eq 67
 permit ip 192.168.21.0 0.0.0.255 any
HTH
Rick
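Added example, not part of the thread: a small first-match evaluator for the two ACLs quoted above, run against constructed packets, to show which traffic each one would hand to policy routing. It assumes the ACL is the match condition of a route-map permit clause (so "permit" means policy-routed and "deny" means forwarded by the normal routing table); the client, DHCP server and web server addresses are illustrative.

```python
import ipaddress

# The two ACL bodies quoted in the thread.
ASKED = ["deny ip 192.168.16.0 0.0.0.3 any",
         "permit ip 192.168.21.0 0.0.0.255 any"]
SUGGESTED = ["deny udp any any eq 67",
             "permit ip 192.168.21.0 0.0.0.255 any"]

# Constructed sample packets (addresses are illustrative, not from the thread).
DISCOVER = {"proto": "udp", "src": "0.0.0.0", "dst": "255.255.255.255", "dport": 67}
RENEWAL = {"proto": "udp", "src": "192.168.21.50", "dst": "192.168.16.1", "dport": 67}
WEB = {"proto": "tcp", "src": "192.168.21.50", "dst": "203.0.113.10", "dport": 80}

def parse_ace(line):
    """Parse one entry of the form: action proto src dst [eq port]."""
    tok = line.split()
    action, proto, i = tok[0], tok[1], 2
    addrs = []
    for _ in range(2):                      # source first, then destination
        if tok[i] == "any":
            addrs.append((0, 0xFFFFFFFF)); i += 1
        else:                               # address followed by wildcard mask
            addrs.append((int(ipaddress.ip_address(tok[i])),
                          int(ipaddress.ip_address(tok[i + 1])))); i += 2
    port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return action, proto, addrs[0], addrs[1], port

def addr_match(ip, spec):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF           # wildcard bits set to 1 are ignored
    return (int(ipaddress.ip_address(ip)) & care) == (base & care)

def evaluate(acl_lines, pkt):
    """First matching entry wins; no match falls to the implicit deny."""
    for line in acl_lines:
        action, proto, src, dst, port = parse_ace(line)
        if proto not in ("ip", pkt["proto"]):
            continue
        if not (addr_match(pkt["src"], src) and addr_match(pkt["dst"], dst)):
            continue
        if port is not None and pkt.get("dport") != port:
            continue                        # "eq" after the destination = destination port
        return action
    return "deny"

if __name__ == "__main__":
    for name, pkt in (("discover", DISCOVER), ("renewal", RENEWAL), ("web", WEB)):
        print(name, "asked:", evaluate(ASKED, pkt), "suggested:", evaluate(SUGGESTED, pkt))
```

The difference shows up on the unicast DHCP renewal: the first ACL permits it because its source is in 192.168.21.0, while the second denies it ahead of the permit, and ordinary web traffic is permitted by both.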