Re: Per Vlan IP Route - Page 2

Dav1787 · ‎05-03-2019

Hi guys

I've been asked to put in a transparent proxy to web filter certain vlans. Im trying to set my vlans to use different static routes.

If I set my global static route to the below everything works fine.

If I set per vlan im not able to ping out to the gateway

is there any other switch configurations I need to set?

Dav1787 · ‎05-17-2019

thank you that helps alot.

Should my ACL for the PBR be like:

ip access-list extended vlan_21_ACL
deny ip 192.168.16.0 0.0.0.3 any
permit ip 192.168.21.0 0.0.0.255 any
!

Richard Burts · ‎05-17-2019

No your ACL would not be like that. First I am not clear why you have 192.168.16.0 in the ACL. When you include that subnet in the ACL it implies that packets with source address in that subnet will enter the switch on this interface. We do not know about your topology but I doubt that packets from 192.168.16.0 will enter the switch on vlan 21. My guess is that you include this in the ACL believing that it would enable DHCP. But that is not the case. The ACL is using 192.168.16.0 as the source address and for DHCP traffic 192.168.16.0 would be the destination. So remove 192.168.16.0 from the ACL.

Second what you need to do is to deny traffic for DHCP before you permit traffic from 192.168.21.0. Your ACL might look something like this

ip access-list extended vlan_21_ACL
deny udp any any eq 67
permit ip 192.168.21.0 0.0.0.255 any

HTH

Rick

HTH

Rick