Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
762
Views
5
Helpful
3
Replies

Policy-based Routing and Secondary Interfaces

Go to solution
TODD BEERS
Level 1
Level 1

‎02-22-2017 12:39 PM - edited ‎03-05-2019 08:05 AM

In order to do non-intrusive testing with an inline device between router and switch, we've set up the following:

Router

Int g0/0

ip address 10.1.1.1 255.255.255.252

ip address 192.168.1.2 255.255.255.248 secondary

Switch

int vl638

ip address 10.1.1.2 255.255.255.252

ip address 192.168.1.1 255.255.255.248 secondary

(Pending) ip route 10.17.0.0 255.255.0.0 192.168.1.2

The remote subnet we're using for testing is 10.17.0.0/16 and its destination subnets are in 10.1.0.0/16. I created the following PBR to avoid asymmetrical routing, but I haven't applied it yet. Most of the traffic is originated from the 10.17.0.0/16 end. 

access-list 113 permit 10.17.0.0 0.0.255.255 any

route-map Testing permit 10
match ip address 113
set ip next-hop 192.168.1.1

int g0/0
ip policy route-map Testing

Will this ensure that all of the traffic flowing between 10.17.0.0/16 and 10.1.0.0/16 will hit 192.168.1.1 on the way in 1 and 92.168.1.2 on the way back out and not affect any other traffic?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Diana Karolina Rojas
Cisco Employee
Cisco Employee

‎02-22-2017 12:51 PM

Your configuration only ensure that all the traffic (to any subnet) from 10.17.0.0/16 hit 192.168.1.1, no more, If you only want to ensure the traffic from 10.17.0.0/16 to 10.1.0.0/16 hit the ip 192.168.1.1 you have to use an extended access list like this:

access-list 130

permit ip 10.17.0.0  0.0.255.255 10.1.0.0 0.0.255.255

PD: Remember rate useful answers.

Regards,

View solution in original post

3 Replies 3

Go to solution
Diana Karolina Rojas
Cisco Employee
Cisco Employee

‎02-22-2017 12:51 PM

Your configuration only ensure that all the traffic (to any subnet) from 10.17.0.0/16 hit 192.168.1.1, no more, If you only want to ensure the traffic from 10.17.0.0/16 to 10.1.0.0/16 hit the ip 192.168.1.1 you have to use an extended access list like this:

access-list 130

permit ip 10.17.0.0  0.0.255.255 10.1.0.0 0.0.255.255

PD: Remember rate useful answers.

Regards,

Go to solution
TODD BEERS
Level 1
Level 1
In response to Diana Karolina Rojas

‎02-23-2017 11:34 AM

Yeah I figured that would be the case. I'm actually going to start very narrow, then expand, so my initial ACL will be:

access-list 113

permit ip 10.17.3.0 0.0.0.255 10.1.0.0 0.0.255.255

0 Helpful

Go to solution
TODD BEERS
Level 1
Level 1
In response to Diana Karolina Rojas

‎02-23-2017 12:36 PM

Can't get any hits to the route map/acl even though I'm generating traffic that should match. Wondering if this just doesn't work with secondary addresses.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card