11-28-2012 05:55 PM - edited 03-07-2019 10:18 AM
Hi
I have 1 ISP connection that goes to a Router - ASA and then to the core switch 3750.
I have 1 more new ISP link, that goes to a different Router - then to ASA and to the same 3750 switch. On the 3750 I have many Vlans and I would like to configure PBR whereby all the Traffic from Vlan 120 and Vlan 140 goes to this New ISP Internet Line.
Could you please help me with the configuration?
11-29-2012 03:25 AM
If you don't have a ton of traffic then I wouldn't worry about resource allocation. From what I've read, it seems that if resources start to get exhausted, routing happens in software instead of getting added to the tcam for intervlan routing. So, my understanding is that the switch won't stop routing traffic but instead software can hold more entries than the tcam table:
Overall, you can do a "show sdm prefer" to see what template you're using before making the change. You'll need the routing template in order to use pbr on the 3750. You can see in the above link that the article shows the three templates that you can use: Default, Routing, and Vlan. The row "PBR aces" is only supported under the routing template.
HTH,
John
**** Please rate all useful posts ****
11-28-2012 06:16 PM
The quick way would be to create an access-list on the 3750 for the subnets that are associated to each vlan:
vlan 120 = 10.120.0.0/24
vlan 140 = 10.140.0.0/24
access-list 120 permit ip 10.120.0.0 0.0.0.255 any
access-list 140 permit ip 10.140.0.0 0.0.0.255 any
Create a policy that matches on these acls:
route-map NewISP permit 10
match ip address 120
set ip next-hop
route-map NewISP permit 20
match ip address 140
set ip next-hop
Then apply to your vlan interfaces:
int vlan 120
ip policy route-map NewISP
int vlan 140
ip policy route-map NewISP
You can also split this route map into two different ones, but what doesn't match gets routed normally. In theory, your 140 source address will never be seen as a source on vlan 120, so the single map should be fine.
You'll also possibly need to enable "sdm prefer routing" and reload the switch in order to get policy routing on the 3750 to work.
HTH,
John
11-29-2012 12:20 AM
Hi John
Thanks for your Email. I already have these 2 Vlans created in the current switch, which is going to the current ISP..so I can just route these.
I was wondering if I enable sdm prefer routing, will that make my 3750 exhausted.
The 3750 I am using is on the switch stack; I was wondering if that would be fine.
Thank you
11-29-2012 08:35 PM
Hi John
Thanks for your Email. I have connected the ASA 5520 to the core switch port and configured it as follows:
# no switch port
IP address x.x.x.x.x.x.x.
I also have a default route in the core 3750 that sends all the traffic to the Old ISP - Do I have to change this as well.
This address is same as the LAN of the ASA...
The place where I am stuck is that Vlan 120 and Vlan 140 are already configured in the switch and the traffic is going to the Old ISP.
In order for these 2 Vlans' traffic to go to the New ISP, do I have to remove those two routes and add new ones?
I have also checked the template that we are using is Desktop Routing Template, so I think PBR is already enabled in this switch.
Please advise.
Thank you
11-30-2012 03:35 AM
PBR will take precedence over any routes that you have on the box now. The switch will do policy routing first and then regular routing. You won't need to remove any static routes to get this to work. It does look like you're good to go with policy maps and your sdm template.
HTH,
John
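An added worked example (not code from the thread, from Cisco, or from John) that models the two points made above: the route map is evaluated first on the ingress SVI, and anything that matches no permit sequence falls through to the normal routing table, so the existing static default route stays in place. The VLAN subnets, ACL numbers and route-map sequences are the ones from the first reply; the old-ISP default gateway 192.168.100.1 is taken from the poster's config; NEW_ISP_NEXT_HOP is a placeholder because the thread's "set ip next-hop" values are missing. The wildcard-mask matching and the VLAN-to-policy mapping are constructed for this example.

```python
"""Model of how an IOS switch evaluates PBR ahead of normal routing.

Added example, not code from the thread or from Cisco. Constructed
values: VLAN subnets 10.120.0.0/24 and 10.140.0.0/24 come from John's
reply; the old-ISP default gateway 192.168.100.1 comes from the poster's
config; NEW_ISP_NEXT_HOP is a placeholder because the thread's
'set ip next-hop' values are missing.
"""
import ipaddress
from dataclasses import dataclass

NEW_ISP_NEXT_HOP = "192.0.2.1"      # placeholder, not from the thread
OLD_ISP_DEFAULT = "192.168.100.1"   # from 'ip route 0.0.0.0 0.0.0.0 192.168.100.1'


@dataclass(frozen=True)
class AclEntry:
    action: str        # "permit" or "deny"
    src_net: str       # e.g. "10.120.0.0"
    src_wildcard: str  # IOS wildcard mask, e.g. "0.0.0.255"


@dataclass(frozen=True)
class RouteMapSeq:
    seq: int
    acl: int           # numbered ACL named by 'match ip address <n>'
    next_hop: str      # value of 'set ip next-hop'


def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit must match, a 1 bit is don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def acl_permits(entries, src: str) -> bool:
    """First matching ACE wins; an ACL with no matching ACE denies implicitly."""
    for e in entries:
        if wildcard_match(src, e.src_net, e.src_wildcard):
            return e.action == "permit"
    return False


# 'access-list 120 permit ip 10.120.0.0 0.0.0.255 any' and the 140 equivalent
ACLS = {
    120: [AclEntry("permit", "10.120.0.0", "0.0.0.255")],
    140: [AclEntry("permit", "10.140.0.0", "0.0.0.255")],
}

# 'route-map NewISP permit 10' and 'permit 20' from the first reply
ROUTE_MAPS = {
    "NewISP": [
        RouteMapSeq(10, 120, NEW_ISP_NEXT_HOP),
        RouteMapSeq(20, 140, NEW_ISP_NEXT_HOP),
    ],
}

# 'ip policy route-map NewISP' on the two SVIs; Vlan10 is a constructed
# SVI with no policy applied
SVI_POLICY = {"Vlan120": "NewISP", "Vlan140": "NewISP", "Vlan10": None}


def route_packet(ingress_svi: str, src: str):
    """Return (method, next_hop, seq).

    PBR runs first on the ingress SVI. A packet that matches no permit
    sequence (route-map implicit deny) or arrives on an SVI without a
    policy is handed to the routing table, here the static default route.
    """
    map_name = SVI_POLICY.get(ingress_svi)
    if map_name is not None:
        for s in sorted(ROUTE_MAPS[map_name], key=lambda s: s.seq):
            if acl_permits(ACLS[s.acl], src):
                return ("pbr", s.next_hop, s.seq)
    return ("normal", OLD_ISP_DEFAULT, None)


if __name__ == "__main__":
    samples = [("Vlan120", "10.120.0.5"), ("Vlan140", "10.140.0.9"),
               ("Vlan10", "192.168.10.7"), ("Vlan120", "172.20.20.4")]
    for svi, src in samples:
        print(svi, src, route_packet(svi, src))
```

The last sample shows the behaviour John describes: a source on Vlan 120 that is outside 10.120.0.0/24 matches neither sequence, so it is not policy-routed and simply follows the existing default route to the old ISP, without any static route being removed.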
12-02-2012 04:01 PM
Hi John
Good Morning
My new Internet is hooked into a Cisco 2951 router. That router is hooked to an ASA 5520 firewall, and the ASA is hooked to the core switch.
The port where the ASA is hooked I have configured as a no switchport and given the IP.
What I cannot work out is whether I have to configure some route on the 3750 whereby packets can go to the ASA. Once the traffic can go to the router, I think I can configure the PBR.
Below is the details
I have 2 routers connected to a 3750. Router A is hooked up with Internet and Router B is also hooked up with Internet.
Currently all the traffic is going to Router A. I have connected Router B on the 3750, configured as no switchport and given an IP.
I was wondering how I can determine or change some traffic to go to Router B, as all of it is going to Router A.
Below is the configuration that I have :
ip default-gateway 192.168.100.1
!
ip http server
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.100.1
!
!
ip sla enable reaction-alerts
access-list 20 permit 0.0.0.0 255.255.255.0
access-list 40 permit 0.0.0.0 255.255.255.0
access-list 100 remark GUEST NETWORK CONTROL
access-list 100 permit udp 172.20.20.0 0.0.0.255 host 192.168.171.1 eq domain
access-list 100 permit udp 172.20.20.0 0.0.0.255 host 192.168.171.30 eq domain
access-list 100 permit udp any any eq bootps
access-list 100 permit udp any any eq bootpc
access-list 100 deny ip 172.20.20.0 0.0.0.255 192.168.168.0 0.0.3.255 log
access-list 100 deny ip 172.20.20.0 0.0.0.255 192.168.10.0 0.0.0.255 log
access-list 100 deny ip 172.20.20.0 0.0.0.255 192.168.20.0 0.0.0.255 log
access-list 100 deny ip 172.20.20.0 0.0.0.255 192.168.30.0 0.0.0.255 log
access-list 100 deny ip 172.20.20.0 0.0.0.255 192.168.40.0 0.0.0.255 log
access-list 100 deny ip 172.20.20.0 0.0.0.255 192.168.50.0 0.0.0.255 log
access-list 100 deny ip 172.20.20.0 0.0.0.255 192.168.60.0 0.0.0.255 log
access-list 100 deny ip 172.20.20.0 0.0.0.255 192.168.70.0 0.0.0.255 log
access-list 100 deny ip 172.20.20.0 0.0.0.255 192.168.90.0 0.0.0.255 log
access-list 100 deny ip 172.20.20.0 0.0.0.255 172.20.10.0 0.0.0.255 log
access-list 100 deny ip 172.20.20.0 0.0.0.255 172.20.30.0 0.0.0.255 log
access-list 100 deny ip 172.20.20.0 0.0.0.255 172.20.40.0 0.0.0.255 log
access-list 100 permit ip 172.20.20.0 0.0.0.255 any
access-list 100 remark