Need help in policy map in switch

Chriskoh
Level 1

Hi 

 

Could anyone assist with a policy route map? I would like to apply the ip policy route map on VLAN300. Below, you can see the port interfaces and static routes on the switch, as well as Router A & B. I would like to have an “access list” for VLAN300 to route the “non-RFC1918” traffic to interface gig3/0/3. Right now, VLAN300 non-RFC1918 traffic is going to interface gig3/0/2 (switch route: ip route 0.0.0.0 0.0.0.0 172.30.48.1). Please show me how to use the access list and route map for this. Thanks in advance.

 

Cisco Switch

 

interface Vlan10
 ip address 172.30.49.210 255.255.254.0
 ip helper-address 172.30.48.17
 no ip redirects
 ntp broadcast
end
!
interface Vlan300
 ip address 172.30.51.210 255.255.254.0
 ip helper-address 172.30.48.17
end
!
interface GigabitEthernet3/0/1
 description Firewall ASA Port1 ====> router A
 switchport access vlan 900
 switchport mode access
end
!
interface GigabitEthernet3/0/2
 description Firewall ASA Port2 => router A
 switchport access vlan 10
 switchport mode access
end
!
interface GigabitEthernet3/0/3
 description Firewall ASA. Port3 => router A
 switchport access vlan 300
 switchport mode access
end

Switch#show run | i ip route
ip route 0.0.0.0 0.0.0.0 172.30.48.1 name default.via.firewall
ip route 10.0.0.0 255.0.0.0 172.30.49.252 name rfc1918a    ==> router B
ip route 172.16.0.0 255.240.0.0 172.30.49.252 name rfc1918b   ==> router B
ip route 192.168.0.0 255.255.0.0 172.30.49.252 name rfc1918c  ==> router B

 


Hello,

 

Which switch (e.g. 3850) do you have? The basic configuration would be:

 

ip access-list extended RFC_ACL
 permit ip 10.0.0.0 0.255.255.255 any
 permit ip 172.16.0.0 0.15.255.255 any
 permit ip 192.168.0.0 0.0.255.255 any
!
route-map RFC_MAP permit 10
 match ip address RFC_ACL
 set ip next-hop ?????
!
int vlan 300
 ip address 172.30.51.210 255.255.254.0
 ip helper-address 172.30.48.17
 ip policy route-map RFC_MAP

 

You need to replace '?????' with the actual IP address of the next hop....

Hi

 

The 172.30.51.210/23 (VLAN 300) traffic goes through router B for RFC1918 traffic, for which the static routes are correct. The problem is that 172.30.51.210/23 will be going to interface Gig3/0/2 for non-RFC1918 traffic, which I want to go to interface Gig3/0/3. How can I achieve this?

 

Thanks 

Deepak Kumar
VIP Alumni

Hi,

What you have configured here is not a policy map. These are static routes, but a policy map will be different.

Here, my question is:

Are 10.0.0.0 255.0.0.0, 172.16.0.0 255.240.0.0 and 192.168.0.0 255.255.0.0 the source of the traffic, or are they all the destination of the traffic?

If those are the destination subnets for a packet, then it must work. If those are the source of the traffic, then it will not work. It will help us to understand the issue. Also, we need the model number and IOS version of the switch.

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Hello
You will only be able to policy route traffic originating from VLAN 300; from what I can see, that would at most be 172.30.50.1 - 172.30.51.254. To specify specific source/destination addressing to policy route, an extended access list would be applicable.

Example:
ip access-list extended RFC
permit ip 172.30.50.0 0.0.1.255 10.0.0.0 0.255.255.255
permit ip 172.30.50.0 0.0.1.255 172.16.0.0 0.15.255.255
permit ip 172.30.50.0 0.0.1.255 192.168.0.0 0.0.255.255

route-map NON-RFC permit 10
match ip address RFC
set ip next-hop x.x.x.x

int vlan 300
ip policy route-map NON-RFC


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
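
An added example, not posted by anyone in this thread: a small offline evaluator for extended ACL lines with wildcard masks, useful for checking which VLAN 300 packets a `match ip address` clause would hand to the route-map before the policy is applied to the interface. `RFC_ACL` is the ACL from the last reply; `NON_RFC_ACL`, the host 172.30.51.20 and the destination addresses are constructed for illustration, and only `permit|deny ip` entries with `any` or address/wildcard pairs are modelled.

```python
import ipaddress

def parse_ace(line):
    """Parse 'permit|deny ip SRC DST'; SRC/DST is 'any' or 'address wildcard'."""
    action, proto, *rest = line.split()
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported ACE: {line!r}")
    specs = []
    while rest:
        if rest[0] == "any":
            specs.append((0, 0xFFFFFFFF))
            rest = rest[1:]
        else:
            base, wild = (int(ipaddress.IPv4Address(t)) for t in rest[:2])
            specs.append((base, wild))
            rest = rest[2:]
    if len(specs) != 2:
        raise ValueError(f"need one source and one destination: {line!r}")
    return action, specs[0], specs[1]

def matches(addr, spec):
    """Wildcard bits set to 1 are ignored; every other bit must equal the base."""
    base, wild = spec
    care = ~wild & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == base & care

def policy_routed(acl, src, dst):
    """True when the first matching ACE is a permit, so the route-map's set applies.
    A deny, or the implicit deny at the end, leaves the packet to the routing table."""
    for line in acl:
        action, s, d = parse_ace(line)
        if matches(src, s) and matches(dst, d):
            return action == "permit"
    return False

# ACL posted in the last reply of this thread.
RFC_ACL = ["permit ip 172.30.50.0 0.0.1.255 10.0.0.0 0.255.255.255",
           "permit ip 172.30.50.0 0.0.1.255 172.16.0.0 0.15.255.255",
           "permit ip 172.30.50.0 0.0.1.255 192.168.0.0 0.0.255.255"]
# Constructed (assumption): deny RFC1918 destinations, permit the rest from VLAN 300.
NON_RFC_ACL = ["deny ip any 10.0.0.0 0.255.255.255",
               "deny ip any 172.16.0.0 0.15.255.255",
               "deny ip any 192.168.0.0 0.0.255.255",
               "permit ip 172.30.50.0 0.0.1.255 any"]

if __name__ == "__main__":
    for dst in ("198.51.100.7", "10.20.30.40", "172.30.48.17"):  # constructed
        print(dst, policy_routed(RFC_ACL, "172.30.51.20", dst),
              policy_routed(NON_RFC_ACL, "172.30.51.20", dst))
```

Note that 172.30.48.17 falls inside 172.16.0.0/12, so traffic to the DHCP helper and other local subnets stays on the normal routing table under the constructed ACL. On the switch, `show ip policy` and `show route-map` confirm where a map is applied and whether its clauses are being hit.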