10-31-2012 05:24 AM - edited 03-07-2019 09:46 AM
Hi,
My question is w.r.t. policy-based routing on my network. Our switch is a 3560G 24PS running the Adv IP Services image. It is connected to an 1841 and an 1811, each with a dual-WAN connection. The 3560 defines 6 VLANs and we are using PBR to route some VLANs via the 1841 and some VLANs via the 1811.
From a client on one VLAN, a traceroute to a client on another VLAN goes through the 1811 before being routed back to the 3560. Is it possible to use PBR to detect traffic that is destined for another VLAN on the same switch and then route it directly?
I'm trying to paste in the config from my PuTTY session, but am unable at this time.
10-31-2012 06:05 AM
Anything you match in an ACL you can policy route. You do need to be careful with policy routing because it is easy to create asymmetric routing issues.
Currently your PBR looks to be routing by the source IP.
You might need to deny the local VLAN subnets to other local VLAN subnets on the same switch; make sure those deny rules are placed before the permit statement. So enter ACL config mode and change your ACLs; that might help. Keep in mind, though, your PBR is doing exactly what it was configured to do.
http://ccie-or-null.net/2012/01/09/working-with-cisco-access-control-lists-acls/
--
CCNP, CCIP, CCDP, CCNA: Security/Wireless
Blog: http://ccie-or-null.net/
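The ACL change the answer describes, written out against the subnets posted in this thread as an added example (not the answerer's or the poster's config). Only VLAN 10 and VLAN 25 subnets appear in the thread, so the remaining four local subnets are shown as placeholders.

```cisco
! Added example, not from the thread. A "deny" entry in a route-map match ACL
! means "do not policy-route this packet": it falls through to the switch's
! normal routing table and is forwarded directly between the local VLANs
! instead of being sent to the PBR next-hop and hairpinned back.
!
! Before (matches everything sourced from VLAN 10, including traffic for VLAN 25):
!   access-list 110 permit ip 192.168.10.0 0.0.0.255 any
!
! After: enter ACL config mode and add deny entries with sequence numbers
! lower than the existing permit (which sits at sequence 10).
ip access-list extended 110
 remark keep local VLAN-to-VLAN traffic out of PBR
 5 deny ip 192.168.10.0 0.0.0.255 192.168.25.0 0.0.0.255
 6 deny ip 192.168.10.0 0.0.0.255 <other-local-vlan-subnet> <wildcard>
 remark placeholders above: one deny per remaining local VLAN subnet (not in thread)
 10 permit ip 192.168.10.0 0.0.0.255 any
!
ip access-list extended 125
 remark keep local VLAN-to-VLAN traffic out of PBR
 5 deny ip 192.168.25.0 0.0.0.255 192.168.10.0 0.0.0.255
 6 deny ip 192.168.25.0 0.0.0.255 <other-local-vlan-subnet> <wildcard>
 10 permit ip 192.168.25.0 0.0.0.255 any
!
! The route-maps RM_IMD and RM_IMDGuest stay as posted; only their match ACLs narrow.
! Verify: the deny counters increment for inter-VLAN flows, and a traceroute from
! VLAN 10 to VLAN 25 no longer shows an external router as an intermediate hop.
show ip access-lists 110
show ip access-lists 125
show route-map RM_IMD
```

Traffic that matches a deny line is not dropped; it is simply excluded from the policy route and handled by the normal routing table.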
10-31-2012 05:25 AM
Here are the relevant parts of the config on the 3560
interface GigabitEthernet0/1
description Cisco 1811 Router at 192.168.5.3
!
interface GigabitEthernet0/3
description Cisco 1841 Router at 192.168.5.1
!
interface Vlan10
ip address 192.168.10.2 255.255.255.0
ip helper-address 192.168.10.6
ip pim sparse-dense-mode
ip policy route-map RM_IMD
ntp broadcast
!
interface Vlan25
ip address 192.168.25.2 255.255.255.0
ip helper-address 192.168.10.6
ip pim sparse-dense-mode
ip policy route-map RM_IMDGuest
ntp broadcast
!
...
access-list 110 permit ip 192.168.10.0 0.0.0.255 any
access-list 125 permit ip 192.168.25.0 0.0.0.255 any
...
route-map RM_IMD permit 10
match ip address 110
set ip next-hop 192.168.5.1
!
route-map RM_IMDGuest permit 10
match ip address 125
set ip next-hop 192.168.5.1
!