Policies based routing configuration

yeewensmc
Beginner

Dear all,

FYI

10.1.18.71 (Firewall A)

10.1.2.1   (Firewall B) (connected through

I've one Cisco 3750G-12S with ip routing enabled; the switch is running the IP Services firmware, with PBR support.

Currently my default static route, 0.0.0.0 0.0.0.0 10.1.18.71, points to my Firewall A.

Currently all of the VLANs are routed to 10.1.18.71.

I've created a new VLAN 2 for my 10.1.2.0/24 network, with the VLAN 2 interface IP address 10.1.2.10. My intention is to route 10.1.2.0/24 traffic to 10.1.2.1 by creating an access list and route-map.

I've created an access-list & route-map as below.

access-list 101 permit ip 10.1.2.0 0.0.0.255 any
no cdp run
route-map route10traffic permit 10
 match ip address 101
 set ip next-hop 10.1.2.1

I've configured my test PC with a static IP and the gateway pointing to 10.1.2.10 (VLAN 2 gateway), but I'm not able to route to 10.1.2.1. Any idea?

Thanks & Regards,

yeewensmc

7 Replies

Vivek Ganapathi
Enthusiast

Hello,

Have you tried the below?

access-list 101 permit ip 10.1.2.0 0.0.0.255 any
no cdp run
route-map route10traffic permit 10
 match ip address 101
 set interface <interface>
interface <interface>
 ip policy route-map route10traffic

Also, the config you posted doesn't show anything wrong; it should work fine. To troubleshoot further, check whether 10.1.2.0/24 exists in the routing table. Could you please post the show ip route output?

Vivek.

Dear Vivek,

I've entered

set interface gigabitethernet 1/0/6 (the trunk interface to my next firewall B)

but when I key in

interface gigabitethernet 1/0/6
ip policy route-map route10traffic (I don't have this command)

I've entered this instead:

access-list 101 permit ip 10.1.2.0 0.0.0.255 any
no cdp run
route-map route10traffic permit 10
 match ip address 101
 set ip next-hop 10.1.2.1
!
route-map route10trafic permit 10
 match ip address 101
 set interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/6
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip access-group 101 in

Will the ip access-group 101 in command replace ip policy route-map route10traffic?

Here's the show ip route output of my core switch:

CORE#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.1.18.71 to network 0.0.0.0

S    192.168.4.0/24 [1/0] via 10.1.18.6
     10.0.0.0/8 is variably subnetted, 22 subnets, 2 masks
S       10.10.0.0/16 [1/0] via 10.1.18.6
S       10.11.0.0/16 [1/0] via 10.1.18.6
C       10.1.9.0/24 is directly connected, Vlan9
S       10.1.8.0/24 [1/0] via 10.1.18.70
C       10.1.3.0/24 is directly connected, Vlan3
C       10.1.2.0/24 is directly connected, Vlan2
S       10.2.4.0/24 [1/0] via 10.1.18.6
C       10.1.7.0/24 is directly connected, Vlan7
C       10.1.6.0/24 is directly connected, Vlan6
C       10.1.5.0/24 is directly connected, Vlan5
C       10.1.4.0/24 is directly connected, Vlan4
C       10.1.18.0/24 is directly connected, Vlan18
S       10.20.2.0/24 [1/0] via 10.1.18.6
S       10.1.40.0/24 [1/0] via 10.1.18.6
S       10.1.33.0/24 [1/0] via 10.1.18.71
S       10.1.32.0/24 [1/0] via 10.1.18.6
S       10.1.36.0/24 [1/0] via 10.1.18.6
S       10.200.18.0/24 [1/0] via 10.1.18.6
S       10.200.19.0/24 [1/0] via 10.1.18.6
S       10.200.16.0/24 [1/0] via 10.1.18.6
S       10.200.17.0/24 [1/0] via 10.1.18.6
S       10.200.21.0/24 [1/0] via 10.1.18.6
C    192.168.1.0/24 is directly connected, Vlan1
S*   0.0.0.0/0 [1/0] via 10.1.18.71

Thanks Vivek for your reply; I'm looking forward to your next reply soon.

Dear Yee Wen Low,

Please try the below:

access-list 101 permit ip 10.1.2.0 0.0.0.255 any
no cdp run
route-map route10traffic permit 10
 match ip address 101
 set ip next-hop 10.1.2.1
interface vlan 2
 ip policy route-map route10traffic

And why do you use a trunk link between the 3750 switch and Firewall B?

Hi,


interface Vlan51
 ip policy route-map Net-access
!
route-map Net-access permit 10
 match ip address 170
 set ip default next-hop 10.28.1.100
!
access-list 170 permit ip 10.1.2.0 0.0.0.255 any


Please rate the helpful posts.
Regards,
Naidu.
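To make the difference between the configs in this thread concrete, here is an added example (my own code, not anything posted by the participants or by Cisco): a small Python model of how IOS policy-based routing picks a next hop on an SVI. It parses an IOS-style fragment containing the thread's ACL 101 and route-map route10traffic, plus the `ip policy route-map` line under interface Vlan2 that the original post never applied, and a three-entry subset of the posted `show ip route` table. The `route10default` route-map (using `set ip default next-hop`, as in Naidu's reply), the sample hosts 10.1.2.5, 10.1.9.5 and 8.8.8.8 and the reduced routing table are assumptions constructed for the example.

```python
# Added example (not code from the thread): a toy model of IOS policy-based
# routing on an SVI. It parses the constructed IOS-style fragment below and
# decides where a packet arriving on a VLAN interface is sent.
import ipaddress

# Thread's ACL 101 and route-map, plus the `ip policy route-map` line the
# original post never applied. `route10default` is an assumed extra route-map
# showing `set ip default next-hop`; it is not in the thread.
IOS_CONFIG = """
access-list 101 permit ip 10.1.2.0 0.0.0.255 any
route-map route10traffic permit 10
 match ip address 101
 set ip next-hop 10.1.2.1
route-map route10default permit 10
 match ip address 101
 set ip default next-hop 10.1.2.1
interface Vlan2
 ip policy route-map route10traffic
"""

# Subset of the thread's `show ip route`: prefix -> next hop (None = connected)
ROUTES = {"0.0.0.0/0": "10.1.18.71", "10.1.2.0/24": None, "10.1.9.0/24": None}


def _acl_addr(tokens):
    """Consume `any` or `<addr> <wildcard>` (IOS wildcard mask) from an ACL line."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(tokens[1])))
    return ipaddress.IPv4Network(f"{tokens[0]}/{netmask}", strict=False), tokens[2:]


def parse_config(text):
    """Return (acls, route_maps, policies) from an IOS-style fragment."""
    acls, route_maps, policies, ctx = {}, {}, {}, None
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] == "!":
            continue
        if tok[0] == "access-list":          # access-list N permit ip SRC DST
            src, rest = _acl_addr(tok[4:])
            acls.setdefault(tok[1], []).append((tok[2], src, _acl_addr(rest)[0]))
        elif tok[0] == "route-map":          # route-map NAME permit|deny SEQ
            ctx = ("rm", tok[1])
            route_maps.setdefault(tok[1], []).append({"action": tok[2]})
        elif tok[0] == "interface":
            ctx = ("if", tok[1])
        elif ctx and ctx[0] == "rm" and tok[:3] == ["match", "ip", "address"]:
            route_maps[ctx[1]][-1]["match"] = tok[3]
        elif ctx and ctx[0] == "rm" and tok[0] == "set" and tok[-2] == "next-hop":
            kind = "default next-hop" if "default" in tok else "next-hop"
            route_maps[ctx[1]][-1]["set"] = (kind, tok[-1])
        elif ctx and ctx[0] == "if" and tok[:3] == ["ip", "policy", "route-map"]:
            policies[ctx[1]] = tok[3]
    return acls, route_maps, policies


def acl_permits(acl, src, dst):
    """First-match evaluation with IOS's implicit deny at the end."""
    for action, s_net, d_net in acl:
        if src in s_net and dst in d_net:
            return action == "permit"
    return False


def lookup(dst):
    """Longest-prefix match against ROUTES -> (network, next_hop)."""
    hits = [(ipaddress.IPv4Network(p), nh) for p, nh in ROUTES.items()
            if dst in ipaddress.IPv4Network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)


def next_hop(ingress, src, dst, cfg):
    """Next hop for a transit packet arriving on `ingress`.

    A route-map bound to the ingress SVI with `ip policy` is checked before
    the routing table: `set ip next-hop` wins whenever the ACL matches (even
    for directly connected destinations), `set ip default next-hop` only when
    nothing more specific than the default route matches.
    """
    acls, route_maps, policies = cfg
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    net, rib_hop = lookup(dst)
    for entry in route_maps.get(policies.get(ingress), []):
        if not acl_permits(acls[entry["match"]], src, dst):
            continue
        if entry["action"] == "deny":
            break                                   # deny entry: route normally
        kind, hop = entry["set"]
        if kind == "next-hop" or net.prefixlen == 0:
            return hop, f"pbr: set ip {kind}"
        break                                       # a real route exists; use the RIB
    return rib_hop or f"connected:{net}", "routing table"


CFG = parse_config(IOS_CONFIG)


def results():
    """The cases discussed in the thread: case -> chosen next hop."""
    acls, rms, _ = CFG
    unapplied = (acls, rms, {})                    # route-map defined but never applied
    default_nh = (acls, rms, {"Vlan2": "route10default"})
    return {
        "unapplied": next_hop("Vlan2", "10.1.2.5", "8.8.8.8", unapplied)[0],
        "internet": next_hop("Vlan2", "10.1.2.5", "8.8.8.8", CFG)[0],
        "intervlan_next_hop": next_hop("Vlan2", "10.1.2.5", "10.1.9.5", CFG)[0],
        "intervlan_default": next_hop("Vlan2", "10.1.2.5", "10.1.9.5", default_nh)[0],
        "other_vlan": next_hop("Vlan9", "10.1.9.5", "8.8.8.8", CFG)[0],
    }
```

Running `results()` shows the two points the thread turns on. First, a route-map that is defined but never bound to an interface with `ip policy route-map` does nothing: the "unapplied" case still goes to 10.1.18.71 (Firewall A), which is the symptom in the original post. `ip access-group 101 in` is not a substitute: it applies the ACL as a filter, so with the implicit deny it would drop every inbound packet not sourced from 10.1.2.0/24 and steer nothing. Second, `set ip next-hop` also captures traffic to directly connected VLANs ("intervlan_next_hop" goes to 10.1.2.1, not to Vlan9), whereas `set ip default next-hop` only overrides the default route ("intervlan_default" stays connected). On the switch itself, `show ip policy` lists interface-to-route-map bindings, `show route-map route10traffic` shows match counters, and `debug ip policy` traces each decision; `ip policy` only affects transit traffic, so pings sourced from the switch are not policy-routed.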

Dear all,

I've encountered a problem while setting the commands below:

interface vlan 2
 ip policy route-map route10traffic

It prompts:

CORE(config-if)#

000252: *Aug 30 05:01:16.189 MYT: %PLATFORM_PBR-4-SDM_MISMATCH: PBR requires sdm template routing

I've googled it and found out that it has something to do with the SDM template:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_25_se/configuration/guide/swsdm.html

May I know if there would be any problem if I change my SDM template from default to sdm prefer routing? The switch hasn't been shut down for almost 25 weeks = 175 days.

CORE(config)# sdm prefer routing

Hi,

you'll have to reload for it to take effect.

Regards.

Alain

Don't forget to rate helpful posts.

Dear Mr Anh,

The trunk link is because Firewall B is located at another site, which is reached through a switch. My switch is a 3750 with 12 fibre ports. Interface 6 is the trunk link to the switch where my Firewall B is located.

Thanks & regards,

yeewensmc
