Quick Question on ACL and PBR

visitor68
Level 4

Hi, folks. Looking at a L3 switch that has the following config:

access-list 100 permit ip host 10.10.10.5 any
access-list 100 permit ip host 10.10.10.8 any
access-list 100 permit ip host 10.10.10.45 any
access-list 100 permit ip host 172.16.5.65 any
access-list 100 permit ip host 10.30.10.5 any

access-list 101 permit ip host 192.168.2.3 any
access-list 101 permit ip host 192.168.2.4 any
access-list 101 permit ip host 192.168.2.22 any

route-map TO_SITE permit 10
 match ip address 100
 set ip next-hop 10.10.10.254

route-map TO_SITE permit 20
 match ip address 101
 set ip next-hop 10.10.11.254

interface vlan 10
 ip address 10.10.10.200 255.255.255.0
 ip policy route-map TO_SITE

interface vlan 11
 ip address 10.10.11.200 255.255.255.0
 ip policy route-map TO_SITE

I don't understand two things:

1.) There are 2 foundational ACLs for this route map, ACL 100 and 101. That route map is applied to 2 interfaces, vlan 10 and vlan 11, BUT ACL 100 is the foundational ACL that really applies to vlan 10 and ACL 101 for VLAN 11. Seems like they should be part of 2 different route maps.

2.) The ACL entries in foundational ACL 100 itself don't quite make sense. Although the first 3 do, the red ones do not. I am referring to the 10.30.10.5 and 172.16.5.65 addresses. These source addresses do NOT fall within the range of directly connected interfaces for VLAN 10. In other words, packets from those 2 addresses will never arrive at VLAN 10's interface for them to have to be PBR'd in the first place. CORRECT? Packets that arrive at the VLAN interface will have a source address in the 10.10.10.0/24 range and then they should get PBR'd, so what are those other ACL entries about? Or am I thinking about this wrong?

I'm thinking it's just some sloppiness in the config.

Thanks
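The two questions above are really one question: for each interface the route map is applied to, which ACL entries can actually match traffic entering that interface? The following script is an added example, not code from the original post or from Cisco; it parses a copy of the quoted configuration (the 10.x/172.16.x/192.168.x addresses are the poster's lab values), evaluates the route map the way IOS PBR does (sequences in order, first matching ACE decides, permit ACE in a permit sequence sets the next hop) and flags ACEs whose source host lies outside the ingress interface's connected subnet, which is exactly the "this entry can never see that source" reasoning in the question. The parser and the `dead_entries` check are my own simplified helpers and only understand the statement shapes present in this config.

```python
import ipaddress
import re

# Constructed copy of the configuration quoted in the question (lab addresses).
CONFIG = """
access-list 100 permit ip host 10.10.10.5 any
access-list 100 permit ip host 10.10.10.8 any
access-list 100 permit ip host 10.10.10.45 any
access-list 100 permit ip host 172.16.5.65 any
access-list 100 permit ip host 10.30.10.5 any
access-list 101 permit ip host 192.168.2.3 any
access-list 101 permit ip host 192.168.2.4 any
access-list 101 permit ip host 192.168.2.22 any
route-map TO_SITE permit 10
 match ip address 100
 set ip next-hop 10.10.10.254
route-map TO_SITE permit 20
 match ip address 101
 set ip next-hop 10.10.11.254
interface vlan 10
 ip address 10.10.10.200 255.255.255.0
 ip policy route-map TO_SITE
interface vlan 11
 ip address 10.10.11.200 255.255.255.0
 ip policy route-map TO_SITE
"""


def parse_config(text):
    """Minimal parser for the statement forms used in the config above (assumption:
    only 'host X any' ACEs, 'match ip address', 'set ip next-hop', 'ip address',
    'ip policy route-map'). Returns (acls, route_maps, interfaces)."""
    acls = {}        # acl number -> [(action, /32 network), ...] in config order
    route_maps = {}  # name -> [{"seq", "action", "acl", "next_hop"}, ...]
    interfaces = {}  # name -> {"network": connected subnet, "policy": route-map name}
    current = None   # ("rm", entry) or ("if", entry) for indented sub-lines
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"access-list (\d+) (permit|deny) ip host (\S+) any$", line)
        if m:
            acls.setdefault(m.group(1), []).append(
                (m.group(2), ipaddress.ip_network(m.group(3) + "/32")))
            continue
        m = re.match(r"route-map (\S+) (permit|deny) (\d+)$", line)
        if m:
            entry = {"seq": int(m.group(3)), "action": m.group(2), "acl": None, "next_hop": None}
            route_maps.setdefault(m.group(1), []).append(entry)
            current = ("rm", entry)
            continue
        m = re.match(r"interface (.+)$", line)
        if m:
            entry = {"network": None, "policy": None}
            interfaces[m.group(1)] = entry
            current = ("if", entry)
            continue
        if current and current[0] == "rm":
            m = re.match(r"match ip address (\d+)$", line)
            if m:
                current[1]["acl"] = m.group(1)
            m = re.match(r"set ip next-hop (\S+)$", line)
            if m:
                current[1]["next_hop"] = m.group(1)
        elif current and current[0] == "if":
            m = re.match(r"ip address (\S+) (\S+)$", line)
            if m:
                current[1]["network"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
            m = re.match(r"ip policy route-map (\S+)$", line)
            if m:
                current[1]["policy"] = m.group(1)
    return acls, route_maps, interfaces


def pbr_next_hop(cfg, ingress, src):
    """Return the next hop PBR would set for a packet from `src` entering `ingress`,
    or None when no sequence matches (the packet is routed normally)."""
    acls, route_maps, interfaces = cfg
    policy = interfaces[ingress]["policy"]
    if policy is None:
        return None
    src_ip = ipaddress.ip_address(src)
    for entry in sorted(route_maps[policy], key=lambda e: e["seq"]):
        # First ACE whose source matches decides whether this sequence matches.
        ace = next((a for a in acls.get(entry["acl"], []) if src_ip in a[1]), None)
        if ace is not None and ace[0] == "permit":
            return entry["next_hop"] if entry["action"] == "permit" else None
        # deny ACE or no matching ACE: this sequence does not match, try the next one
    return None


def dead_entries(cfg):
    """For each policy interface, list (sequence, source host) pairs whose source is
    outside that interface's connected subnet. Under the question's assumption that
    hosts only send from their own subnet, these ACEs can never match on that interface."""
    acls, route_maps, interfaces = cfg
    report = {}
    for name, intf in interfaces.items():
        if intf["policy"] is None:
            continue
        dead = []
        for entry in route_maps[intf["policy"]]:
            for _action, net in acls.get(entry["acl"], []):
                if not net.subnet_of(intf["network"]):
                    dead.append((entry["seq"], str(net.network_address)))
        report[name] = dead
    return report


CFG = parse_config(CONFIG)

if __name__ == "__main__":
    for intf, dead in dead_entries(CFG).items():
        print(intf, "unreachable ACEs:", dead)
    print("vlan 11 packet from 10.10.10.5 ->", pbr_next_hop(CFG, "vlan 11", "10.10.10.5"))
```

Run over the quoted config, the check flags 172.16.5.65 and 10.30.10.5 on vlan 10, as the question expects. Two caveats the output also makes visible: it flags every entry on vlan 11 as well, because 192.168.2.0/24 is not vlan 11's connected subnet either, so whether ACL 101 ever matches there depends on some router in VLAN 11 forwarding those sources, which the post does not say; and because one route map is applied to both interfaces, a packet carrying a 10.10.10.x source that enters vlan 11 (spoofed, or relayed by a device in that VLAN) is still policy-routed to 10.10.10.254 by sequence 10. That cross-interface matching is the cost of sharing the route map that the accepted reply's "PBR per interface" suggestion avoids.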

Accepted Solution

Philip D'Ath
VIP Alumni

If it was me I would probably have created a PBR per interface, but that is the way I like doing it. Then if you need to change something in the future you can understand the impact quickly. When it is applied to lots of interfaces you need to take more care.

Correct, if access-list 100 can never see those source IP addresses then those two lines have no impact and can be removed.

