03-02-2016 08:01 PM - edited 03-08-2019 04:48 AM
Hi, folks. Looking at a L3 switch that has the following config:
route-map TO_SITE permit 10
match ip address 100
set ip next-hop 10.10.10.254
route-map TO_SITE permit 20
match ip address 101
set ip next-hop 10.10.11.254
interface vlan 10
 ip address 10.10.10.200 255.255.255.0
 ip policy route-map TO_SITE
interface vlan 11
 ip address 10.10.11.200 255.255.255.0
 ip policy route-map TO_SITE
I don't understand two things:
1.) There are 2 foundational ACLs for this route map, ACL 100 and 101. That route map is applied to 2 interfaces, vlan 10 and vlan 11, BUT ACL 100 is the foundational ACL that really applies to vlan 10 and ACL 101 for VLAN 11. Seems like they should be part of 2 different route maps.
2.) The ACL entries in foundational ACL 100 itself don't quite make sense. Although the first 3 do, the red ones do not. I am referring to the 10.30.10.5 and 172.16.5.65 addresses. These source addresses do NOT fall within the range of directly connected interfaces for VLAN 10. In other words, packets from those 2 addresses will never arrive at VLAN 10's interface for them to have to be PBR'd in the first place. CORRECT? Packets that arrive at the VLAN interface will have a source address in the 10.10.10.0/24 range and then they should get PBR'd, so what are those other ACL entries about? Or am I thinking about this wrong?
I'm thinking it's just some sloppiness in the config.
Thanks
03-02-2016 08:22 PM
If it were me I would probably have created a PBR per interface, but that is the way I like doing it. Then if you need to change something in the future you can understand the impact quickly. When it is applied to lots of interfaces you need to take more care.
Correct, if access-list 100 can never see those source IP addresses then those two lines have no impact and can be removed.
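To make the two points in this answer checkable rather than eyeballed, here is a small audit script (an added example, not part of the original thread and not a Cisco tool). It models the route-map, the interfaces and the ACLs, and for each interface the route-map is applied on it reports which ACL entries can match non-spoofed traffic entering there (source prefix overlapping the interface's connected subnet). The ACL contents are assumed: the post only names the stray hosts 10.30.10.5 and 172.16.5.65, so ACL 100 and 101 below are constructed around the addresses the thread mentions.

```python
"""Audit a shared PBR route-map: for each interface it is applied on, report
which ACL entries can actually match traffic entering that interface.
Added example modelled on the thread; the ACL bodies are assumed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str                       # "permit" or "deny"
    source: ipaddress.IPv4Network     # source prefix; host entries are /32


@dataclass(frozen=True)
class Clause:
    seq: int                          # route-map sequence number
    acl: int                          # "match ip address <acl>"
    next_hop: str                     # "set ip next-hop <addr>"


@dataclass(frozen=True)
class Interface:
    name: str
    address: ipaddress.IPv4Interface  # connected subnet derives from address/mask
    policy: str                       # route-map name from "ip policy route-map"


def entry_reachable(entry: AclEntry, ifc: Interface) -> bool:
    """True if a non-spoofed packet with this source could enter on ifc,
    i.e. the entry's source prefix overlaps the interface's connected subnet."""
    return entry.source.overlaps(ifc.address.network)


def audit(route_maps, acls, interfaces):
    """Return {interface_name: {(seq, acl): [(entry, reachable), ...]}}."""
    report = {}
    for ifc in interfaces:
        per_clause = {}
        for clause in route_maps[ifc.policy]:
            per_clause[(clause.seq, clause.acl)] = [
                (e, entry_reachable(e, ifc)) for e in acls[clause.acl]
            ]
        report[ifc.name] = per_clause
    return report


def dead_entries(report):
    """(interface, acl, entry) for entries that can never match legitimate
    traffic on that interface: candidates for removal, as the answer says."""
    return [
        (ifc, acl, e)
        for ifc, clauses in report.items()
        for (_seq, acl), entries in clauses.items()
        for e, ok in entries
        if not ok
    ]


def dead_clauses(report):
    """(interface, seq, acl) for clauses none of whose entries can match there;
    shows that a shared route-map only works because the ACLs partition sources."""
    return [
        (ifc, seq, acl)
        for ifc, clauses in report.items()
        for (seq, acl), entries in clauses.items()
        if not any(ok for _e, ok in entries)
    ]


# Constructed sample data (assumed ACL contents, built from the thread's addresses).
ROUTE_MAPS = {
    "TO_SITE": [Clause(10, 100, "10.10.10.254"), Clause(20, 101, "10.10.11.254")],
}
ACLS = {
    100: [
        AclEntry("permit", ipaddress.ip_network("10.10.10.0/24")),
        AclEntry("permit", ipaddress.ip_network("10.30.10.5/32")),
        AclEntry("permit", ipaddress.ip_network("172.16.5.65/32")),
    ],
    101: [AclEntry("permit", ipaddress.ip_network("10.10.11.0/24"))],
}
INTERFACES = [
    Interface("Vlan10", ipaddress.ip_interface("10.10.10.200/24"), "TO_SITE"),
    Interface("Vlan11", ipaddress.ip_interface("10.10.11.200/24"), "TO_SITE"),
]

if __name__ == "__main__":
    rep = audit(ROUTE_MAPS, ACLS, INTERFACES)
    for ifc, acl, e in dead_entries(rep):
        print(f"{ifc}: ACL {acl} entry '{e.action} {e.source}' can never match here")
    for ifc, seq, acl in dead_clauses(rep):
        print(f"{ifc}: route-map clause {seq} (ACL {acl}) is dead on this interface")
```

Run against the constructed data, the two stray host entries in ACL 100 come out as unmatchable on Vlan10, and clause 20 is dead on Vlan10 while clause 10 is dead on Vlan11, which is the shared-route-map shape the answer prefers to avoid. The overlap test deliberately ignores spoofed sources: an entry flagged here can only ever match traffic that claims a source it cannot legitimately have, so dropping the entry is best paired with ingress anti-spoofing on the same interface.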