Does anyone know what would happen if a policy route-map is applied to a VLAN when the access-list does not include all the members of the VLAN?
1) Do the other members of the VLAN get dropped, or
2) Do the other members inherit the default route for the switch?
I understand that PBRs take precedence over static and default routes. I'm curious what happens to the members of that segment that are not listed in the access-list.
Here is an example:
- There is a network of 10.10.1.0/24 on VLAN 10
- The VLAN IP is 10.10.1.10
- The default switch gateway is 10.10.1.1
- There is an alternative gateway of 10.10.1.2
! Match HTTP & SSL traffic for a specific host
CAT3550(config)# access-list 100 permit tcp 10.10.1.11 0.0.0.0 any eq 80 443
CAT3550(config)# access-list 100 permit tcp 10.10.1.12 0.0.0.0 any eq 80 443
CAT3550(config)# route-map secureweb permit 10
CAT3550(config-route-map)# match ip address 100
CAT3550(config-route-map)# set ip next-hop 10.10.1.2
CAT3550(config-route-map)# end
CAT3550(config)# interface Vlan10
CAT3550(config-if)# ip policy route-map secureweb ***
CAT3550(config-if)# end
*** I am hoping this statement does not interfere with any other routing or extended access lists that have been applied to the VLAN, and that all other members of the subnet can behave as if nothing has changed.
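As an added illustration (not part of the original post), the following Python model encodes how IOS evaluates a policy route-map applied to an interface: a packet that matches the ACL of a permit sequence is sent to that sequence's set next-hop, while a packet that matches no sequence (or a deny sequence, or a permit with no set clause) falls through to the normal routing table, so the other hosts on VLAN 10 keep using the switch's default route rather than being dropped. The ACL, route-map and routing-table structures are constructed from the values in the post; the packets in the test are made up.

```python
import ipaddress
from typing import NamedTuple

class Packet(NamedTuple):
    src: str
    dst: str
    proto: str   # "tcp", "udp", "icmp", ...
    dport: int   # 0 when the protocol has no port

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 0 bit must equal the base address, a 1 bit is don't-care."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

# access-list 100 from the post: (source, source-wildcard, destination ports); destination is "any".
ACL_100 = [("10.10.1.11", "0.0.0.0", {80, 443}),
           ("10.10.1.12", "0.0.0.0", {80, 443})]

def acl_permits(acl, pkt: Packet) -> bool:
    """Top-down, first match wins; an extended ACL ends with an implicit 'deny ip any any'."""
    return any(pkt.proto == "tcp" and wildcard_match(pkt.src, src, wc) and pkt.dport in ports
               for src, wc, ports in acl)

# route-map secureweb from the post: (sequence, action, match ACL, 'set ip next-hop' or None)
ROUTE_MAP = [(10, "permit", ACL_100, "10.10.1.2")]

# Minimal RIB for the switch in the post: the connected VLAN 10 subnet plus the default route.
ROUTING_TABLE = [("10.10.1.0/24", "connected"), ("0.0.0.0/0", "10.10.1.1")]

def rib_lookup(dst: str) -> str:
    """Longest-prefix match over ROUTING_TABLE (the default route always matches)."""
    dst_ip = ipaddress.IPv4Address(dst)
    candidates = [(ipaddress.IPv4Network(p), nh) for p, nh in ROUTING_TABLE]
    candidates.sort(key=lambda t: t[0].prefixlen, reverse=True)   # most specific first
    return next(nh for net, nh in candidates if dst_ip in net)

def forward(pkt: Packet) -> tuple:
    """Next hop for a packet arriving on interface Vlan10. Route-map sequences are tried
    in order; the first whose match clause hits decides. A 'permit' sequence with a set
    clause policy-routes the packet; a 'deny' sequence, a permit without a set clause, or
    no match at all means normal routing, so hosts absent from the ACL are not dropped."""
    for _seq, action, acl, next_hop in ROUTE_MAP:
        if acl_permits(acl, pkt):
            if action == "permit" and next_hop:
                return ("pbr", next_hop)
            break
    return ("routing-table", rib_lookup(pkt.dst))
```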