Serious problem with PBR and Inter-VLAN routing

MJ.Khaani · ‎06-18-2016

Hi.

I have problem with inter-vlan routing and pbr on Cisco switch 3750G. Previously i posted topic for this problem and it fixed for short time.

I tried every possible solution that i know of, but nothing worked.

Here is my network diagram.

I have 3 vlan and each vlan have different internet. each client must see clients in other vlans. So i used inter vlan routing for local routes and PBR for internet routing but on any circumstances local traffic go through mikrotik router not inter-vlan routing.

So please help me out to config this switch.

My mind is going to explode.

Francesco Molino · ‎06-18-2016

Hi

could you send the final config?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

MJ.Khaani · ‎06-18-2016

Hi

this is final config

Francesco Molino · ‎06-18-2016

Hi

I've made a quick documentation as lot of people are asking for PBR.

In my example PBR is done on R5. If you don't have this R5 in your environment, you can do the PBR on the L3 switch but you need to be careful to deny the communication between LANs. You will see on my ACL.

Hope this helps.

PS: Please don't forget to rate and mark as correct answer if this solved your issue.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

MJ.Khaani · ‎06-19-2016

Hi

Thanks for your documentation

In your example (R5) you have two router one of them for inter-vlan routing(R1) and the next one used for pbr, but i have one L3 switch for pbr and inter-vlan routing.

Francesco Molino · ‎06-19-2016

It's the same thing. You can configure everything on your multilayer switch. The only thing on multilayer is (if I remember good for 3750 as example) that it will not support deny statement on ACL. Otherwise the rest is fine.

In your config, I see that you are applying some acl as well inbound on your SVI. You are missing 1 statement. Let's take an example with acl 103:

This is your acl

access-list 103 permit udp any eq bootpc any eq bootps
access-list 103 permit ip 192.168.3.0 0.0.0.255 any

Before the last statement I will add 1 line:

access-list 103 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255 ==> This will allow intervlan communication.

Thanks

PS: Please don't forget to rate and mark as correct answer if this solved your issue

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

MJ.Khaani · ‎06-19-2016

Hi

Thanks for reply.

I think the acl that you add is no different from the last acl, both of them will match local traffic and send it to next hop.

Francesco Molino · ‎06-20-2016

The acl 103 you've applied inbound on your SVI drops traffic coming from other subnets.

That's why if you had a statement that allows all internal subnets your intervlan traffic will not be dropped.

To test, on your acl 103, if you had a deny ip any any log at the end you will be able to see that traffic from another Vlan is dropped.

Hope this more clear.

Thanks

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

paul driver · ‎06-18-2016

Hello

but on any circumstances local traffic go through mikrotik router not inter-vlan routing.

In that case have the router perform the inter-vlan routing using sub-interfaces for each vlan and the 3750 as a layer 2 host switch

Res

paul

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul