Status: Solved

Cisco 3750 Policy Based Routing

I have a network where all my workstations are connected to a Cisco 3750 and we use VLANs to segment areas.

All VLANs have gateways set to their respective VLAN interface IP.

I am trying to use Policy Based Routing to send traffic from the 10.0.12.x network out through the ASA 5505 and the traffic from the 10.0.13.x network out through the Cisco 5510.

I also use Policy Based Routing in the Cisco perimeter router (2811) to direct ASA 5505 traffic out to the Sprint ISP and the ASA 5510 traffic out through the Comcast ISP.

I cannot get the policy based routing to work in the Cisco 3750. Everything works well in the 2811.

For testing purposes I have set the ACL to accept traffic from one host in the 10.0.13.x network instead of the whole range of ip addresses.


Network Diagram
interface Vlan1
 ip address 10.0.66.6 255.255.0.0
 ip policy route-map FiberTraffic
!
 ip policy-list route-map permit
!
!
ip access-list extended FiberTraffic
 permit ip host 10.0.13.10 any
!
logging 10.0.13.10
route-map FiberRouteMap permit 10
 match ip address FiberTraffic
 set ip next-hop 172.31.1.1

Asked by spencerturbine

Soulja commented:
Shouldn't

ip policy route-map FiberTraffic

be

ip policy route-map FiberRouteMap
jmeggers (Sr. Network and Security Engineer) commented:
Yes, it should.
rochey2009 commented:
Hi,

You only need one route-map

access-list 1 permit a.b.c.d

access-list 2 permit e.f.g.h

route-map PBR permit 10
 match ip address 1
 set ip next-hop i.j.k.l

route-map PBR permit 20
 match ip address 2
 set ip next-hop m.n.o.p

apply to each ingress interface

int vlan 1
 ip policy route-map PBR
spencerturbine (Author) commented:
This type of config seems to interrupt intra VLAN traffic. I am also getting next hop rejected messages.

Maybe I should have been more clear in that I want all internet traffic to go through the ASA 5505 with the exception of the 10.0.13.x/24 range of IP addresses within VLAN 1.
spencerturbine (Author) commented:
Oh... and I want the 10.0.13.x/24 range of IP addresses to go through the ASA 5510

rochey2009 commented:
Please can you post the latest config.
ipajones commented:
The routed port on the switch (172.31.1.2) and the 5510 inside interface (172.16.31.1) are not in the same subnet, unless the diagram is incorrect?

So with this "set ip next-hop 172.31.1.1" you're setting the next hop to 172.31.1.1, BUT according to the diagram the inside interface in the 5510 is 172.16.31.1.

Can you clarify the IP addresses assigned to the interfaces and post your config?

--IJ
spencerturbine (Author) commented:
Sorry, that was a typo on the diagram. I got too used to typing 172.16. I have never used 173.31 before now.

Here is a sanitized version of the config.

Current configuration : 15687 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
!
hostname x
!
enable secret 5 x
!
no aaa new-model
clock timezone UTC x
clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
switch 1 provision ws-c3750g-24t
switch 2 provision ws-c3750-48ts
switch 3 provision ws-c3750-48ts
switch 4 provision ws-c3750-48ts
udld aggressive

ip subnet-zero
ip routing
ip name-server x
ip name-server x
!
!
mls qos map cos-dscp 0 8 16 26 32 46 46 56
!
!
macro global description cisco-global
dot1x system-auth-control
errdisable recovery cause link-flap
errdisable recovery interval 60
no file verify auto
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
interface GigabitEthernet1/0/1
 no switchport
 ip address 172.31.1.2 255.255.255.252
 no mdix auto
!
interface FastEthernet2/0/1
 no switchport
 ip address 10.10.0.1 255.255.255.252
!
interface Vlan1
 ip address 10.0.66.6 255.255.0.0
 ip policy route-map FiberTraffic
!
interface Vlan2
 ip address 10.2.0.1 255.255.0.0
!
interface Vlan3
 ip address 10.3.0.1 255.255.0.0
!
interface Vlan4
 ip address 10.4.0.1 255.255.0.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.0.2
ip http server
!
ip policy-list route-map permit
!
!
ip access-list extended FiberTraffic
 permit ip host 10.0.13.10 any
!

route-map FiberRouteMap permit 10
 match ip address FiberTraffic
 set ip next-hop 172.31.1.1
!
!
control-plane
!
end
ipajones commented:
This command "ip policy route-map FiberTraffic" under the VLAN1 SVI needs to be "ip policy route-map FiberRouteMap" (as per @Soulja's first post) so the route map is assigned to the interface, not the name of the ACL. Have you tried changing this and then testing?
--IJ
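Both faults raised in this thread (an SVI whose "ip policy route-map" names the ACL rather than the route-map, and a next-hop address that sits on no connected subnet) can be caught by reading the running config before it is deployed. The script below is an added example for this page, not code from the thread or from any Cisco tool. It parses an IOS-style config constructed inline to mirror the one posted above (the FiberTraffic/FiberRouteMap mix-up and an unreachable next-hop are deliberately included, and a second route-map sequence in the style rochey2009 suggested is added), then reports dangling route-map references, dangling ACL references, and next-hops outside every connected subnet. Function names and the sample text are the example's own.

```python
import ipaddress
import re

# Constructed sample modelled on the config posted in the thread. Vlan1 points
# at the ACL name instead of the route-map, sequence 20 matches an ACL that is
# never defined, and its next-hop 172.16.31.1 lies on no connected subnet.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 no switchport
 ip address 172.31.1.2 255.255.255.252
!
interface FastEthernet2/0/1
 no switchport
 ip address 10.10.0.1 255.255.255.252
!
interface Vlan1
 ip address 10.0.66.6 255.255.0.0
 ip policy route-map FiberTraffic
!
ip access-list extended FiberTraffic
 permit ip host 10.0.13.10 any
!
access-list 2 permit 10.0.12.0 0.0.0.255
!
route-map FiberRouteMap permit 10
 match ip address FiberTraffic
 set ip next-hop 172.31.1.1
route-map FiberRouteMap permit 20
 match ip address 2 NoSuchAcl
 set ip next-hop 172.16.31.1
"""


def parse_config(text):
    """Extract interfaces, ACL names and route-map sequences from IOS config text.

    Returns (interfaces, acls, route_maps) where
      interfaces: {name: {"addrs": [IPv4Interface], "policy": route-map name or None}}
      acls:       set of ACL names and numbers defined anywhere in the config
      route_maps: {name: [{"seq": int, "match_acls": [...], "next_hops": [...]}]}
    """
    interfaces, acls, route_maps = {}, set(), {}
    section = None  # ("interface", name) or ("route-map", entry) while inside a block
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        indented = raw.startswith(" ")
        line = raw.strip()
        if not indented:
            # A non-indented line starts a new global command; close any open block.
            section = None
            if m := re.match(r"interface (\S+)$", line):
                interfaces[m.group(1)] = {"addrs": [], "policy": None}
                section = ("interface", m.group(1))
            elif m := re.match(r"ip access-list (?:standard|extended) (\S+)$", line):
                acls.add(m.group(1))
            elif m := re.match(r"access-list (\d+) ", line):
                acls.add(m.group(1))
            elif m := re.match(r"route-map (\S+) (?:permit|deny) (\d+)$", line):
                entry = {"seq": int(m.group(2)), "match_acls": [], "next_hops": []}
                route_maps.setdefault(m.group(1), []).append(entry)
                section = ("route-map", entry)
            continue
        if section is None:
            continue
        if section[0] == "interface":
            iface = interfaces[section[1]]
            if m := re.match(r"ip address (\S+) (\S+)$", line):
                # ipaddress accepts "address/netmask" for IPv4.
                iface["addrs"].append(ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}"))
            elif m := re.match(r"ip policy route-map (\S+)$", line):
                iface["policy"] = m.group(1)
        else:
            entry = section[1]
            if m := re.match(r"match ip address (.+)$", line):
                entry["match_acls"].extend(m.group(1).split())
            elif m := re.match(r"set ip next-hop (.+)$", line):
                entry["next_hops"].extend(m.group(1).split())
    return interfaces, acls, route_maps


def lint_pbr(text):
    """Return a list of findings about PBR references in the given config text."""
    interfaces, acls, route_maps = parse_config(text)
    connected = [a.network for i in interfaces.values() for a in i["addrs"]]
    findings = []
    for name, iface in interfaces.items():
        pol = iface["policy"]
        if pol and pol not in route_maps:
            hint = " (an ACL of that name exists; did you mean the route-map?)" if pol in acls else ""
            findings.append(f"{name}: ip policy route-map {pol} refers to an undefined route-map{hint}")
    for rm, entries in route_maps.items():
        if not any(i["policy"] == rm for i in interfaces.values()):
            findings.append(f"route-map {rm} is defined but applied to no interface")
        for e in entries:
            for acl in e["match_acls"]:
                if acl not in acls:
                    findings.append(f"route-map {rm} seq {e['seq']}: match ip address {acl} refers to an undefined ACL")
            for hop in e["next_hops"]:
                # A PBR next-hop must be on a directly connected subnet to be usable.
                if not any(ipaddress.IPv4Address(hop) in net for net in connected):
                    findings.append(f"route-map {rm} seq {e['seq']}: next-hop {hop} is on no connected subnet")
    return findings


if __name__ == "__main__":
    for finding in lint_pbr(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the script flags Vlan1's reference to FiberTraffic (with the hint that an ACL of that name exists), notes that FiberRouteMap is consequently applied nowhere, and reports the undefined ACL and the unreachable 172.16.31.1 next-hop in sequence 20; 172.31.1.1 passes because it falls inside the 172.31.1.0/30 on GigabitEthernet1/0/1. Correcting the SVI line to FiberRouteMap clears the first two findings.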
spencerturbine (Author) commented:
Any suggestions or comments on how I should award the points?

Soulja's answer was correct. I thought I made that fix but apparently I did not. Now that I have made sure FiberRouteMap was used instead of FiberTraffic, everything seems to be working OK.

I am leaning towards awarding all the points to Soulja unless anyone feels different.
Soulja commented:
Of course they don't feel different. ;-)
ipajones commented:
Not a problem as far as I'm concerned; as I indicated in my post, I was only reiterating what @Soulja had already stated.

Glad it's now working and hope you fixed your diagram too!
--IJ
spencerturbine (Author) commented:
Thanks for the help everyone!