Solved

CISCO Policy Based Routing

Posted on 2014-09-30
444 Views
Last Modified: 2014-09-30
Hi,

I have a quick question on PBR. If I have multiple IPs that I want to use PBR for, do I need to create a policy for each unique IP, or can I do the following? We want to do load balancing between ISPs, and the following have NAT policies. Or do I need to create a policy for each IP and assign it to my VLAN?

access-list 10 deny ip host 192.16.1.1 10.2.0.4 255.255.255.255 (deny this gateway)
access-list 10 deny ip host 192.16.2.2 10.2.0.4 255.255.255.255 (deny this gateway)
access-list 10 deny ip host 192.16.3.3 10.2.0.4 255.255.255.255 (deny this gateway)
access-list 10 permit 192.168.1.1 any (added any so that it can get to other vlans)
access-list 10 permit 192.168.2.2 any (added any so that it can get to other vlans)
access-list 10 permit 192.168.3.3 any (added any so that it can get to other vlans)

Created policy:
route-map OldASA permit 10
match ip address 10
set ip next-hop 10.2.0.3 (original gateway with NAT policies)

Assigned policy to vlan16

ip policy route-map OldASA

Thank you for your help in advance
Question by:thomasm1948
9 Comments
LVL 28

Expert Comment

by:Predrag Jovic
ID: 40352587
You can use an ACL, but not an extended ACL with the signature of a standard one :)

If you use a standard access list (access-list 10), you can't have any at the end of the command :)

access-list 10 permit 192.168.1.1
access-list 10 permit 192.168.2.2
access-list 10 permit 192.168.3.3  

You apply the ACL to the interface:
interface vlan 16
ip policy route-map OldASA

And you also need to do the following (on an L3 switch) if you want PBR to work on a VLAN:

Switch(config)# sdm prefer routing
Switch(config)# end
Switch# reload
0
 

Author Comment

by:thomasm1948
ID: 40352706
How would I configure the route map? Would it be the same as
route-map OldASA permit 10
 match ip address 10
 set ip next-hop 10.2.0.3

and then apply it to the VLAN:

int policy route-map OldASA

Switch(config)# sdm prefer routing
 Switch(config)# end
 Switch# reload
0
 

Author Comment

by:thomasm1948
ID: 40352708
Also, would those IP addresses still have access to all of the other VLANs that are configured on the core L3 switch?
0
LVL 28

Accepted Solution

by:
Predrag Jovic earned 500 total points
ID: 40352935
If you are asking whether you can use an ACL as the address, yes you can.
It is the usual way to configure a route-map.

You can't apply policy based routing to a VLAN, as far as I know.
Applying a route map to a VLAN interface is applying the route-map to the VLAN.

If you don't configure your PBR and your ACLs carefully, you can end up with routing like the one in the picture.
So I can't really tell you whether you will still be able to access other VLANs; that depends on other parts of the configuration, not just on PBR.

PBR and what can happen later :)
0
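The accepted answer leaves two points implicit that decide whether the other VLANs stay reachable: in a route-map ACL a deny entry means "do not policy-route this packet" (it falls through to the normal routing table rather than being dropped), and the masks in an IOS ACL are wildcard masks, so a mask of 255.255.255.255 matches every address while 0.0.0.0 (or the host keyword) matches exactly one. The following configuration is an added example, not from the thread or from Cisco documentation; it assumes the internal VLANs are summarised as 10.0.0.0/8 and 192.168.0.0/16 (placeholder ranges) and reuses the 10.2.0.3 next hop and the three hosts from the question. The optional IP SLA tracking at the end makes the policy fall back to normal routing if the old ASA stops answering, so a dead next hop does not silently black-hole those hosts.

```cisco
! Added example: PBR for selected hosts on VLAN 16 with inter-VLAN traffic
! excluded from the policy. Internal summaries below are placeholders.
!
! Named extended ACL (the extended form is what allows a destination
! and the "any" keyword; a standard numbered ACL cannot take them).
! Entries are evaluated top-down, first match wins.
ip access-list extended PBR-OLDASA
 remark --- deny = do NOT policy-route; use the normal routing table ---
 remark --- so traffic to other internal VLANs keeps working        ---
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 remark --- only these hosts are sent to the old ASA (NAT lives there) ---
 permit ip host 192.168.1.1 any
 permit ip host 192.168.2.2 any
 permit ip host 192.168.3.3 any
 remark --- implicit deny: every other host on VLAN 16 routes normally ---
!
! Optional reachability check for the next hop (assumption: you want
! fallback to normal routing when 10.2.0.3 is down).
ip sla 1
 icmp-echo 10.2.0.3 source-interface Vlan16
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
! One route-map serves all hosts; no need for a policy per IP.
route-map OldASA permit 10
 match ip address PBR-OLDASA
 set ip next-hop verify-availability 10.2.0.3 10 track 1
!
! Without tracking, the plain form is:  set ip next-hop 10.2.0.3
!
! PBR is applied to the SVI of the VLAN the hosts live in.
interface Vlan16
 ip policy route-map OldASA
!
! As noted earlier in the thread, Catalyst L3 switches need the routing
! SDM template before PBR takes effect:
!   sdm prefer routing
!   reload
!
! Verification (read-only):
!   show ip access-lists PBR-OLDASA   (hit counters per entry)
!   show route-map OldASA             (policy routing matches)
!   show ip policy                    (which interfaces carry a policy)
!   show track 1                      (next-hop reachability state)
```

With this ordering, a packet from 192.168.1.1 to another internal VLAN hits a deny entry and is routed by the switch's routing table as before, while the same host's Internet-bound traffic matches the permit entry and is handed to 10.2.0.3. Swapping the deny and permit lines would send everything from those hosts to the old ASA, which is the situation the accepted answer warns about.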
 

Author Comment

by:thomasm1948
ID: 40352956
I do not see int policy route-map under the global config. If I go to int vlan 16 then I see ip policy route-map.
0
 
LVL 28

Expert Comment

by:Predrag Jovic
ID: 40352961
That is what I'm trying to tell you.

Applying route map to VLAN interface is applying route-map to VLAN.

You wrote:
Vlan 16
int policy route-map OldASA

Probably just bad communication, and we are talking about the same thing. :)
0
 

Author Comment

by:thomasm1948
ID: 40352985
Sorry, I misread your statement.

So I might want to use access-list permit extended 192.168.1.1 any then, just to make sure. I'm confused on this one, I have to admit.
0
 
LVL 28

Expert Comment

by:Predrag Jovic
ID: 40353004
Yes, you can use an ACL in that manner.
0
 

Author Closing Comment

by:thomasm1948
ID: 40353074
Thank you for all of your help
0