Solved

CISCO Policy Based Routing

Posted on 2014-09-30
470 Views
Last Modified: 2014-09-30
Hi,

I have a quick question on PBR. If I have multiple IPs that I want to use PBR with, do I need to create a policy for each unique IP, or can I do the following? We want to do load balancing between ISPs, and the following have NAT policies. Or do I need to create a policy for each IP and assign it to my VLAN?

access-list 10 deny ip host 192.16.1.1 10.2.0.4 255.255.255.255 (deny this gateway)
access-list 10 deny ip host 192.16.2.2 10.2.0.4 255.255.255.255 (deny this gateway)
access-list 10 deny ip host 192.16.3.3 10.2.0.4 255.255.255.255 (deny this gateway)
access-list 10 permit 192.168.1.1 any (added any so that it can get to other vlans)
access-list 10 permit 192.168.2.2 any (added any so that it can get to other vlans)
access-list 10 permit 192.168.3.3 any (added any so that it can get to other vlans)

Created policy:
route-map OldASA permit 10
match ip address 10
set ip next-hop 10.2.0.3 (original gateway with NAT policies)

Assigned policy to vlan16

ip policy route-map OldASA

Thank you for your help in advance
Question by:thomasm1948
9 Comments
 
LVL 31

Expert Comment

by:Predrag
ID: 40352587
You can use an ACL, but not an extended ACL with the signature of a standard one :)

If you use a standard access list (access-list 10) you can't have "any" at the end of the command :)

access-list 10 permit 192.168.1.1
access-list 10 permit 192.168.2.2
access-list 10 permit 192.168.3.3  

You apply the ACL to the interface:
interface vlan 16
ip policy route-map OldASA

And you also need to do the following (on an L3 switch) if you want PBR to work on a VLAN:

Switch(config)# sdm prefer routing
Switch(config)# end
Switch# reload
Author Comment

by:thomasm1948
ID: 40352706
How could I configure the route map? Would it be the same as
route-map OldASA permit 10
 match ip address 10
 set ip next-hop 10.2.0.3

and then apply it to the VLAN

int policy route-map OldASA

Switch(config)# sdm prefer routing
 Switch(config)# end
 Switch# reload
Author Comment

by:thomasm1948
ID: 40352708
Also, would those IP addresses still have access to all of the other VLANs that are configured on the core L3 switch?
LVL 31

Accepted Solution

by:Predrag (earned 2000 total points)
ID: 40352935
If you are asking whether you can use an ACL as the address, yes you can.
It is the usual way to configure a route-map.

You can't apply policy-based routing to a VLAN, as far as I know.
Applying a route map to a VLAN interface is applying the route-map to the VLAN.

If you don't do your PBR and your ACLs carefully, you can end up with routing like the one in the picture.
So I can't really tell you whether you will still be able to access other VLANs; that depends on other parts of the configuration, not just on PBR.

PBR and what can happen later :)
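Added example (my own, not from the thread or from Cisco) modelling the two points made above: a standard ACL matches on source only, so it cannot exclude the 10.2.0.4 gateway or the other VLANs from the policy, while an extended ACL can, and a "deny" in the matched ACL does not drop the packet but leaves it to normal routing. The extended ACL number, the 192.168.0.0/16 "other VLANs" range and the routing-table next hop are assumptions.

```python
import ipaddress

# Constructed model of how a route-map's "match ip address <acl>" decides
# whether "set ip next-hop" applies. Simplifications (assumptions, not IOS
# internals): prefixes instead of wildcard masks, no next-hop reachability check.
ANY = "0.0.0.0/0"

# The standard ACL from the expert's answer: entries match on source only.
STANDARD_ACL_10 = [
    ("permit", "192.168.1.1"),
    ("permit", "192.168.2.2"),
    ("permit", "192.168.3.3"),
]

# Hypothetical extended ACL (assumed number 110): first stop the policy from
# catching traffic to the 10.2.0.4 gateway and to an assumed internal range
# 192.168.0.0/16 (other VLANs), then permit everything else from the hosts.
EXTENDED_ACL_110 = [
    ("deny", "192.168.1.1", "10.2.0.4"),
    ("deny", "192.168.2.2", "10.2.0.4"),
    ("deny", "192.168.3.3", "10.2.0.4"),
    ("deny", "192.168.0.0/16", "192.168.0.0/16"),  # assumed other-VLAN range
    ("permit", "192.168.1.1", ANY),
    ("permit", "192.168.2.2", ANY),
    ("permit", "192.168.3.3", ANY),
]


def acl_permits(acl, src, dst):
    """First-match evaluation. Standard entries are (action, src); extended
    entries are (action, src, dst). Falling off the end is the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for entry in acl:
        action, src_net = entry[0], ipaddress.ip_network(entry[1])
        dst_net = ipaddress.ip_network(entry[2]) if len(entry) == 3 else None
        if s in src_net and (dst_net is None or d in dst_net):
            return action == "permit"
    return False


def next_hop(acl, src, dst, table_hop):
    """route-map OldASA permit 10 / match ip address <acl> / set ip next-hop
    10.2.0.3: permitted packets are policy-routed to 10.2.0.3; a deny or no
    match means the packet follows the normal routing table (table_hop)."""
    return "10.2.0.3" if acl_permits(acl, src, dst) else table_hop


if __name__ == "__main__":
    for acl, name in ((STANDARD_ACL_10, "standard"), (EXTENDED_ACL_110, "extended")):
        print(name, "192.168.1.1 -> 10.2.0.4 via", next_hop(acl, "192.168.1.1", "10.2.0.4", "table"))
```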
Author Comment

by:thomasm1948
ID: 40352956
I do not see int policy route-map under the global config. If I go to int vlan 16 then I see ip policy route-map.
LVL 31

Expert Comment

by:Predrag
ID: 40352961
That is what I'm trying to tell you.

Applying route map to VLAN interface is applying route-map to VLAN.

You wrote
Vlan 16
int policy route-map OldASA

Probably just bad communication, and we are talking about the same thing. :)
Author Comment

by:thomasm1948
ID: 40352985
Sorry, I misread your statement.

So I might want to use access-list permit extended 192.168.1.1 any then, just to make sure. I'm confused on this one, I have to admit.
LVL 31

Expert Comment

by:Predrag
ID: 40353004
Yes, you can use an ACL in that manner.
Author Closing Comment

by:thomasm1948
ID: 40353074
Thank you for all of your help