CISCO Policy Based Routing

Hi,

I have a quick question on PBR.  if I have multiple IPs that I want use PBR, do I need to create a policy for each unique IP or can I do the following.  we want to do load balancing between ISPs and the following have NAT policies.  Or do I need to create a policy for each IP and assign it to my vlan

access-list 10 deny ip host 192.16.1.1 10.2.0.4 255.255.255.255 (deny this gateway)
access-list 10 deny ip host 192.16.2.2 10.2.0.4 255.255.255.255 (deny this gateway)
access-list 10 deny ip host 192.16.3.3 10.2.0.4 255.255.255.255 (deny this gateway)
access-list 10 permit 192.168.1.1 any (added any so that it can get to other vlans)
access-list 10 permit 192.168.2.2 any (added any so that it can get to other vlans)
access-list 10 permit 192.168.3.3 any (added any so that it can get to other vlans)

Created policy:
route-map OldASA permit 10
match ip address 10
set ip next-hop 10.2.0.3 (orgonal gateway with NAT policies)

Assigned policy to vlan16

ip policy route-map OldASA

Thank you for your help in advance
thomasm1948Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

JustInCaseCommented:
You can use ACL but not extended ACL with signature of standard :)

If you use standard access list (access-list 10) you can't have any at the end of command  
:)

access-list 10 permit 192.168.1.1
access-list 10 permit 192.168.2.2
access-list 10 permit 192.168.3.3  

you apply ACL to interface
interface vlan 16
ip policy route-map OldASA

And you need also do next (on L3 switch) if you want PBR to work on VLAN

Switch(config)# sdm prefer routing
Switch(config)# end
Switch# reload
0
thomasm1948Author Commented:
How could I configure the route map.  Would it be the same as
route-map OldASA permit 10
 match ip address 10
 set ip next-hop 10.2.0.3

and then apply it to the vlan

int policy route-map OldASA

Switch(config)# sdm prefer routing
 Switch(config)# end
 Switch# reload
0
thomasm1948Author Commented:
also would the those ip addresses still have access to all of the other vlans that are configured on the core l3 switch
0
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

JustInCaseCommented:
If you ask, can you use ACL as address, yes you can.
It is usual way to configure route-map.

You can't apply policy based routing to VLAN, as much as I know.
Applying route map to VLAN interface is applying route-map to VLAN.

If you don't do carefully your PBR and your ACL's, you can end up with routing like one on the picture.
So I can't really tell you will you still be able to access to other VLAN's, that depends on other parts of configuration, not just on PBR.

PBR and what can happen later :)
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
thomasm1948Author Commented:
I do not see int policy route-map under the global confg.  If I go to int vlan 16 then I see ip policy route-map
0
JustInCaseCommented:
That is what I'm trying to tell you.

Applying route map to VLAN interface is applying route-map to VLAN.

you wrote
Vlan 16
int policy route-map OldASA

Probably just bad communication, and we talk about same thing. :)
0
thomasm1948Author Commented:
sorry I misread your statement.

so I might want to use then access-list permit extended 192.168.1.1 any.  just to make sure.  I confused on this one I have to admit
0
JustInCaseCommented:
Yes, you can use ACL it that manner.
0
thomasm1948Author Commented:
Thank you for all of your help
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Routers

From novice to tech pro — start learning today.