Solved

CISCO Policy Based Routing

Posted on 2014-09-30
9
449 Views
Last Modified: 2014-09-30
Hi,

I have a quick question on PBR.  if I have multiple IPs that I want use PBR, do I need to create a policy for each unique IP or can I do the following.  we want to do load balancing between ISPs and the following have NAT policies.  Or do I need to create a policy for each IP and assign it to my vlan

access-list 10 deny ip host 192.16.1.1 10.2.0.4 255.255.255.255 (deny this gateway)
access-list 10 deny ip host 192.16.2.2 10.2.0.4 255.255.255.255 (deny this gateway)
access-list 10 deny ip host 192.16.3.3 10.2.0.4 255.255.255.255 (deny this gateway)
access-list 10 permit 192.168.1.1 any (added any so that it can get to other vlans)
access-list 10 permit 192.168.2.2 any (added any so that it can get to other vlans)
access-list 10 permit 192.168.3.3 any (added any so that it can get to other vlans)

Created policy:
route-map OldASA permit 10
match ip address 10
set ip next-hop 10.2.0.3 (orgonal gateway with NAT policies)

Assigned policy to vlan16

ip policy route-map OldASA

Thank you for your help in advance
0
Comment
Question by:thomasm1948
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
9 Comments
 
LVL 29

Expert Comment

by:Predrag Jovic
ID: 40352587
You can use ACL but not extended ACL with signature of standard :)

If you use standard access list (access-list 10) you can't have any at the end of command  
:)

access-list 10 permit 192.168.1.1
access-list 10 permit 192.168.2.2
access-list 10 permit 192.168.3.3  

you apply ACL to interface
interface vlan 16
ip policy route-map OldASA

And you need also do next (on L3 switch) if you want PBR to work on VLAN

Switch(config)# sdm prefer routing
Switch(config)# end
Switch# reload
0
 

Author Comment

by:thomasm1948
ID: 40352706
How could I configure the route map.  Would it be the same as
route-map OldASA permit 10
 match ip address 10
 set ip next-hop 10.2.0.3

and then apply it to the vlan

int policy route-map OldASA

Switch(config)# sdm prefer routing
 Switch(config)# end
 Switch# reload
0
 

Author Comment

by:thomasm1948
ID: 40352708
also would the those ip addresses still have access to all of the other vlans that are configured on the core l3 switch
0
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

 
LVL 29

Accepted Solution

by:
Predrag Jovic earned 500 total points
ID: 40352935
If you ask, can you use ACL as address, yes you can.
It is usual way to configure route-map.

You can't apply policy based routing to VLAN, as much as I know.
Applying route map to VLAN interface is applying route-map to VLAN.

If you don't do carefully your PBR and your ACL's, you can end up with routing like one on the picture.
So I can't really tell you will you still be able to access to other VLAN's, that depends on other parts of configuration, not just on PBR.

PBR and what can happen later :)
0
 

Author Comment

by:thomasm1948
ID: 40352956
I do not see int policy route-map under the global confg.  If I go to int vlan 16 then I see ip policy route-map
0
 
LVL 29

Expert Comment

by:Predrag Jovic
ID: 40352961
That is what I'm trying to tell you.

Applying route map to VLAN interface is applying route-map to VLAN.

you wrote
Vlan 16
int policy route-map OldASA

Probably just bad communication, and we talk about same thing. :)
0
 

Author Comment

by:thomasm1948
ID: 40352985
sorry I misread your statement.

so I might want to use then access-list permit extended 192.168.1.1 any.  just to make sure.  I confused on this one I have to admit
0
 
LVL 29

Expert Comment

by:Predrag Jovic
ID: 40353004
Yes, you can use ACL it that manner.
0
 

Author Closing Comment

by:thomasm1948
ID: 40353074
Thank you for all of your help
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
Many of the companies I’ve worked with have embraced cloud solutions due to their desire to “get out of the datacenter business.” The ability to achieve better security and availability, and the speed with which they are able to deploy, is far grea…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

756 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question