[c-nsp] policy routing

Charles J. Boening charlieb at cot.net
Fri Mar 30 23:51:54 EST 2007



Typical.  I think I figured it out after I asked the question.  Didn't
think about it before, but looks like I can match both the source IP and
the outbound interface and then set ip next-hop to force the traffic to
the right NAT router.  Seems to prevent inter-vlan routing between
(2,3,4) and (4,5,6) and gets me my desired result.

I also saw I had two vlan4 in my example.  The 10.1.x.0/24 should have
all been in the 5,6,7 vlans.

Thanks to any who read and considered answering.  I am interested if
anyone has a better or more proper solution though.  :)

I ended up with something like this.  Typed it out by hand so I hope
there are no mistakes.  :)

!
interface vlan 2
 ip address 192.168.0.1 255.255.255.0
 ip policy route-map private-192
!
interface vlan 3
 ip address 192.168.1.1 255.255.255.0
 ip policy route-map private-192
!
interface vlan 4
 ip address 192.168.2.1 255.255.255.0
 ip policy route-map private-192
!
interface vlan 5
 ip address 10.1.0.1 255.255.255.0
 ip policy route-map private-10
!
interface vlan 6
 ip address 10.1.1.1 255.255.255.0
 ip policy route-map private-10
!
interface vlan 7
 ip address 10.1.2.1 255.255.255.0
 ip policy route-map private-10
!
! source networks of the 192.168.x.0/24 group
access-list 5 permit 192.168.0.0 0.0.0.255
access-list 5 permit 192.168.1.0 0.0.0.255
access-list 5 permit 192.168.2.0 0.0.0.255
! source networks of the 10.1.x.0/24 group
access-list 6 permit 10.1.0.0 0.0.0.255
access-list 6 permit 10.1.1.0 0.0.0.255
access-list 6 permit 10.1.2.0 0.0.0.255
!
! 192.168.x sources whose normal route would exit via a 10.1.x vlan
! are sent to the 192.168 NAT router instead
route-map private-192 permit 10
 match ip address 5
 match interface vlan5 vlan6 vlan7
 set ip next-hop 192.168.0.254
!
! 10.1.x sources whose normal route would exit via a 192.168.x vlan
! are sent to the 10.1 NAT router instead
route-map private-10 permit 10
 match ip address 6
 match interface vlan2 vlan3 vlan4
 set ip next-hop 10.1.0.254


Thanks,
Charlie




-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Charles J.
Boening
Sent: Friday, March 30, 2007 9:11 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] policy routing


Is it possible to have a routing policy that ignores connected
interfaces for certain subnets or vlans yet honors others?

Take this example:

Vlan 2:  192.168.0.0/24
Vlan 3:  192.168.1.0/24
Vlan 4:  192.168.2.0/24

Vlan 5:  10.1.0.0/24
Vlan 6:  10.1.1.0/24
Vlan 7:  10.1.2.0/24

Let's say that vlan 2 and vlan 4 each have a NAT router to a different
provider.  I don't want the vlan 4,5,6 traffic to ever enter the vlan
2,3,4 networks and vice versa.  I know I can do a policy map that sets
the ip default next-hop but that won't keep vlan 2,3,4 traffic from
entering vlan 4,5,6 directly and vice versa.  My goal is to completely
separate these subnets and vlans as if they were truly in separate
routers/switches.  Also, in all this, routing between the 192.168.x.0/24
subnets should occur and the same between the 10.1.x.0/24 subnets.
Again, just not between the 192.168.x.0/24 networks and the 10.1.x.0/24
networks.

I hope that makes sense.  Any way to accomplish this within the same
chassis?  My switch is a 4507 with redundant SUP IV.

Thanks,
Charlie
 

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
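The following is an added example, not part of Charlie's mail or of any Cisco tooling: a small Python model of how the posted route-maps evaluate a packet, so the isolation claim can be checked offline before the config goes onto a production switch. It takes the mail's reading of `match interface` as given (the egress interface that the normal routing lookup would pick) and assumes IOS semantics in which every match clause of a route-map entry must match before its `set` clause applies. The hosts and the `forward` / `all_cross_traffic_redirected` helpers are constructed for the demonstration; a destination outside the six connected subnets represents a default route that the mail does not show.

```python
"""Simplified model of the PBR config from the mail (assumptions noted inline)."""
from ipaddress import ip_address, ip_network

# Connected SVIs from the posted config: vlan -> (subnet, applied policy route-map)
INTERFACES = {
    "vlan2": (ip_network("192.168.0.0/24"), "private-192"),
    "vlan3": (ip_network("192.168.1.0/24"), "private-192"),
    "vlan4": (ip_network("192.168.2.0/24"), "private-192"),
    "vlan5": (ip_network("10.1.0.0/24"), "private-10"),
    "vlan6": (ip_network("10.1.1.0/24"), "private-10"),
    "vlan7": (ip_network("10.1.2.0/24"), "private-10"),
}

# Standard ACLs match the source address; wildcard 0.0.0.255 is a /24.
ACLS = {
    5: [ip_network("192.168.0.0/24"), ip_network("192.168.1.0/24"),
        ip_network("192.168.2.0/24")],
    6: [ip_network("10.1.0.0/24"), ip_network("10.1.1.0/24"),
        ip_network("10.1.2.0/24")],
}

# Route-maps: permit entries in sequence order, each with its match clauses
# and the next hop its set clause installs.
ROUTE_MAPS = {
    "private-192": [
        {"seq": 10, "acl": 5, "interfaces": {"vlan5", "vlan6", "vlan7"},
         "next_hop": "192.168.0.254"},
    ],
    "private-10": [
        {"seq": 10, "acl": 6, "interfaces": {"vlan2", "vlan3", "vlan4"},
         "next_hop": "10.1.0.254"},
    ],
}


def rib_lookup(dst):
    """Normal routing lookup (assumption: only connected routes are modelled).
    Returns the vlan holding dst, or None when a default route would apply."""
    for vlan, (subnet, _) in INTERFACES.items():
        if dst in subnet:
            return vlan
    return None


def acl_permits(acl_id, src):
    """True when the standard ACL has a permit line covering the source."""
    return any(src in net for net in ACLS[acl_id])


def forward(src, dst, ingress):
    """Forwarding decision for one packet arriving on `ingress`.
    Returns ("policy", next_hop) when a route-map entry matches, otherwise
    ("route", egress_vlan_or_None) meaning the normal routing table is used."""
    src, dst = ip_address(src), ip_address(dst)
    egress = rib_lookup(dst)
    _, policy = INTERFACES[ingress]
    for entry in ROUTE_MAPS[policy]:
        # All match clauses in an entry are ANDed; a packet bound for the
        # default route has no connected egress and so never matches.
        if acl_permits(entry["acl"], src) and egress in entry["interfaces"]:
            return ("policy", entry["next_hop"])
    return ("route", egress)


def all_cross_traffic_redirected():
    """Check every ordered vlan pair: traffic between the 192.168 group and the
    10.1 group must be policy-routed to a NAT router, traffic inside a group
    must still be routed normally. Returns True when the config holds."""
    for ivlan, (isub, _) in INTERFACES.items():
        for evlan, (esub, _) in INTERFACES.items():
            if ivlan == evlan:
                continue
            src, dst = str(isub[10]), str(esub[10])   # constructed sample hosts
            same_group = acl_permits(5, ip_address(src)) == acl_permits(5, ip_address(dst))
            kind, _ = forward(src, dst, ivlan)
            if kind != ("route" if same_group else "policy"):
                return False
    return True


if __name__ == "__main__":
    print(forward("192.168.0.10", "10.1.0.10", "vlan2"))    # policy -> 192.168.0.254
    print(forward("192.168.0.10", "192.168.1.10", "vlan2")) # route via vlan3
    print(forward("10.1.1.10", "192.168.2.10", "vlan6"))    # policy -> 10.1.0.254
    print("isolation holds:", all_cross_traffic_redirected())
```

Two things the model makes visible that the config alone does not: traffic leaving for the default route (Internet) is untouched by either route-map, because `match interface` cannot match an egress that is not one of the listed vlans, and the isolation is a redirection rather than a filter, so the NAT routers at 192.168.0.254 and 10.1.0.254 are the points where the redirected cross-group traffic should be dropped or logged.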


