route-map question (how to policy route for all destinations except few subnets?)

Discussion in 'Cisco' started by binand@gmail.com, Aug 13, 2005.

  1. Guest

    Hi All,

    I have a setup like this:

    192.168.100.0/24 is a VLAN with internet connection via ISP1.
    172.16.100.0/24 is a VLAN with internet connection via ISP2.

    Right now, I have these VLANs on separate (Catalyst 4506) switches. I
    am trying to combine them onto a single switch, with route-maps. Here
    is my configuration:

    access-list 160 permit ip 172.16.100.0 0.0.0.255 any
    route-map ISP2 permit 20
    match ip address 160
    set ip next-hop 172.16.100.254
    int vlan 50
    desc ISP2
    ip address 172.16.100.1 255.255.255.0
    ip policy route-map ISP2
    int vlan 25
    desc ISP1
    ip address 192.168.100.1 255.255.255.0

    This works fine. Now, I'd like to have IP connectivity between the two
    VLANs. How should I modify my ACL for that? I tried:

    access-list 160 deny ip 172.16.100.0 0.0.0.255 192.168.100.0 0.0.0.255
    access-list 160 permit ip 172.16.100.0 0.0.0.255 any

    Which didn't work. I thought if the route-map encountered a deny ACL,
    default routing would take place, but that does not seem to be the
    case.

    The default routing table on the switch looks like:

    C 192.168.100.0/24 is directly connected, Vlan25
    C 172.16.100.0/24 is directly connected, Vlan50
    S* 0.0.0.0/0 [1/0] via 192.168.100.254

    192.168.100.254 and 172.16.100.254 are my firewalls (two Netscreens).

    TIA,

    Binand, Aug 13, 2005

  2. Barry Margolin replied, quoting the original post:

    > Hi All,
    >
    > I have a setup like this:
    >
    > 192.168.100.0/24 is a VLAN with internet connection via ISP1.
    > 172.16.100.0/24 is a VLAN with internet connection via ISP2.
    >
    > Right now, I have these VLANs on separate (Catalyst 4506) switches. I
    > am trying to combine them onto a single switch, with route-maps. Here
    > is my configuration:
    >
    > access-list 160 permit ip 172.16.100.0 0.0.0.255 any
    > route-map ISP2 permit 20
    > match ip address 160
    > set ip next-hop 172.16.100.254
    > int vlan 50
    > desc ISP2
    > ip address 172.16.100.1 255.255.255.0
    > ip policy route-map ISP2
    > int vlan 25
    > desc ISP1
    > ip address 192.168.100.1 255.255.255.0
    >
    > This works fine. Now, I'd like to have IP connectivity between the two
    > VLANs. How should I modify my ACL for that? I tried:


    Change "set ip next-hop" to "set ip default next-hop". Then the policy
    route will only override the default route. Connected routes, static
    routes, and routes learned via a routing protocol will still be used
    between the VLANs.

    --
    Barry Margolin,
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
    Barry Margolin, Aug 13, 2005
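The following is an added example, not code from the thread: a small Python model of the IOS policy-routing decision that shows the difference Barry describes. It takes the routing table, access-list 160 and the two next hops from the original post, and evaluates one route-map clause written first with "set ip next-hop" and then with "set ip default next-hop". The destination addresses used for the outside-world case (198.51.100.7) are constructed; the wildcard/ACL and longest-prefix logic is a simplified model of the documented IOS behaviour, not a reproduction of Catalyst 4500 hardware forwarding.

```python
"""Toy model of Cisco IOS policy-based routing (PBR) forwarding decisions.

Added example, not code from the thread. It encodes the documented difference
between 'set ip next-hop' (always overrides the routing table) and
'set ip default next-hop' (used only when the routing table has nothing
better than a default route for the destination). The routing table, ACL 160
and the next hops come from the original post; the outside test destination
(198.51.100.7) is constructed.
"""
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # IOS 'any' as network/wildcard

# From the post: the switch's routing table (prefix, kind, interface-or-next-hop)
ROUTES = [
    ("192.168.100.0/24", "connected", "Vlan25"),
    ("172.16.100.0/24", "connected", "Vlan50"),
    ("0.0.0.0/0", "static", "192.168.100.254"),
]

# From the post: access-list 160 permit ip 172.16.100.0 0.0.0.255 any
ACL_160 = [("permit", "172.16.100.0", "0.0.0.255", *ANY)]

# Route-map clause: (action, match acl, set kind, next hop)
RM_NEXT_HOP = [("permit", ACL_160, "next-hop", "172.16.100.254")]                  # original
RM_DEFAULT_NEXT_HOP = [("permit", ACL_160, "default next-hop", "172.16.100.254")]  # suggested fix


def _wild_match(addr, net, wildcard):
    """IOS wildcard-mask compare: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (n | w)


def acl_permits(acl, src, dst):
    """First-match extended ACL with the implicit deny at the end."""
    for action, snet, swild, dnet, dwild in acl:
        if _wild_match(src, snet, swild) and _wild_match(dst, dnet, dwild):
            return action == "permit"
    return False


def lookup(routes, dst):
    """Longest-prefix match; returns (prefix, kind, via) or None."""
    d = ipaddress.IPv4Address(dst)
    best = None
    for prefix, kind, via in routes:
        net = ipaddress.IPv4Network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, kind, via)
    return None if best is None else (str(best[0]), best[1], best[2])


def normal_route(routes, dst):
    """Destination-based forwarding: 'direct:<iface>' for connected, else the next hop."""
    entry = lookup(routes, dst)
    if entry is None:
        return "drop"
    prefix, kind, via = entry
    return f"direct:{via}" if kind == "connected" else via


def policy_route(route_map, routes, src, dst):
    """Evaluate route-map clauses in order, then fall back to normal routing."""
    for action, acl, set_kind, next_hop in route_map:
        if not acl_permits(acl, src, dst):
            continue                           # ACL deny / no match: clause skipped
        if action == "deny":
            return normal_route(routes, dst)   # route-map deny: route normally
        if set_kind == "next-hop":
            return next_hop                    # unconditional override
        # 'default next-hop': honour any route more specific than 0.0.0.0/0
        entry = lookup(routes, dst)
        if entry is None or ipaddress.IPv4Network(entry[0]).prefixlen == 0:
            return next_hop
        return normal_route(routes, dst)
    return normal_route(routes, dst)           # no clause matched


def compare(src, dst):
    """Side-by-side result for one flow under both route-map variants."""
    return {
        "set ip next-hop": policy_route(RM_NEXT_HOP, ROUTES, src, dst),
        "set ip default next-hop": policy_route(RM_DEFAULT_NEXT_HOP, ROUTES, src, dst),
    }


if __name__ == "__main__":
    for dst in ("192.168.100.20", "198.51.100.7"):
        print(f"172.16.100.10 -> {dst}: {compare('172.16.100.10', dst)}")
```

With "set ip next-hop", a host on VLAN 50 sending to 192.168.100.20 is handed to 172.16.100.254 even though the destination is directly connected on Vlan25; with "set ip default next-hop" the connected route wins and only destinations covered by nothing better than 0.0.0.0/0 are pushed to ISP2. The model also encodes the documented software semantics for a deny entry in the match ACL: it means "not policy routed" (forward normally), not "drop", so a PBR match ACL must never be relied on as a packet filter. Why the deny line did not take effect on the poster's 4506 is not resolved in the thread, and the model makes no claim about that.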