Foundry Networks Switch and Router User Manual

Using Access Control Lists (ACLs)
December 2000 13 - 29
Packets from 209.157.23.x are sent to 192.168.2.1.
Packets from 209.157.24.x are sent to 192.168.2.2.
Packets from 209.157.25.x are sent to 192.168.2.3.
The following commands configure three standard ACLs. Each ACL contains one of the source sub-nets listed above.
Make sure you specify permit instead of deny in the ACLs, so that the Layer 3 Switch permits the traffic that
matches the ACLs to be further evaluated by the route map. If you specify deny, the Layer 3 Switch denies the
traffic from further evaluation and instead drops the packets. Notice that these ACLs specify any for the
destination address.
BigIron(config)# access-list 1 permit 209.157.23.0 0.0.0.255
BigIron(config)# access-list 2 permit 209.157.24.0 0.0.0.255
BigIron(config)# access-list 3 permit 209.157.25.0 0.0.0.255
The following commands configure three entries in a route map called test-route. The first entry (permit 1)
matches on the IP address information in ACL 1 above. For IP traffic from sub-net 209.157.23.0/24, this route
map entry sets the next-hop IP address to 192.168.2.1.
BigIron(config)# route-map test-route permit 1
BigIron(config-routemap test-route)# match ip address 1
BigIron(config-routemap test-route)# set ip next-hop 192.168.2.1
BigIron(config-routemap test-route)# exit
The following commands configure the second entry in the route map. This entry (permit 2) matches on the IP
address information in ACL 2 above. For IP traffic from sub-net 209.157.24.0/24, this route map entry sets the
next-hop IP address to 192.168.2.2.
BigIron(config)# route-map test-route permit 2
BigIron(config-routemap test-route)# match ip address 2
BigIron(config-routemap test-route)# set ip next-hop 192.168.2.2
BigIron(config-routemap test-route)# exit
The following commands configure the third entry in the test-route route map. This entry (permit 3) matches on
the IP address information in ACL 3 above. For IP traffic from sub-net 209.157.25.0/24, this route map entry sets
the next-hop IP address to 192.168.2.3.
BigIron(config)# route-map test-route permit 3
BigIron(config-routemap test-route)# match ip address 3
BigIron(config-routemap test-route)# set ip next-hop 192.168.2.3
BigIron(config-routemap test-route)# exit
The following command enables PBR by globally applying the test-route route map to all interfaces.
BigIron(config)# ip policy route-map test-route
Alternatively, you can enable PBR on specific interfaces, as shown in the following example. The commands in
this example configure IP addresses in the three source sub-nets identified in ACLs 1, 2, and 3, then apply route
map test-route to the interface.
BigIron(config)# interface ve 1
BigIron(config-vif-1)# ip address 209.157.23.1/24
BigIron(config-vif-1)# ip address 209.157.24.1/24
BigIron(config-vif-1)# ip address 209.157.25.1/24
BigIron(config-vif-1)# ip policy route-map test-route
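The following Python model is an added example, not part of the Foundry manual or the Layer 3 Switch software. It evaluates a source address against ACLs 1 through 3 and the test-route entries configured above, and shows the effect of writing deny instead of permit in an ACL. The function names and the fall-through to the routing table for traffic that matches no entry are assumptions.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """True when addr equals base in every bit where the wildcard mask is 0."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

# Standard ACLs from the page: number -> ordered (action, source, wildcard) entries.
ACLS = {
    1: [("permit", "209.157.23.0", "0.0.0.255")],
    2: [("permit", "209.157.24.0", "0.0.0.255")],
    3: [("permit", "209.157.25.0", "0.0.0.255")],
}

# Route map test-route from the page: (sequence, ACL number, next hop).
TEST_ROUTE = [(1, 1, "192.168.2.1"), (2, 2, "192.168.2.2"), (3, 3, "192.168.2.3")]

def acl_action(acl, src):
    """Return the action of the first entry that matches src, or None."""
    for action, base, wildcard in acl:
        if wildcard_match(src, base, wildcard):
            return action
    return None

def pbr_decision(src, route_map=TEST_ROUTE, acls=ACLS):
    """Model the page's description: a permit match sets the next hop, a deny match drops."""
    for _seq, acl_num, next_hop in sorted(route_map):
        action = acl_action(acls[acl_num], src)
        if action == "permit":
            return ("next-hop", next_hop)
        if action == "deny":
            return ("drop", None)
    # Assumption: traffic matching no entry is left to the normal routing table.
    return ("routing-table", None)

if __name__ == "__main__":
    for src in ("209.157.23.10", "209.157.24.77", "209.157.25.200", "10.1.1.1"):
        print(src, pbr_decision(src))
    # The mistake the page warns about: ACL 2 written with deny instead of permit.
    broken = dict(ACLS)
    broken[2] = [("deny", "209.157.24.0", "0.0.0.255")]
    print("209.157.24.77 with deny in ACL 2:", pbr_decision("209.157.24.77", acls=broken))
```
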
Setting the Next Hop When no Next Hop Is Explicitly Configured
The following commands configure a PBR to set the next-hop gateway for traffic, but only if the Layer 3 Switch
does not already have a next-hop gateway specified for the traffic. In this example, a route map specifies the
next-hop gateway for packets from sub-net 192.168.1.x.
The following command configures a standard ACL for the sub-net.
BigIron(config)# access-list 4 permit 192.168.1.0 0.0.0.255 any
