Configuring Policy Based Routing on a Cisco 3750G EMI

We recently restructured the company network from a flat network into multiple VLANs, and for business reasons we now need to route the traffic of specific VLANs through a different ISP.

This means routing that traffic along a path different from the default route configured on the core switch, which in this case is a Cisco 3750G running the Enhanced Multilayer Image (EMI). After some research I found that this can be achieved with Policy Based Routing (PBR) via route maps.

I originally tried configuring route maps on a Cisco 3560G running the SMI (Standard Image). It turns out that PBR is not supported there. The following steps are what enabled me to set up PBR:

1) Log in to the Cisco 3750 and enter privileged EXEC mode:
Switch>enable
If an enable password has been set, enter it when prompted.

2) Enter global configuration mode:
Switch#configure terminal
Switch(config)#
The first configuration change switches the Switch Database Manager (SDM) template from the default desktop template to the routing template, which allocates TCAM space for policy routing:
Switch(config)#sdm prefer routing
Reload the switch after this change; the new template only takes effect after a restart.

3) After the reload, log back in to the switch and return to configuration mode. First verify that the routing template is now active. From config mode, type the following:
Switch(config)#do show sdm prefer

4) After verifying this, create an extended access list that matches the VLAN/subnet to be routed to the other ISP/firewall:
Switch(config)#ip access-list extended ACL_PBR_VLAN6
Switch(config-ext-nacl)#permit ip 10.0.6.0 0.0.0.127 any

5) Exit access-list configuration mode and create the route map with the route-map command, matching the ACL from step 4 and setting the next hop towards the second ISP:
Switch(config)#route-map ISP2_PBR permit 10
Switch(config-route-map)#match ip address ACL_PBR_VLAN6
Switch(config-route-map)#set ip next-hop 10.0.0.6

6) Apply the policy to the switch virtual interface (SVI) that is the gateway for the VLAN of interest:
Switch(config)#interface Vlan6
Switch(config-if)#ip address 10.0.6.2 255.255.255.128
Switch(config-if)#ip helper-address 10.0.0.14
Switch(config-if)#ip policy route-map ISP2_PBR
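
An added consistency check for the three pieces configured in steps 4 to 6 (example code, not part of the original post): it parses a constructed running-config excerpt and confirms that the ACL wildcard covers exactly the SVI subnet, that the route map points at a defined ACL, and that the next hop does not lie inside the policed VLAN. The config text below is a hypothetical transcript built from the commands above, not captured from a real switch.

```python
import ipaddress

# Constructed sample resembling "show running-config" output for the steps above.
CONFIG = """
ip access-list extended ACL_PBR_VLAN6
 permit ip 10.0.6.0 0.0.0.127 any
route-map ISP2_PBR permit 10
 match ip address ACL_PBR_VLAN6
 set ip next-hop 10.0.0.6
interface Vlan6
 ip address 10.0.6.2 255.255.255.128
 ip policy route-map ISP2_PBR
"""

def parse_pbr(config):
    """Pull ACL networks, route-map bindings and SVI subnets out of IOS config text."""
    acls, route_maps, svis, ctx = {}, {}, {}, None
    for w in (line.split() for line in config.splitlines() if line.strip()):
        if w[:3] == ["ip", "access-list", "extended"]:
            ctx, acls[w[3]] = ("acl", w[3]), []
        elif w[0] == "route-map":
            ctx, route_maps[w[1]] = ("rm", w[1]), {"acl": None, "next_hop": None}
        elif w[0] == "interface":
            ctx, svis[w[1]] = ("if", w[1]), {"network": None, "policy": None}
        elif ctx and ctx[0] == "acl" and w[:2] == ["permit", "ip"]:
            # IOS wildcard masks are hostmasks, which ipaddress accepts after the slash
            acls[ctx[1]].append(ipaddress.IPv4Network(f"{w[2]}/{w[3]}"))
        elif ctx and ctx[0] == "rm" and w[:3] == ["match", "ip", "address"]:
            route_maps[ctx[1]]["acl"] = w[3]
        elif ctx and ctx[0] == "rm" and w[:3] == ["set", "ip", "next-hop"]:
            route_maps[ctx[1]]["next_hop"] = ipaddress.IPv4Address(w[3])
        elif ctx and ctx[0] == "if" and w[:2] == ["ip", "address"]:
            svis[ctx[1]]["network"] = ipaddress.IPv4Interface(f"{w[2]}/{w[3]}").network
        elif ctx and ctx[0] == "if" and w[:3] == ["ip", "policy", "route-map"]:
            svis[ctx[1]]["policy"] = w[3]
    return acls, route_maps, svis

def check_pbr(config):
    # Returns one finding per problem; an empty list means ACL, route map and SVI agree.
    acls, route_maps, svis = parse_pbr(config)
    findings = []
    for name, svi in svis.items():
        rm = route_maps.get(svi["policy"])
        if rm is None or rm["acl"] not in acls:
            findings.append(f"{name}: route-map {svi['policy']} or its ACL is not defined")
            continue
        for net in acls[rm["acl"]]:  # wildcard should cover exactly the SVI's own subnet
            if net != svi["network"]:
                findings.append(f"{name}: ACL source {net} does not match SVI subnet {svi['network']}")
        if rm["next_hop"] in svi["network"]:  # next hop must be towards ISP2, not inside the VLAN
            findings.append(f"{name}: next-hop {rm['next_hop']} lies inside the policed subnet")
    return findings
```

Run `check_pbr(CONFIG)` after pasting in the real running-config excerpt; a typical slip it catches is a wildcard such as 0.0.0.255 left over from a /24 template on a /25 SVI. Note that the `permit ip ... any` entry policy-routes everything the subnet sends, including traffic to other internal VLANs, so deny entries for internal destinations would have to precede it if that is not intended.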

Your configuration is complete. Save the configuration, then test traffic from the VLAN with tracert or pathping to confirm the new path. You can also open a browser on a host in the VLAN of interest and go to http://whatismyip.com; the public IP shown should confirm that you are routing through the intended firewall.

This entry was posted in ASA, Cisco, Firewall, IOS, Router, Switch.
