Saturday, December 3, 2011

Cant add route-map to the Cisco 3750 vlan interface for policy based routing

Well, today I had quite a day re-doing a topology for a customer.  But there was one thing in particular that was worthy of writing about.  One of my goals was to add a route-map into a pair of 3750s that were acting as a redundant core.  They were merging two companies onto the same network, but wanted some boundaries.  They wanted to keep each other off each other's resources, but needed to share the network infrastructure because of the redundancy built in.  They were saving money by sharing resources, but still implementing security across the network.  One of the things they wanted to do was to still utilize their own Internet pipe.  Each of them had their own ASAs in place, with their own amount of bandwidth.  

So, with that said, the goal here was to add a route-map on the 3750 cores, and separate the Internet traffic from there, across each company's own firewalls.  Ok, so lets look at the route-map.

 Ok, here is the access list to determine what happens.  I want all traffic coming from and to go out Internet 2, unless they are going to each other.  Then, we dont want them to match the criteria.  The first four are denies (dont go to the Internet 2),  then the permits.  The permits say go to Internet 2 ASA.  Then a deny anything else. 
access-list 105 deny   ip
access-list 105 deny   ip
access-list 105 deny   ip
access-list 105 deny   ip
access-list 105 permit ip any
access-list 105 permit ip any
access-list 105 deny   ip any any
Now for the route-map.  The match 105 says to look at ACL 105 for the matching criteria.  Then if it matches, set the next hop to be, which is Internet 2.  
route-map SBS permit 10
 match ip address 105
 set ip next-hop
Now, lets apply the policy to the vlan we want to implement this on.  Lets look at the vlan interface:
interface Vlan102
 description *** Company 2 Network ***
 ip address
 ip helper-address
 ip policy route-map SBS    <--- *** Here is where it is implemented onto the vlan interface ***
 standby 102 ip

Now, here is the real reason Im writing this blog:  At first, and for the next two or three times, the policy would not apply.  AND, it never gave me any indication that it DIDNT apply.  I didnt know why, but it wasnt working.  When I went to, it wouldnt give me the public address of company 2.  So, what was wrong?  Well after some research, I found that I had to add a command on the 3750 (and probably any L3 switch Im guessing).  So, here is what I did:

Switch(config)# sdm prefer routing
Switch(config)# end
Switch# reload

I can not tell you exactly what this "sdm prefer routing" command does at this point, but I have every intention of reading more about this.  I know it refers to how resources are allocated within the 3750.  Here is what Im planning on reading: Thanks Cisco for explaining this.

So, after a reload, the 3750s come back up and I am now able to apply the route-map to the interface with the "ip policy route-map" command.  Give it a good read.  I know I will.