Create a new Policy Based Routing Policy

Policy based routing (PBR) is used on the core switch to route traffic from each VLAN to the appropriate default gateway (default route), i.e. the appropriate interface on the firewall.

In this tutorial, PBR will be used to assign the default route address of to VLAN 110, whose subnet is Command examples will first show the format for the command and then the command used for this example policy.

To exit a config level, type exit.

There are three steps to create a new PBR.

  1. First, a class needs to be created. This class determines which criteria are used to match the traffic being routed. All traffic coming in from the VLAN will have a source IP in the VLAN's subnet range, so the class will be an ipv4 class, which classifies traffic based on IPv4 header information.
    1. Create the new class and name it according to the naming convention in use (use show class config to see existing class names).
      1. class ipv4 <name>
      2. class ipv4 v110
    2. Create a rule to determine which traffic is matched.
      1. <int> match ip <subnet address> <mask> <destination address (for default route use> <destination mask>
      2. 10 match ip
    3. Then, exit the class config.
  2. Next, the PBR policy needs to be created. This policy will use the newly created class to determine which traffic to match. It will then assign the address to use as the default gateway (the default next hop).
    1. Create the policy and name it according to the naming convention in use (use show policy vlan all to see the existing policy names).
      1. policy pbr <name>
      2. policy pbr v110
    2. Assign the new class to the PBR policy.
      1. <int> class ipv4 "<class name>"
      2. 10 class ipv4 "v110"
    3. Finally, define the action to be taken once traffic is matched to the class. In this case, the action specifies the default next hop.
      1. action ip default-next-hop <IP address>
      2. action ip default-next-hop
    4. Exit the policy config.
  3. The last step is to assign the new PBR policy to the desired VLAN.
    1. vlan <VLAN ID> service-policy <policy name> in
    2. vlan 110 service-policy v110 in

Use write memory to save the config.

Traffic coming from the specified VLAN with a destination unknown to the switch will now be routed to the appropriate default gateway.

You can double-check the class and policy by using the following commands to view their configurations and VLAN assignments.

show class ipv4 <class name>
show class ipv4 config
show class vlan <VLAN ID>
show policy <policy name>
show policy config
show policy vlan <VLAN ID|all>
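The three steps above and the verification commands, collected into one worked configuration. This is an added example, not the original page's config: the VLAN subnet (198.51.100.0/24), the firewall interface address (203.0.113.1) and the wildcard-mask form of the match rule are all assumed values chosen for illustration.

```text
; Added worked example (not the page author's configuration).
; Assumed, constructed values: VLAN 110 uses 198.51.100.0/24 and the
; firewall interface that should serve it is 203.0.113.1. The match rule
; is written in ACL-style wildcard-mask form, with 0.0.0.0 255.255.255.255
; meaning "any destination"; compare against an existing class with
; "show class ipv4 config" before copying the format.

configure

; Step 1: class that selects traffic sourced from the VLAN 110 subnet.
; The class matches on source address only, so anything arriving on
; VLAN 110 with a spoofed source outside 198.51.100.0/24 is NOT steered
; by this policy and follows the normal routing table instead.
class ipv4 v110
   10 match ip 198.51.100.0 0.0.0.255 0.0.0.0 255.255.255.255
   exit

; Step 2: policy that maps the class to a default next hop.
; "default-next-hop" only applies when the switch has no route for the
; destination, so traffic to other VLANs the switch routes is unaffected.
policy pbr v110
   10 class ipv4 "v110"
   action ip default-next-hop 203.0.113.1
   exit

; Step 3: bind the policy to inbound traffic on VLAN 110.
vlan 110 service-policy v110 in

write memory

; Verification: rule contents, the action, and the VLAN binding.
show class ipv4 v110
show policy v110
show policy vlan 110
```

The number of exit commands needed depends on the context shown in the prompt; keep typing exit until the prompt returns to the global config level.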
  • switches/create_a_new_pbr.txt
  • Last modified: 2019/03/15 18:05
  • by ericclaus