Cisco L3 switch Policy Routing for network access and Traffic Distribution
I. Description of the solution environment

1. There are two groups, Group1 and Group2, which access the Internet through two different network outlets.
2. The core is a Cisco 3560G layer-3 switch with four VLANs. VLAN10/VLAN20 belong to Group1 and VLAN30/VLAN40 belong to Group2.
3. The LAN IPs of the two access routers are 10.10.10.254 (used by Group1) and 10.10.255.254 (used by Group2).

II. Layer-3 switch configuration

1. Create the VLANs and enable IP routing. For example:

    VLAN10 ip address 172.16.10.1/24
    VLAN20 ip address 172.16.20.1/24
    VLAN30 ip address 172.16.30.1/24
    VLAN40 ip address 172.16.40.1/24

2. Configure the layer-3 interfaces (the ports facing the two access routers):

    3560# conf t
    3560(config)# int g0/1
    3560(config-if)# no switchport                        ! make this a layer-3 port
    3560(config-if)# ip address 10.10.10.1 255.255.255.0   ! IP address and mask of the layer-3 port
    3560(config-if)# int g0/2
    3560(config-if)# no switchport
    3560(config-if)# ip address 10.10.20.1 255.255.255.0

3. Define the ACLs (one per VLAN):

    3560(config)# ip access-list extended vlan10acl2map    ! ACL name
    3560(config-ext-nacl)# deny ip 172.16.10.0 0.0.0.255 172.16.0.0 0.0.255.255
    3560(config-ext-nacl)# deny ip 172.16.10.0 0.0.0.255 10.10.0.0 0.0.255.255
    3560(config-ext-nacl)# permit ip 172.16.10.0 0.0.0.255 any
    3560(config)# ip access-list extended vlan20acl2map
    3560(config-ext-nacl)# deny ip 172.16.20.0 0.0.0.255 172.16.0.0 0.0.255.255
    3560(config-ext-nacl)# deny ip 172.16.20.0 0.0.0.255 10.10.0.0 0.0.255.255
    3560(config-ext-nacl)# permit ip 172.16.20.0 0.0.0.255 any
    3560(config)# ip access-list extended vlan30acl2map
    3560(config-ext-nacl)# deny ip 172.16.30.0 0.0.0.255 172.16.0.0 0.0.255.255
    3560(config-ext-nacl)# deny ip 172.16.30.0 0.0.0.255 10.10.0.0 0.0.255.255
    3560(config-ext-nacl)# permit ip 172.16.30.0 0.0.0.255 any
    3560(config)# ip access-list extended vlan40acl2map
    3560(config-ext-nacl)# deny ip 172.16.40.0 0.0.0.255 172.16.0.0 0.0.255.255
    3560(config-ext-nacl)# deny ip 172.16.40.0 0.0.0.255 10.10.0.0 0.0.255.255
    3560(config-ext-nacl)# permit ip 172.16.40.0 0.0.0.255 any

Note: the deny entries are the network segments that must be exempted from policy routing, so that traffic to them keeps following the normal routing table. 172.16.0.0/16 covers 172.16.10.0/24 through 172.16.40.0/24; I am too lazy to write out every entry. 10.10.0.0/16 covers the two layer-3 ports. If one of the two lines goes down, traffic can be moved onto the other line; that mutual-backup method will be discussed next time.

4. Define the policy routes:

    3560(config)# route-map vlan10map                       ! route-map name
    3560(config-route-map)# match ip address vlan10acl2map  ! match the ACL
    3560(config-route-map)# set ip next-hop 10.10.10.254    ! next-hop router
    3560(config)# route-map vlan20map
    3560(config-route-map)# match ip address vlan20acl2map
    3560(config-route-map)# set ip next-hop 10.10.10.254    ! same group as VLAN10, reaches the Internet through the same interface
    3560(config)# route-map vlan30map
    3560(config-route-map)# match ip address vlan30acl2map
    3560(config-route-map)# set ip next-hop 10.10.20.254
    3560(config)# route-map vlan40map
    3560(config-route-map)# match ip address vlan40acl2map
    3560(config-route-map)# set ip next-hop 10.10.20.254

5. Apply the policy routes to the VLAN interfaces:

    3560(config)# int vlan 10
    3560(config-if)# ip policy route-map vlan10map
    3560(config-if)# int vlan 20
    3560(config-if)# ip policy route-map vlan20map
    3560(config-if)# int vlan 30
    3560(config-if)# ip policy route-map vlan30map
    3560(config-if)# int vlan 40
    3560(config-if)# ip policy route-map vlan40map
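To check the ACL and route-map logic above before pushing it to the switch, here is an added example (not part of the original post) that simulates Cisco wildcard-mask ACL matching and the per-VLAN route-maps: it answers, for a given ingress VLAN, source and destination, whether the packet is policy-routed to a next hop or falls through to the normal routing table. The VLAN names, ACL entries and next hops are taken from the configuration on this page; the function and variable names are my own.

```python
import ipaddress

def wildcard_match(addr, network, wildcard):
    """Cisco ACL semantics: bits set to 1 in the wildcard are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & mask) == (n & mask)

def acl_entries(vlan_net):
    # The three entries of each vlanNNacl2map list on the page: exempt traffic
    # to the site (172.16.0.0/16) and to the layer-3 ports (10.10.0.0/16) so it
    # keeps using the routing table; policy-route everything else from the VLAN.
    return [
        ("deny",   vlan_net, "0.0.0.255", "172.16.0.0", "0.0.255.255"),
        ("deny",   vlan_net, "0.0.0.255", "10.10.0.0",  "0.0.255.255"),
        ("permit", vlan_net, "0.0.0.255", "0.0.0.0", "255.255.255.255"),  # 'any'
    ]

def acl_permits(entries, src, dst):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for action, snet, swc, dnet, dwc in entries:
        if wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc):
            return action == "permit"
    return False

# route-map per VLAN interface: (ACL entries, set ip next-hop), as on the page
POLICY = {
    "vlan10": (acl_entries("172.16.10.0"), "10.10.10.254"),
    "vlan20": (acl_entries("172.16.20.0"), "10.10.10.254"),
    "vlan30": (acl_entries("172.16.30.0"), "10.10.20.254"),
    "vlan40": (acl_entries("172.16.40.0"), "10.10.20.254"),
}

def next_hop(ingress_vlan, src, dst):
    """Return the PBR next hop, or None when the packet is routed normally."""
    entries, hop = POLICY[ingress_vlan]
    return hop if acl_permits(entries, src, dst) else None

if __name__ == "__main__":
    # Constructed sample flows: Internet-bound, inter-VLAN, to a router port,
    # and a source address that does not belong to the ingress VLAN.
    for vlan, src, dst in [("vlan10", "172.16.10.5", "203.0.113.10"),
                           ("vlan30", "172.16.30.9", "203.0.113.10"),
                           ("vlan10", "172.16.10.5", "172.16.30.7"),
                           ("vlan20", "172.16.20.5", "10.10.20.254"),
                           ("vlan10", "192.0.2.1", "203.0.113.10")]:
        print(vlan, src, "->", dst, ":", next_hop(vlan, src, dst))
```

The last sample shows that a packet whose source is outside the VLAN's own /24 matches no entry and is therefore not policy-routed, which is the behaviour the source check in each ACL entry buys you.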