VLAN10, VLAN20, VLAN30
VLAN20 and VLAN30 both need to reach VLAN10, but VLAN20 and VLAN30 must not be able to reach each other.
1. Use policy-based routing (PBR): packets destined for VLAN10 are routed to the correct interface, and all others are sent to the discard interface (Null0).
access-list 100 permit ip any 192.168.10.0 0.0.0.255
route-map tovlan1 permit 10
 match ip address 100
 set default interface f0/0.10
route-map tovlan1 permit 20
 set default interface null0
interface f0/0.20
 ip policy route-map tovlan1
interface f0/0.30
 ip policy route-map tovlan1
The above configuration does not work, because an explicit route (the directly connected route) to the destination already exists.
(In PBR:
set ip next-hop does not check whether an explicit route exists. It only checks whether the next hop is reachable.
set interface checks whether an explicit route exists. It takes effect only if one exists.
set ip default next-hop checks whether an explicit route exists. It takes effect only if none exists.
set default interface checks whether an explicit route exists. It takes effect only if none exists.
)
*Mar 1 02:25:10.443: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy match
*Mar 1 02:25:10.443: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy rejected (explicit route) - normal forwarding
*Mar 1 02:25:10.459: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy match
*Mar 1 02:25:10.459: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1
R1#, len 100, FIB policy rejected (explicit route) - normal forwarding
*Mar 1 02:25:10.475: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy match
*Mar 1 02:25:10.475: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy rejected (explicit route) - normal forwarding
*Mar 1 02:25:10.551: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy match
*Mar 1 02:25:10.551: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy rejected (explicit route) - normal forwarding
Changed to:
route-map govlan1 permit 10
 match ip address 100
 set interface f0/0.10
route-map govlan1 permit 20
 set interface null0
After the change, it works normally:
*Mar 1 02:35:31.059: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy match
*Mar 1 02:35:31.063: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1 (FastEthernet0/0.10), len 100, FIB policy routed
*Mar 1 02:35:31.111: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy match
*Mar 1 02:35:31.111: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1 (FastEthernet0/0.10), len 100, FIB policy routed
*Mar 1 02:35:31.139: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy match
*Mar 1 02:35:31.139: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1 (FastEthernet0/0.10)
R1#, len 100, FIB policy routed
*Mar 1 02:35:31.159: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy match
*Mar 1 02:35:31.159: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1 (FastEthernet0/0.10), len 100, FIB policy routed
*Mar 1 02:35:31.187: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1, len 100, FIB policy match
*Mar 1 02:35:31.187: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.10.1 (FastEthernet0/0.10), len 100, FIB policy routed
R1#
*Mar 1 02:35:35.135: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.30.1, len 100, FIB policy match
*Mar 1 02:35:35.139: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.30.1 (Null0), len 100, FIB policy routed (drop)
R1#
*Mar 1 02:35:37.171: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.30.1, len 100, FIB policy match
*Mar 1 02:35:37.175: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.30.1 (Null0), len 100, FIB policy routed (drop)
R1#
*Mar 1 02:35:39.183: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.30.1, len 100, FIB policy match
*Mar 1 02:35:39.187: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.30.1 (Null0), len 100, FIB policy routed (drop)
R1#
*Mar 1 02:35:41.179: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.30.1, len 100, FIB policy match
*Mar 1 02:35:41.183: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.30.1 (Null0), len 100, FIB policy routed (drop)
R1#
*Mar 1 02:35:43.187: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.30.1, len 100, FIB policy match
*Mar 1 02:35:43.191: IP: s=192.168.20.1 (FastEthernet0/0.20), d=192.168.30.1 (Null0), len 100, FIB policy routed (drop)
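The difference between the two route-maps can be reproduced with a small model. The Python sketch below is an added example, not part of the original notes and not IOS's own logic: it applies the four set rules exactly as stated above to tovlan1 and govlan1, assuming the three VLAN subnets are connected /24 routes on R1. The function names and the routing table are constructed for illustration.

```python
import ipaddress

# Constructed routing table (assumption): the three VLAN subnets are connected /24 routes on R1.
CONNECTED = {
    "192.168.10.0/24": "FastEthernet0/0.10",
    "192.168.20.0/24": "FastEthernet0/0.20",
    "192.168.30.0/24": "FastEthernet0/0.30",
}
ACL100 = "192.168.10.0/24"  # access-list 100: any source, destination in VLAN10
# Route-map entries in sequence order: (match prefix or None, set action, target)
TOVLAN1 = [(ACL100, "set default interface", "FastEthernet0/0.10"),
           (None, "set default interface", "Null0")]
GOVLAN1 = [(ACL100, "set interface", "FastEthernet0/0.10"),
           (None, "set interface", "Null0")]

def explicit_route(dst, table=CONNECTED):
    """Longest-prefix match that ignores any default route; None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    nets = [(ipaddress.ip_network(p), intf) for p, intf in table.items()]
    hits = [(n, intf) for n, intf in nets if n.prefixlen > 0 and addr in n]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def policy_decision(route_map, dst, table=CONNECTED):
    """Return (verdict, egress interface) for a packet to dst."""
    addr = ipaddress.ip_address(dst)
    route = explicit_route(dst, table)
    for match, action, target in route_map:
        if match is not None and addr not in ipaddress.ip_network(match):
            continue  # this entry's ACL does not match, try the next sequence
        if action == "set ip next-hop":
            # Reachability is modelled as "next hop lies in a connected subnet"
            applies = explicit_route(target, table) is not None
        elif action == "set interface":
            applies = route is not None   # needs an explicit route
        else:  # "set default interface" / "set ip default next-hop"
            applies = route is None       # only used when no explicit route exists
        if applies:
            return ("policy routed", target)
        return ("policy rejected, normal forwarding", route)
    return ("no policy match, normal forwarding", route)

def isolated(route_map, dst):
    """True if a packet to dst is dropped instead of leaving on a real interface."""
    return policy_decision(route_map, dst)[1] in (None, "Null0")

if __name__ == "__main__":
    for name, rm in (("tovlan1", TOVLAN1), ("govlan1", GOVLAN1)):
        for dst in ("192.168.10.1", "192.168.30.1"):
            print(name, dst, policy_decision(rm, dst))
```

In this model tovlan1 never takes effect for the connected subnets, so a packet from VLAN20 to 192.168.30.1 is forwarded normally, while govlan1 sends it to Null0.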
2. Use access list control:
R1#sh run
Building configuration...
Current configuration : 1245 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
!
!