ACL clarification

ittechk4u1
Level 4

Hello experts,

As we are implementing MPLS at a few locations (not all), we need to filter VIDEO application traffic and send it over MPLS; the rest of the traffic will go via the Internet VPN.

Here is my config:

 

------------------------------------------------------------------------------------
Headquarter Router :


interface GigabitEthernet0/2
description *** MPLS ***
ip address 172.24.18.1 255.255.255.248
!
interface GigabitEthernet0/1
description *** LAN connection ***
ip address 10.18.2.4 255.255.255.0
ip policy route-map VIDEO
!
route-map VIDEO permit 5
description *** only Video Traffic Allowed ***
match ip address VIDEO
set ip next-hop verify-availability 172.24.18.6 1 track 556
!
route-map VIDEO permit 6
!
ip access-list extended VIDEO
remark *** RTP ****
permit udp any any range 16384 32767
permit udp any range 16384 32767 any
deny ip any any
!
ip sla 556
icmp-echo 172.24.18.6 source-interface GigabitEthernet0/2
threshold 2
timeout 1000
frequency 3
ip sla schedule 556 life forever start-time now
!
track 556 ip sla 556 reachability

--------------------------------------------------------------------------------

Branch Router:

int gig0/1
desc *** Internet ISP1 ***
IP address xxx.xxx.xxx.xxx/29
!
int gig0/2
des *** To MPLS ***
ip address 172.24.56.1 255.255.255.248
!
int vlan 6
desc *** LAN ***
ip address 10.56.xx.xx/24

ip policy route-map VIDEO
!
route-map VIDEO permit 5
description *** only Video Traffic ***
match ip address VIDEO
set ip next-hop verify-availability 172.24.56.2 1 track 56
!
route-map VIDEO permit 6
!
ip access-list extended VIDEO
remark *** RTP ****
permit udp any any range 16384 32767
permit udp any range 16384 32767 any
deny ip any any
!
ip sla 56
icmp-echo 172.24.56.2 source-interface GigabitEthernet0/2
threshold 2
timeout 1000
frequency 3
ip sla schedule 56 life forever start-time now
!
track 56 ip sla 56 reachability

---------------------------------------------------------------------------------------

 

My main concern is the HQ router, as all video traffic will be sent to MPLS (which is my problem)!!

How can I send the video traffic only to the few locations which are using MPLS, and not the others?

 

MPLS location : 10.56.xx.xx

Without MPLS: 10.48.xx.xx

Thanks


3 Replies

hkkalra
Level 1

Hello, 

 

As per my understanding, you need to define the ACL on the HQ to only match traffic that is going to some of your branches, so that only that traffic uses MPLS. You are defining the path using the "set ip next-hop" command.

 

I would recommend that you change the ACL VIDEO to only match traffic which is destined to the branch offices that are using MPLS.

 

Instead of using: 

ip access-list extended SAP-VIDEO
remark *** RTP ****
permit udp any any range 16384 32767
permit udp any range 16384 32767 any
deny ip any any

 

You can use something like this, where I am taking 192.168.0.0/16 and 10.0.0.0/8 as examples of remote branches using MPLS (IOS extended ACLs take wildcard masks, so /16 is written 0.0.255.255 and /8 is 0.255.255.255):

ip access-list extended SAP-VIDEO
remark *** RTP ****
permit udp any 192.168.0.0 0.0.255.255 range 16384 32767
permit udp any range 16384 32767 192.168.0.0 0.0.255.255

permit udp any 10.0.0.0 0.255.255.255 range 16384 32767
permit udp any range 16384 32767 10.0.0.0 0.255.255.255

deny ip any any

 

This would only match traffic for these two branches and send it to MPLS, and the rest of the traffic will go through your normal routing (VPN, I am assuming).

 

Hope my understanding is correct and this is helpful. 

Thanks

I agree with you, but the problem is that I have a very long ACL (40 lines) and 6 locations are using MPLS, which means the total will be 40*6 = 240 lines.

Is there any other solution???

You need a factor to differentiate the traffic going to the branch offices with MPLS from the traffic going to the branches without MPLS. From your requirement, it is only possible to do that using IP addresses.
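As an added illustration (not part of the thread or anyone's configuration), the following Python models the accepted answer's change and the 40-lines-times-6-branches expansion discussed above: it generates destination-scoped ACEs from a port template and a list of MPLS branch prefixes, renders them in IOS syntax (with wildcard masks, which IOS extended ACLs use), and evaluates sample flows against the original "any any" ACL and the scoped one. The 10.56.0.0/16 and 10.48.0.0/16 prefixes come from the question; the template and host addresses are constructed.

```python
import ipaddress

# Constructed sample (not from the thread): the RTP port range from the question
# as a two-line template, plus the prefixes the poster gave. Each template entry
# is (proto, src_ports, dst_ports); a port range is (lo, hi), None means any port.
RTP_TEMPLATE = [("udp", None, (16384, 32767)), ("udp", (16384, 32767), None)]
MPLS_BRANCHES = ["10.56.0.0/16"]  # 10.48.0.0/16 stays on the Internet VPN

def expand_acl(template, dst_prefixes):
    """One destination-scoped ACE per (template line, prefix), then an explicit deny."""
    aces = []
    for prefix in dst_prefixes:
        dst = ipaddress.ip_network(prefix)
        for proto, sport, dport in template:
            aces.append(("permit", proto, None, sport, dst, dport))
    aces.append(("deny", "ip", None, None, None, None))
    return aces

def render(ace):
    """IOS named-ACL syntax; extended ACLs take wildcard (inverted) masks, not netmasks."""
    action, proto, src, sport, dst, dport = ace
    def part(net, ports):
        text = "any" if net is None or net.prefixlen == 0 else f"{net.network_address} {net.hostmask}"
        return text + (f" range {ports[0]} {ports[1]}" if ports else "")
    return f"{action} {proto} {part(src, sport)} {part(dst, dport)}"

def matches(aces, proto, src_ip, sport, dst_ip, dport):
    """First-match evaluation: True when the flow hits a permit, i.e. would be policy-routed."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, snet, sports, dnet, dports in aces:
        if p not in ("ip", proto):
            continue
        if (snet is not None and s not in snet) or (dnet is not None and d not in dnet):
            continue
        if sports is not None and not sports[0] <= sport <= sports[1]:
            continue
        if dports is not None and not dports[0] <= dport <= dports[1]:
            continue
        return action == "permit"
    return False  # implicit deny at the end of every IOS ACL

ORIGINAL_ACL = expand_acl(RTP_TEMPLATE, ["0.0.0.0/0"])  # the question's "any any" ACL
SCOPED_ACL = expand_acl(RTP_TEMPLATE, MPLS_BRANCHES)    # the accepted answer's change

if __name__ == "__main__":
    for line in SCOPED_ACL:
        print(render(line))
    rtp_to_vpn_branch = ("udp", "10.18.2.10", 50000, "10.48.1.5", 20000)
    print("original ACL policy-routes RTP to the VPN branch:", matches(ORIGINAL_ACL, *rtp_to_vpn_branch))
    print("scoped ACL policy-routes RTP to the VPN branch:", matches(SCOPED_ACL, *rtp_to_vpn_branch))
```

Feeding the real 40-line template and six branch prefixes to expand_acl reproduces the 241-line result (240 permits plus the deny) the poster is worried about, which makes the generated list easy to review before it is pasted into the router.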
