apply routemap or acl to bvi

pamirian76 (Level 1)

hi,

this is on a 881 router.

so I have this bvi 1 interface with many vlans.

how would I tell that bvi1

- if traffic is going to the dialer0 (main dsl line) allow everything

- if traffic is going to the dialer1 (backup 1fl line) just allow things to 10.10.10.10 ip

thanks.

Accepted Solution

Just to make it really clear on what I was saying..... We have the following as an example:

R2 is the default gateway for vlans 10 and 20 with a host on each.... 10.10.10.10, and 20.20.20.20.

We want everything to route via the 10.0.0.0 network (i.e. fa0/0) on R2 and if this fails it will switch over to fa0/1 which is the 20.0.0.0 network. But we will only allow the host 10.10.10.10 on vlan 10 to be able to reach outbound to R1 on the 100.0.0.1 address via the secondary interface, in the case of primary link failure.

Config on R2 will show that there is tracking with ip sla's and will also show that there is an ACL to only allow host 10.10.10.10 to go via fa0/1 in an event of a primary link failure.

R2#show run
Building configuration...

Current configuration : 1348 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
ip sla monitor 1
 type echo protocol ipIcmpEcho 10.0.0.1 source-interface FastEthernet0/0
ip sla monitor schedule 1 life forever start-time now
!
!
track 1 rtr 1 reachability
 delay down 2 up 2
!
interface FastEthernet0/0
 ip address 10.0.0.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 20.0.0.2 255.255.255.0
 ip access-group ALLOW10 out
 duplex auto
 speed auto
!
interface FastEthernet1/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet1/0.10
 encapsulation dot1Q 10
 ip address 10.10.10.1 255.255.255.0
!
interface FastEthernet1/0.20
 encapsulation dot1Q 20
 ip address 20.20.20.1 255.255.255.0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.0.0.1 track 1
ip route 0.0.0.0 0.0.0.0 20.0.0.1 10
!
!
ip access-list extended ALLOW10
 permit ip host 10.10.10.10 any log
 deny ip any any log
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 login
!
!
end
R2#

Here we can see that the status of the track is 'up' and the show ip route is showing the default route to be the primary link:

Just to test if Ping is working I will ping from the host 10.10.10.10 and 20.20.20.20 to 100.0.0.1

Now I will fail the primary link by shutting down the interface fa0/0 on R1

And we'll see what happens on R2:

As you can see the default route has changed to the secondary route because the track SLA changed state to down.

Now we'll go ahead and test our pings from SW1 (our hosts)

As you can see, the host 10.10.10.10 was permitted, but host 20.20.20.20 now gets unreachable. We'll see what is happening on R2 whilst we are doing the pings. Here is the output of 'debug ip packet':

This shows the traffic from 10.10.10.10 being permitted, but the traffic from 20.20.20.20 denied.

Here is the deny for the other hosts.

So in summary, the tracking of the default route with the floating static route is required. And also just an extended ACL to ONLY allow traffic from 10.10.10.10 outbound via the secondary interface, in the case of primary failure...

Hope this helps

Please rate useful posts & remember to mark any solved questions as answered. Thank you.


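To show how the three pieces of this answer fit together without building a lab, here is a small Python model of R2, added to this thread as an example (it is not IOS and not the poster's code): a tracked default route, a floating static with distance 10, and an outbound ACL on the backup interface. The Router, StaticRoute and AclEntry classes and the build_r2/failover_table helpers are my own simplifications; they ignore connected routes and assume that a tracked route is simply withdrawn from the routing table while its track object is down.

```python
"""Model of the accepted solution: tracked default route, floating static route
and an outbound ACL on the backup interface. Added example for this thread; the
classes and helper names are assumptions of this example, not IOS."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class StaticRoute:
    prefix: str                  # e.g. "0.0.0.0/0"
    next_hop: str
    egress: str                  # interface the next hop is reached through
    distance: int = 1            # administrative distance; higher = floating
    track: Optional[str] = None  # route is only installed while the track is up


@dataclass
class AclEntry:
    action: str                  # "permit" or "deny"
    src: str                     # "host 10.10.10.10" is written as a /32 here
    dst: str


@dataclass
class Router:
    routes: list = field(default_factory=list)
    tracks: dict = field(default_factory=dict)       # track name -> up?
    acls: dict = field(default_factory=dict)         # acl name -> [AclEntry]
    egress_acl: dict = field(default_factory=dict)   # interface -> acl name

    def installed_routes(self):
        # A tracked route leaves the routing table when its track is down,
        # which is what lets the higher-distance floating route take over.
        return [r for r in self.routes
                if r.track is None or self.tracks.get(r.track, False)]

    def best_route(self, dst: str) -> Optional[StaticRoute]:
        addr = ipaddress.ip_address(dst)
        candidates = [r for r in self.installed_routes()
                      if addr in ipaddress.ip_network(r.prefix)]
        if not candidates:
            return None
        # Longest prefix wins, then the lowest administrative distance.
        return max(candidates,
                   key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen,
                                  -r.distance))

    def acl_verdict(self, acl_name: str, src: str, dst: str) -> str:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for e in self.acls[acl_name]:
            if s in ipaddress.ip_network(e.src) and d in ipaddress.ip_network(e.dst):
                return "permitted" if e.action == "permit" else "denied"
        return "denied"  # IOS access lists end with an implicit deny

    def forward(self, src: str, dst: str):
        """Return (verdict, egress interface) for a packet from src to dst."""
        route = self.best_route(dst)
        if route is None:
            return ("unroutable", None)
        acl = self.egress_acl.get(route.egress)
        if acl is None:
            return ("permitted", route.egress)
        return (self.acl_verdict(acl, src, dst), route.egress)


def build_r2() -> Router:
    """R2 from the thread: primary via 10.0.0.1 (tracked), floating via 20.0.0.1."""
    r2 = Router()
    r2.routes = [
        StaticRoute("0.0.0.0/0", "10.0.0.1", "FastEthernet0/0", 1, track="track1"),
        StaticRoute("0.0.0.0/0", "20.0.0.1", "FastEthernet0/1", 10),
    ]
    r2.tracks["track1"] = True
    r2.acls["ALLOW10"] = [AclEntry("permit", "10.10.10.10/32", "0.0.0.0/0"),
                          AclEntry("deny", "0.0.0.0/0", "0.0.0.0/0")]
    r2.egress_acl["FastEthernet0/1"] = "ALLOW10"
    return r2


def failover_table(r2: Router, hosts=("10.10.10.10", "20.20.20.20"), dst="100.0.0.1"):
    """Verdict per host with the primary link up, then with it down."""
    results = {}
    for state in (True, False):
        r2.tracks["track1"] = state
        results["up" if state else "down"] = {h: r2.forward(h, dst) for h in hosts}
    return results


if __name__ == "__main__":
    for state, verdicts in failover_table(build_r2()).items():
        print(f"primary {state}:")
        for host, (verdict, iface) in verdicts.items():
            print(f"  {host} -> 100.0.0.1: {verdict} via {iface}")
```

The point the model makes is the one the original poster was circling around: the routing decision (track plus floating static) only picks the egress interface, and it is the ACL on that interface that does the blocking, so with the primary up both hosts pass via fa0/0, and with it down only 10.10.10.10 passes via fa0/1.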

5 Replies

Bilal Nawaz (VIP Alumni)

Hello, you could turn the router into a sniffer with ACLs to see what is going through the interface:

Router (config)# access-list 101 permit ip any any log (this entry is a “catch-all”)

Router (config)# interface interface
Router (config-if)# ip access-group 101 in

Look at the log by using the show log command from the exec prompt. You should see IP addresses (source and destination), along with the used TCP or UDP ports (in parentheses):

Mar 18 20:05:10.628: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.19.137(50051) -> 10.2.9.30(15648), 1 packet

Mar 18 20:05:20.697: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.19.137(50054) ->10.2.9.30(15648), 1 packet

Mar 18 20:05:30.757: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.19.137(50057) ->10.2.9.30(15648), 1 packet

Mar 18 20:05:40.854: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.19.137(50060) ->10.2.9.30(15648), 1 packet

Mar 18 20:05:51.006: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.19.137(50063) ->10.2.9.30(15648), 1 packet

Mar 18 20:06:01.115: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.19.137(50115) ->10.2.9.30(15648), 1 packet

Mar 18 20:06:10.354: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.19.137(50118) ->10.2.9.30(15648), 1 packet

Mar 18 20:06:20.423: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.19.137(50121) ->10.2.9.30(15648), 1 packet


This way it is visible that packets are going in or out of an interface depending on which direction you apply the ACL. This example is anything coming inbound towards the interface.

http://ciscotips.wordpress.com/2006/05/07/turning-the-router-in-to-packet-sniffer/

If you only want the single IP to be routed through the backup link, you may want to look at Policy Based Routing (based on source), although I'm not entirely sure if you can do it on your router or not.

In this example I want 10.10.10.10 traffic to go via dialer 1 and the rest of the traffic to go via dialer 0

access-list 1 permit 10.10.10.10
access-list 2 permit any
!
interface
ip policy route-map mypbr
!
route-map mypbr permit 10
match ip address 1
set ip next-hop x.x.x.x
!
route-map mypbr permit 20
match ip address 2
set ip next-hop y.y.y.y

Where x.x.x.x is your default gateway for dialer 1
And
Where y.y.y.y is your default gateway for dialer 0

You may also be able to determine which path your traffic is taking by looking at show ip route.

Hope this helps

Sent from Cisco Technical Support iPhone App

Please rate useful posts & remember to mark any solved questions as answered. Thank you.
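As an added example (not part of Bilal's post), here is a Python parser for the %SEC-6-IPACCESSLOGP and %SEC-6-IPACCESSLOGDP lines that the 'log' keyword produces, so the show log output can be summarised per flow instead of read by eye. The first two sample lines are copied from the post above; the remaining lines are constructed to resemble what the ALLOW10 list from the accepted solution would log, and the function names are mine.

```python
"""Parse the %SEC-6-IPACCESSLOG* messages produced by 'log' on an ACL entry and
summarise the flows they describe. Added example for this thread; the function
names are mine and the lines marked constructed are made up."""
import re
from collections import Counter

# IPACCESSLOGP: tcp/udp with ports in parentheses.
# IPACCESSLOGDP: icmp with (type/code) after the destination.
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>DP|P): list (?P<acl>\S+) "
    r"(?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))?\s*->\s*"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?"
    r"(?:\s*\((?P<itype>\d+)/(?P<icode>\d+)\))?, (?P<count>\d+) packets?"
)

# First two lines are from the post; the rest are constructed sample data.
SAMPLE_LOG = """
Mar 18 20:05:10.628: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.19.137(50051) -> 10.2.9.30(15648), 1 packet
Mar 18 20:05:20.697: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.19.137(50054) ->10.2.9.30(15648), 1 packet
Mar 18 20:10:20.697: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.19.137(50054) ->10.2.9.30(15648), 7 packets
Mar 18 20:11:02.115: %SEC-6-IPACCESSLOGDP: list ALLOW10 permitted icmp 10.10.10.10 -> 100.0.0.1 (8/0), 5 packets
Mar 18 20:11:02.120: %SEC-6-IPACCESSLOGDP: list ALLOW10 denied icmp 20.20.20.20 -> 100.0.0.1 (8/0), 5 packets
Mar 18 20:11:05.001: %SYS-5-CONFIG_I: Configured from console by console
""".strip().splitlines()


def parse_acl_log(line: str):
    """Return the fields of one ACL log message, or None for unrelated lines."""
    m = ACL_LOG_RE.search(line)
    if not m:
        return None
    f = m.groupdict()
    if f["dport"] is not None:
        service = int(f["dport"])               # tcp/udp destination port
    elif f["itype"] is not None:
        service = f"{f['itype']}/{f['icode']}"  # icmp type/code
    else:
        service = None
    return {
        "acl": f["acl"], "action": f["action"], "proto": f["proto"],
        "src": f["src"], "sport": int(f["sport"]) if f["sport"] else None,
        "dst": f["dst"], "service": service, "count": int(f["count"]),
    }


def summarize(lines):
    """Packets per (acl, action, proto, src, dst, service), summing the
    per-message counts so the later summary messages are not lost."""
    totals = Counter()
    for line in lines:
        rec = parse_acl_log(line)
        if rec:
            key = (rec["acl"], rec["action"], rec["proto"],
                   rec["src"], rec["dst"], rec["service"])
            totals[key] += rec["count"]
    return totals


def denied_sources(lines):
    """Sources that hit a deny entry, i.e. the hosts an egress ACL is blocking."""
    return sorted({rec["src"] for rec in map(parse_acl_log, lines)
                   if rec and rec["action"] == "denied"})


if __name__ == "__main__":
    for key, packets in summarize(SAMPLE_LOG).items():
        acl, action, proto, src, dst, service = key
        print(f"list {acl} {action} {proto} {src} -> {dst} ({service}): {packets} packets")
    print("denied sources:", denied_sources(SAMPLE_LOG))
```

IOS logs the first packet that matches a logged entry immediately and then emits periodic summary messages carrying a packet count, which is why the parser sums the count field rather than counting lines.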

Well, what this is doing is sending anything from 10.10.10.10 to dialer1, which is not what I want.

I basically want: when dialer0 is up, everything goes through. When dialer0 is down (main line is down) and the dialup on dialer1 is up, I want only 10.10.10.10 to hit the 1fl backup line; everything else is blocked.

I mean, obviously I can put an ACL on dialer1 to just let traffic to 10.10.10.10 pass, but I was wondering if there is a way with PBR, or if PBR can't block and just directs traffic based on rules.

Sent from Cisco Technical Support iPad App

Hello, your original post wasn't so clear about your question.

You can have a route and a floating static route, but change the metric on the less preferred route to a higher value.

2 default routes with one preferred over the other. Track the primary route, and apply an ACL on the secondary interface to only allow 10.10.10.10.

This will say, all traffic goes via primary link, and if this fails, everything goes via secondary link.
However your ACL will only allow traffic from 10.10.10.10 via the secondary link.

Hope this helps

Sent from Cisco Technical Support iPhone App

Please rate useful posts & remember to mark any solved questions as answered. Thank you.
