Cisco ASR 902 - Policy-Based Routing doesn't work

Hello,
I have a problem with a properly configured route-map on a Cisco ASR-902 (RSP2).

My configuration is the following:

interface TenGigabitEthernet0/1/0
 no ip address
 service instance 108 ethernet
  encapsulation dot1q 108
  rewrite ingress tag pop 1 symmetric
  bridge-domain 108

interface TenGigabitEthernet0/1/1
 no ip address
 service instance 81 ethernet
  encapsulation dot1q 81
  rewrite ingress tag pop 1 symmetric
  bridge-domain 81



interface BDI81
 ip address 192.168.33.231 255.255.255.240
 standby 81 ip 192.168.33.229
 standby 81 preempt


interface BDI108
 ip address 192.168.108.1 255.255.255.0
 ip policy route-map routemap
 ip ospf authentication key-chain OSPF-869
 ip ospf priority 3
 ip ospf 869 area 1.1.1.1

ip access-list extended cccc-WAN
 permit ip 172.21.10.0 0.0.0.255 any

route-map routemap permit 60
 match ip address cccc-WAN
 set ip default next-hop 192.168.33.225

 

#sh sdm prefer current
The current sdm template is "video"


My intention is to replace the default GW (with 192.168.33.225) if the source comes from the 172.21.10.0/24 network.

I tried this configuration on two system versions and it still doesn't work:
asr900rsp2-universalk9_npe.03.18.02.SP.156-2.SP2-ext.bin
asr900rsp2-universalk9_npe.16.09.05.SPA.bin

The debugging log shows something like this:

Feb 11 10:40:59 192.168.109.12 : IP: s=192.168.108.10 (BDI108), d=255.255.255.255 (nil), len 148, policy rejected -- normal forwarding

Network 172.21.10.0/24 is connected to my ASR via 192.168.108.0/24. It was also working in HSRP, but I disabled it and changed to only a static address.
Network 192.168.33.225 is directly connected. It works in HSRP.
Both the 172.21.10.0/24 network and 192.168.33.225 are reachable from the ASR.

This is the documentation which I consulted when configuring.
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_pi/configuration/xe-3s/asr903/iri-xe-3s-asr903-book/iri-xe-3s-asr903-book_chapter_010.html#reference_DA6510217ADB4930BED473BDAB419E71

Does anyone have an idea what the problem is?

4 Replies

Richard Burts
Hall of Fame

Based on what you have told us, there is not any error. The log message is the expected behavior. Note that the log message specifies this source address of the packet

s=192.168.108.10

and your acl specifies this as the source

 permit ip 172.21.10.0 0.0.0.255 any

there is no match and normal forwarding is expected.

HTH

Rick

First of all, thanks for the reply.

The problem is that the source packet has exactly the 172.21.10.10 IP address and is not NATed:

172.21.10.0/24 [R] 192.168.108.10/24 ------- 192.168.108.1/24 [ASR] 

I connected my computer to VLAN 108 and addressed it as e.g. 192.168.108.250. In router [R] I changed the default route from 192.168.108.1 to 192.168.108.250. Next I sniffed the network connection and I saw network packets arriving with source address 172.21.10.10 (not 192.168.108.10).

The log line which I quoted is the only thing that is logged, but it repeats many times. Many times the same log line. While the system log is not logging network traffic from 172.21.10.10, some ICMP packets pass through the ASR and this is not logged.

I think the log

Feb 11 10:40:59 192.168.109.12 : IP: s=192.168.108.10 (BDI108), d=255.255.255.255 (nil), len 148, policy rejected -- normal forwarding


concerns a packet sent from router [R] from IP 192.168.108.10 and its destination is only broadcast (255.255.255.255). I don't have any other logs.

In addition, I have to add...
In the configuration which I presented, the local network works, but the gateway doesn't work. If I change from

set ip default next-hop 192.168.33.225

to

set ip next-hop 192.168.33.225

then the gateway works but the local LANs don't work.

If I remember correctly, I also tried

permit ip 192.168.108.0 0.0.0.255 any

Update

OK, I added the router network to my ACL:

ip access-list extended cccc-WAN
 permit ip 10.21.10.0 0.0.0.255 any
 permit ip 192.168.108.0 0.0.0.255 any

Now ICMP works to the other local network, but to the WAN (e.g. 1.1.1.1) it doesn't work. And I get this log:

Feb 12 07:03:00 192.168.109.12 : IP: s=192.168.108.10 (BDI108), d=255.255.255.255, len 148, policy match
Feb 12 07:03:00 192.168.109.12 : IP: s=192.168.108.10 (BDI108), d=255.255.255.255 (BDI81), len 148, policy routed
Feb 12 07:03:00 192.168.109.12 : IP: BDI108 to BDI81 192.168.33.225

This redirects only some traffic sent directly from router [R] to broadcast.
Why don't I have any log from ICMP to the local network?

I also tested this from a second router [R2] (different vendor). I connected it to VLAN 108, addressed it 192.168.108.254 and created a new network (10.77.77.0/24) behind it without NAT. I added this network to the ACL:

ip access-list extended cccc-WAN
 permit ip 10.21.10.0 0.0.0.255 any
 permit ip 192.168.108.0 0.0.0.255 any
 permit ip 10.77.77.0 0.0.0.255 any


Check that the new network is reachable from the ASR:

ASR902#ping 10.77.77.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.77.77.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/8 ms

And in the logs I don't have any entry.

192.168.108.10 is a MikroTik
192.168.108.254 is a FortiGate

I tested this with many combinations, with/without HSRP, and the result is still the same.

Next Update

We tested many solutions and found one:

ip access-list extended cccc-WAN
 permit ip 172.21.10.0 0.0.0.255 object-group INTERNET
 permit ip 10.77.77.0 0.0.0.255 object-group INTERNET

object-group network INTERNET
 range 1.0.0.1 9.255.255.255
 range 11.0.0.1 172.15.255.255
 range 172.32.0.1 192.167.255.255
 range 192.169.0.1 223.255.255.255

route-map routemap permit 10
 match ip address cccc-WAN
 set ip next-hop 192.168.33.225

So it looks like when we use "any" as the destination address it doesn't work!

Why??

I am glad that you found one that does work. The difference between what works and using any is that the one that works excludes the private class A 10.0.0.0/8, private class B 172.16.0.0/12, and private class C 192.168.0.0/16, while using any would include these networks.

HTH

Rick

You mean this form of ACL:

ip access-list extended cccc-WAN
 deny ip 172.21.10.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny ip 172.21.10.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny ip 172.21.10.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny ip 10.77.77.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny ip 10.77.77.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny ip 10.77.77.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 172.21.10.0 0.0.0.255 any
 permit ip 10.77.77.0 0.0.0.255 any


route-map routemap permit 10
 match ip address cccc-WAN
 set ip next-hop 192.168.33.225

We tested this but it didn't work. Tomorrow I will test it again.

The second case is why this form doesn't work:

set ip default next-hop 192.168.33.225

and what is a correct example of using it, because the documentation is wrong.

Update

Yes, I confirm this form DOESN'T work:

ip access-list extended cccc-WAN
 deny ip 172.21.10.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny ip 172.21.10.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny ip 172.21.10.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny ip 10.77.77.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny ip 10.77.77.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny ip 10.77.77.0 0.0.0.255 192.168.0.0 0.0.255.255 
 permit ip 172.21.10.0 0.0.0.255 any
 permit ip 10.77.77.0 0.0.0.255 any

The public network (e.g. 8.8.8.8) works, private networks don't work.

When I change the form of the next-hop to

set ip default next-hop 192.168.33.225

the effect is inverted, but it doesn't work simultaneously for both networks, private and public.
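The thread turns on two things: why the "any" destination breaks the local LANs under `set ip next-hop`, and what `set ip default next-hop` is documented to do instead. Below is an added example, written for this page and not code from the thread or from Cisco, that models both in Python: IOS extended-ACL matching (wildcard masks, `any`, `object-group` ranges, first match, implicit deny) and the two PBR set forms evaluated against a constructed routing table built from the addresses the poster gives. The model encodes the documented semantics; the poster reports that `set ip default next-hop` did not behave this way on their ASR 902, which the model does not attempt to explain. `DEFAULT_GW` is an assumption, since the thread never states the router's normal default route.

```python
import ipaddress
from typing import Callable, List, Tuple

# Added model (not Cisco code) of IOS extended-ACL matching and of the two PBR
# "set" forms from the thread, evaluated against a constructed RIB built from
# the topology the poster describes. DEFAULT_GW is an assumption: the thread
# never states the router's normal default route.

IPv4 = ipaddress.IPv4Address
Matcher = Callable[[IPv4], bool]
ACE = Tuple[str, Matcher, Matcher]          # (action, source, destination)
RIB = List[Tuple[str, str]]                 # (prefix, next hop)


def any_addr() -> Matcher:
    """The ACL keyword 'any'."""
    return lambda ip: True


def wild(network: str, wildcard: str) -> Matcher:
    """IOS wildcard mask: a 1 bit in the wildcard means 'don't care'."""
    n, w = int(IPv4(network)), int(IPv4(wildcard))
    care = ~w & 0xFFFFFFFF
    return lambda ip: (int(ip) & care) == (n & care)


def object_group(ranges: List[Tuple[str, str]]) -> Matcher:
    """'object-group network' made of inclusive 'range lo hi' entries."""
    bounds = [(int(IPv4(lo)), int(IPv4(hi))) for lo, hi in ranges]
    return lambda ip: any(lo <= int(ip) <= hi for lo, hi in bounds)


def acl_permits(acl: List[ACE], src: str, dst: str) -> bool:
    """First matching entry decides; an implicit 'deny ip any any' ends the list."""
    s, d = IPv4(src), IPv4(dst)
    for action, sm, dm in acl:
        if sm(s) and dm(d):
            return action == "permit"
    return False


def rib_lookup(rib: RIB, dst: str) -> Tuple[ipaddress.IPv4Network, str]:
    """Longest-prefix match; 0.0.0.0/0 is the default route."""
    d = IPv4(dst)
    hits = [(ipaddress.ip_network(p), nh) for p, nh in rib if d in ipaddress.ip_network(p)]
    if not hits:
        raise LookupError(f"no route to {dst}")
    return max(hits, key=lambda hit: hit[0].prefixlen)


def forward(acl: List[ACE], set_form: str, pbr_nh: str, rib: RIB, src: str, dst: str) -> str:
    """Next hop used for a packet src->dst entering the interface that carries the policy.

    'next-hop'         = set ip next-hop: the policy next hop always wins.
    'default next-hop' = set ip default next-hop: the policy next hop is used only
                         when the RIB has no explicit route, i.e. only 0.0.0.0/0 matches.
    """
    route, rib_nh = rib_lookup(rib, dst)
    if not acl_permits(acl, src, dst):
        return rib_nh                       # "policy rejected -- normal forwarding"
    if set_form == "next-hop":
        return pbr_nh
    if set_form == "default next-hop":
        return pbr_nh if route.prefixlen == 0 else rib_nh
    raise ValueError(set_form)


PBR_NH = "192.168.33.225"
DEFAULT_GW = "192.168.33.226"   # assumed normal default gateway, not given in the thread

RIB_THREAD: RIB = [                           # constructed from the thread's topology
    ("192.168.108.0/24", "connected BDI108"),
    ("192.168.33.224/28", "connected BDI81"),
    ("172.21.10.0/24", "192.168.108.10"),     # behind the MikroTik [R]
    ("10.77.77.0/24", "192.168.108.254"),     # behind the FortiGate [R2]
    ("0.0.0.0/0", DEFAULT_GW),
]

SOURCES = [wild("172.21.10.0", "0.0.0.255"), wild("10.77.77.0", "0.0.0.255")]
INTERNET = object_group([("1.0.0.1", "9.255.255.255"), ("11.0.0.1", "172.15.255.255"),
                         ("172.32.0.1", "192.167.255.255"), ("192.169.0.1", "223.255.255.255")])
PRIVATE = [wild("10.0.0.0", "0.255.255.255"), wild("172.16.0.0", "0.15.255.255"),
           wild("192.168.0.0", "0.0.255.255")]

# The three ACL shapes tried in the thread.
ACL_ANY: List[ACE] = [("permit", s, any_addr()) for s in SOURCES]
ACL_OBJGRP: List[ACE] = [("permit", s, INTERNET) for s in SOURCES]
ACL_DENY_PRIVATE: List[ACE] = ([("deny", s, p) for s in SOURCES for p in PRIVATE]
                               + [("permit", s, any_addr()) for s in SOURCES])


def compare(src: str, dst: str) -> dict:
    """Next hop chosen for src->dst under each ACL / set-form combination."""
    out = {}
    for acl_name, acl in (("any", ACL_ANY), ("object-group", ACL_OBJGRP), ("deny-private", ACL_DENY_PRIVATE)):
        for form in ("next-hop", "default next-hop"):
            out[(acl_name, form)] = forward(acl, form, PBR_NH, RIB_THREAD, src, dst)
    return out


if __name__ == "__main__":
    for dst in ("8.8.8.8", "10.77.77.1", "192.168.108.50"):
        for (acl_name, form), nh in compare("172.21.10.10", dst).items():
            print(f"172.21.10.10 -> {dst:15} acl={acl_name:13} set ip {form:16} => {nh}")
```

Running it shows the two failure modes side by side: with `permit ... any` and `set ip next-hop`, a packet from 172.21.10.10 to 10.77.77.1 or to 192.168.108.50 is policy-routed to 192.168.33.225 even though the RIB has a connected or more specific route, which is exactly "gateway works, local LANs don't". The object-group and deny-private ACLs leave those destinations unmatched, so they fall through to normal forwarding, while 8.8.8.8 still goes to the PBR next hop. Under the documented `set ip default next-hop` semantics the plain `any` ACL would already give the right answer for both cases, because the explicit routes take precedence and only default-route destinations are redirected.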