
Need Help in Route Map

arjunsawant
Level 1

Hi All..

I have two leased lines, Rel and Tata, between DC and DR, configured with EIGRP load balancing. But due to some issue my management asked me to keep a separate link for Storage/Database traffic and for other traffic.

So I have configured a route map for NAS traffic and for other (mail, etc.) traffic.

But the problem is that when I trace to my branch IP 10.2.15.1, it goes like this:

Tracert:
10.3.0.1
192.168.3.31
10.5.0.149
10.5.0.150
10.2.15.1

It should go directly:
10.3.0.1
192.168.3.31
10.2.15.1

Please find the attached file for the network diagram and config.

Thanks a lot.


Hi Ian,

For PBR you don't need to add a permit-all route-map entry, because when there is no match in the first entry the traffic is routed according to the routing table. It's not the same as route-maps for redistribution or filtering.

Regards.

Alain.

Don't forget to rate helpful posts.

Tharak Abraham
Level 3

Arjun,

Are you running any protocol between your Branch and DC?

EIGRP or static?

I understand your concern about the NAS traffic over a particular link, and PBR helps there.

Could you paste a trace from the Branch router, or from any user IP in your Branch, to the user in the DC?

Just a thought.

Between branch and DC it's static.

And this is the trace from DC to branch:
10.3.0.1
192.168.3.31
10.5.0.149
10.5.0.150
10.2.15.1

Arjun and IAN,

Can anyone show us the output of "sh ip route" here, along with "sh route-map"?

1. We need to see why the Branch traffic is being policy routed.

2. Please check the trace backwards from the Branch to the DC, just to isolate the issue to the DC router.

3. Can you please do a trace to any destination other than the NAS IP, just to make sure this ain't any config issue?

Dear All,

Thanks.

1. Please check the trace backwards from the Branch to the DC, just to isolate the issue to the DC router.

Branch#traceroute
Protocol [ip]:
Target IP address: 10.0.0.100
Source address: 10.2.15.1
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 10.0.0.100

  1 10.5.4.29 12 msec 12 msec 12 msec
  2 192.168.3.1 12 msec 16 msec 12 msec
  3 10.0.0.100 12 msec 16 msec 12 msec

2. Can you please do a trace to any destination other than the NAS IP, just to make sure this ain't any config issue?

Which destination? I can trace to Branch, NAS and the Mail server, which are directly connected via the LL (EIGRP).

DC#sh ip route 10.2.15.0
Routing entry for 10.2.15.0/24
  Known via "static", distance 1, metric 0
  Redistributing via eigrp 111
  Advertised by eigrp 111
  Routing Descriptor Blocks:
  * 10.5.4.30
      Route metric is 0, traffic share count is 1


DC#sh route-map PBR
route-map PBR, permit, sequence 10
  Match clauses:
    ip address (access-lists): NAS
  Set clauses:
    ip next-hop 10.5.0.161
  Policy routing matches: 101966311 packets, 1363714042 bytes
route-map PBR, permit, sequence 20
  Match clauses:
    ip address (access-lists): OTHER
  Set clauses:
    ip next-hop 10.5.0.149
  Policy routing matches: 367748723 packets, 3506886271 bytes
route-map PBR, permit, sequence 30
  Match clauses:
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes

Please find the attached files for the config of DC, DR and BRANCH.

Thanks a lot. Any kind of help is appreciated.

Arjun

I labbed this up in GNS and got the same results. When you remove the route-map it works fine.

Your problem is the route-map access-list in DC:

Extended IP access list OTHER
    10 deny ip host 10.0.0.175 host 10.1.2.74
    20 deny ip host 10.0.0.176 host 10.1.2.76
    30 deny ip host 10.0.0.175 host 10.1.2.76
    40 deny ip host 10.0.0.176 host 10.1.2.74
    50 permit ip any any (224 matches)

You see, you are denying 4 entries and then policy routing ALL the rest of the traffic. So all traffic that enters g0/0 in DC is routed to DR. DR then rightly sends it back. Now the traffic comes in on another interface, is routed normally by the routing table, and is correctly sent to Branch.
You need to try and specify your traffic in this access-list (I mean protocols and ports) to be more specific.
At the moment, ALL your traffic from 10.0.0.175 & 10.0.0.176 is being policy routed to 10.5.0.161; this traffic will never reach line 20 / 10.5.0.149. So the deny statements in the OTHER access-list will never get hits, and then ALL the rest of the traffic from other hosts, regardless of protocol, is policy routed to 10.5.0.149.

ip access-list extended NAS
 permit ip host 10.0.0.175 host 10.1.2.74
 permit ip host 10.0.0.176 host 10.1.2.76
 permit ip host 10.0.0.175 host 10.1.2.76
 permit ip host 10.0.0.176 host 10.1.2.74
!
ip access-list extended OTHER
 deny   ip host 10.0.0.175 host 10.1.2.74
 deny   ip host 10.0.0.176 host 10.1.2.76
 deny   ip host 10.0.0.175 host 10.1.2.76
 deny   ip host 10.0.0.176 host 10.1.2.74
 permit ip any any
!
route-map PBR permit 10
 match ip address NAS
 set ip next-hop 10.5.0.161
!
route-map PBR permit 20
 match ip address OTHER
 set ip next-hop 10.5.0.149

So you need to work on your access-lists.

Example:

ip access-list extended NAS
 ! this is just an example! - specify the protocol (tcp/udp) and the ports used by NAS
 permit tcp host 10.0.0.175 host 10.1.2.74 range 1000 5000
 permit tcp host 10.0.0.176 host 10.1.2.76 range 1000 5000
!
ip access-list extended OTHER
 ! this is just an example! - specify the other ports
 permit tcp host 10.0.0.175 host 10.1.2.74 range 1 1024
 ! DO NOT put "permit ip any any" at the end of this list, because ALL traffic entering the interface would be policy routed.
!
route-map PBR permit 10
 match ip address NAS
 set ip next-hop 10.5.0.161
!
route-map PBR permit 20
 match ip address OTHER
 set ip next-hop 10.5.0.149

Other than that, you should be fine.

HTH,
Ian
Please rate if helpful.
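An added example (not code from this thread or from Cisco) that models the evaluation Ian and Alain describe: the route-map sequences are walked in order, the first ACL that permits the packet sets the next hop, and a packet no sequence permits falls back to the routing table. With OTHER as posted, an ordinary DC host's packet to the branch is policy routed to 10.5.0.149 (DR); with the tightened OTHER it follows the static route to 10.5.4.30. The "proto"/"dport" packet fields, the port-range handling and the sample hosts 10.0.0.100 / port 2049 are assumptions I constructed.

```python
import ipaddress

# Added example, not Cisco code or code from the thread: a small model of how IOS
# walks 'route-map PBR' on the DC router, built from the ACLs quoted above.
# ACL entry: (action, proto, src, dst, ports); proto 'ip' matches any protocol,
# ports is an inclusive (low, high) destination-port range or None.
ANY = "0.0.0.0/0"
ROUTING_TABLE_NEXT_HOP = "10.5.4.30"   # from 'sh ip route 10.2.15.0' in the thread

NAS = [("permit", "ip", "10.0.0.175/32", "10.1.2.74/32", None),
       ("permit", "ip", "10.0.0.176/32", "10.1.2.76/32", None),
       ("permit", "ip", "10.0.0.175/32", "10.1.2.76/32", None),
       ("permit", "ip", "10.0.0.176/32", "10.1.2.74/32", None)]
# OTHER as posted: four denies, then 'permit ip any any'.
OTHER_ORIG = [("deny", "ip", s, d, None) for _, _, s, d, _ in NAS] + \
             [("permit", "ip", ANY, ANY, None)]
# OTHER as Ian suggests: name the traffic, no 'permit ip any any' at the end.
OTHER_FIXED = [("permit", "tcp", "10.0.0.175/32", "10.1.2.74/32", (1, 1024))]

def acl_match(acl, pkt):
    """Return 'permit' or 'deny'; an unmatched packet hits IOS's implicit deny."""
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    for action, proto, s, d, ports in acl:
        if proto not in ("ip", pkt["proto"]):
            continue
        if src not in ipaddress.ip_network(s) or dst not in ipaddress.ip_network(d):
            continue
        if ports and not ports[0] <= pkt["dport"] <= ports[1]:
            continue
        return action
    return "deny"

def policy_route(route_map, pkt):
    """First sequence whose ACL permits the packet sets the next hop; a packet no
    sequence permits goes to the routing table (Alain's point: no permit-all needed)."""
    for seq, acl, next_hop in route_map:
        if acl_match(acl, pkt) == "permit":
            return seq, next_hop
    return None, ROUTING_TABLE_NEXT_HOP

def pbr(other_acl):
    return [(10, NAS, "10.5.0.161"), (20, other_acl, "10.5.0.149")]

# Constructed samples: an ordinary DC host tracing to the branch, and NAS traffic.
BRANCH_PKT = {"src": "10.0.0.100", "dst": "10.2.15.1", "proto": "icmp", "dport": 0}
NAS_PKT = {"src": "10.0.0.175", "dst": "10.1.2.74", "proto": "tcp", "dport": 2049}

if __name__ == "__main__":
    print("OTHER as posted:", policy_route(pbr(OTHER_ORIG), BRANCH_PKT))
    print("OTHER fixed:    ", policy_route(pbr(OTHER_FIXED), BRANCH_PKT))
    print("NAS traffic:    ", policy_route(pbr(OTHER_FIXED), NAS_PKT))
```

The first line of output reproduces the extra hops in Arjun's trace (next hop 10.5.0.149 toward DR); the second shows the same packet taking the static route once the catch-all permit is gone.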

Ian,

Stars for taking the time to lab it up and also follow through on this one.

Regards,

Kishore
