Prefix-list and ACL strange behaviour. What's the difference?

Vadim Semenov
Level 1

Could you please explain the reason why it doesn't work:

I want to set up conditional NAT just to redirect one kind of traffic through ISP1 (10.x.x.x) and another kind of traffic (192.168.0.0/21) to ISP2. I use a route-map with a match condition using an ACL, but it doesn't match the required traffic (the counters in the route-map don't increase). If I change the ACL match condition to a prefix-list, the counters increase!

The second step is configuring the NAT conditions:

ip nat inside source route-map ISP1 int gig0/1 overload and

ip nat inside source route-map ISP2 int gig0/1 overload

And in route-map ISP2 I use a prefix-list and it doesn't work (there are no translations in NAT); after I change the prefix-list to an ACL, translations begin to happen.

Could you please explain the difference in how prefix-lists and ACLs work?

CONFIG:

interface GigabitEthernet0/2
description *** INSIDE ***
ip address 10.1.x.x 255.255.255.192
ip policy route-map WiFi_TO_ISP2

!

route-map WiFi_TO_ISP2, permit, sequence 10
Match clauses:
ip address prefix-lists: WiFi_Users
Set clauses:
ip default next-hop x.x.x.x
Policy routing matches: 3110917 packets, 732226412 bytes <- It works only with the prefix-list!


route-map WiFi_TO_ISP2, permit, sequence 20
Match clauses:
Set clauses:
Policy routing matches: 78107 packets, 30482815 bytes

!

ip nat inside source route-map TO->ISP1 interface GigabitEthernet0/1 overload
ip nat inside source route-map TO->ISP2 interface GigabitEthernet0/0 overload

!

route-map TO->ISP2, permit, sequence 10
Match clauses:
ip address (access-lists): 101 <- It's a fact, but it works only with the ACL!
Set clauses:
Policy routing matches: 0 packets, 0 bytes

#sh route-map TO->ISP1
route-map TO->ISP1, permit, sequence 10
Match clauses:
ip address (access-lists): 100
Set clauses:
Policy routing matches: 0 packets, 0 bytes

!
ip prefix-list WiFi_Users seq 5 permit 192.168.0.0/21
!

Access-lists for NAT:
access-list 100 permit ip 10.x.x.x 0.255.255.255 any
access-list 101 permit ip 192.168.0.0 0.0.7.255 any

OUTPUT

#sh ip nat statistics
Total active translations: 1314 (5 static, 1309 dynamic; 1314 extended)
Peak translations: 18610, occurred 5d08h ago
Outside interfaces:
GigabitEthernet0/0, GigabitEthernet0/1
Inside interfaces:
GigabitEthernet0/2
[Id: 5] route-map TO->ISP1 interface GigabitEthernet0/1 refcount 810
[Id: 6] route-map TO->ISP2 interface GigabitEthernet0/0 refcount 494

1 Reply

Vadim Semenov
Level 1

I also recreated this in a lab.

I created a NAT rule; one time I used a prefix-list (result: there are no NAT translations) and another time I used an access-list (result: NAT translations exist).
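The thread asks what differs between a prefix-list match and an ACL match. As an added example, not part of the original posts and not Cisco's own code, here is a small Python model of the two match semantics as IOS applies them: an extended ACL entry tests a packet's source and destination addresses against wildcard masks, while an ip prefix-list entry tests a prefix (network plus length) and, without ge/le, matches only that exact prefix length. It uses the thread's access-list 101 and prefix-list WiFi_Users verbatim; the packet addresses and the 'le 32' variant are constructed for the demonstration and are not from the thread (access-list 100 is left out because its network is masked in the post).

```python
import ipaddress


def _wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS ACL address test: wildcard bits set to 1 are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def acl_permits(acl, src: str, dst: str) -> bool:
    """Evaluate an extended ACL, a list of (action, src, src_wc, dst, dst_wc),
    against one packet's source/destination. First match wins; implicit deny."""
    for action, snet, swc, dnet, dwc in acl:
        if _wildcard_match(src, snet, swc) and _wildcard_match(dst, dnet, dwc):
            return action == "permit"
    return False


def prefix_list_permits(plist, prefix: str) -> bool:
    """Evaluate an ip prefix-list, a list of (action, 'net/len', ge, le),
    against one prefix. An entry without ge/le matches only that exact prefix
    length; 'ge' alone means lengths [ge, 32]; 'le' alone means [len, le].
    First match wins; implicit deny."""
    route = ipaddress.IPv4Network(prefix, strict=False)
    for action, entry, ge, le in plist:
        net = ipaddress.IPv4Network(entry, strict=False)
        lo = net.prefixlen if ge is None else ge
        if le is not None:
            hi = le
        elif ge is not None:
            hi = 32
        else:
            hi = net.prefixlen
        if route.subnet_of(net) and lo <= route.prefixlen <= hi:
            return action == "permit"
    return False


# From the thread: access-list 101 permit ip 192.168.0.0 0.0.7.255 any
ACL_101 = [("permit", "192.168.0.0", "0.0.7.255", "0.0.0.0", "255.255.255.255")]
# From the thread: ip prefix-list WiFi_Users seq 5 permit 192.168.0.0/21
WIFI_USERS = [("permit", "192.168.0.0/21", None, None)]
# Assumed variant, not in the thread: the same entry with 'le 32'
WIFI_USERS_LE32 = [("permit", "192.168.0.0/21", None, 32)]


def demo():
    """Constructed packets and prefixes; returns the match results by name."""
    return {
        # A packet from a WiFi host is matched by ACL 101 ...
        "acl_wifi_host": acl_permits(ACL_101, "192.168.3.5", "8.8.8.8"),
        # ... and a host just outside 192.168.0.0/21 is not.
        "acl_outside_block": acl_permits(ACL_101, "192.168.8.1", "8.8.8.8"),
        # The prefix-list matches the /21 route itself ...
        "pl_exact_21": prefix_list_permits(WIFI_USERS, "192.168.0.0/21"),
        # ... but not a host or a /24 inside it: only the exact length matches.
        "pl_host_32": prefix_list_permits(WIFI_USERS, "192.168.3.5/32"),
        "pl_subnet_24": prefix_list_permits(WIFI_USERS, "192.168.3.0/24"),
        # Adding 'le 32' widens the entry to every length from /21 to /32.
        "pl_le32_host": prefix_list_permits(WIFI_USERS_LE32, "192.168.3.5/32"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The model shows why the two objects are not interchangeable: an ACL answers "does this packet fall in the range", a prefix-list answers "is this prefix, at this length, covered". NAT classifies packets, which is consistent with the poster's observation that only the ACL-based route-map produced translations. Two checks worth making on the real router: the "Policy routing matches" counter in show route-map is incremented by PBR, so read show ip nat translations rather than that counter when judging a NAT route-map; and traffic that matches neither NAT route-map is sent out untranslated with its private source address, so confirm both ISP paths translate before relying on the split.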
