Problem with policy routing on a 3560 layer 3 switch

billy_vaughn (Level 1)

I'm having an issue with policy routing on a 3560 switch running 12.2(50)SE1. We have the layer 3 switch routing for this remote location and its default route is to the router that connects to our WAN across a Verizon MPLS circuit. I have two VLANs created on the layer 3 switch. VLAN 1 is the default VLAN for all the clients. VLAN 2 is connected to an ASA firewall that is connected to a business class DSL line. We are trying to route the CEO's internet traffic at this location out the DSL connection. We also have a video conferencing system that is on VLAN 2 and has its default gateway set to the ASA. We are able to make video calls through the ASA and over the DSL. Here's where the problem starts. I've created an access-list and a route-map to identify the traffic but I'm not seeing any matches for anything destined for the internet. I've applied the route-map to VLAN 1. Any help would be greatly appreciated.

ip access-list extended BV_TEST_PBR

deny   ip host 10.8.9.48 23.1.1.0 0.0.0.63     (The deny statements are for internal traffic that should go across the MPLS)

deny   ip host 10.8.9.48 10.8.0.0 0.0.255.255

deny   ip host 10.8.9.48 10.1.0.0 0.0.255.255

permit ip host 10.8.9.48 any    (This should catch anything outside the networks I'm denying)

route-map BV_TEST_PBR permit 10

match ip address BV_TEST_PBR

set ip next-hop 10.8.10.254 ( This is the ASA inside interface)

ICSL3_SW#sh access-list BV_TEST_PBR  (I have lots of matches for internal traffic but only 2 for other. I've done extensive internet browsing and no matches)

Extended IP access list BV_TEST_PBR

    10 deny ip host 10.8.9.48 23.1.1.0 0.0.0.63 (2480 matches)

    20 deny ip host 10.8.9.48 10.8.0.0 0.0.255.255 (102 matches)

    30 deny ip host 10.8.9.48 10.1.0.0 0.0.255.255 (13285 matches)

    40 permit ip host 10.8.9.48 any (2 matches)

ICSL3_SW#sh route-map BV_TEST_PBR

route-map BV_TEST_PBR, permit, sequence 10

  Match clauses:

    ip address (access-lists): BV_TEST_PBR

  Set clauses:

    ip next-hop 10.8.10.254

  Policy routing matches: 2 packets, 684 bytes (Hardly any matches even though I've been doing quite a bit of surfing and jumping around to different sites.)

ICSL3_SW#
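The following is an added example and not code from the thread: a small Python simulator of the decision the posted route-map makes for a packet from the CEO's host that arrives on Vlan1. It encodes the IOS PBR semantics that matter here: the ACL named by "match ip address" is walked top-down and the first match wins; a "permit" match means the clause applies and the packet goes to the "set ip next-hop" address; a "deny" match (or no match at all, the implicit deny) does not drop anything, it just means the packet is not policy-routed and is forwarded by the normal routing table. The addresses are the ones posted above; the routing table is an assumed simplification (the two connected SVIs plus the static default) and ignores EIGRP-learned routes, and the sample flows are constructed.

```python
"""Added example, not from the original thread: simulate the decision the posted
route-map BV_TEST_PBR makes for a packet received on Vlan1.

IOS PBR semantics modelled here:
  - the ACL named by 'match ip address' is walked top-down, first match wins;
  - a 'permit' match means the clause applies and the packet is sent to the
    'set ip next-hop' address;
  - a 'deny' match, or no match (the implicit deny), means the packet is NOT
    policy-routed and is forwarded by the normal routing table instead.
The routing table below is an assumed simplification (connected SVIs plus the
static default) and ignores EIGRP-learned routes.
"""
import ipaddress

# ip access-list extended BV_TEST_PBR, as (action, source spec, destination spec)
BV_TEST_PBR = [
    ("deny",   "host 10.8.9.48", "23.1.1.0 0.0.0.63"),
    ("deny",   "host 10.8.9.48", "10.8.0.0 0.0.255.255"),
    ("deny",   "host 10.8.9.48", "10.1.0.0 0.0.255.255"),
    ("permit", "host 10.8.9.48", "any"),
]
PBR_NEXT_HOP = "10.8.10.254"      # set ip next-hop (ASA inside interface)

# Simplified RIB: (prefix, next hop); None means directly connected.
ROUTING_TABLE = [
    (ipaddress.ip_network("10.8.8.0/23"),  None),          # Vlan1
    (ipaddress.ip_network("10.8.10.0/24"), None),          # Vlan2
    (ipaddress.ip_network("0.0.0.0/0"),    "10.8.8.254"),  # ip route 0.0.0.0 0.0.0.0 10.8.8.254
]


def _parse_spec(spec: str):
    """Turn an IOS address spec ('any', 'host A', or 'A W') into (address, wildcard) ints."""
    parts = spec.split()
    if parts == ["any"]:
        return 0, 0xFFFFFFFF
    if parts[0] == "host":
        return int(ipaddress.IPv4Address(parts[1])), 0
    addr, wild = parts
    return int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wild))


def spec_matches(spec: str, ip: str) -> bool:
    """Wildcard-mask match: bits set to 1 in the wildcard are don't-care bits."""
    addr, wild = _parse_spec(spec)
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)


def acl_lookup(acl, src: str, dst: str) -> str:
    """First-match evaluation; returns 'permit', 'deny' or 'implicit-deny'."""
    for action, s, d in acl:
        if spec_matches(s, src) and spec_matches(d, dst):
            return action
    return "implicit-deny"


def rib_lookup(dst: str) -> str:
    """Longest-prefix match in the simplified routing table."""
    a = ipaddress.ip_address(dst)
    best = max((n for n, _ in ROUTING_TABLE if a in n), key=lambda n: n.prefixlen)
    nh = dict(ROUTING_TABLE)[best]
    return nh if nh is not None else f"connected ({best})"


def next_hop(src: str, dst: str):
    """Where the switch sends src->dst received on Vlan1, and why."""
    verdict = acl_lookup(BV_TEST_PBR, src, dst)
    if verdict == "permit":
        return PBR_NEXT_HOP, "policy-routed by BV_TEST_PBR"
    return rib_lookup(dst), f"normal routing ({verdict} in BV_TEST_PBR)"


if __name__ == "__main__":
    # Constructed sample flows: CEO host to the internet, to an internal net,
    # to the address just past the 23.1.1.0 0.0.0.63 deny range, and another
    # host on Vlan1 to the internet (not policy-routed at all).
    for src, dst in [("10.8.9.48", "198.51.100.10"), ("10.8.9.48", "10.1.254.50"),
                     ("10.8.9.48", "23.1.1.64"), ("10.8.9.50", "198.51.100.10")]:
        print(f"{src} -> {dst}: {next_hop(src, dst)}")
```

The 23.1.1.64 case is worth noticing: the wildcard 0.0.0.63 only covers 23.1.1.0 through 23.1.1.63, so anything beyond that in 23.1.1.0/24 falls through to the "permit ... any" entry and gets sent to the ASA. The simulator shows the forwarding decision; on a 3560 the ACL and route-map counters cannot be relied on for that, as the replies below explain.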

5 Replies

Peter Paluch (Cisco Employee)

Billy,

Would it be possible to post your entire configuration, or, at least, the configuration pertaining to the routing on your multilayer switch?

Best regards,

Peter

Jon Marshall (Hall of Fame)

Billy

In addition to Peter's request. Looking at the "permits" in a PBR acl on a L3 switch is not a good indication of whether it is working or not because most of the packets will be hardware switched and therefore don't register as hits on the acl.

To test your PBR use traceroute from your source IP to see if it is being directed to the ASA.

Jon
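As an added example (not from the thread), here is a small Python helper that turns the traceroute test Jon suggests into a repeatable check. From a client on Vlan1 the first hop is always the switch SVI (10.8.8.253); the second hop is the tell: 10.8.8.254 means the packet followed the static default to the MPLS router, anything else means it was policy-routed toward the ASA. One caveat the code handles: by default an ASA does not decrement TTL, so it normally does not show up as a hop at all, and the DSL path will typically show a timeout or the ISP gateway at hop 2 rather than 10.8.10.254. The traceroute outputs below are constructed samples in Windows tracert format (the parser also accepts Unix traceroute lines); the ISP address 203.0.113.1 is a placeholder.

```python
"""Added example, not from the original thread: decide from a client's traceroute
output which egress path (MPLS router or ASA/DSL) its traffic actually took.

Assumptions (from the thread): clients sit on Vlan1 behind SVI 10.8.8.253, and
the MPLS router is the static default next hop 10.8.8.254. An ASA does not
decrement TTL by default, so the DSL path usually shows a timeout or the ISP
gateway at hop 2 instead of the ASA itself. The sample outputs are constructed.
"""
import re

SWITCH_SVI = "10.8.8.253"
MPLS_ROUTER = "10.8.8.254"
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed sample: PBR not in effect, traffic follows the default route.
SAMPLE_VIA_MPLS = """\
Tracing route to 8.8.8.8 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  10.8.8.253
  2     1 ms     1 ms     1 ms  10.8.8.254
  3    12 ms    11 ms    12 ms  10.1.254.1
"""

# Constructed sample: PBR in effect, the ASA is invisible and the ISP gateway
# (placeholder address) answers as hop 3.
SAMPLE_VIA_DSL = """\
Tracing route to 8.8.8.8 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  10.8.8.253
  2     *        *        *     Request timed out.
  3    25 ms    24 ms    26 ms  203.0.113.1
"""


def parse_hops(output: str):
    """Return one entry per hop line: the responding IPv4 address, or None on timeout.

    Works for Windows tracert and Unix traceroute: a hop line starts with the hop
    number, and the responder is the first IPv4 literal after it (Unix prints it
    as 'name (a.b.c.d)', so parentheses are stripped before matching).
    """
    hops = []
    for line in output.splitlines():
        parts = line.split()
        if not parts or not parts[0].isdigit():
            continue  # banner line such as 'Tracing route to ...'
        ip = next((p.strip("()") for p in parts[1:] if IPV4.match(p.strip("()"))), None)
        hops.append(ip)
    return hops


def egress_path(output: str) -> str:
    """Classify the path as 'mpls', 'dsl' or 'unknown' from the first two hops."""
    hops = parse_hops(output)
    if len(hops) < 2 or hops[0] != SWITCH_SVI:
        return "unknown"  # not sourced from a Vlan1 client, or never got past hop 1
    # Hop 2 is the switch's chosen next hop. If it is the MPLS router, PBR did
    # not apply. Anything else (including a silent ASA) means the DSL path.
    return "mpls" if hops[1] == MPLS_ROUTER else "dsl"


if __name__ == "__main__":
    print("via MPLS sample:", egress_path(SAMPLE_VIA_MPLS))
    print("via DSL sample: ", egress_path(SAMPLE_VIA_DSL))
```

A second check that does not depend on traceroute is the one Billy ends up using: look up the public address seen by an external site and compare it with the DSL NAT address on the ASA rather than the MPLS egress address.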

Here's the config. I tried the traceroute and it was going back across our MPLS network. Interesting fact about the way the PBR works.

Building configuration...

Current configuration : 5492 bytes

!

! Last configuration change at 11:22:41 CST Wed Jun 22 2011 by bvaughn

! NVRAM config last updated at 20:02:13 CST Tue Jun 21 2011 by bvaughn

!

version 12.2

service nagle

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime

service timestamps log datetime msec localtime

service password-encryption

no service dhcp

!

hostname ICSL3_SW

!

boot-start-marker

boot-end-marker

!

logging buffered informational

enable secret 5 $1$xZMy$u.SRFfZnUOlHoiX9nO3wS.

!

username sshadmin password 7 124B080211031A54232821

aaa new-model

!

!

aaa authentication login default group tacacs+ local

!

!

!

aaa session-id common

clock timezone CST -6

system mtu routing 1500

ip subnet-zero

ip routing

no ip domain-lookup

ip domain-name corp.rmic.com

!

!

!

password encryption aes

!

!

!

!

!

!

!

spanning-tree mode pvst

spanning-tree etherchannel guard misconfig

spanning-tree extend system-id

!

vlan internal allocation policy ascending

!

ip tcp synwait-time 10

!

!

!

interface FastEthernet0/1

!

interface FastEthernet0/2

!

interface FastEthernet0/3

!

interface FastEthernet0/4

!

interface FastEthernet0/5

!

interface FastEthernet0/6

!

interface FastEthernet0/7

!

interface FastEthernet0/8

!

interface FastEthernet0/9

!

interface FastEthernet0/10

!

interface FastEthernet0/11

!

interface FastEthernet0/12

!

interface FastEthernet0/13

!

interface FastEthernet0/14

speed 100

duplex full

!

interface FastEthernet0/15

!

interface FastEthernet0/16

!

interface FastEthernet0/17

!

interface FastEthernet0/18

!

interface FastEthernet0/19

!

interface FastEthernet0/20

!

interface FastEthernet0/21

!

interface FastEthernet0/22

!

interface FastEthernet0/23

switchport mode access

speed 100

duplex full

!

interface FastEthernet0/24

!

interface FastEthernet0/25

!

interface FastEthernet0/26

!

interface FastEthernet0/27

!

interface FastEthernet0/28

!

interface FastEthernet0/29

!

interface FastEthernet0/30

!

interface FastEthernet0/31

switchport access vlan 2

!

interface FastEthernet0/32

!

interface FastEthernet0/33

!

interface FastEthernet0/34

!

interface FastEthernet0/35

!

interface FastEthernet0/36

description To ASA Firewall

switchport access vlan 2

!

interface FastEthernet0/37

description Omega ILO

speed 100

duplex full

!

interface FastEthernet0/38

description Omega

speed 100

duplex full

!

interface FastEthernet0/39

description To ICS 244

switchport trunk encapsulation dot1q

switchport mode trunk

speed 100

duplex full

!

interface FastEthernet0/40

description To ICS 245

switchport trunk encapsulation dot1q

switchport mode access

speed 100

duplex full

!

interface FastEthernet0/41

description To ICS 246

switchport trunk encapsulation dot1q

switchport mode trunk

speed 100

duplex full

!

interface FastEthernet0/42

description To ICS 247

switchport trunk encapsulation dot1q

switchport mode trunk

speed 100

duplex full

!

interface FastEthernet0/43

description To ICS 248

switchport trunk encapsulation dot1q

switchport mode trunk

speed 100

duplex full

!

interface FastEthernet0/44

description To ICS 249

switchport trunk encapsulation dot1q

switchport mode trunk

speed 100

duplex full

!

interface FastEthernet0/45

description To ICS 250

switchport trunk encapsulation dot1q

switchport mode trunk

speed 100

duplex full

!

interface FastEthernet0/46

description To ICS 251

switchport trunk encapsulation dot1q

switchport mode trunk

speed 100

duplex full

!

interface FastEthernet0/47

description To ICS 252

switchport trunk encapsulation dot1q

switchport mode trunk

speed 100

duplex full

!

interface FastEthernet0/48

description To ICS RTR

speed 100

duplex full

!

interface GigabitEthernet0/1

shutdown

!

interface GigabitEthernet0/2

shutdown

!

interface GigabitEthernet0/3

shutdown

!

interface GigabitEthernet0/4

shutdown

!

interface Vlan1

description ICSDefGat

ip address 10.8.8.253 255.255.254.0

ip policy route-map BV_TEST_PBR

!

interface Vlan2

description VideoConf

ip address 10.8.10.253 255.255.255.0

!

!

router eigrp 110

passive-interface FastEthernet0/36

no auto-summary

network 10.0.0.0

!

ip classless

ip route 0.0.0.0 0.0.0.0 10.8.8.254

no ip http server

no ip http secure-server

!

!

ip access-list extended BV_TEST_PBR

deny   ip host 10.8.9.48 23.1.1.0 0.0.0.63

deny   ip host 10.8.9.48 10.8.0.0 0.0.255.255

deny   ip host 10.8.9.48 10.1.0.0 0.0.255.255

permit ip host 10.8.9.48 any

ip access-list extended CN_ACL

deny   ip host 10.8.9.113 10.1.0.0 0.0.255.255

deny   ip host 10.8.9.113 10.8.0.0 0.0.255.255

deny   ip host 10.8.9.113 23.1.1.0 0.0.0.63

deny   ip host 10.8.9.48 23.1.1.0 0.0.0.63

deny   ip host 10.8.9.48 10.8.0.0 0.0.255.255

deny   ip host 10.8.9.48 10.1.0.0 0.0.255.255

permit ip host 10.8.9.113 any

permit ip host 10.8.9.48 any

!

logging 10.10.1.200

route-map CN_PBR permit 10

match ip address CN_ACL

set ip next-hop 10.8.10.254

!

route-map BV_TEST_PBR permit 10

match ip address BV_TEST_PBR

set ip next-hop 10.8.10.254

!

!

snmp-server community ******* RO

tacacs-server host 10.1.254.50 key 7 01010B0D58180E0E33494A

tacacs-server host 10.1.254.51 key 7 095E43001A161F13190900

tacacs-server directed-request

!

control-plane

!

banner motd ^Cogin#

This device is private property. Unauthorized access is not permitted. If you are unauthorized to access this device, you MUST disconnect immediate^C

!

line con 0

line vty 0 4

transport input ssh

line vty 5 15

transport input ssh

!

ntp clock-period 36028518

ntp server 10.1.254.254

end

I wanted to update this post and let you know that it is working. Not sure why I had not thought about this earlier but I just Googled "what's my IP address" and it's showing the correct NAT IP address. I'm used to doing policy routing on a router and it normally shows correctly on the ACL and route-map matches, so I was a little thrown off by the numbers.

Jon,

Very true. Those pesky counters are increased only for software-switched traffic

Best regards,

Peter
