Solved: Re: route-map application concern

Kn1ghtR1d3rOfD00m · ‎10-15-2017

Hi experts,

I have a question related to the following output route-map.

First,there is a first sequence 5 to match the private addressing space (meaning any internal resources) to follow my regular traffic, if it matches, it will skip and continue normally since there is no set clause

Second, there is a second sequence 10 to allow any other traffic (no internal resources) to go lets say Internet, that if matches the CLIENT-IPPUBLIC access-list, will be forced to the next hop 192.168.10.20

My question is, what traffic is the last sequence 100? you can see the packets, there is a lot of traffic going to this hole.

Is it the same CLIENT-IPPRIVATE traffic that is falling here?

Is it needed this sequence at the end? Ultimately, there is an implicit deny, so why would I have and want to have a last sequence if my interesting traffic is matched at the beggining, but the rest (Internet) wanted to go to the sequence 10?

Is it true that I have a lot of sequences with no set clause causes high CPU?

You see my point?

For example,

I have a local PC, it wants to talk to an internal server in another subnet, so the source is 192.168.1.10 and destination is 172.17.100.100 via http, so first, it falls in the first sequence 5 since there is no set, it will go and follow its regular ip routing table destination.

Let's say, the same PC wants to go to a public resource in the Internet, then it falls into the sequence 10, correct?

Just keep in eye in the group CLIENT-IPPRIVATE and CLIENT-IPPUBLIC acls since they contain the same source set of subnets. Please check the access-list below as well to avoid confusion.

So, then, what is the rest of the traffic (200732200 marked in the last sequence 100) that falls into sequence 100? would be the same to let the implicit does its job?

Is this a good aproach or any better idea?

router# show route-map TI-CLIENT-GUEST-PBR
route-map TI-CLIENT-GUEST-PBR, permit, sequence 5
Match clauses:
ip address (access-lists): CLIENT-IPPRIVATE
Set clauses:
Policy routing matches: 3292 packets, 837689 bytes
route-map TI-CLIENT-GUEST-PBR, permit, sequence 10
Match clauses:
ip address (access-lists): CLIENT-IPPUBLIC
Set clauses:
ip next-hop 192.168.10.20
Policy routing matches: 0 packets, 0 bytes
route-map TI-CLIENT-GUEST-PBR, permit, sequence 100
Match clauses:
Set clauses:
Policy routing matches: 200732200 packets, 272004774 bytes
router#

router#show access-list CLIENT-IPPRIVATE
Extended IP access list CLIENT-IPPRIVATE
10 permit ip addrgroup CLIENTS 172.16.0.0 0.15.255.255
20 permit ip addrgroup CLIENTS 10.0.0.0 0.255.255.255
30 permit ip addrgroup CLIENTS 192.168.0.0 0.0.255.255
router#show acce
router#show access-list CLIENT-IPPUBLIC
Extended IP access list CLIENT-IPPUBLIC
10 permit ip addrgroup CLIENTS any
router#

Julio E. Moisa · ‎10-16-2017

Hi Alex

Have you verified if the object-group is for specific IP address, probably the sequence 100 is used for the rest of the traffic. It could had been made to manipulate the traffic for one specific IP and the rest will use the normal path.

You should check what IP addresses are included on this addrgroup CLIENTS

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

View solution in original post

Meheretab Mengistu · ‎10-15-2017

Hi Alex,

So, then, what is the rest of the traffic (200732200 marked in the last sequence 100) that falls into sequence 100? would be the same to let the implicit does its job?

It is strange. Which direction did you apply the route-map? Could you share all commands related with the route-map (sh run | section route-map|access-list)?

HTH,

Meheretab

HTH,
Meheretab

Kn1ghtR1d3rOfD00m · ‎10-16-2017

HI, sure,

this is what I have, its basically the same output as the beginning, the direction, well, its basically all coming traffic into the interface

these are the access list

ip access-list extended CLIENT-IPPRIVATE
permit ip addrgroup CLIENTS 172.16.0.0 0.15.255.255
permit ip addrgroup CLIENTS 10.0.0.0 0.255.255.255
permit ip addrgroup CLIENTS 192.168.0.0 0.0.255.255
ip access-list extended CLIENT-IPPUBLIC
permit ip addrgroup CLIENTS any

this is the confi of the route-map itself

router#show route-map TI-CLIENT-GUEST-PBR
route-map TI-CLIENT-GUEST-PBR, permit, sequence 5
Match clauses:
ip address (access-lists): CLIENT-IPPRIVATE
Set clauses:
Policy routing matches: 3292 packets, 837689 bytes
route-map TI-CLIENT-GUEST-PBR, permit, sequence 10
Match clauses:
ip address (access-lists): CLIENT-IPPUBLIC
Set clauses:
ip next-hop 192.168.10.20
Policy routing matches: 0 packets, 0 bytes
route-map TI-CLIENT-GUEST-PBR, permit, sequence 100
Match clauses:
Set clauses:
Policy routing matches: 211765528 packets, 1031063827 bytes
router#

Dean Romanelli · ‎10-16-2017

Alex,

Can you do a show run and paste the route-map section as it appears in the running-config?

Kn1ghtR1d3rOfD00m · ‎10-16-2017

Hi, thanks,

Sure, here is the portion of the route-map, let me know if its ok

Regards,

router#show run

!

!
route-map TI-CLIENT-GUEST-PBR permit 5
match ip address CLIENT-IPPRIVATE
!
route-map TI-CLIENT-GUEST-PBR permit 10
match ip address CLIENT-IPPUBLIC
set ip next-hop 192.168.10.20
!
route-map TI-CLIENT-GUEST-PBR permit 100
!

Julio E. Moisa · ‎10-16-2017

Hi Alex

Have you verified if the object-group is for specific IP address, probably the sequence 100 is used for the rest of the traffic. It could had been made to manipulate the traffic for one specific IP and the rest will use the normal path.

You should check what IP addresses are included on this addrgroup CLIENTS

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

Kn1ghtR1d3rOfD00m · ‎10-16-2017

Hi Moisa,

THanks for your assistance, indeed, dont know how, but somehow the object is the same used or at least I got confused with it,

but after reviewing the running, I discovered the object inside and it has two addresses, I was wrong, so the logic is fine.

object-group ip address CLIENTS
host-info 10.69.132.225
host-info 10.69.132.251
!

thanks for your help

Jon Marshall · ‎10-16-2017

Hi Alex

Not sure what is happening with your route map but to answer your specific question, no you don't need the last statement in your route map because with PBR any traffic that does not match any of the permit statements is simply routed using the routing table.

It may be there because when you use a route map with route redistribution you often see an empty permit statement because any routes not matched specifically are filtered without an empty permit statement.

Jon

Kn1ghtR1d3rOfD00m · ‎10-16-2017

I see, thanks Jon, so there are many forms I can take actions then, depending on the requierement, but after reading a bit more, its what you are saying,

thanks for your help and taking the time