02-03-2011 05:36 AM - edited 03-04-2019 11:18 AM
Hello everyone,
I have been using a route map to pick WAN exit points (PBR) on a 3725 router. This has been working fine with /24 networks. I am trying to pick the first /28 piece out of the 10.1.1.0 network and send it out a different exit from the rest of that network. I have tried the /28 entry at the start and end of the route map, although I thought the first match would stop any further route map processing. The entry does not seem to have any effect, as traffic from all addresses in the 10.1.1.0 /24 network exits per the "route-map 10-LAN permit 11" section.
access-list 5 remark Ten Dot 1 low 63 IPs
access-list 5 remark SDM_ACL Category=2
access-list 5 remark Ten Dot One Low 63 IPs
access-list 5 permit 10.1.1.0 0.0.0.63 log
access-list 11 remark TenDotOne
access-list 11 remark SDM_ACL Category=2
access-list 11 remark Staff Network
access-list 11 permit 10.1.1.0 0.0.0.255
route-map 10-LAN permit 5
match ip address 5
set ip next-hop 12.x.x.x 192.168.100.1 192.168.0.1
!
route-map 10-LAN permit 11
match ip address 11
set ip next-hop 192.168.0.1 12.159.137.193 192.168.100.1
!
route-map 10-LAN permit 63
match ip address 5
set ip next-hop 12.x.x.x 192.168.100.1 192.168.0.1
interface FastEthernet0/1
description Downstream to LAN$ETH-LAN$$FW_INSIDE$
ip address 12.x.x.x 255.255.255.252
ip access-group 102 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip policy route-map 10-LAN
duplex auto
speed auto
no mop enabled
Thanks for any advice,
Mark LeBlanc
02-03-2011 06:16 AM
Hi,
To clarify what you want: you want the first 63 addresses (from .1 to .62) from .1 to .255 to take another path than the other addresses from .63 to .254, is it so?
If so, ACL 5 is OK. Can you do sh access-list and verify you're hitting ACL 5, and also that ACL 102 is not interfering?
You can also do a debug ip policy.
Regards.
Alain.
02-03-2011 07:38 AM
Thanks for the response, Alain.
Yes, that is what I am trying to do.
Standard IP access list 5
10 permit 10.1.1.0, wildcard bits 0.0.0.63 log (112 matches)
Standard IP access list 11
10 permit 10.1.1.0, wildcard bits 0.0.0.255 (526087 matches)
030738: Feb 3 09:56:06.073 EST: %SEC-6-IPACCESSLOGNP: list 5 permitted 0 10.1.1.35 -> 72.21.203.145, 8 packets
030739: Feb 3 09:57:28.938 EST: %SEC-6-IPACCESSLOGNP: list 5 permitted 0 10.1.1.55 -> 63.233.110.41, 1 packet
The access list seems to be working, but the route-map is still not altering the path as desired.
Is there a way to log the route-map process?
Mark
02-03-2011 10:00 AM
Hi,
Is there a way to log the route-map process?
No,
You'll have to do debug ip policy to debug PBR
Regards.
Alain.
02-03-2011 10:34 AM
The access lists are simple...
Standard IP access list 5
10 permit 10.1.1.0, wildcard bits 0.0.0.63 log (1059 matches)
Standard IP access list 11
10 permit 10.1.1.0, wildcard bits 0.0.0.255 (5106274 matches)
The access list seems to be working...
052837: Feb 3 13:12:33.915 EST: %SEC-6-IPACCESSLOGNP: list 5 permitted 0 10.1.1.33 -> 207.138.133.168, 1 packet
052838: Feb 3 13:12:46.680 EST: %SEC-6-IPACCESSLOGNP: list 5 permitted 0 10.1.1.20 -> 207.138.133.240, 1 packet
052839: Feb 3 13:12:51.368 EST: %SEC-6-IPACCESSLOGNP: list 5 permitted 0 10.1.1.63 -> 69.31.38.131, 1 packet
052840: Feb 3 13:12:53.828 EST: %SEC-6-IPACCESSLOGNP: list 5 permitted 0 10.1.1.37 -> 198.63.231.44, 1 packet
052841: Feb 3 13:13:06.749 EST: %SEC-6-IPACCESSLOGNP: list 5 permitted 0 10.1.1.62 -> 96.6.170.54, 14 packets
052842: Feb 3 13:14:06.752 EST: %SEC-6-IPACCESSLOGNP: list 5 permitted 0 10.1.1.10 -> 208.80.152.118, 26 packets
052843: Feb 3 13:14:06.752 EST: %SEC-6-IPACCESSLOGNP: list 5 permitted 0 10.1.1.10 -> 204.236.217.203, 80 packets
052844: Feb 3 13:15:06.760 EST: %SEC-6-IPACCESSLOGNP: list 5 permitted 0 10.1.1.10 -> 199.7.57.72, 26 packets
052845: Feb 3 13:17:31.416 EST: %SEC-6-IPACCESSLOGNP: list 5 permitted 0 10.1.1.61 -> 69.31.38.105, 1 packet
052846: Feb 3 13:18:06.770 EST: %SEC-6-IPACCESSLOGNP: list 5 permitted 0 10.1.1.33 -> 207.138.133.168, 14 packets
052847: Feb 3 13:18:06.770 EST: %SEC-6-IPACCESSLOGNP: list 5 permitted 0 10.1.1.20 -> 207.138.133.240, 14 packets
052848: Feb 3 13:18:06.770 EST: %SEC-6-IPACCESSLOGNP: list 5 permitted 0 10.1.1.63 -> 69.31.38.131, 47 packets
052849: Feb 3 13:18:06.770 EST: %SEC-6-IPACCESSLOGNP: list 5 permitted 0 10.1.1.37 -> 198.63.231.44, 14 packets
but the route-map seems to be ignoring it...
route-map 10-LAN, permit, sequence 5
Match clauses:
ip address (access-lists): 5
Set clauses:
ip next-hop 12.x.x.x 192.168.100.1 192.168.0.1
Policy routing matches: 0 packets, 0 bytes
route-map 10-LAN, permit, sequence 11
Match clauses:
ip address (access-lists): 11
Set clauses:
ip next-hop 192.168.0.1 12.x.x.x 192.168.100.1
Policy routing matches: 4743632 packets, 703335411 bytes
Output from debug ip policy shows that all 10.1.1.x traffic is being routed the same way...
058570: Feb 3 13:24:00.330 EST: IP: s=10.1.1.10 (FastEthernet0/1), d=69.147.86.184, len 52, FIB policy match
058571: Feb 3 13:24:00.330 EST: IP: s=10.1.1.10 (FastEthernet0/1), d=69.147.86.184, g=192.168.0.1, len 52, FIB policy routed
058572: Feb 3 13:24:00.338 EST: IP: s=10.1.1.207 (FastEthernet0/1), d=66.235.143.118, len 52, FIB policy match
058573: Feb 3 13:24:00.338 EST: IP: s=10.1.1.207 (FastEthernet0/1), d=66.235.143.118, g=192.168.0.1, len 52, FIB policy routed
I have been searching extensively online, but I just don't see anything obvious.
Thanks,
Mark
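Two things in the posted configuration are easy to misread, and the debug output above shows the consequence. First, an IOS wildcard of 0.0.0.63 matches 64 addresses (10.1.1.0 through 10.1.1.63, a /26), not the /28 described in the opening post. Second, a route-map is evaluated top down and the first permit sequence whose match clause succeeds wins, so sequence 63 sits behind sequence 5 with an identical ACL and can never fire. The Python script below is an added example, not code from the thread or from Cisco. It models the ACLs and route-map from the first post (the 12.x.x.x next hops are redacted on the page and are kept as labels), reports which sequence a given source address should hit, flags shadowed sequences, and checks the "FIB policy routed" lines from the debug ip policy output above against the next hop the matched sequence would choose. It assumes the first configured next hop of a sequence is the reachable one; it does not explain why the router counted 0 matches on sequence 5.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


def wildcard_to_network(address: str, wildcard: str) -> ipaddress.IPv4Network:
    """Translate an IOS 'address wildcard' pair into a CIDR prefix.

    A wildcard bit of 1 means 'don't care'. Only contiguous wildcards
    (0.0.0.63, 0.0.0.255, ...) correspond to a single prefix; anything else
    raises so a reviewer notices instead of silently mis-sizing the range.
    """
    wc = int(ipaddress.IPv4Address(wildcard))
    mask = ~wc & 0xFFFFFFFF
    # A contiguous mask looks like 1...10...0; OR-ing with mask-1 fills the zeros.
    if (mask | (mask - 1)) & 0xFFFFFFFF != 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    prefix_len = bin(mask).count("1")
    return ipaddress.IPv4Network(f"{address}/{prefix_len}", strict=False)


# Constructed model of the posted standard ACLs (they match the source only).
ACLS = {
    5: [wildcard_to_network("10.1.1.0", "0.0.0.63")],    # 64 addresses: a /26
    11: [wildcard_to_network("10.1.1.0", "0.0.0.255")],  # the whole /24
}


@dataclass
class Sequence:
    number: int            # route-map sequence number
    acl: int               # ACL referenced by 'match ip address'
    next_hops: List[str]   # 'set ip next-hop' list as posted (12.x.x.x is redacted)


# Constructed model of 'route-map 10-LAN' as posted in the first message.
ROUTE_MAP_10_LAN = [
    Sequence(5, 5, ["12.x.x.x", "192.168.100.1", "192.168.0.1"]),
    Sequence(11, 11, ["192.168.0.1", "12.x.x.x", "192.168.100.1"]),
    Sequence(63, 5, ["12.x.x.x", "192.168.100.1", "192.168.0.1"]),
]


def pbr_sequence(route_map: List[Sequence], src: str) -> Optional[int]:
    """Return the first permit sequence whose ACL permits the source address.

    IOS walks the route-map top down and stops at the first sequence whose
    match clauses succeed. A packet matching nothing is forwarded normally
    ("FIB policy rejected(no match) - normal forwarding" in debug ip policy).
    """
    addr = ipaddress.IPv4Address(src)
    for seq in route_map:
        if any(addr in net for net in ACLS[seq.acl]):
            return seq.number
    return None


def shadowed_sequences(route_map: List[Sequence]) -> List[int]:
    """Sequences that can never match because earlier sequences already cover
    every address they permit (a lint check; IOS does not report this)."""
    shadowed = []
    for i, seq in enumerate(route_map):
        earlier = [n for s in route_map[:i] for n in ACLS[s.acl]]
        if all(any(net.subnet_of(e) for e in earlier) for net in ACLS[seq.acl]):
            shadowed.append(seq.number)
    return shadowed


# Matches the 'FIB policy routed' form of debug ip policy output shown in the thread.
POLICY_ROUTED = re.compile(
    r"IP: s=(?P<src>[\d.]+) \(\S+\), d=(?P<dst>[\d.]+), g=(?P<gw>[\d.]+), "
    r"len \d+, FIB policy routed"
)

# Constructed sample: the two 'policy routed' lines quoted in the post above.
DEBUG_LINES = [
    "058571: Feb 3 13:24:00.330 EST: IP: s=10.1.1.10 (FastEthernet0/1), "
    "d=69.147.86.184, g=192.168.0.1, len 52, FIB policy routed",
    "058573: Feb 3 13:24:00.338 EST: IP: s=10.1.1.207 (FastEthernet0/1), "
    "d=66.235.143.118, g=192.168.0.1, len 52, FIB policy routed",
]


def check_debug_lines(route_map: List[Sequence],
                      lines: List[str]) -> List[Tuple[str, Optional[int], str, bool]]:
    """For each policy-routed packet: (source, expected sequence, gateway used,
    gateway == first next hop of that sequence). Assumes the first configured
    next hop is reachable, which is how IOS picks among several next hops."""
    results = []
    for line in lines:
        m = POLICY_ROUTED.search(line)
        if not m:
            continue  # 'FIB policy match' and other lines carry no gateway
        seq_no = pbr_sequence(route_map, m["src"])
        expected = None
        if seq_no is not None:
            expected = next(s.next_hops[0] for s in route_map if s.number == seq_no)
        results.append((m["src"], seq_no, m["gw"], m["gw"] == expected))
    return results


if __name__ == "__main__":
    print("ACL 5 covers", ACLS[5][0], "=", ACLS[5][0].num_addresses, "addresses")
    for src in ("10.1.1.10", "10.1.1.63", "10.1.1.64", "10.1.1.207", "192.168.0.50"):
        print(f"{src:15} -> sequence {pbr_sequence(ROUTE_MAP_10_LAN, src)}")
    print("shadowed sequences:", shadowed_sequences(ROUTE_MAP_10_LAN))
    for row in check_debug_lines(ROUTE_MAP_10_LAN, DEBUG_LINES):
        print("debug line:", row)
```

Run as a script it prints that ACL 5 is 10.1.1.0/26 with 64 addresses, that 10.1.1.63 still lands in sequence 5 while 10.1.1.64 is the first address to reach sequence 11, that sequence 63 is shadowed, and that the 10.1.1.10 packet in the debug output went to 192.168.0.1, which is sequence 11's first next hop rather than sequence 5's. A wildcard of 0.0.0.15 is what a /28 would need; passing it to wildcard_to_network shows the 16-address range.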
02-03-2011 11:08 AM
Mark,
Do you see a route for 12.x.x.x when you do sh ip route?
Manish
02-03-2011 11:36 AM
Hello Manish,
show ip route:
Gateway of last resort is 12.x.x.193 to network 0.0.0.0
S 172.16.0.0/16 [1/0] via 12.x.x.198
S 10.0.0.0/8 [1/0] via 12.x.x.198
C 192.168.0.0/24 is directly connected, FastEthernet1/0
12.0.0.0/8 is variably subnetted, 4 subnets, 3 masks
S 12.x.x.96/27 [1/0] via 12.159.137.198
S 12.x.x.200/29 [1/0] via 12.159.137.198
C 12.x.x.192/30 is directly connected, FastEthernet2/0
C 12.x.x.196/30 is directly connected, FastEthernet0/1
C 192.168.100.0/24 is directly connected, FastEthernet1/1
S* 0.0.0.0/0 [5/0] via 12.x.x.193
debug ip policy:
058948: Feb 3 14:17:21.018 EST: IP: s=12.x.x.114 (FastEthernet0/1), d=12.127.16.67, len 56, FIB policy rejected(no match) - normal forwarding
Trace from a PC on 12.x.x.96 /27 LAN
U:\>tracert yahoo.com
Tracing route to yahoo.com [67.195.160.76]
over a maximum of 30 hops:
1 428 ms <1 ms <1 ms 12.x.x.126
2 2 ms 1 ms <1 ms 12.x.x.197
3 1 ms 1 ms <1 ms 12.x.x.193
4 6 ms 11 ms 8 ms 12.x.x.209
5 75 ms 12 ms 11 ms cr1.cb1ma.ip.att.net [12.122.145.66]
6 13 ms 13 ms 12 ms cr2.n54ny.ip.att.net [12.122.31.125]
7 15 ms 10 ms 10 ms 12.122.81.133
8 34 ms 32 ms 32 ms 192.205.37.78
9 39 ms 36 ms 34 ms vlan69.csw1.NewYork1.Level3.net [4.68.16.62]
10 32 ms 38 ms 32 ms ae-71-71.ebr1.NewYork1.Level3.net [4.69.134.69]
11 36 ms 32 ms 35 ms ae-10-10.ebr2.Washington12.Level3.net [4.69.148.50
12 32 ms 32 ms 33 ms ae-5-5.ebr2.Washington1.Level3.net [4.69.143.221]
13 35 ms 33 ms 34 ms ae-62-62.csw1.Washington1.Level3.net [4.69.134.146
14 171 ms 32 ms 35 ms ae-11-60.car1.Washington1.Level3.net [4.69.149.3]
15 18 ms 16 ms 16 ms YAHOO-INC.car1.Washington1.Level3.net [4.79.228.2]
16 39 ms 39 ms 573 ms xe-7-0-0.msr2.ac2.yahoo.com [216.115.108.129]
17 34 ms 64 ms 43 ms xe-10-2-0.clr3.ac4.yahoo.com [72.30.96.11]
18 18 ms 23 ms 17 ms UNKNOWN-76-13-0-X.yahoo.com [76.13.0.27]
19 17 ms 18 ms 17 ms ir1.fp.vip.ac4.yahoo.com [67.195.160.76]
Trace complete.
Thanks,
Mark
02-03-2011 12:16 PM
Can you try the following :-
from :-
route-map 10-LAN permit 5
match ip address 5
set ip next-hop 12.x.x.193 192.168.100.1 192.168.0.1
To :-
route-map 10-LAN permit 5
match ip address 5
set ip next-hop 12.x.x.194 192.168.100.1 192.168.0.1
Given that .194 is the address of one of your local interfaces. Then again, I haven't tested this, so make sure you play easy on the production network.
Manish
02-03-2011 12:52 PM
Show ip int brief:
FastEthernet0/1 12.x.x.197 YES NVRAM up up
FastEthernet1/0 192.168.0.2 YES NVRAM up up
FastEthernet1/1 192.168.100.2 YES NVRAM up up
FastEthernet2/0 12.x.x.194 YES NVRAM up up
The next hops that have worked previously with /24 networks:
12.x.x.193, 192.168.0.1, 192.168.100.1
my issue seems to be related to the /28 subnet
Thanks,
Mark
02-03-2011 02:39 PM
Mark,
I would try one last thing: since there isn't an explicit route for the destination where your /26 is headed, I would use set interface rather than set ip next-hop.
So, in the route map change set ip next-hop to set interface f 2/0. Then see if the hit count increases in the policy matches.
Manish
02-03-2011 03:20 PM
Yes, /26 not /28.
Since the next hop is an Ethernet interface, not point-to-point, set does not like the interface option... IOS complains.
Since the show route-map does not show any matches, I don't think the set clause will ever be enforced.
Thank you for all your effort in trying to solve my issue.
Mark
02-03-2011 03:36 PM
I think I misread the information on Cisco.com, as per the following link:
http://www.cisco.com/en/US/docs/ios/12_0/qos/configuration/guide/qcpolicy.html#wp4766
Use Set default interface.
set default interface interface-type interface-number [... type ... number] = Set output interface for the packet, if there is no explicit route for this destination.
I would really like to see your NAT configuration as well, to look deeper into this.
Manish