Route-Map for Policy Based Routing

mnleblanc
Level 1

Hello everyone,

I have been using a route map to pick WAN exit points (PBR) on a 3725 router. This has been working fine with /24 networks. I am trying to pick the first /28 piece out of the 10.1.1.0 network and send it out a different exit from the rest of that network. I have tried the /28 entry at the start and end of the route map, although I thought the first match would stop any further route map processing. The entry does not seem to have any effect, as traffic from all addresses in the 10.1.1.0 /24 network exits per the "route-map 10-LAN permit 11" section.

access-list 5 remark Ten Dot 1 low 63 IPs

access-list 5 remark SDM_ACL Category=2
access-list 5 remark Ten Dot One Low 63 IPs
access-list 5 permit 10.1.1.0 0.0.0.63 log

access-list 11 remark TenDotOne
access-list 11 remark SDM_ACL Category=2
access-list 11 remark Staff Network
access-list 11 permit 10.1.1.0 0.0.0.255

route-map 10-LAN permit 5
match ip address 5
set ip next-hop 12.x.x.x 192.168.100.1 192.168.0.1
!
route-map 10-LAN permit 11
match ip address 11
set ip next-hop 192.168.0.1 12.159.137.193 192.168.100.1
!
route-map 10-LAN permit 63
match ip address 5
set ip next-hop 12.x.x.x 192.168.100.1 192.168.0.1

interface FastEthernet0/1
description Downstream to LAN$ETH-LAN$$FW_INSIDE$
ip address 12.x.x.x 255.255.255.252
ip access-group 102 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip policy route-map 10-LAN
duplex auto
speed auto
no mop enabled

Thanks for any advice,

Mark LeBlanc

11 Replies

cadet alain
VIP Alumni

Hi,

To clarify what you want: you want the first 63 addresses (from .1 to .62) from .1 to .255 to take another path than the other addresses from .63 to .254, is it so?

If so, ACL 5 is OK. Can you do sh access-list and verify you're hitting ACL 5, and also that ACL 102 is not interfering?

You can also do a debug ip policy.

Regards.

Alain.

Don't forget to rate helpful posts.

Thanks for the response, Alain.

Yes, that is what I am trying to do.

Standard IP access list 5
    10 permit 10.1.1.0, wildcard bits 0.0.0.63 log (112 matches)

Standard IP access list 11
    10 permit 10.1.1.0, wildcard bits 0.0.0.255 (526087 matches)

030738: Feb  3 09:56:06.073 EST: %SEC-6-IPACCESSLOGNP: list 5 permitted 0 10.1.1.35 -> 72.21.203.145, 8 packets
030739: Feb  3 09:57:28.938 EST: %SEC-6-IPACCESSLOGNP: list 5 permitted 0 10.1.1.55 -> 63.233.110.41, 1 packet

The access list seems to be working, but the route-map is still not altering the path as desired.

Is there a way to log the route-map process?

Mark

Hi,

Is there a way to log the route-map process?

No,

You'll have to do debug ip policy to debug PBR.

Regards.

Alain.

Don't forget to rate helpful posts.

The access lists are simple...

Standard IP access list 5
    10 permit 10.1.1.0, wildcard bits 0.0.0.63 log (1059 matches)
Standard IP access list 11
    10 permit 10.1.1.0, wildcard bits 0.0.0.255 (5106274 matches)

The access list seems to be working...

052837: Feb  3 13:12:33.915 EST: %SEC-6-IPACCESSLOGNP: list 5 permitted 0 10.1.1.33 -> 207.138.133.168, 1 packet
052838: Feb  3 13:12:46.680 EST: %SEC-6-IPACCESSLOGNP: list 5 permitted 0 10.1.1.20 -> 207.138.133.240, 1 packet
052839: Feb  3 13:12:51.368 EST: %SEC-6-IPACCESSLOGNP: list 5 permitted 0 10.1.1.63 -> 69.31.38.131, 1 packet
052840: Feb  3 13:12:53.828 EST: %SEC-6-IPACCESSLOGNP: list 5 permitted 0 10.1.1.37 -> 198.63.231.44, 1 packet
052841: Feb  3 13:13:06.749 EST: %SEC-6-IPACCESSLOGNP: list 5 permitted 0 10.1.1.62 -> 96.6.170.54, 14 packets
052842: Feb  3 13:14:06.752 EST: %SEC-6-IPACCESSLOGNP: list 5 permitted 0 10.1.1.10 -> 208.80.152.118, 26 packets
052843: Feb  3 13:14:06.752 EST: %SEC-6-IPACCESSLOGNP: list 5 permitted 0 10.1.1.10 -> 204.236.217.203, 80 packets
052844: Feb  3 13:15:06.760 EST: %SEC-6-IPACCESSLOGNP: list 5 permitted 0 10.1.1.10 -> 199.7.57.72, 26 packets
052845: Feb  3 13:17:31.416 EST: %SEC-6-IPACCESSLOGNP: list 5 permitted 0 10.1.1.61 -> 69.31.38.105, 1 packet
052846: Feb  3 13:18:06.770 EST: %SEC-6-IPACCESSLOGNP: list 5 permitted 0 10.1.1.33 -> 207.138.133.168, 14 packets
052847: Feb  3 13:18:06.770 EST: %SEC-6-IPACCESSLOGNP: list 5 permitted 0 10.1.1.20 -> 207.138.133.240, 14 packets
052848: Feb  3 13:18:06.770 EST: %SEC-6-IPACCESSLOGNP: list 5 permitted 0 10.1.1.63 -> 69.31.38.131, 47 packets
052849: Feb  3 13:18:06.770 EST: %SEC-6-IPACCESSLOGNP: list 5 permitted 0 10.1.1.37 -> 198.63.231.44, 14 packets


but the route-map seems to be ignoring it...

route-map 10-LAN, permit, sequence 5
  Match clauses:
    ip address (access-lists): 5
  Set clauses:
    ip next-hop 12.x.x.x 192.168.100.1 192.168.0.1
  Policy routing matches: 0 packets, 0 bytes
route-map 10-LAN, permit, sequence 11
  Match clauses:
    ip address (access-lists): 11
  Set clauses:
    ip next-hop 192.168.0.1 12.x.x.x 192.168.100.1
  Policy routing matches: 4743632 packets, 703335411 bytes

output from debug ip policy shows that all 10.1.1.x traffic is being routed the same way...


058570: Feb  3 13:24:00.330 EST: IP: s=10.1.1.10 (FastEthernet0/1), d=69.147.86.184, len 52, FIB policy match
058571: Feb  3 13:24:00.330 EST: IP: s=10.1.1.10 (FastEthernet0/1), d=69.147.86.184, g=192.168.0.1, len 52, FIB policy routed
058572: Feb  3 13:24:00.338 EST: IP: s=10.1.1.207 (FastEthernet0/1), d=66.235.143.118, len 52, FIB policy match
058573: Feb  3 13:24:00.338 EST: IP: s=10.1.1.207 (FastEthernet0/1), d=66.235.143.118, g=192.168.0.1, len 52, FIB policy routed

I've been searching extensively online, but I just don't see anything obvious.

Thanks,

Mark
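As an added example (not part of the thread, and not Cisco code), a small Python model of what the route-map quoted above should do: it converts ACL 5's wildcard into a prefix (0.0.0.63 is a /26, 64 addresses, not a /28), walks the sequences in first-match order, and checks the "FIB policy routed" lines from the debug ip policy output against the sequence that should have matched. The ACL and route-map tables are transcribed from the posts; the redacted "12.x.x.x" next-hop is kept as an opaque string.

```python
import ipaddress
import re

# Constructed from the configuration quoted in the thread; "12.x.x.x" is the
# poster's redacted next-hop and is kept as an opaque string.
ACLS = {
    5: [("10.1.1.0", "0.0.0.63")],    # wildcard 0.0.0.63 = 64 addresses = a /26, not a /28
    11: [("10.1.1.0", "0.0.0.255")],
}
ROUTE_MAP = [  # (sequence, matched ACL, next-hops in configured order)
    (5, 5, ["12.x.x.x", "192.168.100.1", "192.168.0.1"]),
    (11, 11, ["192.168.0.1", "12.x.x.x", "192.168.100.1"]),
    (63, 5, ["12.x.x.x", "192.168.100.1", "192.168.0.1"]),
]

def wildcard_to_network(addr, wildcard):
    """Turn an IOS address/wildcard pair into a network (contiguous wildcards only)."""
    wc = int(ipaddress.IPv4Address(wildcard))
    host_bits = wc.bit_length()
    if wc != (1 << host_bits) - 1:
        raise ValueError("non-contiguous wildcard %s" % wildcard)
    return ipaddress.ip_network("%s/%d" % (addr, 32 - host_bits), strict=False)

def acl_permits(acl_id, src):
    """Standard ACL semantics: permit if any entry covers the source address."""
    return any(ipaddress.IPv4Address(src) in wildcard_to_network(a, w)
               for a, w in ACLS[acl_id])

def expected_sequence(src):
    """Walk the route-map in order; the first sequence whose ACL permits wins.
    Returns (sequence, next-hops) or None for normal forwarding."""
    for seq, acl, hops in ROUTE_MAP:
        if acl_permits(acl, src):
            return seq, hops
    return None

DEBUG_RE = re.compile(r"IP: s=(?P<src>[\d.]+) \(\S+\), d=[\d.]+, g=(?P<gw>[\d.]+),.*FIB policy routed")

def check_debug_line(line):
    """Compare one 'FIB policy routed' line from debug ip policy with the model.
    Returns (src, expected sequence, observed gateway, consistent) or None for other
    lines. 'consistent' means the gateway is the first next-hop of the expected
    sequence; IOS falls back to later next-hops when the first is unreachable, so
    False is a lead to confirm with show route-map counters, not proof."""
    m = DEBUG_RE.search(line)
    if not m:
        return None
    hit = expected_sequence(m["src"])
    if hit is None:
        return m["src"], None, m["gw"], False
    return m["src"], hit[0], m["gw"], m["gw"] == hit[1][0]
```

Run against the two routed lines in the post, 10.1.1.10 should have hit sequence 5 but was sent to 192.168.0.1 (sequence 11's first next-hop), while 10.1.1.207 is consistent with sequence 11.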

Mark,

Do you see a route for 12.x.x.x when you do sh ip route?

Manish

Hello Manish,

show ip route:

Gateway of last resort is 12.x.x.193 to network 0.0.0.0

S    172.16.0.0/16 [1/0] via 12.x.x.198
S    10.0.0.0/8 [1/0] via 12.x.x.198
C    192.168.0.0/24 is directly connected, FastEthernet1/0
     12.0.0.0/8 is variably subnetted, 4 subnets, 3 masks
S       12.x.x.96/27 [1/0] via 12.159.137.198
S       12.x.x.200/29 [1/0] via 12.159.137.198
C       12.x.x.192/30 is directly connected, FastEthernet2/0
C       12.x.x.196/30 is directly connected, FastEthernet0/1
C    192.168.100.0/24 is directly connected, FastEthernet1/1
S*   0.0.0.0/0 [5/0] via 12.x.x.193

debug ip policy:

058948: Feb  3 14:17:21.018 EST: IP: s=12.x.x.114 (FastEthernet0/1), d=12.127.16.67, len 56, FIB policy rejected(no match) - normal forwarding

Trace from a PC on 12.x.x.96 /27 LAN

U:\>tracert yahoo.com

Tracing route to yahoo.com [67.195.160.76]
over a maximum of 30 hops:

  1   428 ms    <1 ms    <1 ms  12.x.x.126
  2     2 ms     1 ms    <1 ms  12.x.x.197
  3     1 ms     1 ms    <1 ms  12.x.x.193
  4     6 ms    11 ms     8 ms  12.x.x.209
  5    75 ms    12 ms    11 ms  cr1.cb1ma.ip.att.net [12.122.145.66]
  6    13 ms    13 ms    12 ms  cr2.n54ny.ip.att.net [12.122.31.125]
  7    15 ms    10 ms    10 ms  12.122.81.133
  8    34 ms    32 ms    32 ms  192.205.37.78
  9    39 ms    36 ms    34 ms  vlan69.csw1.NewYork1.Level3.net [4.68.16.62]
10    32 ms    38 ms    32 ms  ae-71-71.ebr1.NewYork1.Level3.net [4.69.134.69]
11    36 ms    32 ms    35 ms  ae-10-10.ebr2.Washington12.Level3.net [4.69.148.50
12    32 ms    32 ms    33 ms  ae-5-5.ebr2.Washington1.Level3.net [4.69.143.221]
13    35 ms    33 ms    34 ms  ae-62-62.csw1.Washington1.Level3.net [4.69.134.146
14   171 ms    32 ms    35 ms  ae-11-60.car1.Washington1.Level3.net [4.69.149.3]
15    18 ms    16 ms    16 ms  YAHOO-INC.car1.Washington1.Level3.net [4.79.228.2]
16    39 ms    39 ms   573 ms  xe-7-0-0.msr2.ac2.yahoo.com [216.115.108.129]
17    34 ms    64 ms    43 ms  xe-10-2-0.clr3.ac4.yahoo.com [72.30.96.11]
18    18 ms    23 ms    17 ms  UNKNOWN-76-13-0-X.yahoo.com [76.13.0.27]
19    17 ms    18 ms    17 ms  ir1.fp.vip.ac4.yahoo.com [67.195.160.76]

Trace complete.

Thanks,

Mark

Can you try the following :-

from :-

route-map 10-LAN permit 5
match ip address 5
set ip next-hop 12.x.x.193 192.168.100.1 192.168.0.1

To :-

route-map 10-LAN permit 5
match ip address 5
set ip next-hop 12.x.x.194  192.168.100.1 192.168.0.1

Given that .194 is the address of one of your local interfaces. Then again, I haven't tested this, so make sure you play easy on the production network.

Manish

Show ip int brief:

FastEthernet0/1            12.x.x.197            YES NVRAM       up                    up
FastEthernet1/0            192.168.0.2          YES NVRAM       up                    up
FastEthernet1/1            192.168.100.2       YES NVRAM       up                    up
FastEthernet2/0            12.x.x.194            YES NVRAM       up                    up

The next hops that have worked previously with /24 networks:

12.x.x.193, 192.168.0.1, 192.168.100.1 

My issue seems to be related to the /28 subnet.

Thanks,

Mark

Mark,

I would try one last thing. Since there isn't an explicit route for the destination where your /26 is headed, I would use set interface rather than set ip next-hop.

So, in the route map change set ip next-hop to set interface f 2/0. Then see if the hit count increases in the policy matches.

Manish

Yes, /26 not /28.

Since the next hop is an Ethernet interface, not point-to-point, set does not like the interface option... IOS complains.

Since the show route-map does not show any matches, I don't think the set clause will ever be enforced.

Thank you for all your effort in trying to solve my issue.

Mark

I think I misread the information on Cisco.com, as per the following link:

http://www.cisco.com/en/US/docs/ios/12_0/qos/configuration/guide/qcpolicy.html#wp4766

Use Set default interface.

set default interface interface-type interface-number [... type ... number] = Set output interface for the packet, if there is no explicit route for this destination.

I would really like to see your NAT configuration as well, to look deeper into this.

Manish
