route-map on svi

Amafsha1
Level 2

Hello, I'm a little confused about this route-map on this interface vlan 999.

So if I'm understanding this correctly, anything that wants to come into int vlan 999 with a source address that is in the "force-out-fw" ACL, which consists of the "permit-out-fw" and "internal-networks" ACLs, will be denied from entering this interface vlan 999. The 2nd part of the route-map is saying that anything with a source address that is in the "ACL_PERMIT" ACL will have to be redirected to 172.21.5.1? Am I on the right page here?

NexusCore#
interface Vlan999
no shutdown
no ip redirects
ip address 172.27.250.2/24
no ipv6 redirects
ip router eigrp 1
ip passive-interface eigrp 1
ip policy route-map PBR11
hsrp version 2
hsrp 300
priority 105 forwarding-threshold lower 1 upper 105
ip 172.27.250.1

NexusCore# sh route-map PBR11
route-map PBR11, deny, sequence 10
Match clauses:
ip address (access-lists): FORCE-OUT-FW
Set clauses:
route-map PBR11, permit, sequence 20
Match clauses:
ip address (access-lists): ACL_PERMIT
Set clauses:
ip next-hop 172.21.5.1


IP access list FORCE-OUT-FW
10 permit ip addrgroup Permit-Out-FW addrgroup INTERNAL-NETWORKS

object-group ip address Permit-Out-FW
10 host 172.27.250.151
20 host 172.28.24.5
25 host 172.28.24.237
30 host 172.28.24.239


object-group ip address INTERNAL-NETWORKS
10 10.99.0.0/16
20 10.0.0.0/24
30 10.1.0.0/23
40 10.24.0.0/16
50 10.124.0.0/16
60 10.151.0.0/16
70 10.200.0.0/16
80 172.16.0.0/12
90 192.168.0.0/16


ip access-list ACL_PERMIT
10 permit ip 172.27.250.151/32 any
11 permit ip 172.28.24.5/32 any

Accepted Solution

If the original poster deletes instance 10 of the route map then things will definitely change. If you look at the acl used in the second instance

ip access-list ACL_PERMIT
10 permit ip 172.27.250.151/32 any
11 permit ip 172.28.24.5/32 any

The 2 host addresses here also appear in the ACL for instance 10. The way it works now is that traffic from these two hosts with destination Internal networks gets normal routing, and traffic from these hosts to other destinations gets policy routed. If instance 10 is removed, then traffic from these hosts to Internal networks will be policy routed. That is a significant change in behavior.

Bottom line: leave the route map the way that it is.

HTH

Rick

20 Replies

Hello,

your route-map sequence has no set clause, so the traffic will pass the interface and be routed according to the RIB.

route-map PBR11, deny, sequence 10
Match clauses:
ip address (access-lists): FORCE-OUT-FW
Set clauses:

So what about the permit sequence 20 that sets the next-hop to 172.21.5.1?

That traffic will be routed to the next hop specified, 172.21.5.1.

OK, to summarize: sequence 10 does pretty much nothing, right? So if I were to remove sequence 10 right now, nothing on the network would change.

For sequence 20, anything that has a source address that matches ACL_PERMIT will be redirected to 172.21.5.1?

In theory, yes, that is how it should work. What is the output of 'show route-map PBR11' ?

OK, thank you for your help. I put the output in the original description at the top.

The output should have lines like:

Policy routing matches: 0 packets, 0 bytes

which tell you what sequences in the policy have what matches. Do you see that in your output?

When I put in "sho route-map PBR11", what I pasted above is all that I see. Is there another command?

Not sure why there is no such line...

Either way, send traffic from 172.27.250.151 to somewhere else, so that it has to go through interface Vlan 999. Is that traffic dropped or forwarded according to the routing table?

OK, I will do that test ASAP, and that was actually going to be my next question. Because the "ACL_PERMIT" ACL has 172.27.250.151 in it, but that is an IP address in the range of vlan 999... so that's kind of confusing. It's like saying that anything with a source address of 172.27.250.151 should be redirected to 172.21.5.1?

But nothing with a source address of 172.27.250.151 will ever go back into its own interface, right? Seems weird.

Hello,

not sure what you mean. 172.27.250.2 is the interface address, 172.27.250.151 is a host in that subnet, so any traffic originating from that host should somehow go through the interface...

bad wording on my part

Hello

@Amafsha1 wrote:

Hello, I'm a little confused about this route-map on this interface vlan 999.

So if I'm understanding this correctly, anything that wants to come into int vlan 999 with a source address that is in the "force-out-fw" ACL, which consists of the "permit-out-fw" and "internal-networks" ACLs, will be denied from entering this interface vlan 999. The 2nd part of the route-map is saying that anything with a source address that is in the "ACL_PERMIT" ACL will have to be redirected to 172.21.5.1? Am I on the right page here?

Anything that hits sequence 10 WON'T be policy-routed but normally routed; however, ACL_PERMIT traffic pertaining to sequence 20 will be policy-routed.

Kind Regards
Paul
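Added example, not from this thread or from Cisco: a small Python model of how the policy route-map is evaluated, using the object groups, ACLs and route-map PBR11 exactly as posted in the question. It demonstrates the point made in Rick's accepted solution and in Paul's reply above: a matching deny sequence (sequence 10) exempts the packet from policy routing and hands it to the normal routing table rather than dropping it, while sequence 20 redirects the two ACL_PERMIT hosts to 172.21.5.1 only for destinations that are not in INTERNAL-NETWORKS. The sample flows and the outside destination 203.0.113.9 are constructed for the example; the semantics modelled (first-match ACL with implicit deny, a deny route-map sequence meaning "not policy-routed") are the Cisco behaviour the replies describe, and nothing beyond that (VRFs, next-hop reachability tracking, hardware programming) is modelled.

```python
"""Model of how an NX-OS policy route-map is evaluated, using the config posted in this thread.

Point illustrated: a *deny* sequence in a PBR route-map does not drop traffic. It ends
policy-routing evaluation for the matching packet, which is then forwarded normally via
the RIB. Only a *permit* sequence with a set clause actually redirects traffic.
"""
import ipaddress

# Object groups, transcribed from the posted "object-group ip address" output.
OBJECT_GROUPS = {
    "Permit-Out-FW": [
        "172.27.250.151/32", "172.28.24.5/32", "172.28.24.237/32", "172.28.24.239/32",
    ],
    "INTERNAL-NETWORKS": [
        "10.99.0.0/16", "10.0.0.0/24", "10.1.0.0/23", "10.24.0.0/16", "10.124.0.0/16",
        "10.151.0.0/16", "10.200.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    ],
}

# ACLs as (action, source spec, destination spec). A spec is a prefix, "addrgroup <name>"
# or "any"; every ACL ends with an implicit deny.
ACLS = {
    "FORCE-OUT-FW": [
        ("permit", "addrgroup Permit-Out-FW", "addrgroup INTERNAL-NETWORKS"),
    ],
    "ACL_PERMIT": [
        ("permit", "172.27.250.151/32", "any"),
        ("permit", "172.28.24.5/32", "any"),
    ],
}

# route-map PBR11 as (sequence, action, match ACL, "set ip next-hop" value or None).
ROUTE_MAP_PBR11 = [
    (10, "deny", "FORCE-OUT-FW", None),
    (20, "permit", "ACL_PERMIT", "172.21.5.1"),
]


def _spec_matches(spec, addr):
    """True if addr is covered by an ACE address field ('any', 'addrgroup NAME' or a prefix)."""
    if spec == "any":
        return True
    if spec.startswith("addrgroup "):
        prefixes = OBJECT_GROUPS[spec.split(" ", 1)[1]]
    else:
        prefixes = [spec]
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


def acl_matches(acl_name, src, dst):
    """First-match ACL lookup for a 'match ip address <acl>' clause.

    Returns True only when the first ACE covering (src, dst) is a permit. A deny ACE, or the
    implicit deny at the end, means the route-map sequence referencing this ACL does not match
    the packet, and evaluation moves on to the next sequence.
    """
    for action, src_spec, dst_spec in ACLS[acl_name]:
        if _spec_matches(src_spec, src) and _spec_matches(dst_spec, dst):
            return action == "permit"
    return False


def pbr_decision(route_map, src, dst):
    """Return (sequence, next_hop) for a packet that arrives on the interface carrying this policy.

    sequence: the first route-map entry whose ACL matched, or None if none did.
    next_hop: the address the packet is policy-routed to, or None when it is forwarded by the
              normal routing table (deny sequence, permit with no set clause, or no match).
              No outcome here means "dropped".
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for seq, action, acl, next_hop in route_map:
        if not acl_matches(acl, src, dst):
            continue
        if action == "deny":
            return seq, None          # matched a deny: exempt from PBR, routed via RIB
        return seq, next_hop          # matched a permit: redirected if a set clause exists
    return None, None                 # no sequence matched: routed via RIB


def without_sequence(route_map, seq):
    """The route-map as it would look after removing one sequence (what the OP proposes for 10)."""
    return [entry for entry in route_map if entry[0] != seq]


if __name__ == "__main__":
    # Constructed sample flows (not from the thread): two Permit-Out-FW hosts, each towards an
    # internal and an outside destination, plus a host that appears in neither ACL.
    flows = [
        ("172.27.250.151", "10.24.1.10"),    # ACL_PERMIT host -> internal network
        ("172.27.250.151", "203.0.113.9"),   # ACL_PERMIT host -> outside address
        ("172.28.24.237", "10.0.0.5"),       # in Permit-Out-FW but not in ACL_PERMIT
        ("172.28.24.237", "203.0.113.9"),
        ("172.27.250.50", "203.0.113.9"),    # in neither ACL
    ]
    for label, rmap in (("as configured", ROUTE_MAP_PBR11),
                        ("with sequence 10 deleted", without_sequence(ROUTE_MAP_PBR11, 10))):
        print(f"--- PBR11 {label} ---")
        for src, dst in flows:
            seq, nh = pbr_decision(rmap, src, dst)
            verdict = f"set ip next-hop {nh}" if nh else "normal routing via RIB"
            print(f"{src:>16} -> {dst:<14} seq {seq!s:>4}: {verdict}")
```

Running it prints one line per flow for PBR11 as configured and again with sequence 10 removed; in the second table the flow 172.27.250.151 -> 10.24.1.10 changes from normal routing to next-hop 172.21.5.1, which is exactly the behaviour change Rick warns about. One caveat the model does not cover: the policy is applied to packets that arrive on the SVI to be routed, so traffic between two hosts inside the same 172.27.250.0/24 VLAN is switched at layer 2 and never reaches the route-map at all.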

So sequence 10 does absolutely nothing, right? I can just delete it?