12-18-2018 11:37 AM - edited 12-18-2018 11:38 AM
Hello, I'm a little confused about this route-map on interface vlan 999.
So if I'm understanding this correctly, anything that wants to come into int vlan 999 with a source address that is in the "force-out-fw" ACL, which consists of the "permit-out-fw" and "internal-networks" ACLs, will be denied from entering this interface vlan 999. The 2nd part of the route-map is saying that anything with a source address that is in the "ACL_PERMIT" ACL will have to be redirected to 172.21.5.1? Am I on the right page here?
NexusCore#
interface Vlan999
no shutdown
no ip redirects
ip address 172.27.250.2/24
no ipv6 redirects
ip router eigrp 1
ip passive-interface eigrp 1
ip policy route-map PBR11
hsrp version 2
hsrp 300
priority 105 forwarding-threshold lower 1 upper 105
ip 172.27.250.1
NexusCore# sh route-map PBR11
route-map PBR11, deny, sequence 10
Match clauses:
ip address (access-lists): FORCE-OUT-FW
Set clauses:
route-map PBR11, permit, sequence 20
Match clauses:
ip address (access-lists): ACL_PERMIT
Set clauses:
ip next-hop 172.21.5.1
IP access list FORCE-OUT-FW
10 permit ip addrgroup Permit-Out-FW addrgroup INTERNAL-NETWORKS
object-group ip address Permit-Out-FW
10 host 172.27.250.151
20 host 172.28.24.5
25 host 172.28.24.237
30 host 172.28.24.239
object-group ip address INTERNAL-NETWORKS
10 10.99.0.0/16
20 10.0.0.0/24
30 10.1.0.0/23
40 10.24.0.0/16
50 10.124.0.0/16
60 10.151.0.0/16
70 10.200.0.0/16
80 172.16.0.0/12
90 192.168.0.0/16
ip access-list ACL_PERMIT
10 permit ip 172.27.250.151/32 any
11 permit ip 172.28.24.5/32 any
12-19-2018 08:26 AM
If the original poster deletes instance 10 of the route map then things will definitely change. If you look at the ACL used in the second instance:
ip access-list ACL_PERMIT
10 permit ip 172.27.250.151/32 any
11 permit ip 172.28.24.5/32 any
The 2 host addresses here also appear in the ACL for instance 10. The way it works now is that traffic from these two hosts with destination Internal networks gets normal routing and traffic from these hosts to other destinations gets policy routed. If instance 10 is removed then traffic from these hosts to Internal networks will be policy routed. That is a significant change in behavior.
Bottom line: leave the route map the way that it is.
HTH
Rick
12-18-2018 01:47 PM
Hello,
your route map sequence has no set clause, so the traffic will pass the interface and be routed according to the RIB.
route-map PBR11, deny, sequence 10
Match clauses:
ip address (access-lists): FORCE-OUT-FW
Set clauses:
12-18-2018 01:49 PM
So what about the permit sequence 20 that sets the next-hop to 172.21.5.1?
12-18-2018 02:22 PM
That traffic will be routed to the next hop specified, 172.21.5.1.
12-18-2018 02:25 PM
OK, to summarize, sequence 10 pretty much does nothing, right? So if I were to remove sequence 10 right now, nothing on the network would change.
For sequence 20, anything that has a source address that matches the ACL_PERMIT will be redirected to 172.21.5.1?
12-18-2018 02:28 PM
In theory, yes, that is how it should work. What is the output of 'show route-map PBR11'?
12-18-2018 02:30 PM
OK, thank you for your help. I put the output in the original description at the top.
12-18-2018 02:33 PM
The output should have lines like:
Policy routing matches: 0 packets, 0 bytes
which tell you what sequences in the policy have what matches. Do you see that in your output?
12-18-2018 02:35 PM - edited 12-18-2018 02:35 PM
When I put in "sho route-map PBR11", what I pasted above is all that I see. Is there another command?
12-18-2018 02:46 PM
Not sure why there is no such line...
Either way, send traffic from 172.27.250.151 to somewhere else, so that it has to go through interface Vlan 999. Is that traffic dropped or forwarded according to the routing table?
12-18-2018 02:49 PM
OK, I will do that test ASAP, and that was actually going to be my next question. Because the "ACL_PERMIT" has 172.27.250.151 in the ACL, but that is an IP address in the range of vlan 999... so that's kind of confusing. It's like saying that anything with a source address of 172.27.250.151 should be redirected to 172.21.5.1?
But nothing with a source address of 172.27.250.151 will ever go back into its own interface, right? Seems weird.
12-18-2018 03:05 PM
Hello,
not sure what you mean. 172.27.250.2 is the interface address, 172.27.250.151 is a host in that subnet, so any traffic originating from that host should somehow go through the interface...
12-18-2018 06:28 PM
Bad wording on my part.
12-18-2018 03:04 PM - edited 12-18-2018 03:05 PM
Hello
@Amafsha1 wrote:
Hello, I'm a little confused about this route-map on interface vlan 999.
So if I'm understanding this correctly, anything that wants to come into int vlan 999 with a source address that is in the "force-out-fw" ACL, which consists of the "permit-out-fw" and "internal-networks" ACLs, will be denied from entering this interface vlan 999. The 2nd part of the route-map is saying that anything with a source address that is in the "ACL_PERMIT" ACL will have to be redirected to 172.21.5.1? Am I on the right page here?
Anything that hits sequence 10 WON'T be policy-routed but normally routed; however, ACL_PERMIT pertaining to sequence 20 will be policy routed.
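The behaviour described in the reply above and in Rick's accepted answer, as an added example that is not part of this thread: a small Python model of how NX-OS evaluates the PBR11 route-map (first matching sequence wins; a deny sequence means the packet falls back to normal RIB routing; a permit sequence applies its set clause), loaded with the ACLs and object groups from the original post. The sample destination addresses are constructed for the demonstration.

```python
import ipaddress

# Object groups copied from the post's configuration
PERMIT_OUT_FW = ["172.27.250.151/32", "172.28.24.5/32",
                 "172.28.24.237/32", "172.28.24.239/32"]
INTERNAL_NETWORKS = ["10.99.0.0/16", "10.0.0.0/24", "10.1.0.0/23", "10.24.0.0/16",
                     "10.124.0.0/16", "10.151.0.0/16", "10.200.0.0/16",
                     "172.16.0.0/12", "192.168.0.0/16"]
ANY = ["0.0.0.0/0"]

# ACLs as lists of permit entries: (source prefixes, destination prefixes)
FORCE_OUT_FW = [(PERMIT_OUT_FW, INTERNAL_NETWORKS)]
ACL_PERMIT = [(["172.27.250.151/32"], ANY), (["172.28.24.5/32"], ANY)]

# route-map PBR11 as shown in the thread: (action, match ACL, set next-hop)
PBR11 = [("deny", FORCE_OUT_FW, None), ("permit", ACL_PERMIT, "172.21.5.1")]

def in_group(addr, prefixes):
    """True if addr falls inside any prefix of the object group."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for p in prefixes)

def acl_matches(acl, src, dst):
    """True if any permit entry of the ACL matches the src/dst pair."""
    return any(in_group(src, s) and in_group(dst, d) for s, d in acl)

def policy_route(route_map, src, dst):
    """Return the next hop a packet is policy-routed to, or 'RIB' for normal routing."""
    for action, acl, next_hop in route_map:
        if acl_matches(acl, src, dst):
            # deny (or permit without a set clause) = leave it to the routing table
            return "RIB" if action == "deny" or next_hop is None else next_hop
    return "RIB"   # no sequence matched: normal routing

if __name__ == "__main__":
    # Constructed destinations: one inside INTERNAL-NETWORKS, one outside it
    without_seq10 = PBR11[1:]
    for src, dst in [("172.27.250.151", "10.24.1.7"), ("172.27.250.151", "203.0.113.10")]:
        print(src, "->", dst, "| as configured:", policy_route(PBR11, src, dst),
              "| without sequence 10:", policy_route(without_seq10, src, dst))
```

Running it shows that traffic from 172.27.250.151 to an internal destination is normally routed only because sequence 10 catches it first; drop that sequence and the same flow is sent to 172.21.5.1.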
12-18-2018 06:29 PM
So sequence 10 does absolutely nothing, right? I can just delete it?