05-13-2019 05:03 AM
Hello guys!
Please, I need help with one issue that I'm facing.
I have 02 sites (A and B) connected by MPLS; both sites have an internet circuit, but after the internet circuit of site B went down, the default route was changed to use the internet from site A.
After this change one Web Server that is on site B stopped working; the reason is that this server uses a public IP from the internet of site B.
To solve this issue I created a PBR with an ACL: source the private IP (source) to any (destination).
Next-hop is the internet fw of site B.
Extended IP access list LOCAWEB
10 permit IP host 10.166.115.10 any
20 permit IP host 10.166.115.11 any
!
route-map ROUTE-LOCAWEB, permit, sequence 10
Match clauses:
ip address (access-lists): LOCAWEB
Set clauses:
ip next-hop 10.166.64.1
Policy routing matches: 0 packets, 0 bytes
!
The Web Server is working, but I lose connectivity to the server using its internal IP. All my network is 10.0.0.0/8.
I already tried to change the ACL and put the rules below, but when I do it both (internal and external) communications stop working.
08 deny ip host 10.166.115.10 10.0.0.0 255.0.0.0
09 deny ip host 10.166.115.11 10.0.0.0 255.0.0.0
Does anyone know how to solve this issue?
Thanks
Marcio
05-13-2019 05:17 AM - edited 05-13-2019 05:18 AM
Hello
Probably need to amend your access-list to deny PBR for traffic between your host and the 10.0.0.0/8
ip access-list extended LOCALWEB
permit ip host 10.166.115.10 10.0.0.0 0.255.255.255
permit ip 10.0.0.0 0.255.255.255 host 10.166.115.10
permit ip host 10.166.115.11 10.0.0.0 0.255.255.255
permit ip 10.0.0.0 0.255.255.255 host 10.166.115.11
route-map ROUTE-LOCAWEB deny 5
match ip address LOCALWEB
route-map ROUTE-LOCAWEB permit 10
no match ip address LOCALWEB
set ip next-hop 10.166.64.1
05-13-2019 05:44 AM
Hello Paul,
Your ACL only considers the communication with network 10.0.0.0/8; in this case, the traffic to the internet should continue using the default route and going to Site A, right?
05-13-2019 05:51 AM
05-13-2019 07:37 AM
Hello
Glad to see it's working - thank you for the feedback and rating.
05-13-2019 05:19 AM - edited 05-13-2019 05:47 AM
Hello Marcio,
ACLs use wildcard mask so the additional lines should be:
08 deny ip host 10.116.15.10 10.0.0.0 0.255.255.255
09 deny ip host 10.116.15.11 10.0.0.0 0.255.255.255
Hope to help
Giuseppe
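The two answers above hinge on the same point: an ACL entry takes a wildcard mask, and a deny entry in the ACL (or a deny route-map sequence) sends the packet back to the routing table instead of to the PBR next-hop. The following is an added example, not from the thread or from Cisco: a small Python model of ACL wildcard matching and route-map evaluation, using the host, subnet and next-hop quoted in the thread (only the first host is modelled; the second is analogous) and a constructed internet destination 203.0.113.5. It shows that the deny line typed with a subnet mask (255.0.0.0) does not match internal destinations, so 10.0.0.0/8 traffic is still policy-routed to the firewall, while the wildcard form (0.255.255.255) leaves it to normal routing.

```python
import ipaddress

# Added example (not the thread's own config): a model of how an extended ACL
# with wildcard masks is evaluated and how a route-map uses it for PBR.

def mask_to_wildcard(mask: str) -> str:
    """Convert a subnet mask (255.0.0.0) into ACL wildcard form (0.255.255.255)."""
    return str(ipaddress.IPv4Address(~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF))

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """ACL semantics: a wildcard bit of 1 means 'do not care' about that bit."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

def acl_action(acl, src, dst):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action
    return "deny"

def pbr_next_hop(route_map, src, dst):
    """Walk route-map sequences in order. A sequence matches when its ACL permits
    the packet: a 'permit' sequence applies its set next-hop, a 'deny' sequence
    hands the packet to the routing table. No match at all: normal routing."""
    for action, acl, next_hop in route_map:
        if acl_action(acl, src, dst) == "permit":
            return next_hop if action == "permit" else None
    return None

ANY = ("0.0.0.0", "255.255.255.255")        # 'any'
SRV = ("10.166.115.10", "0.0.0.0")          # 'host 10.166.115.10'
INTERNAL = ("10.0.0.0", "0.255.255.255")    # 10.0.0.0/8 written as a wildcard

# The deny line as first typed in the thread: a subnet mask where a wildcard belongs.
MISTYPED_ACL = [("deny", *SRV, "10.0.0.0", "255.0.0.0"), ("permit", *SRV, *ANY)]
# The same ACL with the wildcard mask, as the replies suggest.
FIXED_ACL = [("deny", *SRV, *INTERNAL), ("permit", *SRV, *ANY)]

MISTYPED_MAP = [("permit", MISTYPED_ACL, "10.166.64.1")]
FIXED_MAP = [("permit", FIXED_ACL, "10.166.64.1")]

if __name__ == "__main__":
    for name, rm in (("mistyped", MISTYPED_MAP), ("fixed", FIXED_MAP)):
        for dst in ("10.5.5.5", "203.0.113.5"):   # constructed destinations
            print(name, "10.166.115.10 ->", dst, "next-hop:", pbr_next_hop(rm, "10.166.115.10", dst))
```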