Trying to restrict only certain traffic to a P2P circuit.

I have a requirement to ensure all traffic between 10.200.210.0/24 (in CA) and 10.200.210.0/24 (in AZ) is sent over a point-to-point between the two sites.  Only traffic between the two above subnets is supposed to route over the P2P.  All other traffic must be routed normally over an MPLS circuit.

I tried to do this using route-maps, but it doesn't seem to be working.

Here are what I hope are the relevant configurations on each end.

#------------------------------------------------
CA side (6506)

Extended IP access list ca2az-backups
    10 permit ip 10.212.210.0 0.0.0.255 10.200.210.0 0.0.0.255 (573975 matches)
    20 deny ip any any (28451 matches)

route-map ca2az-backups, permit, sequence 10
  Match clauses:
    ip address (access-lists): ca2az-backups
  Set clauses:
    ip next-hop 192.168.100.18
  Policy routing matches: 294281 packets, 65891982 bytes

interface Vlan210
 description Router to Branches
 ip address 10.212.210.1 255.255.255.0
 ip helper-address 10.212.3.3
 ip policy route-map ca2az-backups

#------------------------------------------------
AZ side (3850)

Extended IP access list az2ca-backups
    10 permit ip 10.200.210.0 0.0.0.255 10.212.210.0 0.0.0.255 (444 matches)
    20 deny ip any any (27223 matches)

route-map az2ca-backups, permit, sequence 10
  Match clauses:
    ip address (access-lists): az2ca-backups
  Set clauses:
    ip next-hop 192.168.100.17
  Policy routing matches: 222 packets, 134376 bytes

interface Vlan210
 ip address 10.200.210.1 255.255.255.0
 ip helper-address 10.200.100.250
 ip policy route-map az2ca-backups


The traceroutes indicate the traffic is not using the P2P when going from AZ to CA.

#------------------------------------------------
Traceroute using mtr

CA -> AZ

HOST: scamanda01.lereta.com       Loss%   Snt   Last   Avg  Best  Wrst StDev
  1. 10.212.210.1                  0.0%    10    0.3   1.5   0.2  11.8   3.6
  2. ???                          100.0    10    0.0   0.0   0.0   0.0   0.0
  3. 10.200.210.50                 0.0%    10   16.4  16.5  16.2  16.9   0.2

AZ -> CA

HOST: sazmanda01.lereta.net       Loss%   Snt   Last   Avg  Best  Wrst StDev
  1. 10.200.210.1                  0.0%    10    2.4   2.5   2.3   2.8   0.2
  2. ???                          100.0    10    0.0   0.0   0.0   0.0   0.0
  3. ???                          100.0    10    0.0   0.0   0.0   0.0   0.0
  4. ???                          100.0    10    0.0   0.0   0.0   0.0   0.0
  5. ???                          100.0    10    0.0   0.0   0.0   0.0   0.0
  6. ???                          100.0    10    0.0   0.0   0.0   0.0   0.0
  7. 10.212.210.50                 0.0%    10   16.2  16.2  16.1  16.2   0.0

#------------------------------------------------

To make the situation even weirder:

Traceroute using traceroute

CA -> AZ

traceroute to 10.200.210.50 (10.200.210.50), 30 hops max, 60 byte packets
 1  10.212.210.1 (10.212.210.1)  60.886 ms  60.886 ms  60.840 ms
 2  * * *
 3  az-backup-bc.lereta.net (10.200.210.50)  16.232 ms  16.125 ms  16.207 ms

AZ -> CA

traceroute to 10.212.210.50 (10.212.210.50), 30 hops max, 60 byte packets
 1  10.200.210.1 (10.200.210.1)  4.954 ms  5.024 ms  5.088 ms
 2  * * *
 3  10.212.210.50 (10.212.210.50)  16.144 ms  16.137 ms  16.092 ms

Firewalls are normally on but are turned off at both ends for testing.

Is this even the right approach?  I found some example configs on the Internet that suggest it should work, but they are wrong or I messed something up.

Accepted Solution

Hi

Your configuration looks fine. Are you trying the traceroute from a Windows computer over that VLAN?

192.168.100.18 -- is the IP of the next hop, I mean AZ router?

192.168.100.17 -- is the IP of CA router?

You could modify the config to:

CA Router

ip access-list extended CA-ROUTER
permit ip 10.212.210.0 0.0.0.255 10.200.210.0 0.0.0.255

route-map ca2az-backups permit 5
match ip access CA-ROUTER
set ip next-hop 192.168.100.18    <--- next hop IP, it should be the IP on AZ router. 

route-map ca2az-backups permit 100      <--- the rest of the traffic originated from this SVI 210  will use the MPLS Circuit.

interface Vlan210
 ip policy route-map ca2az-backups

* I removed the deny ip any any

The configuration should be similar in AZ Router. 




>> Mark as helpful or answered if the reply resolved the question; this helps other community members with future queries. <<


3 Replies


That worked. Thank you.

I think I even know why it worked and my configuration did not.  Any day I learn something new is a good day.

#------------------------------------------------
CA side

Extended IP access list ca2az-backups
    10 permit ip 10.212.210.0 0.0.0.255 10.200.210.0 0.0.0.255

route-map ca2az-backups, permit, sequence 10
  Match clauses:
    ip address (access-lists): ca2az-backups
  Set clauses:
    ip next-hop 192.168.100.18
  Policy routing matches: 295829 packets, 66612462 bytes
route-map ca2az-backups, permit, sequence 100
  Match clauses:
  Set clauses:
  Policy routing matches: 455964 packets, 69443897 bytes

interface Vlan210
 description Router to Branches
 ip address 10.212.210.1 255.255.255.0
 ip helper-address 10.212.3.3
 ip policy route-map ca2az-backups

#------------------------------------------------
AZ side

Extended IP access list az2ca-backups
    10 permit ip 10.200.210.0 0.0.0.255 10.212.210.0 0.0.0.255

route-map az2ca-backups, permit, sequence 10
  Match clauses:
    ip address (access-lists): az2ca-backups
  Set clauses:
    ip next-hop 192.168.100.17
  Policy routing matches: 1632 packets, 844164 bytes
route-map az2ca-backups, permit, sequence 100
  Match clauses:
  Set clauses:
  Policy routing matches: 3 packets, 729 bytes

interface Vlan210
 ip address 10.200.210.1 255.255.255.0
 ip helper-address 10.200.100.250
 ip policy route-map az2ca-backups
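As an added illustration (not part of the thread or of either poster's configuration), here is a small Python model of how the two final route-maps above are evaluated: sequence 10 matches the ACL and sets the P2P next hop, and sequence 100, which has no match clause, matches everything else and, having no set clause, leaves that traffic to normal routing. The ACL entries, next hops and sample packets are taken from the thread; the packet addresses used in the demo at the bottom are constructed.

```python
"""Toy model of Cisco PBR route-map evaluation as configured in this thread (added example)."""
from ipaddress import IPv4Address


def wildcard_match(addr, base, wildcard):
    """Cisco ACL semantics: a wildcard bit of 1 means 'don't care'."""
    mask = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(IPv4Address(addr)) & mask == int(IPv4Address(base)) & mask


# Extended ACLs as (action, src, src_wildcard, dst, dst_wildcard); implicit deny at the end.
# Note: a deny here only makes the packet fall through to the next route-map clause;
# PBR decides where to forward, it does not filter anything.
ACLS = {
    "ca2az-backups": [("permit", "10.212.210.0", "0.0.0.255", "10.200.210.0", "0.0.0.255")],
    "az2ca-backups": [("permit", "10.200.210.0", "0.0.0.255", "10.212.210.0", "0.0.0.255")],
}


def acl_permits(name, src, dst):
    for action, s, swc, d, dwc in ACLS[name]:
        if wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc):
            return action == "permit"
    return False  # implicit "deny ip any any"


# Route-maps as ordered clauses: (sequence, acl_name or None, next_hop or None).
ROUTE_MAPS = {
    "ca2az-backups": [(10, "ca2az-backups", "192.168.100.18"), (100, None, None)],
    "az2ca-backups": [(10, "az2ca-backups", "192.168.100.17"), (100, None, None)],
}


def policy_route(route_map, src, dst):
    """Return (matched_sequence, next_hop); next_hop None means normal routing."""
    for seq, acl, next_hop in ROUTE_MAPS[route_map]:
        if acl is None or acl_permits(acl, src, dst):  # no match clause = match all
            return seq, next_hop
    return None, None  # no clause matched: also falls back to normal routing


if __name__ == "__main__":
    # Constructed sample packets: backup host to backup host, and backup host to DHCP helper.
    for rm, src, dst in [("ca2az-backups", "10.212.210.50", "10.200.210.50"),
                         ("ca2az-backups", "10.212.210.50", "10.212.3.3"),
                         ("az2ca-backups", "10.200.210.50", "10.212.210.50")]:
        print(rm, src, "->", dst, policy_route(rm, src, dst))
```

Because PBR only steers traffic, the model also shows why the ACL's explicit deny was unnecessary: non-matching packets reach sequence 100 either way, and anything that must actually be blocked needs an interface ACL, not a route-map.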

Hi Stephen,

It was a pleasure,

have a great day!

:-)




>> Mark as helpful or answered if the reply resolved the question; this helps other community members with future queries. <<