07-09-2019 06:14 AM
I have a problem with setting a traffic policy. I'm working on controllers version 18.4.1 and the ISR1100 firmware is 16.10.2.
My case: I have a hub-and-spoke topology set manually from a custom control policy with preference set on one DC to 400, the second is 200.
Both sides have two connections, private MPLS and public. Spoke VPN 10 addresses are 10.5.x.x. So I want to set the branch traffic to mostly go to DC2 and by MPLS connections. This sounds very simple, but whatever I'm changing, it's not working like it should. Counters are incrementing so the match works, but traffic goes kind of randomly. When I'm pinging or tracerouting two servers, one goes through MPLS and another one through the public interface.
Another strange issue is that I have 2 ms latency on MPLS and about 50 ms on the public interface (LTE). These values I got when I'm testing connections with one connection disconnected; also in vManage on the monitor dashboard it shows the same values. But when both connections are up, ping latency shows about 25-30 ms, so it's almost in the middle.
This is the policy on the vSmarts, and changing from local-tloc to match remote-tloc didn't help at all. Same situation with source/destination prefix. It looks like the rule matches traffic, the counter increases, but traffic goes somewhere else.
Is there something I'm missing, why it's not working? Is there any option to debug it besides watching the counter?
policy
 data-policy _vpn-LAN_test-traffic-eng
  vpn-list vpn-LAN
   sequence 1
    match
     source-data-prefix-list BRANCHES
    !
    action accept
     count source_route_ping_-516454198
     set
      local-tloc-list
       color mpls
       encap ipsec
      !
     !
    !
   !
   default-action accept
  !
 !
 lists
  vpn-list vpn-LAN
   vpn 10
  !
  data-prefix-list BRANCHES
   ip-prefix 10.5.0.0/16
  !
  site-list Branch-site-list
   site-id 11-100
  !
  site-list DC
   site-id 1
  !
  site-list DC2
   site-id 2
  !
  prefix-list _AnyIpv4PrefixList
   ip-prefix 0.0.0.0/0 le 32
  !
 !
 control-policy hub-spoke-manual-priority
  sequence 1
   match route
    prefix-list _AnyIpv4PrefixList
    site-list DC
    vpn-list vpn-LAN
   !
   action accept
   !
  !
  sequence 11
   match route
    prefix-list _AnyIpv4PrefixList
    site-list DC2
    vpn-list vpn-LAN
   !
   action accept
   !
  !
  sequence 21
   match route
    prefix-list _AnyIpv4PrefixList
   !
   action reject
   !
  !
  sequence 31
   match tloc
    site-list DC2
   !
   action accept
    set
     preference 400
    !
   !
  !
  sequence 41
   match tloc
    site-list DC
   !
   action accept
    set
     preference 200
    !
   !
  !
  sequence 51
   match tloc
   !
   action reject
   !
  !
  default-action accept
 !
!
apply-policy
 site-list Branch-site-list
  control-policy hub-spoke-manual-priority out
  data-policy _vpn-LAN_test-traffic-eng all
 !
!
07-11-2019 01:34 AM
This statement is key to your problem:
@hawaii wrote:
Spoke VPN 10 addresses are 10.5.x.x. So I want to set the branch traffic to mostly go to DC2 and by MPLS connections. This sounds very simple, but whatever I'm changing, it's not working like it should. Counters are incrementing so the match works, but traffic goes kind of randomly. When I'm pinging or tracerouting two servers, one goes through MPLS and another one through the public interface.
Your issue is typical. Whenever you try to do any traffic engineering with any kind of policy (routing, data), you should keep in mind that traffic flow is bidirectional; hence with your policy you properly steered the egress flow via the desired color, but return traffic (in the case of traceroute, ICMP TTL exceeded) takes whatever path the remote site prefers, and you feel that there is a discrepancy. You should always take care to check the return path as well.
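The return-path point above, as an added example that is not part of the thread: a mirror-image data policy applied on the DC side so that DC-to-branch traffic is also pinned to the mpls color. It reuses the vpn-LAN and BRANCHES lists from the question; the policy name, the counter name and the Both-DCs site list are made up for this example and would be merged into the existing policy block on the vSmarts.

```text
policy
 data-policy _vpn-LAN_return-to-branches
  vpn-list vpn-LAN
   sequence 1
    match
     destination-data-prefix-list BRANCHES
    !
    action accept
     count return_to_branches
     set
      local-tloc-list
       color mpls
       encap ipsec
      !
     !
    !
   !
   default-action accept
  !
 !
 lists
  site-list Both-DCs
   site-id 1-2
  !
 !
!
apply-policy
 site-list Both-DCs
  data-policy _vpn-LAN_return-to-branches from-service
 !
!
```

Without the restrict keyword on local-tloc-list the DC falls back to its normal forwarding path when the mpls TLOC is down, so a latency that drifts toward the LTE value is a sign to check tunnel state on both ends. On the ISR1100, show sdwan policy from-vsmart confirms the policy was pushed and show sdwan app-route stats gives per-color loss and latency, which answers the "besides watching the counter" question.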