
Traffic Policy - not working

hawaii
Level 1

I have a problem with setting up a traffic policy. I'm working on controllers version 18.4.1 and the ISR1100 firmware is 16.10.2.

My case: I have a hub-and-spoke topology set manually from a custom control policy, with the preference set to 400 for one DC and 200 for the second.


Both sides have two connections, private MPLS and public. Spoke VPN 10 addresses are 10.5.x.x. So I want to set the branch traffic to mostly go to DC2 and over the MPLS connections. This sounds very simple, but whatever I'm changing, it's not working like it should. The counters are incrementing, so the match works, but traffic goes kind of randomly. When I'm pinging or tracerouting two servers, it goes through MPLS to one and through the public interface to the other one.


Another strange issue is that I have 2 ms latency on MPLS and about 50 ms on the public interface (LTE). I got these values when testing the connections with one connection disconnected, and in vManage on the monitor dashboard it shows the same values. But when both connections are up, ping latency shows about 25-30 ms, so it's almost in the middle.


This is the policy on the vSmarts, and changing from local-tloc to matching the remote tloc didn't help at all. Same situation with source/destination prefix. It looks like the rule matches the traffic and the counter increases, but the traffic goes somewhere else.


Is there something I'm missing? Why isn't it working? Is there any option to debug it besides watching the counter?


policy
 data-policy _vpn-LAN_test-traffic-eng
  vpn-list vpn-LAN
   sequence 1
    match
     source-data-prefix-list BRANCHES
    !
    action accept
     count source_route_ping_-516454198
     set
      local-tloc-list
       color mpls
       encap ipsec
      !
     !
    !
   !
   default-action accept
  !
 !
 lists
  vpn-list vpn-LAN
   vpn 10
  !
  data-prefix-list BRANCHES
   ip-prefix 10.5.0.0/16
  !
  site-list Branch-site-list
   site-id 11-100
  !
  site-list DC
   site-id 1
  !
  site-list DC2
   site-id 2
  !
  prefix-list _AnyIpv4PrefixList
   ip-prefix 0.0.0.0/0 le 32
  !
 !
 control-policy hub-spoke-manual-priority
  sequence 1
   match route
    prefix-list _AnyIpv4PrefixList
    site-list   DC
    vpn-list    vpn-LAN
   !
   action accept
   !
  !
  sequence 11
   match route
    prefix-list _AnyIpv4PrefixList
    site-list   DC2
    vpn-list    vpn-LAN
   !
   action accept
   !
  !
  sequence 21
   match route
    prefix-list _AnyIpv4PrefixList
   !
   action reject
   !
  !
  sequence 31
   match tloc
    site-list DC2
   !
   action accept
    set
     preference 400
    !
   !
  !
  sequence 41
   match tloc
    site-list DC
   !
   action accept
    set
     preference 200
    !
   !
  !
  sequence 51
   match tloc
   !
   action reject
   !
  !
  default-action accept
 !
!
apply-policy
 site-list Branch-site-list
  control-policy hub-spoke-manual-priority out
  data-policy _vpn-LAN_test-traffic-eng all
 !
!


Accepted Solution

ekhabaro
Cisco Employee

This statement is key to your problem:

@hawaii wrote:

Spoke VPN 10 addresses are 10.5.x.x. So I want to set the branch traffic to mostly go to DC2 and over the MPLS connections. This sounds very simple, but whatever I'm changing, it's not working like it should. The counters are incrementing, so the match works, but traffic goes kind of randomly. When I'm pinging or tracerouting two servers, it goes through MPLS to one and through the public interface to the other one.


Your issue is typical. Whenever you try to do any traffic engineering with any kind of policy (routing, data), you should keep in mind that a traffic flow is bidirectional. With your policy you properly steered the egress flow via the desired color, but the return traffic (in the case of traceroute, the ICMP TTL-exceeded messages) takes whatever path the remote site prefers, and so you see a discrepancy. You should always take care to check the return path as well.

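As an added illustration of the point above (this is not configuration from the original thread), the following is a companion data policy of the same shape as the one the question posted, but applied on the DC side: it matches traffic destined to the branch prefix and pins the DC router's own MPLS TLOC, so the return direction is steered the same way as the branch-to-DC direction. The vpn-list vpn-LAN and data-prefix-list BRANCHES are the ones already defined in the posted configuration; the policy name, counter name and the site-list DC-sites (covering site-id 1 and 2) are assumptions made for this example. The apply-policy direction from-service limits the policy to traffic entering from the DC LAN, which is the direction the return flow takes.

```text
policy
 data-policy _vpn-LAN_return-via-mpls
  vpn-list vpn-LAN
   sequence 1
    match
     destination-data-prefix-list BRANCHES
    !
    action accept
     count return_to_branch_mpls
     set
      local-tloc-list
       color mpls
       encap ipsec
      !
     !
    !
   !
   default-action accept
  !
 !
 lists
  site-list DC-sites
   site-id 1-2
  !
 !
!
apply-policy
 site-list DC-sites
  data-policy _vpn-LAN_return-via-mpls from-service
 !
!
```

With both policies active, the branch counter (source_route_ping_-516454198 in the posted policy) and the DC counter (return_to_branch_mpls here) should both increase for the same ping; if only one of them grows, one direction is still following the routers' own preference. The asymmetric round trip the question reports (about 25-30 ms with both links up, against 2 ms on MPLS and 50 ms on LTE alone) is what you would expect when the echo request goes one way over MPLS and the reply comes back over LTE. Note that a local-tloc-list action only prefers the named TLOC; if the DC's MPLS tunnel is down, traffic falls back to the remaining TLOC rather than being dropped, which is normally what you want for a hub.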
