access-list does not show any matching on cisco router 3725

Hello,

We have a 3725 router with the following characteristics:

cisco 3725

c3725-jsx-mz.122-15.T17

DRAM: 256Mb

Flash: 32 Mb (ATA)

We are using two access-lists, 100 and 101, to prioritize traffic and one extended access-list named CNP_DATA to forward traffic through the WAN connection.

When we applied these access-lists to a FastEthernet interface using a route-map, only access-lists 100 and 101 show increasing match counters, but access-list CNP_DATA does not show any match.

The questions are:

  1. The access-list CNP_DATA does not show any match, but is it working?
  2. We use "set ip next-hop" in route-map VoIP to forward data to another router; is it working even though we do not see any match on access-list CNP_DATA?

This is the configuration of the router:

interface FastEthernet0/0
description LAN | CNP | CD=23932
ip address 192.168.13.2 255.255.255.0
ip access-group 103 in
no ip redirects
no ip proxy-arp
ip accounting output-packets
ip nat inside
ip route-cache policy
ip route-cache flow
no ip mroute-cache
ip policy route-map VoIP

!
ip access-list extended CNP_DATOS
deny   ip 192.168.13.0 0.0.0.255 host 10.1.240.50
deny   ip 192.168.13.0 0.0.0.255 host 10.1.240.51
deny   ip 192.168.13.0 0.0.0.255 host 10.1.240.52
deny   ip 192.168.13.0 0.0.0.255 host 10.1.240.53
deny   ip 192.168.13.0 0.0.0.255 host 10.1.240.54
deny   ip 192.168.13.0 0.0.0.255 host 10.1.240.55
permit ip host 192.168.13.12 any
permit ip host 192.168.13.37 any
permit ip host 192.168.13.38 any
permit ip host 192.168.13.39 any
permit ip host 192.168.13.40 any
permit ip host 192.168.13.41 any
permit ip host 192.168.13.77 any
permit ip host 192.168.13.93 any
permit ip 192.168.13.0 0.0.0.255 10.1.0.0 0.0.255.255
permit ip 192.168.13.0 0.0.0.255 10.16.0.0 0.0.255.255
permit ip 192.168.13.0 0.0.0.255 10.23.0.0 0.0.255.255
permit ip 192.168.13.0 0.0.0.255 10.17.0.0 0.0.255.255
permit ip 192.168.13.0 0.0.0.255 10.61.1.0 0.0.0.255
permit ip 192.168.13.0 0.0.0.255 10.61.2.0 0.0.0.255
permit ip 192.168.13.0 0.0.0.255 10.246.0.0 0.0.255.255
permit ip 192.168.13.0 0.0.0.255 10.203.0.0 0.0.255.255
permit ip 192.168.13.0 0.0.0.255 10.213.0.0 0.0.255.255

access-list 110 permit udp any any range 16384 32767
access-list 110 permit udp any range 16384 32767 any
access-list 110 permit tcp any any eq 1720
access-list 110 permit tcp any eq 1720 any
access-list 110 permit tcp host 192.168.13.12 any
access-list 110 permit tcp any host 192.168.13.12
access-list 111 deny   udp any any range 16384 32767
access-list 111 deny   udp any range 16384 32767 any
access-list 111 deny   tcp any any eq 1720
access-list 111 deny   tcp any eq 1720 any
access-list 111 permit ip any any

!
route-map VoIP permit 10
match ip address 110
set ip precedence critical
!
route-map VoIP permit 20
match ip address 111
set ip precedence priority
!
route-map VoIP permit 30
match ip address CNP_DATOS
set interface Serial0/0
set ip next-hop 10.145.1.17
!

When we type "show access-list CNP_DATOS", no matches appear, and I am not sure if the traffic is routed to 10.145.1.17 (WAN).

Thanking you in advance.

Roger Majo

1 Accepted Solution


Jon Marshall
Hall of Fame

Roger

access-list 111 has a "permit ip any any" at the end so you will never get to the 3rd route-map entry where you set the next-hop. The way a route-map works is once a match is found in any of the statements the processing of the route-map ends. You also have "permit udp any any" statements in acl 110.

So you need to reorder your route-map statements. However it may not be that simple as you may match a particular host in one statement and it never gets to the next statement which also includes the same host.

What you can do though is have 2 "sets" in a route-map statement eg.

route-map VoIP permit 10

match ip address

set ip precedence critical

set ip next-hop x.x.x.x

so you need to re-sort your acls. You may actually need more acls and more route-map entries, i.e. you need

1) an acl to match traffic to set precedence critical

2) an acl to match traffic to set precedence critical and where you want to set the next-hop

3) an acl to match traffic to set precedence priority

4) an acl to match traffic to set precedence priority and where you want to set the next hop

5) an acl to match traffic to set the next hop

none of the acls can contain the same host, i.e. if you want to set precedence to critical for 192.168.5.10 but not set the next-hop then use acl 1). If you want to set the precedence to critical for 192.168.5.10 and to set the next-hop then use acl 2).

Jon
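The first-match behaviour Jon describes can be checked offline. The following is an added example, not code from this thread or from Cisco: a small Python model of how IOS policy-based routing walks a route-map. It parses the ACL lines posted in the question (CNP_DATOS abbreviated to a few representative lines), replays two constructed packets through the original route-map order and through an order with the next-hop entry first, and counts ACE hits the way "show access-list" would. The packet addresses and ports are constructed for illustration; the `ip` protocol keyword matches any protocol and port clauses are only evaluated for tcp/udp.

```python
"""Added example, not code from the Cisco thread: a model of IOS PBR route-map
evaluation over the ACLs posted in the question.  Packets are constructed."""
import ipaddress

def parse_addr(t, i):
    """'any' | 'host X' | 'X WILDCARD' at t[i] -> (matcher, next index)."""
    if t[i] == "any":
        return (lambda ip: True), i + 1
    if t[i] == "host":
        h = int(ipaddress.ip_address(t[i + 1]))
        return (lambda ip, h=h: ip == h), i + 2
    n, w = int(ipaddress.ip_address(t[i])), int(ipaddress.ip_address(t[i + 1]))
    # IOS wildcard mask: 1 bits are "don't care", so compare only the 0 bits
    return (lambda ip, n=n, w=w: (ip & ~w) == (n & ~w)), i + 2

def parse_port(t, i):
    """Optional 'eq N' | 'range LO HI' at t[i] -> (matcher, next index)."""
    if i < len(t) and t[i] == "eq":
        return (lambda p, v=int(t[i + 1]): p == v), i + 2
    if i < len(t) and t[i] == "range":
        lo, hi = int(t[i + 1]), int(t[i + 2])
        return (lambda p, lo=lo, hi=hi: lo <= p <= hi), i + 3
    return (lambda p: True), i

def parse_ace(line):
    """'permit tcp any eq 1720 any' -> dict of matchers for one ACE."""
    t = line.split()
    src, i = parse_addr(t, 2)
    sport, i = parse_port(t, i)
    dst, i = parse_addr(t, i)
    dport, i = parse_port(t, i)
    return {"permit": t[0] == "permit", "proto": t[1],
            "src": src, "sport": sport, "dst": dst, "dport": dport}

def acl_permits(acl, pkt, hits):
    """First-match ACL evaluation with the implicit deny; hits[i] counts ACE i
    (deny hits are counted too, as 'show access-list' does)."""
    for i, a in enumerate(acl):
        if a["proto"] not in ("ip", pkt["proto"]):
            continue
        if (a["src"](pkt["src"]) and a["sport"](pkt["sport"])
                and a["dst"](pkt["dst"]) and a["dport"](pkt["dport"])):
            hits[i] = hits.get(i, 0) + 1
            return a["permit"]
    return False

def policy_route(route_map, acls, pkt, counters):
    """PBR: the first route-map entry whose ACL permits the packet applies its set
    clauses and ends the walk; an ACL deny (explicit or implicit) moves on."""
    for seq, acl_name, sets in route_map:
        if acl_permits(acls[acl_name], pkt, counters.setdefault(acl_name, {})):
            return seq, sets
    return None, {}          # no entry matched: normal destination-based routing

# ACLs as posted in the question (CNP_DATOS abbreviated)
ACLS = {name: [parse_ace(l) for l in lines] for name, lines in {
    "110": ["permit udp any any range 16384 32767", "permit udp any range 16384 32767 any",
            "permit tcp any any eq 1720", "permit tcp any eq 1720 any",
            "permit tcp host 192.168.13.12 any", "permit tcp any host 192.168.13.12"],
    "111": ["deny udp any any range 16384 32767", "deny udp any range 16384 32767 any",
            "deny tcp any any eq 1720", "deny tcp any eq 1720 any", "permit ip any any"],
    "CNP_DATOS": ["deny ip 192.168.13.0 0.0.0.255 host 10.1.240.50",
                  "permit ip host 192.168.13.12 any",
                  "permit ip 192.168.13.0 0.0.0.255 10.1.0.0 0.0.255.255",
                  "permit ip 192.168.13.0 0.0.0.255 10.61.1.0 0.0.0.255"],
}.items()}

ORIGINAL = [(10, "110", {"precedence": "critical"}),
            (20, "111", {"precedence": "priority"}),
            (30, "CNP_DATOS", {"next-hop": "10.145.1.17"})]
REORDERED = [(10, "CNP_DATOS", {"next-hop": "10.145.1.17"}),
             (20, "110", {"precedence": "critical"}),
             (30, "111", {"precedence": "priority"})]

def pkt(proto, src, sport, dst, dport):
    return {"proto": proto, "src": int(ipaddress.ip_address(src)), "sport": sport,
            "dst": int(ipaddress.ip_address(dst)), "dport": dport}

# Constructed sample traffic: a TCP data flow to the 10.1.0.0/16 side and an RTP flow
PACKETS = [pkt("tcp", "192.168.13.50", 40000, "10.1.5.5", 443),
           pkt("udp", "192.168.13.60", 20000, "10.1.7.7", 20000)]

def simulate(route_map, packets=PACKETS):
    """Return ([(seq, sets) per packet], {acl name: {ace index: hits}})."""
    counters = {}
    return [policy_route(route_map, ACLS, p, counters) for p in packets], counters

if __name__ == "__main__":
    for label, rm in (("original", ORIGINAL), ("next-hop first", REORDERED)):
        decisions, counters = simulate(rm)
        print(label, decisions, "CNP_DATOS hits:", counters.get("CNP_DATOS", {}))
```

With the original order the data packet is swallowed by the "permit ip any any" in 111 at sequence 20, so CNP_DATOS is never consulted and its counters stay at zero, which is exactly the symptom in the question. With the next-hop entry first, CNP_DATOS counts hits and the data packet gets the next-hop, but the RTP packet also matches the 10.1.0.0/16 line in CNP_DATOS and therefore never reaches the precedence-critical entry; that is the host-overlap caveat in the reply above.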




Jon,

We are going to make the changes this Monday because it is a network in production and we do not want to make changes this weekend.

I am going to advise you.

Thanks.

Jon,

We have re-ordered the route-map, putting the command "set ip next-hop ..." in the first statement and then the others, and now they are working very well.

Now, the access-list CNP_DATOS is matching on each line and the traffic is forwarded in the right direction.

Thanks a lot.

Roger Majo

Sir,

All is o.k.

Thanks very much.

attn.

Roger Majo