
Access List for Policy Based routing for 2nd gateway

Jonnyballgame34
Level 1

Greetings,

I'm trying to bring a second connection into my network to alleviate over-utilization. The plan is to start moving the internet connections of local users over to the new line. I want to test it by first bringing over a single host.

 

The host I want to route is on VLAN 111, and its address is 10.87.123.134

 

interface Vlan111
description ***Building 1 Users***
ip address 10.87.123.253 255.255.254.0

The existing gateway is

Gateway of last resort is 205.142.167.252 to network 0.0.0.0

 

The IP of the new gateway I want to use is 10.87.82.1

 

For the access list for the route map, is it just a standard IP access list with the single host like below, or do I need something more? Thanks

 

ip access-list standard LANtoIP
permit 10.87.123.134 0.0.0.0 any log

 

Thanks for looking

 

 


11 Replies

Predrag Jovic
Level 3

The access list is not correctly written (the keyword any is an error in your ACL); when that is corrected it is OK to be used to PBR traffic from host 10.87.123.134. 10.87.123.134 0.0.0.0 will anyway be translated to host 10.87.123.134 (but it is valid):

 

ip access-list standard LANtoIP
permit host 10.87.123.134 log

 

The keyword log is not recommended, since it can negatively influence CPU utilization. So, as soon as you finish testing, it would be a good idea to remove it. You can check access-list hits without logging with

show access-list LANtoIP

Thanks for taking time to look at my question

 

I figured out the "any" part when I actually tried to test it,

 

Will remove the "log" thanks for the tip

 

QQ: will the log stop it from showing in a "debug ip policy routing"? I applied the changes, turned on debugging, and the changes seemed to work fine, but I never saw any hits on the access list counter nor any debugging for policy routing (although I saw debugs for a different ACL). Thanks again

You showed us the access list but not the route map or the interface where the route map is applied. Can you show us those things? It is possible that there is something in the route map that is causing it to not work as you expect. And a very common issue in implementing PBR is applying the route map on the interface where the packet exits the router instead of the interface where the packet enters the router.

 

HTH

 

Rick


Hi,

 

Thanks for looking. Information is below. I should add, I tested it and it worked, at least from the IP in the access list. I won't be able to check that all IPs on that VLAN aren't routing that way until tomorrow. But it looked OK; I am just wondering why I didn't see any debugs and if that should be a concern.

 


ip access-list standard LANtoIP
permit 10.87.123.134 0.0.0.0

route-map LAN->NEWINET permit 10
match ip address LANtoINET
set ip next-hop 10.87.82.1


interface Vlan111
description ***Building 1 Users***
ip address 10.87.123.253 255.255.254.0
no ip redirects
no ip unreachables
standby 111 ip 10.87.123.254
standby 111 preempt
ip policy route-map LAN->NEWINET

The config that you posted looks appropriate and the items that I mentioned are as they should be. It is good to know that you tested and the processing for that IP was correct. I am confident that you will find that other IPs are not processed by PBR.

 

I would not be worried by the lack of debug output. Debug processes only things that are processed by the CPU (essentially process switched). As more effective forwarding methods are implemented which allow packets to be forwarded without going through the CPU, debug does not report on that traffic. That may be what is going on here.

 

HTH

 

Rick


Thanks for taking the time to answer my question.

 

So with this syntax it should route only the single IP to that gateway, and if that gateway goes down even that IP should get routed out the standard gateway, correct?


For some reason, when I just applied this it broke the entire VLAN. Thx

There are two parts to the current question so let me answer them separately.

 

Yes with the partial config that you have posted I would expect that single host to be routed to the specified gateway and I would expect that it would not impact other hosts in that vlan. If it did impact the entire vlan then we need to look further. Could you post the complete config (hiding public IP and other sensitive parts)? It would also be helpful if you post the output of show route-map.

 

I do not know that it would be significant, but I would suggest that you make a small change in the syntax of your access list so that it is like this

ip access-list standard LANtoIP
permit 10.87.123.134

 

The second question is about the behavior of the PBR. Yes with that syntax it should route just the single IP. But we need to be very careful with the answer about what happens if that gateway goes down. The really correct answer is that if the interface through which the router reaches that gateway goes down then PBR will stop the special forwarding for that IP and it would use normal routing. What that means is that if the gateway is not responding and is not reachable but the interface to get to that gateway is still line protocol up then PBR will continue to try to use special forwarding for that IP and the traffic will get dropped. That is an issue especially when the interface is Ethernet. If you want to be sure that PBR will stop its special forwarding for that IP then you need to use the verify-availability parameter in the set statement. verify-availability will use IP SLA to check reachability of that gateway and PBR would stop if the gateway was not reachable.

 

HTH

 

Rick

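Rick's verify-availability advice as one complete configuration, added here as an example and not taken from the thread: the standard ACL, a route-map whose next-hop is tied to an IP SLA probe through a tracking object, and the VLAN interface that applies it on the ingress side. The match statement must name the ACL exactly as defined (the posted config matches LANtoINET while the ACL is called LANtoIP); the SLA and track object numbers and the probe frequency are assumptions.

```cisco
! Probe the new gateway by ICMP every 10 seconds (object number and timer are assumptions)
ip sla 10
 icmp-echo 10.87.82.1 source-interface Vlan111
 frequency 10
ip sla schedule 10 life forever start-time now
!
! Track object follows the probe: down when the gateway stops answering,
! even if the Ethernet interface towards it stays line-protocol up
track 10 ip sla 10 reachability
!
! Standard ACL selecting only the test host: no "any", no "log"
ip access-list standard LANtoIP
 permit 10.87.123.134
!
! Next-hop is used only while track 10 is up; otherwise the packet
! falls back to normal routing (the existing gateway of last resort)
route-map LAN->NEWINET permit 10
 match ip address LANtoIP
 set ip next-hop verify-availability 10.87.82.1 10 track 10
!
! Apply the policy where the host's packets ENTER the router, not where they exit
interface Vlan111
 ip policy route-map LAN->NEWINET
```

To confirm the fallback works, watch `show track 10` and `show route-map LAN->NEWINET` while the probe target is unreachable: the track object should report Down and the route-map policy counter should stop incrementing for the host.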

I got this sorted out---thank you very much for your help

Thank you for posting back to the forum to confirm that you have the issue sorted out. I am glad that our suggestions were helpful. Thank you for marking this issue as solved.

 

HTH

 

Rick


Got it thanks

Thank you very much for your help with this.  Jon
