cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4119
Views
10
Helpful
21
Replies

Help me, Route-map on Catalyst 4503

mr Anh
Level 1
Level 1

Hello,

i'm performing configuration PBR on catalyst 4503, but it doesn't work. Here is the configuration and basic diagram:

                                                                         --> Router 3845 (10.4.30.20)

Server(10.4.28.60)--> ASA5520--> Catalyst 4503

                                                                         --> Router 3945 (10.4.30.21)

Catalyst 4503:

access-list 110 permit ip host 10.4.28.60 10.1.0.0 0.0.255.255

access-list 110 permit ip host 10.4.28.60 10.3.0.0 0.0.255.255

access-list 110 permit ip host 10.4.28.60 10.5.0.0 0.0.255.255

access-list 110 permit ip host 10.4.28.60 10.6.0.0 0.0.255.255

!

route-map Corebank_policy permit 20

match ip address 110

set ip next-hop 10.4.30.20

!

Route-map is applied on interface vlan 10 (using connect from ASA to Catalyst 4503)

interface Vlan10

ip address 10.4.30.11 255.255.255.248

ip policy route-map Corebank_policy

standby 10 ip 10.4.30.9

standby 10 priority 200

standby 10 preempt

end

Show route-map command on 4503:

route-map Corebank_policy, permit, sequence 20

  Match clauses:

    ip address (access-lists): 110

  Set clauses:

    ip next-hop 10.4.30.20

  Policy routing matches: 30 packets, 1800 bytes

Sometime, Traffic still pass through Router 3945 (10.4.30.21).

If there is any one there have an idea what it is then pls tell

Thanks

2 Accepted Solutions

Accepted Solutions

Just to add, is it possible for you to run a debug - debug ip policy ?

  • This is to be done on your HSRP primary switch for VLAN 10.
  • Attempt to access from the host 10.4.28.60 to any of those specified destinations in your ACL.

As you are running OSPF between 4500 & Router. Being that the next hop is not seen as a directly connected network, you may need to change your configs to have it look something like this

access-list 110 permit ip host 10.4.28.60 10.1.0.0 0.0.255.255
access-list 110 permit ip host 10.4.28.60 10.3.0.0 0.0.255.255
access-list 110 permit ip host 10.4.28.60 10.5.0.0 0.0.255.255
access-list 110 permit ip host 10.4.28.60 10.6.0.0 0.0.255.255

!

route-map Corebank_policy permit 20
match ip address 110
set ip next-hop recursive 10.4.30.20
!
interface Vlan10
ip address 10.4.30.11 255.255.255.248
ip policy route-map Corebank_policy
standby 10 ip 10.4.30.9
standby 10 priority 200
standby 10 preempt

Please post the results.

View solution in original post

ok.what i think is Reason you have /32 route is because your ospf network type is point to multipoint.So even though you have the network as directly connected ,it is seeing the interface as /32 host route.and your debug shows that it is not able to reach the next hop

26179: 2w2d: IP: Vlan10 to Vlan11 10.4.30.20Policy NextHop Inquiry: Corebank_policy seq: 20, type: INVALID SW_OBJ_TYPE: 0, SW_HANDLE: 0

The moment you make ospf network point to multipoint it wil inject host route  /32 for interface.Now to get around this problem

1.changing the network type of ospf(I am not sure how feasible it would be in your production)

2.IOS which supports the recursive command

I will look for the command support for this platform side by side could you please let me know if you have got chance to test it with connected interface.

View solution in original post

21 Replies 21

Vivek Ganapathi
Level 4
Level 4

Hello,

Your topology seems to be unclear.

                                                                         --> Router 3845 (10.4.30.20)

Server(10.4.28.60)--> ASA5520--> Catalyst 4503

                                                                         --> Router 3945 (10.4.30.21)

Could you please provide me a diagramatic representation of your topology to further help?

Thanks

Vivek

Dear Vivek Ganapathi,

Here is the network diagram.

Thanks,

Hello,

how are you verifying that sometimes traffic is passing through  Router 3945 (10.4.30.21)?

Can we check which traffic it is.?

I see very less hits in PBR,i would like to see hits in ACL

Policy routing matches: 30 packets, 1800 bytes

is it a testing enviorment or production?Do you see anything is logs that  PBR is failing?

is the next-hop a connected interface or we have to perform RIB lookup to reach 10.4.30.20 or 21?

can you paste output of sh ip route 10.4.30.20

sh access-list 110

Dear Mukti Chandwani,

it's our production environment, i perform tracert 10.5.1.1 on Server (10.4.28.60) and see traffic pass through Router 3945.

here is the output of sh ip route 10.4.30.20 and sh access-list 110:

sh ip route 10.4.30.20

Routing entry for 10.4.30.20/32

  Known via "ospf 1", distance 110, metric 1, type intra area

  Last update from 10.4.30.20 on Vlan11, 00:06:12 ago

  Routing Descriptor Blocks:

  * 10.4.30.20, from 10.4.30.20, 00:06:12 ago, via Vlan11

      Route metric is 1, traffic share count is 1

sh access-lists 110

Extended IP access list 110

    10 permit ip host 10.4.28.60 10.1.0.0 0.0.255.255

    20 permit ip host 10.4.28.60 10.3.0.0 0.0.255.255

    30 permit ip host 10.4.28.60 10.5.0.0 0.0.255.255 (30 matches)

    40 permit ip host 10.4.28.60 10.6.0.0 0.0.255.255

Thanks,

Hi,

Few things which might not be 100% correct but wanted to share here..

Scenario#1.

How would you expect the PBR to work where the Server is in Different VLAN than the PBR applied VLAN#10.

VLAN#10 is = 10.4.30.8/29  but Server(10.4.28.60) is in Different VLAN. Should the Server traffic come to VLAN#10 and Route based on PBR ?. No.

Scenario#2. PBR will work, If you met the following,

    If you have Users in VLAN#10 and the users are tyring to communicate to and fro the Server.

    Along with the first line you should have "access-list 110 permit ip host 10.4.28.60 VLAN#10"

Thanks,

ThiyaguVG.

Dear ThiyaguVG,

Thank for your advice, but i want all important traffic (Server: 10.4.28.60) come to branches pass through leased-line connection (on Router 3845) and all other traffic (other server) pass through MPLS connection (On Router 3945). Vlan#10 doesn't have user, it's using to connect from 4503 to ASA.

Thanks

ok.reason i was wondering is because if you notice matches in ACL and matches in PBR ,its exact same.Means whatever traffic matching the ACL is getting PBR.

please paste tracert from the server to 10.5.1.1

I hope there is no nat for source /destination addresses when crossing the ASA

Also could you please make a slight change in your configuration as instead of setting

set ip next-hop 10.4.30.20 ,please change it to set ip next-hop recursive 10.4.30.20

its not considering it as connected route.

Routing entry for 10.4.30.20/32

  Known via "ospf 1", distance 110, metric 1, type intra area


Hello,

Looks to me like one of your ACL is being matched.

30 permit ip host 10.4.28.60 10.5.0.0 0.0.255.255 (30 matches)

Have tried attempting to hit those other destinations like 10.1.0.0 etc as defined in ACL?

Or Do you mean, PBR is intermittently not kicking in?

Thanks

Vivek

Dear Vivek

yes, I've tried to tracert other IP but it seem that PBR doesn't work. 30 packet is very small because  we have many people in the branches using application on server 10.4.28.60

Thanks

Just to add, is it possible for you to run a debug - debug ip policy ?

  • This is to be done on your HSRP primary switch for VLAN 10.
  • Attempt to access from the host 10.4.28.60 to any of those specified destinations in your ACL.

As you are running OSPF between 4500 & Router. Being that the next hop is not seen as a directly connected network, you may need to change your configs to have it look something like this

access-list 110 permit ip host 10.4.28.60 10.1.0.0 0.0.255.255
access-list 110 permit ip host 10.4.28.60 10.3.0.0 0.0.255.255
access-list 110 permit ip host 10.4.28.60 10.5.0.0 0.0.255.255
access-list 110 permit ip host 10.4.28.60 10.6.0.0 0.0.255.255

!

route-map Corebank_policy permit 20
match ip address 110
set ip next-hop recursive 10.4.30.20
!
interface Vlan10
ip address 10.4.30.11 255.255.255.248
ip policy route-map Corebank_policy
standby 10 ip 10.4.30.9
standby 10 priority 200
standby 10 preempt

Please post the results.

Dear Vivek, Mukti Chandwani,

i add ip addres 10.4.28.2 to access-list, and this is the output of tracert 10.5.1.1:

traceroute 10.5.1.1

  Type escape sequence to abort.

Tracing the route to 10.5.1.1

   1 10.4.30.11 9 msec 0 msec 0 msec

  2 10.4.30.21 8 msec 0 msec 0 msec

  3 10.0.253.30 17 msec *  9 msec

In the route-map config, it doesn't have set ip next-hop recursive command. (IOS version: Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500-ENTSERVICESK9-M), Version 15.0(2)SG3, RELEASE SOFTWARE (fc2))

(config-route-map)#set ip next-hop ?

  A.B.C.D       IP address of next hop

  dynamic       application dynamically sets next hop

  peer-address  Use peer address (for BGP only)

Thanks

Thanks for the outpu.

Can you tell me why do you have hostroute /32 via ospf .Please paste output of

sh run int vlan 11
.

I want to see the subnet.Reason it is failing is because by defult PBR considers next hop as directly connected ,however in our case router has to go through routing table to reach 10.4.30.20

This issue is recursive lookup related.You might need to upgarde the IOS.

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/12s_pbr.html

if you want to verify that this is the case ,you can check via adding a test set ip next-hop with next hop which is directly connected to 4500 and that will work.

Regards,

Mukti

Thanks Mukti Chandwani,

Here is the output of sh int vlan 11 and sh int bvi 1 on router

interface Vlan11

description ****Vlan ket noi toi Router 3845****

ip address 10.4.30.19 255.255.255.248

ip ospf network point-to-multipoint

standby 11 ip 10.4.30.17

standby 11 priority 200

standby 11 preempt

end

interface BVI1

description ***Connect to CoreSwitch 4503***

ip address 10.4.30.21 255.255.255.248

ip ospf network point-to-multipoint

ip ospf cost 10

end


Does the "ip ospf network point-to-multipoint"  command is the Problem?

Yes, ip ospf network point-to-multipoint advertises a /32. You may need to change them to a point-to-point.

Also, why do you require to have a BVI interface between your 4500 & Router?

Review Cisco Networking for a $25 gift card