
Help with understanding route-maps

Shawnw4401
Level 1

Hello,

Could someone explain to me what are route-maps and how they work? I am trying to understand it a little in my lab, but I don't think I am grasping it too well.

Here's my scenario:

I have two groups: LAN and Wi-Fi. The IPs associated with each group are only allowed to communicate within that group. So no LAN device should be able to communicate with Wi-Fi, with the exception of 10.71.0.16/28. Below are the IPs associated with the two groups.

LAN IP Addresses:
10.1.0.0/30
10.1.0.4/30
10.25.0.0/28
10.71.0.16/28

Wi-Fi IP Addresses:
10.2.0.0/30
10.2.0.4/30
10.49.0.32/28

And I had something like this: 

ip access-list standard LAN_2
permit 10.1.0.4 log
deny any log
!
ip access-list extended FW_IN
deny ip any any log
ip access-list extended LAN_11
permit ospf 10.1.0.4 0.0.0.3 any log
deny ip any any log
ip access-list extended LAN_12
permit icmp 10.25.0.0 0.0.0.15 any log
deny icmp any any log
deny ip any any log
ip access-list extended LAN_13
permit icmp 10.71.0.0 0.0.0.15 any log
deny icmp any any log
deny ip any any log
ip access-list extended LAN_14
permit icmp 10.1.0.0 0.0.0.3 any log
deny icmp any any log
deny ip any any log
ip access-list extended LAN_15
permit icmp 10.1.0.4 0.0.0.3 any log
deny icmp any any log
deny ip any any log
ip access-list extended LAN_16
permit tcp 10.25.0.0 0.0.0.15 any gt 1 log
permit udp 10.25.0.0 0.0.0.15 any gt 1 log
deny ip any any log
ip access-list extended LAN_17
permit tcp 10.71.0.16 0.0.0.15 any gt 1 log
permit udp 10.71.0.16 0.0.0.15 any gt 1 log
deny ip any any log
!
route-map LAN permit 5
match ip address LAN_1
set ip next-hop 10.1.0.1
!
route-map LAN permit 10
match ip address LAN_2
set ip next-hop 10.1.0.5
!
route-map LAN permit 55
match ip address LAN_11
!
route-map LAN permit 60
match ip address LAN_12
!
route-map LAN permit 65
match ip address LAN_13
!
route-map LAN permit 70
match ip address LAN_14
!
route-map LAN permit 75
match ip address LAN_15
!
route-map LAN permit 80
match ip address LAN_16
set vrf Computers
set vrf Computers next-hop 10.25.0.2
set ip global next-hop 10.1.0.5 10.1.0.6
set default interface GigabitEthernet0/0.1025
!
route-map LAN permit 85
match ip address LAN_17
set vrf Servers next-hop 10.71.0.18
set ip global next-hop 10.1.0.5
set default interface GigabitEthernet0/0.1071

But, of course, that didn't work. I was receiving no packets through route-maps as shown:

Ext_Router#show route-map LAN
route-map LAN, permit, sequence 5
Match clauses:
ip address (access-lists): LAN_1
Set clauses:
ip next-hop 10.1.0.1
Policy routing matches: 0 packets, 0 bytes
route-map LAN, permit, sequence 10
Match clauses:
ip address (access-lists): LAN_2
Set clauses:
ip next-hop 10.1.0.1
Policy routing matches: 0 packets, 0 bytes
route-map LAN, permit, sequence 55
Match clauses:
ip address (access-lists): LAN_11
Set clauses:
Policy routing matches: 0 packets, 0 bytes
route-map LAN, permit, sequence 60
Match clauses:
ip address (access-lists): LAN_12
Set clauses:
Policy routing matches: 0 packets, 0 bytes
route-map LAN, permit, sequence 65
Match clauses:
ip address (access-lists): LAN_13
Set clauses:
Policy routing matches: 0 packets, 0 bytes

Now I think I am partially not understanding it correctly, and I am also misconfiguring it (I am almost sure of this one).

So, for my question: 
1) What am I doing wrong? 
2) What is the point of different sequence and should I use different sequences in my scenario?
3) What are some tips or pointers to look for when using route-maps?

All input is greatly appreciated. Thank you.
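As an added illustration (not part of the thread or of IOS itself), here is a small Python model of how a PBR route-map is evaluated: sequences are tried in order, the first whose ACL permits the packet wins, a deny entry in the ACL only means "this clause does not match" and never drops anything, and a matching sequence with no set clause falls back to normal routing. It uses a subset of the ACLs and sequences posted above and assumes that sequence 85's VRF next-hop is reduced to a plain next hop, that port qualifiers are ignored, and that an ACL referenced but not shown on the page (LAN_1) matches nothing.

```python
import ipaddress

def wc_match(addr, base, wildcard):
    """Cisco wildcard compare: a 1 bit in the wildcard means 'do not care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

ANY = ("0.0.0.0", "255.255.255.255")

# Entries are (action, protocol, source, wildcard); 'ip' matches any protocol.
# Constructed from the ACLs in the post (port qualifiers dropped).
ACLS = {
    # standard ACL 'permit 10.1.0.4' is the single host 10.1.0.4, not 10.1.0.4/30
    "LAN_2":  [("permit", "ip", "10.1.0.4", "0.0.0.0"), ("deny", "ip", *ANY)],
    "LAN_12": [("permit", "icmp", "10.25.0.0", "0.0.0.15"), ("deny", "ip", *ANY)],
    "LAN_13": [("permit", "icmp", "10.71.0.0", "0.0.0.15"), ("deny", "ip", *ANY)],
    "LAN_17": [("permit", "tcp", "10.71.0.16", "0.0.0.15"),
               ("permit", "udp", "10.71.0.16", "0.0.0.15"), ("deny", "ip", *ANY)],
}

# (sequence, action, acl, next_hop); sequence order is the evaluation order.
# Sequence 85's 'set vrf Servers next-hop' is simplified to a plain next hop.
ROUTE_MAP = [
    (10, "permit", "LAN_2", "10.1.0.5"),
    (60, "permit", "LAN_12", None),
    (65, "permit", "LAN_13", None),
    (85, "permit", "LAN_17", "10.71.0.18"),
]

def acl_permits(acl, src, proto):
    """First matching entry decides. In a route-map 'match', a deny entry
    means 'no match for this clause'; it does not discard the packet."""
    for action, p, base, wc in acl:
        if p in ("ip", proto) and wc_match(src, base, wc):
            return action == "permit"
    return False  # implicit deny at the end of every ACL

def evaluate(route_map, src, proto):
    """Return (matched_sequence, forwarding decision) for one packet."""
    for seq, action, acl_name, next_hop in route_map:
        if acl_name not in ACLS:   # undefined ACL (like LAN_1 in the post):
            continue               # assumed here to match nothing
        if acl_permits(ACLS[acl_name], src, proto):
            if action == "permit" and next_hop:
                return seq, f"policy-routed to {next_hop}"
            return seq, "normal routing"  # permit without set, or a deny clause
    return None, "normal routing"         # nothing matched: routing table decides

if __name__ == "__main__":
    for src, proto in [("10.1.0.4", "icmp"), ("10.1.0.6", "icmp"),
                       ("10.25.0.5", "icmp"), ("10.71.0.20", "icmp"),
                       ("10.71.0.20", "tcp")]:
        print(src, proto, evaluate(ROUTE_MAP, src, proto))
```

Running it shows why most of the posted sequences count zero policy-routed packets: an ICMP packet from 10.25.0.5 matches sequence 60 but has no set clause, and 10.71.0.20 is outside the 10.71.0.0 0.0.0.15 range that LAN_13 actually covers.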

2 Replies

Hello,

First of all, what, that is, which interface(s), are these route maps applied to? The route maps by themselves do not do anything unless you apply them somewhere.

Are both your LAN and WiFi networks on the same router? Post the entire config of your lab if possible...

Georg,

The route-map was applied to two interfaces, both LAN interfaces (Gi0/0.1100 and Gi0/1.1100). 

Here is the configuration of the router:

version 15.1
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname External_Router
!
boot-start-marker
boot-end-marker
!
!
no logging console
!
no aaa new-model
!
clock timezone CST -6 0
!
dot11 syslog
no ip source-route
!
ip cef
!
!
!
!
ip domain name MyTestLab.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip inspect log drop-pkt
ip inspect name FW_OUT tcp router-traffic
ip inspect name FW_OUT udp router-traffic
ip inspect name FW_OUT icmp router-traffic
ip inspect name FW_OUT ftp
ip inspect name FW_OUT tftp
ip inspect name FW_OUT bootpc
ip inspect name FW_OUT bootps
ip inspect name FW_OUT bgp
ip inspect name FW_OUT dns
ip inspect name FW_OUT echo
ip inspect name FW_OUT ftps
ip inspect name FW_OUT http
ip inspect name FW_OUT https
ip inspect name FW_OUT ntp
ip inspect name FW_OUT ssh
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
parameter-map type inspect global
log dropped-packets enable
!
voice-card 0
!
!
!
!
!
!
!
crypto pki token default removal timeout 0
!
!
!
!
license udi pid CISCO3845-MB sn FOC105013BA
vtp domain MyTestLab.com
vtp mode transparent
vtp version 2
username stw privilege 15 secret 5 $1$QEsA$2RsNy20ARS1Sg68xDLDSQ0
!
redundancy
!
!
vlan 100
name Management_LAN
!
vlan 999
name Native_VLAN
!
ip ssh authentication-retries 2
ip ssh source-interface Loopback0
!
!
!
!
!
!
!
!
interface Loopback0
no ip address
!
interface Loopback1100
ip address 10.255.255.252 255.255.255.255
ip ospf network point-to-point
!
interface Loopback1200
ip address 10.255.255.253 255.255.255.255
!
interface GigabitEthernet0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/0.1100
description To LAN Router
encapsulation dot1Q 1100
ip address 10.1.0.5 255.255.255.252
ip flow ingress
ip flow egress
ip policy route-map LAN
!
interface GigabitEthernet0/0.1200
description To Wi-Fi Router
encapsulation dot1Q 1200
ip address 10.2.0.5 255.255.255.252
ip flow ingress
ip flow egress
ip policy route-map LAN
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1.100
encapsulation dot1Q 100
ip address 192.168.100.3 255.255.255.0
ip access-group FW_IN in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip inspect FW_OUT out
!
interface GigabitEthernet0/1.1100
description To LAN Firewall
encapsulation dot1Q 1100
ip address 10.1.0.2 255.255.255.252
ip access-group FW_IN in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip inspect FW_OUT out
ip policy route-map LAN
!
interface GigabitEthernet0/1.1200
description To Wi-Fi Firewall
encapsulation dot1Q 1200
ip address 10.2.0.2 255.255.255.252
ip access-group FW_IN in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip inspect FW_OUT out
ip policy route-map Wi-Fi
!
interface FastEthernet0/0/0
no ip address
shutdown
!
interface FastEthernet0/0/1
no ip address
shutdown
!
interface FastEthernet0/0/2
no ip address
shutdown
!
interface FastEthernet0/0/3
no ip address
shutdown
!
interface Vlan1
no ip address
shutdown
!
router ospf 1100
router-id 10.255.255.252
network 10.1.0.0 0.0.0.3 area 0
network 10.1.0.4 0.0.0.3 area 0
network 10.255.255.252 0.0.0.0 area 0
default-information originate
!
router ospf 1200
router-id 10.255.255.253
network 10.2.0.0 0.0.0.3 area 0
network 10.2.0.4 0.0.0.3 area 0
network 10.255.255.253 0.0.0.0 area 0
default-information originate
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
ip access-list standard LAN_2
permit 10.1.0.4 log
deny any log
!
ip access-list extended FW_IN
deny ip any any log
ip access-list extended LAN_11
permit ospf 10.1.0.4 0.0.0.3 any log
deny ip any any log
ip access-list extended LAN_12
permit icmp 10.25.0.0 0.0.0.15 any log
deny icmp any any log
deny ip any any log
ip access-list extended LAN_13
permit icmp 10.71.0.0 0.0.0.15 any log
deny icmp any any log
deny ip any any log
ip access-list extended LAN_14
permit icmp 10.1.0.0 0.0.0.3 any log
deny icmp any any log
deny ip any any log
ip access-list extended LAN_15
permit icmp 10.1.0.4 0.0.0.3 any log
deny icmp any any log
deny ip any any log
ip access-list extended LAN_16
permit tcp 10.25.0.0 0.0.0.15 any gt 1 log
permit udp 10.25.0.0 0.0.0.15 any gt 1 log
deny ip any any log
ip access-list extended LAN_17
permit tcp 10.71.0.16 0.0.0.15 any gt 1 log
permit udp 10.71.0.16 0.0.0.15 any gt 1 log
deny ip any any log
!
!
!
!
!
route-map LAN permit 5
match ip address LAN_1
set ip next-hop 10.1.0.1
!
route-map LAN permit 10
match ip address LAN_2
set ip next-hop 10.1.0.5
!
route-map LAN permit 55
match ip address LAN_11
!
route-map LAN permit 60
match ip address LAN_12
!
route-map LAN permit 65
match ip address LAN_13
!
route-map LAN permit 70
match ip address LAN_14
!
route-map LAN permit 75
match ip address LAN_15
!
route-map LAN permit 80
match ip address LAN_16
set vrf Computers
set vrf Computers next-hop 10.25.0.2
set ip global next-hop 10.1.0.5 10.1.0.6
set default interface GigabitEthernet0/0.1025
!
route-map LAN permit 85
match ip address LAN_17
set vrf Servers next-hop 10.71.0.18
set ip global next-hop 10.1.0.5
set default interface GigabitEthernet0/0.1071
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
banner login ^C
W A R N I N G
THIS IS A PRIVATE COMPUTER SYSTEM.
This computer system including all related equipment, network devices
(specifically including Internet access), are provided only for
authorized used.

All computer systems may be monitored for all lawful purposes, including
to ensure that their use is authorized, for management of the system, to
facilitate protection against unauthorized access, and to verify security
procedures, survivability and operational security.

Monitoring includes active attacks by authorized personnel and their
entities to test or verify the security of the system. During monitoring,
information may be examined, recorded, copied and used for authorized
purposes.

All information including personal information, placed on or sent over
this system may be monitored. Uses of this system, authorized or
unauthorized, constitutes consent to monitoring of this system.
Unauthorized use may subject you to criminal prosecution. Evidence of
any such unauthorized use collected during monitoring may be used for
administrative, criminal or other adverse action. Use of this system
constitutes consent to monitoring for these purposes.
^C
!
line con 0
exec-timeout 0 0
logging synchronous
login local
line aux 0
line vty 0 4
logging synchronous
login local
transport input ssh
transport output ssh
line vty 5 15
logging synchronous
login
transport input all
!
scheduler allocate 20000 1000