http acl

Hi ,

I have one router with three interfaces:

                                                  __ s0/0 (150.0.0.1/24)
HTTP_SERVER (172.16.1.2) -------- (172.16.1.1/24) f0/0 - ROUTER -|
                                                  __ s1/0 (150.0.1.1/24)

I want the HTTP traffic that leaves the router from the LAN to follow s0/0 and the rest to follow s1/0. I must use PBR to do this, and I want to know if my configuration is correct.

For HTTP traffic:

ROUTER(config)#access-list 106 permit tcp host 172.16.1.2 any eq 80
ROUTER(config)#route-map httpmap permit 10
ROUTER(config-route-map)#match ip address 106
ROUTER(config-route-map)#set ip next-hop 150.0.0.1
ROUTER(config)#interface s0/0
ROUTER(config-if)#ip policy route-map httpmap

For other traffic:

ROUTER(config)#access-list 101 permit ip host 172.16.1.2 any
ROUTER(config)#route-map othermap permit 10
ROUTER(config-route-map)#match ip address 101
ROUTER(config-route-map)#set ip next-hop 150.0.1.1
ROUTER(config)#interface s0/1
ROUTER(config-if)#ip policy route-map othermap

Is that correct?





Accepted Solution

Bilal Nawaz (VIP Alumni)

Hello, this is slightly incorrect and needs some tweaking. First, you need to apply PBR on the LAN interface. Also, you can't apply more than one policy on an interface, if I remember correctly. That's why we will split it up a bit, like an access-list, with entries for the route-map in lines 10 and 20.

The ordering is important here. We need the HTTP traffic to be policy-based first, then all other traffic will follow after.

Also, you have specified the next-hop to be the interface IP address? Is this correct? If you want to send out of an interface instead of 'set ip next-hop', you can do 'set interface s0/X'; next hop is only when you want to send to another router or exit point. If it is a next hop to another router, please use the next-hop command. In my example I will use set interface because this is what you have given in your example.

ROUTER(config)#access-list 106 permit tcp host 172.16.1.2 any eq 80
ROUTER(config)#access-list 101 permit ip host 172.16.1.2 any

ROUTER(config)#route-map MYTRAFFIC permit 10
ROUTER(config-route-map)#match ip address 106
ROUTER(config-route-map)#set interface s0/0

ROUTER(config)#route-map MYTRAFFIC permit 20
ROUTER(config-route-map)#match ip address 101
ROUTER(config-route-map)#set interface s0/1

ROUTER(config)#interface fa0/0
ROUTER(config-if)#ip policy route-map MYTRAFFIC

Hope this helps

Please rate useful posts and remember to mark any solved questions as answered. Thank you.



8 Replies


Thanks for the reply. In my case I don't want to use the next hop, just the interfaces as you did.

How do I verify this? Is there any command to send HTTP traffic from a router? (The HTTP server is a Cisco router.)

I'm not too sure :-) maybe you could try telnet on port 80?

You might want to turn on a debug ('debug ip policy') to see if any PBR takes place.

Please rate useful posts and remember to mark any solved questions as answered. Thank you.


OK, thanks.

When I send a packet from the server I have this on the ROUTER (I used 'debug ip policy'):

*Mar  1 01:54:27.771: IP: s=172.16.3.3 (Tunnel0), d=172.16.1.2, len 100, FIB policy rejected(no match) - normal forwarding
*Mar  1 01:54:27.819: IP: s=172.16.3.3 (Tunnel0), d=172.16.1.2, len 100, FIB policy rejected(no match) - normal forwarding
*Mar  1 01:54:27.867: IP: s=172.16.3.3 (Tunnel0), d=172.16.1.2, len 100, FIB policy rejected(no match) - normal forwarding
*Mar  1 01:54:27.919: IP: s=172.16.3.3 (Tunnel0), d=172.16.1.2, len 100, FIB policy rejected(no match) - normal forwarding
*Mar  1 01:54:27.975: IP: s=172.16.3.3 (Tunnel0), d=172.16.1.2, len 100, FIB policy rejected(no match) - normal forwarding

What does it mean?

Which device are you testing from? The source seems to be 172.16.3.3, which is located at Tunnel0? Which interface is your LAN on?

Please rate useful posts and remember to mark any solved questions as answered. Thank you.


I used tunnel interfaces instead of serial interfaces because I have two DMVPN clouds connected to the ROUTER. The first DMVPN cloud is on interface serial 0/0 and has the logical IP 10.0.0.1, and the second DMVPN cloud is on interface serial 0/1. The 172.16.3.3 refers to a host address on the other side (spoke). Thanks.
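To make the two points of this thread concrete (the accepted answer's route-map ordering, and the later 'debug ip policy' output showing "FIB policy rejected(no match)"), here is a small Python model of how a policy route-map is evaluated. It is an added example, not code from the thread or from Cisco: it models ACL 106 and ACL 101 in the 'host ... any' form, the MYTRAFFIC route-map with sequences 10 and 20 and the 'set interface' names used in the accepted answer, and evaluates constructed packets, including one sourced from 172.16.3.3 as in the debug output. Real IOS behaviour (implicit deny, first matching sequence wins, no match means normal forwarding) is what the model reproduces; everything else is a simplification.

```python
"""
Added example (not from the thread): a minimal model of IOS policy-based
routing evaluation, used to show why route-map sequence 10 (HTTP, ACL 106)
must come before sequence 20 (everything else, ACL 101), and why a packet
from 172.16.3.3 produces 'FIB policy rejected(no match) - normal forwarding'.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Constructed packet record: only the fields the ACLs look at."""
    src: str
    dst: str
    proto: str                  # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None


@dataclass(frozen=True)
class AclEntry:
    """One line of an IOS extended ACL, simplified: protocol ("ip" matches
    any protocol), source and destination networks, optional dest port."""
    proto: str
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if IPv4Address(pkt.src) not in self.src:
            return False
        if IPv4Address(pkt.dst) not in self.dst:
            return False
        return self.dport is None or self.dport == pkt.dport


ANY = IPv4Network("0.0.0.0/0")          # IOS keyword 'any'


def host(ip: str) -> IPv4Network:       # IOS keyword 'host' (wildcard 0.0.0.0)
    return IPv4Network(f"{ip}/32")


# access-list 106 permit tcp host 172.16.1.2 any eq 80
# access-list 101 permit ip  host 172.16.1.2 any
ACLS = {
    106: [AclEntry("tcp", host("172.16.1.2"), ANY, 80)],
    101: [AclEntry("ip", host("172.16.1.2"), ANY)],
}

# route-map MYTRAFFIC: (sequence, matched ACL, 'set interface' egress),
# in the order the accepted answer gives them.
RouteMap = List[Tuple[int, int, str]]
MYTRAFFIC: RouteMap = [(10, 106, "s0/0"), (20, 101, "s0/1")]

NORMAL_FORWARDING = "normal forwarding"


def acl_permits(acl_number: int, pkt: Packet) -> bool:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    return any(entry.matches(pkt) for entry in ACLS[acl_number])


def policy_route(route_map: RouteMap, pkt: Packet) -> str:
    """Return the egress chosen by PBR, or NORMAL_FORWARDING when no
    sequence matches, which is what the router logs as
    'FIB policy rejected(no match) - normal forwarding'."""
    for _seq, acl_number, egress in route_map:
        if acl_permits(acl_number, pkt):
            return egress
    return NORMAL_FORWARDING


if __name__ == "__main__":
    samples = [
        Packet("172.16.1.2", "10.0.0.50", "tcp", 80),   # HTTP from the server
        Packet("172.16.1.2", "10.0.0.50", "tcp", 22),   # SSH from the server
        Packet("172.16.3.3", "172.16.1.2", "icmp"),     # spoke host, as in the debug
    ]
    for pkt in samples:
        print(pkt, "->", policy_route(MYTRAFFIC, pkt))
    # Swapping the sequences shows why ordering matters: ACL 101 also
    # permits HTTP, so HTTP would never reach the s0/0 sequence.
    print("reversed:", policy_route(list(reversed(MYTRAFFIC)), samples[0]))
```

The reversed-order call is the point of the answer's "ordering is important": because ACL 101 is a superset of ACL 106, putting sequence 20 first would send HTTP out s0/1 as well. The 172.16.3.3 packet matches neither ACL because both only permit source 172.16.1.2, so the model returns normal forwarding, which is exactly what the debug lines in the thread report.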
