Issues with policy based routing (ACL not identifying traffic correctly)

Jason Flory
Level 1

Hello Everyone

We just started doing policy based routing on our network.  We just purchased a layer 2 point to point for replication traffic to offload our MPLS.   I have configured policy based routing on both sides.  Currently we have multiple ACLs identifying multiple types of traffic but only one ACL seems to be working at a time.

Site one

access-list 151 permit tcp 10.2.2.60 0.0.0.3 10.3.2.60 0.0.0.3 eq 8080
access-list 152 permit tcp any host 10.3.2.30 eq 4214
access-list 153 permit tcp host 10.2.4.90 host 10.3.4.90 eq 12547
access-list 154 permit tcp 10.2.4.150 0.0.0.1 10.3.4.150 0.0.0.1 eq 64327
access-list 155 permit ip host 10.2.4.31 host 10.3.4.31
access-list 156 permit tcp host 10.2.4.157 host 10.3.4.50 range 5022 5026 
access-list 156 permit tcp host 10.2.4.158 host 10.3.4.50 range 5022 5026

route-map alt_route_dc permit 10
 match ip address 155 151 152 153 154 156
 set ip next-hop 172.16.255.2

Policy then assigned to each VLAN that the servers are on.

On site 2 we have exactly the reverse configuration.

The only traffic I see working correctly is from this ACL

access-list 156 permit tcp host 10.2.4.158 host 10.3.4.50 range 5022 5026

All the others have worked when we did them individually.
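As an added example (not from the thread), a small Python checker that evaluates sample flows against the site-one ACLs above, in the route-map's match order, using Cisco wildcard-mask semantics. The ACL lines are copied from the post; the sample flows in the test are constructed. It answers "which ACL should this replication flow hit?" offline, which is a useful cross-check before trusting a NetFlow view of the traffic.

```python
import ipaddress

# ACL entries copied from the thread's site-one configuration (all permit entries).
ACL_CONFIG = """
access-list 151 permit tcp 10.2.2.60 0.0.0.3 10.3.2.60 0.0.0.3 eq 8080
access-list 152 permit tcp any host 10.3.2.30 eq 4214
access-list 153 permit tcp host 10.2.4.90 host 10.3.4.90 eq 12547
access-list 154 permit tcp 10.2.4.150 0.0.0.1 10.3.4.150 0.0.0.1 eq 64327
access-list 155 permit ip host 10.2.4.31 host 10.3.4.31
access-list 156 permit tcp host 10.2.4.157 host 10.3.4.50 range 5022 5026
access-list 156 permit tcp host 10.2.4.158 host 10.3.4.50 range 5022 5026
"""
# Order of the route-map's "match ip address" clause from the post.
MATCH_ORDER = [155, 151, 152, 153, 154, 156]

def parse_addr(tokens):
    """Consume one address spec (any | host A | A WILDCARD); return (ip, wildcard, rest)."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0, tokens[2:]
    return (int(ipaddress.IPv4Address(tokens[0])),
            int(ipaddress.IPv4Address(tokens[1])), tokens[2:])

def parse_ports(tokens):
    """Consume an optional destination port spec; (0, 65535) when absent."""
    if not tokens:
        return 0, 65535
    if tokens[0] == "eq":
        return int(tokens[1]), int(tokens[1])
    if tokens[0] == "range":
        return int(tokens[1]), int(tokens[2])
    raise ValueError(f"unsupported port spec: {tokens}")

def parse_acls(text):
    """Map ACL number -> list of (proto, src, src_wc, dst, dst_wc, (lo, hi))."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        num, proto = int(t[1]), t[3]
        src, swc, rest = parse_addr(t[4:])
        dst, dwc, rest = parse_addr(rest)
        acls.setdefault(num, []).append((proto, src, swc, dst, dwc, parse_ports(rest)))
    return acls

def matching_acl(acls, src, dst, proto, dport):
    """Return the first ACL number in route-map order that permits the flow, else None."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for num in MATCH_ORDER:
        for p, a, awc, b, bwc, (lo, hi) in acls[num]:
            # Wildcard semantics: bits set in the mask are "don't care"; "ip" matches any proto.
            if (p in (proto, "ip") and (s | awc) == (a | awc)
                    and (d | bwc) == (b | bwc) and lo <= dport <= hi):
                return num
    return None
```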

7 Replies

Cisco Freak
Level 4

Can you please share the output of 'sh route-map alt_route_dc'?

Let's verify if all the ACLs are matching in the route-map.

CF

Here is the route map

route-map alt_route_dc, permit, sequence 10
  Match clauses:
    ip address (access-lists): 155 151 152 153 154 156
  Set clauses:
    ip next-hop 172.16.255.2
  Policy routing matches: 152238 packets, 18882217 bytes

Jason

Had a quick look at last post and it looks like you are using 3850s which have had bugs in PBR in the past.

Is there a specific reason for using multiple ACLs, because you are applying the same route map to all the SVIs?

It shouldn't make a difference but as each acl worked individually perhaps it is something to do with the way the switch is handling multiple acls in the match statement.

Jon

We did try to combine everything into one ACL and it did not work, then we moved to individual ones.  The other thing we tried with no success was named access lists, which are supposed to work, but we could not get these to work.

It is possible that the reason the combined ACLs did not work was related to some other config error.  Let me try combining again.

BTW

I just figured out how to do a named ACL.  Apparently you cannot type the whole thing out; you have to enter the access list first, then add your entries.  This seems like a better way because you can actually edit them without removing them.

BTW

Wanted to point out that we did move to IP named access lists but kept them separate.   We may combine later but for now everything is working and always was working.

Jason Flory
Level 1

Everyone 

I ended up doing a packet capture on the interface and all traffic was being identified correctly.  This was due to SolarWinds NetFlow not showing the correct traffic.  Had me chasing my tail for a bit.

Resolved
