02-09-2016 04:06 PM - edited 03-08-2019 04:32 AM
Hello Everyone
We just started doing policy based routing on our network. We just purchased a layer 2 point-to-point link for replication traffic to offload our MPLS. I have configured policy based routing on both sides. Currently we have multiple ACLs identifying multiple types of traffic, but only one ACL seems to be working at a time.
Site one
access-list 151 permit tcp 10.2.2.60 0.0.0.3 10.3.2.60 0.0.0.3 eq 8080
access-list 152 permit tcp any host 10.3.2.30 eq 4214
access-list 153 permit tcp host 10.2.4.90 host 10.3.4.90 eq 12547
access-list 154 permit tcp 10.2.4.150 0.0.0.1 10.3.4.150 0.0.0.1 eq 64327
access-list 155 permit ip host 10.2.4.31 host 10.3.4.31
access-list 156 permit tcp host 10.2.4.157 host 10.3.4.50 range 5022 5026
access-list 156 permit tcp host 10.2.4.158 host 10.3.4.50 range 5022 5026
route-map alt_route_dc permit 10
match ip address 155 151 152 153 154 156
set ip next-hop 172.16.255.2
The policy is then assigned to each VLAN that the servers are on.
On site 2 we have exactly the reverse configuration.
The only traffic I see working correctly is from this ACL:
access-list 156 permit tcp host 10.2.4.158 host 10.3.4.50 range 5022 5026
All the others worked when we did them individually.
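To check offline what the route-map above should be doing, here is an added example (my own code, not from this thread or from Cisco): a small Python evaluator that parses the posted numbered ACLs, applies IOS first-match semantics with the implicit deny, and reports which ACL in the ORed 'match ip address' list would send a given flow to the next hop. It assumes contiguous wildcard masks and entries with only a destination port operator, as in the posted lines.

```python
import ipaddress
# Constructed sample input: the site-one ACLs and match list quoted in the post above.
ACL_TEXT = """
access-list 151 permit tcp 10.2.2.60 0.0.0.3 10.3.2.60 0.0.0.3 eq 8080
access-list 152 permit tcp any host 10.3.2.30 eq 4214
access-list 153 permit tcp host 10.2.4.90 host 10.3.4.90 eq 12547
access-list 154 permit tcp 10.2.4.150 0.0.0.1 10.3.4.150 0.0.0.1 eq 64327
access-list 155 permit ip host 10.2.4.31 host 10.3.4.31
access-list 156 permit tcp host 10.2.4.157 host 10.3.4.50 range 5022 5026
access-list 156 permit tcp host 10.2.4.158 host 10.3.4.50 range 5022 5026
"""
ROUTE_MAP_MATCH = [155, 151, 152, 153, 154, 156]  # 'match ip address' list, in order

def _addr(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wild = (int(ipaddress.ip_address(t)) for t in tokens[:2])
    # Wildcard bits set to 1 are "don't care"; assumes a contiguous wildcard such as 0.0.0.3
    base = ipaddress.ip_address(addr & ~wild & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{base}/{32 - wild.bit_length()}"), tokens[2:]

def parse_acls(text):
    """Return {acl_number: [(action, proto, src_net, dst_net, (lo, hi)), ...]} in line order."""
    acls = {}
    for line in text.strip().splitlines():
        _, num, action, proto, *rest = line.split()
        src, rest = _addr(rest)
        dst, rest = _addr(rest)
        # Destination port operator: 'eq N' -> (N, N), 'range A B' -> (A, B), none -> any port
        lo, hi = (int(rest[1]), int(rest[-1])) if rest else (0, 65535)
        acls.setdefault(int(num), []).append((action, proto, src, dst, (lo, hi)))
    return acls

def acl_permits(entries, proto, src, dst, dport):
    """First-match evaluation with the implicit deny at the end of every IOS ACL."""
    for action, eproto, snet, dnet, (lo, hi) in entries:
        if (eproto in ("ip", proto) and ipaddress.ip_address(src) in snet
                and ipaddress.ip_address(dst) in dnet and lo <= dport <= hi):
            return action == "permit"
    return False

def policy_route(acls, proto, src, dst, dport):
    """'match ip address' ORs its ACLs: return the first ACL number permitting the flow, else None."""
    for num in ROUTE_MAP_MATCH:
        if acl_permits(acls.get(num, []), proto, src, dst, dport):
            return num
    return None
```

A flow that returns None here should follow the normal routing table, so comparing this output with a packet capture on the SVI is a quicker cross-check than a NetFlow view.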
02-09-2016 04:27 PM
Can you please share the output of 'sh route-map alt_route_dc'?
Let's verify whether all the ACLs are matching in the route-map.
CF
02-09-2016 04:35 PM
Here is the route map:
route-map alt_route_dc, permit, sequence 10
Match clauses:
ip address (access-lists): 155 151 152 153 154 156
Set clauses:
ip next-hop 172.16.255.2
Policy routing matches: 152238 packets, 18882217 bytes
02-09-2016 04:45 PM
Jason
Had a quick look at last post and it looks like you are using 3850s which have had bugs in PBR in the past.
Is there a specific reason for using multiple ACLs, because you are applying the same route map to all the SVIs?
It shouldn't make a difference, but as each ACL worked individually, perhaps it is something to do with the way the switch is handling multiple ACLs in the match statement.
Jon
02-09-2016 04:45 PM
We did try to combine everything into one ACL and it did not work, then moved to individual ones. The other thing we tried with no success was named access lists, which are supposed to work, but we could not get these to work.
It is possible that the reason the combined ACL did not work was related to some other config error. Let me try combining again.
02-09-2016 04:56 PM
BTW
I just figured out how to do a named ACL. Apparently you cannot type the whole thing out; you have to enter the access list and then add your entries. This seems like a better way because you can actually edit them without removing them.
02-17-2016 08:10 PM
BTW
Wanted to point out that we did move to IP named access lists but kept them separate. We may combine them later, but for now everything is working and always was working.
02-17-2016 07:40 PM
Everyone
I ended up doing a packet capture on the interface and all traffic was being identified correctly. This was due to SolarWinds NetFlow not showing the correct traffic. Had me chasing my tail for a bit.
Resolved