
please dissect this config

Scott_O'Brien
Level 1

plc-sw-core#en

plc-sw-core#sh

plc-sw-core#show ip ro

plc-sw-core#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

       ia - IS-IS inter area, * - candidate default, U - per-user static route

       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.252.0.1 to network 0.0.0.0

S   192.168.74.0/24 [1/0] via 10.252.0.1

     116.0.0.0/32 is subnetted, 1 subnets

S       116.212.202.21 [1/0] via 10.252.0.1

S   192.168.150.0/24 [1/0] via 10.252.0.1

S   192.168.128.0/24 [1/0] via 10.252.0.1

S   192.168.160.0/24 [1/0] via 10.252.0.1

S   192.168.131.0/24 [1/0] via 10.252.0.1

S   192.168.140.0/24 [1/0] via 10.252.0.1

S   192.168.201.0/24 [1/0] via 10.252.0.1

     10.0.0.0/8 is variably subnetted, 35 subnets, 6 masks

C       10.11.1.0/24 is directly connected, Vlan71

C       10.255.10.254/32 is directly connected, Loopback0

C       10.10.1.0/24 is directly connected, Vlan70

C       10.10.2.0/24 is directly connected, Vlan69

C       10.15.1.0/24 is directly connected, Vlan19

C       10.7.0.0/24 is directly connected, Vlan5

C       10.5.0.0/16 is directly connected, Vlan10

S       10.20.1.0/24 [1/0] via 10.5.50.60

C       10.100.0.40/32 is directly connected, Loopback140

C       10.100.0.41/32 is directly connected, Loopback141

C       10.100.0.38/32 is directly connected, Loopback138

C       10.100.0.39/32 is directly connected, Loopback139

C       10.100.0.36/32 is directly connected, Loopback136

C       10.100.0.37/32 is directly connected, Loopback137

C       10.100.0.34/32 is directly connected, Loopback134

C       10.83.21.0/24 is directly connected, Vlan110

C       10.100.0.35/32 is directly connected, Loopback135

C       10.83.20.0/24 is directly connected, Vlan111

C       10.100.0.32/32 is directly connected, Loopback132

C       10.100.0.33/32 is directly connected, Loopback133

S       10.82.0.0/16 [1/0] via 10.252.0.1

C       10.83.0.0/24 is directly connected, Vlan109

C       10.100.0.15/32 is directly connected, Loopback115

C       10.100.1.0/24 is directly connected, Loopback1

C       10.100.0.30/32 is directly connected, Loopback130

C       10.100.0.31/32 is directly connected, Loopback131

C       10.1.120.0/22 is directly connected, Vlan101

C       10.100.0.25/32 is directly connected, Loopback125

C       10.1.124.0/22 is directly connected, Vlan102

C       10.1.136.0/21 is directly connected, Vlan105

C       10.1.128.0/22 is directly connected, Vlan103

C       10.1.132.0/22 is directly connected, Vlan104

C       10.1.145.0/24 is directly connected, Vlan108

C       10.1.144.0/24 is directly connected, Vlan106

C       10.252.0.0/29 is directly connected, GigabitEthernet1/23

     72.0.0.0/32 is subnetted, 1 subnets

S       72.233.89.198 [1/0] via 10.7.0.252

C   192.168.0.0/24 is directly connected, Vlan107

C   192.168.1.0/24 is directly connected, Vlan113

S   192.168.69.0/24 [1/0] via 10.252.0.1

C   192.168.222.0/24 is directly connected, Vlan112

     203.153.247.0/32 is subnetted, 1 subnets

S       203.153.247.130 [1/0] via 10.7.0.252

S*   0.0.0.0/0 [1/0] via 10.252.0.1

plc-sw-core# show ip access-lists

Standard IP access list 1

    10 permit 10.5.50.13

Standard IP access list 2

    10 permit 10.5.50.57

    20 permit 10.5.50.56

    30 permit 10.5.50.58

    40 permit 10.5.50.55

Standard IP access list 3

    10 permit 10.5.50.29

    20 permit 10.5.50.30

    30 permit 10.5.50.21

    40 permit 10.5.50.9

Extended IP access list 101

    10 permit ip any host 203.33.253.43 (7167 matches)

Extended IP access list 102

    10 permit ip host 10.5.6.70 any

    20 permit ip host 10.5.6.72 any

    30 permit ip host 10.5.6.76 any

    40 permit ip host 10.5.6.78 any

    50 permit ip host 10.5.50.204 any (4626 matches)

    60 permit tcp host 10.5.1.37 any eq www

    70 permit tcp host 10.5.1.37 any eq 443

    80 permit tcp host 10.5.1.37 any eq 3389

Extended IP access list 103

    10 permit ip host 10.1.139.63 any (907 matches)

    20 permit ip host 192.168.222.2 any (145 matches)

Extended IP access list 104

    10 permit ip host 10.83.0.200 any

plc-sw-core#show route-map

route-map WCCP, permit, sequence 10

Match clauses:

   ip address (access-lists): 104

Set clauses:

   ip next-hop 10.7.0.252

Policy routing matches: 0 packets, 0 bytes

route-map JoshTest, permit, sequence 10

Match clauses:

   ip address (access-lists): 102

Set clauses:

   ip next-hop 10.7.0.252

Policy routing matches: 249813 packets, 27628256 bytes

route-map DefPathViaScotch, permit, sequence 10

Match clauses:

   ip address (access-lists): 2

Set clauses:

ip next-hop 10.252.0.1

Policy routing matches: 0 packets, 0 bytes

route-map DefPathViaScotch, permit, sequence 20

match clauses:

   ip address (access-lists): 101

Set clauses:

   ip next-hop 10.252.0.1

Policy routing matches: 0 packets, 0 bytes

route-map PLCWebsiteViaPix, permit, sequence 10

Match clauses

   ip address (access-lists): 101

Set clauses:

   ip next-hop 10.252.0.1

Policy routing matches: 0 packets, 0 bytes

route-map MobileDevicesToProxy, permit, sequence 10

Match clauses:

   ip address (access-lists): 103

Set clauses:

   ip next-hop 10.5.50.21

Policy routing matches: 1052 packets, 80497 bytes

route-map DefPathViaPLC, permit, sequence 10

Match clauses:

   ip address (access-lists): 3

Set clauses:

   ip next-hop 10.7.0.252

Policy routing matches: 0 packets, 0 bytes

route-map ichat, permit, sequence 10

Match clauses

   ip address (access-lists): 1

Set clauses:

   ip next-hop 10.7.0.252

Policy routing matches: 0 packets, 0 bytes

route-map PLCWebsiteViaDirect, permit, sequence 10

Match clauses:

   ip address (access-lists): 101

Set clauses:

   ip next-hop 10.7.0.252

Policy routing matches: 7167 packets, 947237 bytes

To me, this config is only allowing data from the 10.5 networks to be routed out to the next hop of 10.7.0.252, and all else blocked? But everything else will get blocked?


Fabio Francisco
Level 1

To me there is more to it: ACL 101 allows any traffic to 203.33.253.43

Extended IP access list 101

    10 permit ip any host 203.33.253.43 (7167 matches)

route-map DefPathViaScotch, permit, sequence 20

match clauses:

   ip address (access-lists): 101

Set clauses:

   ip next-hop 10.252.0.1

Policy routing matches: 0 packets, 0 bytes

route-map PLCWebsiteViaPix, permit, sequence 10

Match clauses

   ip address (access-lists): 101

Set clauses:

   ip next-hop 10.252.0.1

route-map PLCWebsiteViaDirect, permit, sequence 10

Match clauses:

   ip address (access-lists): 101

Set clauses:

   ip next-hop 10.7.0.252

Policy routing matches: 7167 packets, 947237 bytes

And ACL 103 also allows subnets other than 10.5.x.x

Extended IP access list 103

    10 permit ip host 10.1.139.63 any (907 matches)

    20 permit ip host 192.168.222.2 any (145 matches)

Extended IP access list 104

    10 permit ip host 10.83.0.200 any

Cheers,

Fabio

Hi,

ACL 101 is for policy-based routing: if the destination is 203.33.253.43, then forward towards next-hop 10.252.0.1,

but is it necessary, as the default static route already points towards this next-hop? So you are process switching traffic going to this destination instead of CEF switching, and so you have a performance downgrade.

Furthermore, where are these route-maps applied, and why use the same next-hop to go to scotch or Pix?

We are missing info such as sh run interface and sh run | i policy to really know what this is achieving.

Regards.

Alain.

Don't forget to rate helpful posts.
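
The two checks raised in the reply above (does a route-map's set next-hop merely repeat the default route, and do its counters show any policy-routed traffic) can be run mechanically over the posted output. This is an added example, not part of the original thread; the sample text is a constructed, single-spaced excerpt of that output, and the `audit` function name is an assumption.

```python
import re

# Constructed sample: excerpts of the output quoted in the thread, single-spaced.
SHOW_ROUTE_MAP = """\
route-map JoshTest, permit, sequence 10
  Match clauses:
    ip address (access-lists): 102
  Set clauses:
    ip next-hop 10.7.0.252
  Policy routing matches: 249813 packets, 27628256 bytes
route-map DefPathViaScotch, permit, sequence 20
  Match clauses:
    ip address (access-lists): 101
  Set clauses:
    ip next-hop 10.252.0.1
  Policy routing matches: 0 packets, 0 bytes
route-map PLCWebsiteViaDirect, permit, sequence 10
  Match clauses:
    ip address (access-lists): 101
  Set clauses:
    ip next-hop 10.7.0.252
  Policy routing matches: 7167 packets, 947237 bytes
"""
SHOW_IP_ROUTE = "Gateway of last resort is 10.252.0.1 to network 0.0.0.0"

# One match per route-map entry: header, ACL, set next-hop, packet counter.
ENTRY = re.compile(
    r"route-map (?P<name>\S+), (?P<action>permit|deny), sequence (?P<seq>\d+)"
    r".*?access-lists\): (?P<acl>\S+)"
    r".*?ip next-hop (?P<hop>[\d.]+)"
    r".*?matches: (?P<pkts>\d+) packets", re.S)

def audit(route_map_text, route_text):
    """Return one dict per route-map entry, with flags for manual review."""
    gw = re.search(r"Gateway of last resort is ([\d.]+)", route_text).group(1)
    report = []
    for m in ENTRY.finditer(route_map_text):
        pkts = int(m["pkts"])
        flags = []
        if m["hop"] == gw:   # same hop the default route uses: is PBR needed?
            flags.append("next-hop equals default gateway")
        if pkts == 0:        # may be unapplied or unused: check interface config
            flags.append("no policy-routing matches")
        report.append({"name": m["name"], "seq": int(m["seq"]), "acl": m["acl"],
                       "next_hop": m["hop"], "packets": pkts, "flags": flags})
    return report

if __name__ == "__main__":
    for row in audit(SHOW_ROUTE_MAP, SHOW_IP_ROUTE):
        print(row)
```

The flags are prompts for review, not conclusions: only the interface configuration (`ip policy route-map ...`) shows which route-maps are actually in use.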