01-19-2014 12:11 PM - edited 03-07-2019 05:39 PM
Hi All,
I wonder if anyone can help with this issue?
We have many customers who come into our colocation in Australia from a satellite feed - this terminates on our 3750x. From here most of our customers then break out via our firewall (ASA5525), also connected to the same 3750x.
However we have one customer who needs the traffic from their clients coming in on the sat feed to connect to their own router, which connects into the same 3750x as the firewall; their router is on 192.168.20.5. This customer's clients all come from the subnet 172.17.1.0/24 (all others are outside this subnet) and they need to be pushed to 192.168.20.1, but they currently go to the default route – the firewall. I've applied the below config, however the customer's traffic is still going to the firewall, almost like the ACL is being ignored. Does anyone have any ideas? Thanks in advance.
interface GigabitEthernet1/0/1
 description Inside link to SC-SYD1-ASA01 Primary
!
interface GigabitEthernet1/0/2
 description Primary Sat connection
 no switchport
 ip address 172.30.167.26 255.255.255.252
 ip policy route-map Customer1
 speed 100
 duplex full
!
interface GigabitEthernet3/0/11
 description 3rdparty Link for Customer1
 no switchport
 ip address 192.168.20.5 255.255.255.240
!
access-list 101 permit ip 172.17.1.0 0.0.0.255 any
!
route-map Customer1 permit 10
 match ip address 101
 set ip next-hop 192.168.20.1
01-19-2014 05:10 PM
The original post tells us that it wants to manipulate traffic originating from subnet 172.17.1.0. But I am not sure that this traffic actually arrives at the switch on interface gig1/0/2. Would the original poster be able to post the output of the command
show ip route 172.17.1.0
which should show us the interface where that subnet is located.
HTH
Rick
01-19-2014 12:18 PM
If the customers' IPs are 172.17.1.x then this should work.
How are you testing it, i.e. a traceroute from the customer end?
Be aware that L3 switches do not always show hit counts in the ACL as they are processed in hardware.
I am guessing you have IP Services and are running the SDM routing template, as if I remember correctly you can't apply a PBR route map if you are not, but it is worth checking, i.e.
"sh ver" for feature set
"sh sdm prefer" for the SDM template.
Jon
01-19-2014 12:35 PM
Hi, thanks for your prompt response. Yes the source IPs are 172.17.1.x and I know they're not going to the PBR next-hop as I can see them hitting the firewall, which is the default route on the 3750.
It is running IP Services, however the license type is evaluation - not sure if that's relevant? This is a brand new piece of kit.
License Level: ipservices
License Type: Evaluation
Next reload license Level: ipservices
SDM Prefer is 'desktop routing'
01-19-2014 12:59 PM
There is no way the next hop router is routing the traffic back to the firewall, is there? Very unlikely, but just wanted to check.
I don't know about the Evaluation license bit to be honest. I'll have a bit of a dig around to see if I can find anything relevant.
All I can say at the moment is that there is nothing wrong with your configuration as far as I can see.
Jon
01-22-2014 07:35 AM
Hi Guys,
Thanks for all your help. Richard, you were correct. While the interface the route-map was applied to is the physical interface, there is in fact a logical interface for this traffic over a tunnel. I applied it to the tunnel interface and bingo!
Thanks for your help
Kevin
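The check Rick suggested (look up the route back to the source subnet to find the interface it actually arrives on, and compare that with where the PBR route-map is applied) can be scripted. The following is an added example, not code from this thread or from Cisco; the config and the "show ip route" text are constructed samples that mirror the situation described above (route-map on the physical port, traffic really entering via a tunnel), and the interface names, tunnel addresses and BGP AS numbers are assumptions.

```python
import re

# Constructed sample config: the route-map is applied on the physical sat port,
# while a tunnel interface (assumed name Tunnel0) also exists on the switch.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/2
 description Primary Sat connection
 no switchport
 ip address 172.30.167.26 255.255.255.252
 ip policy route-map Customer1
!
interface Tunnel0
 description Sat traffic over GRE
 ip address 10.99.0.1 255.255.255.252
!
"""

# Constructed sample "show ip route 172.17.1.0" output: a BGP-learned route
# whose outgoing interface is the tunnel, i.e. that is where the traffic enters.
SAMPLE_ROUTE = """\
Routing entry for 172.17.1.0/24
  Known via "bgp 65000", distance 20, metric 0
  Tag 65001, type external
  Routing Descriptor Blocks:
  * 10.99.0.2, from 10.99.0.2, 00:10:23 ago, via Tunnel0
      Route metric is 0, traffic share count is 1
"""

def policy_interfaces(config):
    """Map interface name -> route-map name for every 'ip policy route-map' line."""
    result, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s*ip policy route-map (\S+)", line)
        if m and current:
            result[current] = m.group(1)
    return result

def route_interface(show_ip_route):
    """Return the ', via <interface>' of the first routing descriptor block."""
    m = re.search(r", via (\S+)", show_ip_route)
    return m.group(1) if m else None

def check_pbr_ingress(config, show_ip_route, route_map):
    """Return (ok, ingress_iface, applied_ifaces); ok is True only when the
    route-map is applied on the interface the source subnet is reached via."""
    ingress = route_interface(show_ip_route)
    applied = sorted(i for i, rm in policy_interfaces(config).items() if rm == route_map)
    return (ingress in applied, ingress, applied)

if __name__ == "__main__":
    print(check_pbr_ingress(SAMPLE_CONFIG, SAMPLE_ROUTE, "Customer1"))
```

On the sample input the check reports the route-map applied on GigabitEthernet1/0/2 but the subnet reached via Tunnel0, which is exactly the mismatch that made the ACL look ignored.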
01-22-2014 08:13 AM
I am glad that you have been able to resolve the problem and that my suggestion was helpful. Thank you for posting back to the forum to let us know how you identified the issue and how you solved it. Also thank you for using the rating system to mark this question as answered.
HTH
Rick
01-20-2014 01:12 AM
Hi Jon,
The receiving next hop router doesn't have a route back to the FW. The customer in fact pushes this out of their own break out, which is the entire point; they just want us to pass the traffic - they manage it.
Cheers
Hi Richard
There is no route for the 172.17.1.0 subnet on the router. The routes back to the individual clients are learned and passed using BGP from the satellite link. So there's a learned route on a per-client basis back to the source. The traffic is definitely arriving on that port as there is no other source for the addresses that I'm seeing hit the firewall.
thanks
01-20-2014 03:30 AM
Just a couple more checks -
Can you post the IOS version you are using?
How long have you had the evaluation license on that switch?
Jon