
Policy Based Routing

ghermocilla
Level 1

Guys, need your help on this one

For example, I have an internet connection and an MPLS connection.

The subnet 10.10.10.0/24 is going via MPLS.

There is 1 IP address in that subnet that I want to be routed via internet on 1 vlan.

For example, the IP 10.10.10.50 should be routed via internet for vlan 20.

So what I did is create an IP policy for vlan 20:

!sample config
access-list 110 permit ip 192.168.1.0 0.0.0.255 host 10.10.10.50


route-map TO-INTERNET permit 10
 match ip address 110
 set ip next-hop 1.1.1.1


interface vlan 20
 ip address 192.168.1.1 255.255.255.0
 ip policy route-map TO-INTERNET

The policy works; when you do a traceroute you can see that it is routed via internet.

My problem is that when accessing the site, it doesn't come up.

I've tried doing a static route and it worked, but unfortunately under the policy the site doesn't load.

Any insights on what might be the problem?

Thanks.

6 Replies

Jon Marshall
Hall of Fame

Your description does not quite match with your configuration. You talk about routing a specific IP across the internet but your acl is applied to the 192.168.1.x L3 interface.

Perhaps you could provide a topology diagram and more detailed description of what you are trying to achieve.

Jon

The subnet 10.10.10.0/24 is learned via BGP through the MPLS router.

I want a certain IP from that subnet (10.10.10.50) to be routed via internet for vlan 20 only.

10.10.10.50 is accessible via web browser; I have many vlans on the core switch.

The connections for the internet router and the MPLS router are on different vlans.

When I do a static route for that IP on the core, the website is accessible,

but when I put the policy on the vlan interface it doesn't work; the site is inaccessible.

Thanks, that makes more sense now :)

What doesn't make sense is that if you add a static route presumably with exactly the same next hop IP as you are using in your PBR configuration it works but the PBR does not.

I can't, at the moment, see the difference.

Jon

Julio E. Moisa
VIP Alumni

Hi

Could you please provide more details: when accessing the site, what are you referring to? Is it related to getting access to internal services?




>> Mark as helpful or answered if the reply resolved your question; this helps other community members with future queries. <<

Basically it's a website accessed via web browser.

Hi

I think your config is OK, but you need to add another sequence to avoid any impact on the traffic originated by vlan 20. PBR uses an implicit deny when the traffic does not match; that is the reason you need to include an empty permit sequence:

route-map TO-INTERNET permit 100

If you are using corporate DNS (not public like 8.8.8.8) it will be blocked if you do not include the empty route-map sequence.

Your config should be:

Core device:

access-list 110 permit ip 192.168.1.0 0.0.0.255 host 10.10.10.50


route-map TO-INTERNET permit 10
 match ip address 110
 set ip next-hop 1.1.1.1

route-map TO-INTERNET permit 100


interface vlan 20
 ip address 192.168.1.1 255.255.255.0
 ip policy route-map TO-INTERNET

Once the empty sequence is added, please try again.

I am assuming the core switch is working like a CE device (Customer Edge) and the router knows how to reach vlan 20; otherwise you could use the following config:

Router

ip route 192.168.1.0 255.255.255.0 <IP next hop of core>

Example: 

ip route 192.168.1.0 255.255.255.0 1.1.1.2 name TO-VLAN20

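To make the matching logic of the config in this thread concrete, here is an added example (not from the thread or from Cisco) that models ACL 110 and route-map TO-INTERNET in Python: wildcard-mask evaluation of the ACL, then the route-map sequences in order, with sequence 100 (no match, no set clause) sending packets to normal routing. The flows below are constructed; the next-hop 1.1.1.1 and addresses come from the thread.

```python
import ipaddress

# ACL 110 from the thread: permit ip 192.168.1.0 0.0.0.255 host 10.10.10.50
# Numbered ACL entries use wildcard masks: a 0 bit must match, a 1 bit is "don't care".
ACL_110 = [
    ("permit", "192.168.1.0", "0.0.0.255", "10.10.10.50", "0.0.0.0"),
]

# route-map TO-INTERNET: seq 10 matches ACL 110 and sets next-hop 1.1.1.1;
# seq 100 (the empty sequence from the reply) has no match and no set clause.
ROUTE_MAP = [
    {"seq": 10, "match_acl": ACL_110, "next_hop": "1.1.1.1"},
    {"seq": 100, "match_acl": None, "next_hop": None},
]


def wildcard_match(addr, base, wildcard):
    """True when every bit that is 0 in the wildcard is equal in addr and base."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_permits(acl, src, dst):
    """Evaluate entries top-down; an ACL ends with an implicit deny."""
    for action, s_base, s_wc, d_base, d_wc in acl:
        if wildcard_match(src, s_base, s_wc) and wildcard_match(dst, d_base, d_wc):
            return action == "permit"
    return False


def pbr_next_hop(route_map, src, dst):
    """Return the next hop forced by PBR, or None when the packet is routed normally."""
    for entry in route_map:
        # An entry with no match clause matches every packet.
        if entry["match_acl"] is None or acl_permits(entry["match_acl"], src, dst):
            return entry["next_hop"]  # None when the entry has no set clause
    return None


if __name__ == "__main__":
    # Constructed flows: only the 192.168.1.0/24 -> 10.10.10.50 flow is policy routed.
    for src, dst in [("192.168.1.25", "10.10.10.50"),
                     ("192.168.1.25", "10.10.10.51"),
                     ("192.168.2.7", "10.10.10.50")]:
        print(src, "->", dst, "next-hop:", pbr_next_hop(ROUTE_MAP, src, dst))
```

A useful check when a policy "matches" traceroute but not the expected hosts is to run candidate flows through wildcard_match: a subnet mask such as 255.255.255.0 written where a wildcard belongs matches only addresses whose last octet is 0.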