Route map/acl issue

soporteca (Level 1)

Hi Community!

I'm having an issue using an ACL and a route map. Let me explain. We have a 4900M core and a firewall.

The 4900M is the DG of some VLANs and the firewall is for others. The problem comes when I apply a PBR and an ACL, and something "not logical" happens.

Let me show a trace:

traceroute to 192.168.54.3 (192.168.54.3), 30 hops max, 60 byte packets
 1  intrafire0.comarb (192.168.4.1)  0.766 ms  0.872 ms  0.996 ms
 2  192.168.253.254 (192.168.253.254)  0.140 ms  0.143 ms  0.356 ms Firewall
 3  192.168.253.253 (192.168.253.253)  1.109 ms  1.239 ms  1.356 ms CORE 4900m
 4  192.168.54.3 (192.168.54.3)  0.339 ms * * destination host.
192.168.54.1 and 192.168.4.1 are both at layer 3 on the 4900M, so it's nonsense to make a hop to the firewall.
Routing table of the 4900:
Gateway of last resort is 192.168.253.254 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 192.168.253.254
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.1.1.0/24 is directly connected, Vlan124
L        10.1.1.253/32 is directly connected, Vlan124
      172.18.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.18.1.0/24 is directly connected, Vlan125
L        172.18.1.1/32 is directly connected, Vlan125
      192.168.4.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.4.0/24 is directly connected, Vlan104
L        192.168.4.1/32 is directly connected, Vlan104
      192.168.50.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.50.0/24 is directly connected, Vlan5
L        192.168.50.254/32 is directly connected, Vlan5
      192.168.54.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.54.0/24 is directly connected, Vlan225
L        192.168.54.1/32 is directly connected, Vlan225
      192.168.253.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.253.252/30 is directly connected, GigabitEthernet2/11
L        192.168.253.253/32 is directly connected, GigabitEthernet2/11
ACL, PBR and interfaces:
interface Vlan104
 ip address 192.168.4.1 255.255.255.0
 ip policy route-map vlanIT
!
interface Vlan225
 ip address 192.168.54.1 255.255.255.0
 ip policy route-map vlan_tel
!
access-list 121 deny   ip 192.168.54.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 121 permit ip 192.168.54.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 121 deny   ip 192.168.54.0 0.0.0.255 10.17.1.0 0.0.0.255
access-list 121 deny   ip 192.168.54.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 121 deny   ip 192.168.54.0 0.0.0.255 172.18.1.0 0.0.0.255
access-list 121 permit ip 192.168.54.0 0.0.0.255 192.168.252.0 0.0.0.255
access-list 121 permit ip 192.168.54.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 130 permit ip 192.168.4.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 130 permit ip 192.168.4.0 0.0.0.255 host 172.18.1.157
access-list 130 permit ip 192.168.4.0 0.0.0.255 host 172.18.1.156
access-list 130 permit ip 192.168.4.0 0.0.0.255 10.17.0.0 0.0.255.255
access-list 130 permit ip 192.168.4.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 130 permit ip 192.168.4.0 0.0.0.255 10.19.0.0 0.0.0.255
access-list 130 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 130 permit ip 192.168.4.0 0.0.0.255 10.18.0.0 0.0.255.255
access-list 131 permit ip 192.168.4.0 0.0.0.255 any
route-map vlanIT permit 10
 match ip address 130
 set ip next-hop 192.168.253.254
!
route-map vlanIT permit 11
 match ip address 131
 set ip next-hop 172.18.1.254

The reason for the policy routing solution is to forward Internet traffic to PFSENSE at 172.18.1.254. Any ideas are welcome.

Thanks

Mariano

Accepted Solution
Hello
Try the following:

no route-map vlanIT permit 10
route-map vlanIT deny 10
 match ip address 130


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul


3 Replies

chrihussey (VIP Alumni)

Hello,

From what I can see things are working as configured, although it may not be how you want it.

The first instance of ACL 130 for the route map is:

access-list 130 permit ip 192.168.4.0 0.0.0.255 192.168.0.0 0.0.255.255

which includes 192.168.54.3, so it will be sent to the firewall 192.168.253.254, which will have the route to the destination pointing back at the 4900's 192.168.253.253.

This is probably not what you want, so to remedy this you need to explicitly deny the locally connected routes prior to the permits or, if it applies, specify "set ip default next-hop" in the route-map instead. See the link below:

https://www.cisco.com/c/en/us/support/docs/ip/ip-routed-protocols/47121-pbr-cmds-ce.html

Hope this helps
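To make the behaviour described in this reply and in the accepted solution checkable offline, here is an added Python model of how IOS walks the vlanIT route-map (this is not code from the thread or from Cisco). It implements wildcard-mask ACL matching, permit/deny route-map sequences, "set ip next-hop" versus "set ip default next-hop", and the connected routes from the 4900M routing table above. IOS semantics are simplified to the parts that matter here (first-match ACLs with an implicit deny, a matched deny sequence falls back to normal routing, and a default next-hop is only used when the RIB has no explicit route). The source host 192.168.4.10 and the destinations 192.168.2.5 and 203.0.113.10 are constructed test values.

```python
"""Model of PBR evaluation for the vlanIT route-map (added example, simplified IOS semantics)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Connected routes taken from the 4900M routing table in the thread.
CONNECTED = {
    "10.1.1.0/24": "Vlan124",
    "172.18.1.0/24": "Vlan125",
    "192.168.4.0/24": "Vlan104",
    "192.168.50.0/24": "Vlan5",
    "192.168.54.0/24": "Vlan225",
    "192.168.253.252/30": "GigabitEthernet2/11",
}
DEFAULT_GW = "192.168.253.254"  # S* 0.0.0.0/0 via the firewall


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 0 bit must match exactly, a 1 bit is ignored."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass
class AclEntry:
    action: str  # "permit" or "deny"
    src: str
    src_wc: str
    dst: str
    dst_wc: str


def acl_permits(acl: List[AclEntry], src: str, dst: str) -> bool:
    """First matching entry wins; no match at all is the implicit deny."""
    for e in acl:
        if wildcard_match(src, e.src, e.src_wc) and wildcard_match(dst, e.dst, e.dst_wc):
            return e.action == "permit"
    return False


@dataclass
class Seq:
    action: str                             # route-map permit / deny
    acl: List[AclEntry]                     # match ip address <acl>
    next_hop: Optional[str] = None          # set ip next-hop
    default_next_hop: Optional[str] = None  # set ip default next-hop


def connected_interface(dst: str) -> Optional[str]:
    ip = ipaddress.ip_address(dst)
    for prefix, intf in CONNECTED.items():
        if ip in ipaddress.ip_network(prefix):
            return intf
    return None


def forward(route_map: List[Seq], src: str, dst: str) -> Tuple[str, str]:
    """Return ('pbr', next_hop) when policy routing wins, else ('rib', egress)."""
    for seq in route_map:
        if not acl_permits(seq.acl, src, dst):
            continue                      # ACL did not match: try the next sequence
        if seq.action == "deny":
            break                         # matched a deny sequence: route normally
        if seq.next_hop:
            return ("pbr", seq.next_hop)  # overrides even a connected route
        if seq.default_next_hop and connected_interface(dst) is None:
            return ("pbr", seq.default_next_hop)  # only when the RIB has no explicit route
        break                             # matched, but nothing overrides the RIB
    intf = connected_interface(dst)
    return ("rib", intf if intf else f"default via {DEFAULT_GW}")


def acl130() -> List[AclEntry]:
    src = ("192.168.4.0", "0.0.0.255")
    dsts = [("192.168.0.0", "0.0.255.255"), ("172.18.1.157", "0.0.0.0"),
            ("172.18.1.156", "0.0.0.0"), ("10.17.0.0", "0.0.255.255"),
            ("10.1.1.0", "0.0.0.255"), ("10.19.0.0", "0.0.0.255"),
            ("192.168.2.0", "0.0.0.255"), ("10.18.0.0", "0.0.255.255")]
    return [AclEntry("permit", *src, d, w) for d, w in dsts]


def acl131() -> List[AclEntry]:
    return [AclEntry("permit", "192.168.4.0", "0.0.0.255", "0.0.0.0", "255.255.255.255")]


# The three route-maps under discussion.
ORIGINAL = [Seq("permit", acl130(), next_hop="192.168.253.254"),
            Seq("permit", acl131(), next_hop="172.18.1.254")]
DENY_FIRST = [Seq("deny", acl130()),  # the accepted fix: sequence 10 becomes a deny
              Seq("permit", acl131(), next_hop="172.18.1.254")]
DEFAULT_NH = [Seq("permit", acl130(), default_next_hop="192.168.253.254"),  # the alternative
              Seq("permit", acl131(), next_hop="172.18.1.254")]

if __name__ == "__main__":
    for name, rm in (("original", ORIGINAL), ("deny-first", DENY_FIRST), ("default-next-hop", DEFAULT_NH)):
        for dst in ("192.168.54.3", "192.168.2.5", "203.0.113.10"):  # constructed destinations
            print(f"{name:16} 192.168.4.10 -> {dst:14} {forward(rm, '192.168.4.10', dst)}")
```

Running it shows the extra hop from the trace: with the original map, a packet for 192.168.54.3 matches the 192.168.0.0/16 entry of ACL 130 and is handed to 192.168.253.254 even though Vlan225 is directly connected. With either remedy the same packet goes out Vlan225, while traffic to a non-connected 192.168.x.x network still reaches the firewall (through the default route in the deny-first variant, through the default next-hop in the other) and Internet traffic still goes to 172.18.1.254.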


Cool!

It seems to solve the problem! Even if it is very "handy" and I have to declare all the networks and deny them, now the hop to the firewall is not in my trace. :)

Thanks for your solution

Mariano
