10-26-2018 03:19 AM - edited 03-08-2019 04:28 PM
Hi Community!
I'm having an issue using an ACL and a route map. Let me explain. We have a 4900M core and a firewall.
The 4900M is the DG of some VLANs and the firewall is for others. The problem comes when I apply a PBR and ACL, and something "not logical" happens.
Let me show a trace
Gateway of last resort is 192.168.253.254 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 192.168.253.254
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.1.1.0/24 is directly connected, Vlan124
L        10.1.1.253/32 is directly connected, Vlan124
      172.18.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.18.1.0/24 is directly connected, Vlan125
L        172.18.1.1/32 is directly connected, Vlan125
      192.168.4.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.4.0/24 is directly connected, Vlan104
L        192.168.4.1/32 is directly connected, Vlan104
      192.168.50.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.50.0/24 is directly connected, Vlan5
L        192.168.50.254/32 is directly connected, Vlan5
      192.168.54.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.54.0/24 is directly connected, Vlan225
L        192.168.54.1/32 is directly connected, Vlan225
      192.168.253.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.253.252/30 is directly connected, GigabitEthernet2/11
L        192.168.253.253/32 is directly connected, GigabitEthernet2/11

ACL, PBR and interfaces

interface Vlan104
 ip address 192.168.4.1 255.255.255.0
 ip policy route-map vlanIT
!
interface Vlan225
 ip address 192.168.54.1 255.255.255.0
 ip policy route-map vlan_tel
!
access-list 121 deny ip 192.168.54.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 121 permit ip 192.168.54.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 121 deny ip 192.168.54.0 0.0.0.255 10.17.1.0 0.0.0.255
access-list 121 deny ip 192.168.54.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 121 deny ip 192.168.54.0 0.0.0.255 172.18.1.0 0.0.0.255
access-list 121 permit ip 192.168.54.0 0.0.0.255 192.168.252.0 0.0.0.255
access-list 121 permit ip 192.168.54.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 130 permit ip 192.168.4.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 130 permit ip 192.168.4.0 0.0.0.255 host 172.18.1.157
access-list 130 permit ip 192.168.4.0 0.0.0.255 host 172.18.1.156
access-list 130 permit ip 192.168.4.0 0.0.0.255 10.17.0.0 0.0.255.255
access-list 130 permit ip 192.168.4.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 130 permit ip 192.168.4.0 0.0.0.255 10.19.0.0 0.0.0.255
access-list 130 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 130 permit ip 192.168.4.0 0.0.0.255 10.18.0.0 0.0.255.255
access-list 131 permit ip 192.168.4.0 0.0.0.255 any
!
route-map vlanIT permit 10
 match ip address 130
 set ip next-hop 192.168.253.254
!
route-map vlanIT permit 11
 match ip address 131
 set ip next-hop 172.18.1.254
The reason for the policy routing solution is to forward traffic to the internet to PFSENSE at 172.18.1.254. Any ideas are welcome.
Thanks
Mariano
10-26-2018 03:43 AM
Hello,
From what I can see things are working as configured, although it may not be how you want it.
The first instance of ACL 130 for the route map is:
access-list 130 permit ip 192.168.4.0 0.0.0.255 192.168.0.0 0.0.255.255
which includes 192.168.54.3, so it will be sent to the firewall 192.168.253.254, which will have the route to the destination pointing back at the 4900's 192.168.253.253.
This is probably not what you want, so to remedy this you need to explicitly deny the locally connected routes prior to the permits, or, if it applies, specify "set ip default next-hop" in the route-map instead. See the link below:
https://www.cisco.com/c/en/us/support/docs/ip/ip-routed-protocols/47121-pbr-cmds-ce.html
Hope this helps
10-26-2018 06:20 AM
Hello
Try the following:
no route-map vlanIT permit 10
route-map vlanIT deny 10
match ip address 130
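The two answers above describe the same mechanism: a policy route-map is evaluated sequence by sequence, the first matching sequence decides, a matching deny sequence (or no match at all) hands the packet back to normal RIB forwarding, and "set ip default next-hop" only takes effect when the RIB has nothing more specific than the default route. The following Python simulator is an added example, not part of the thread or of IOS; it encodes the ACLs, the route-map and the connected routes from the original post, and the three route-map variants (the original, the deny-sequence fix, and the "default next-hop" alternative) are my own constructions. It shows why a packet from VLAN 104 to 192.168.54.3 was policy-routed to the firewall, and that both remedies keep it on the switch while internet-bound traffic still goes to pfSense.

```python
import ipaddress

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS ACL semantics: bits set in the wildcard mask are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)

def acl_permits(acl, src: str, dst: str) -> bool:
    """Extended ACL: the first matching entry decides; implicit deny at the end."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action == "permit"
    return False

# Entries are (action, src, src-wildcard, dst, dst-wildcard), transcribed from the
# thread; "host x" becomes wildcard 0.0.0.0 and "any" becomes 0.0.0.0/255.255.255.255.
ACL_130 = [
    ("permit", "192.168.4.0", "0.0.0.255", "192.168.0.0", "0.0.255.255"),
    ("permit", "192.168.4.0", "0.0.0.255", "172.18.1.157", "0.0.0.0"),
    ("permit", "192.168.4.0", "0.0.0.255", "172.18.1.156", "0.0.0.0"),
    ("permit", "192.168.4.0", "0.0.0.255", "10.17.0.0", "0.0.255.255"),
    ("permit", "192.168.4.0", "0.0.0.255", "10.1.1.0", "0.0.0.255"),
    ("permit", "192.168.4.0", "0.0.0.255", "10.19.0.0", "0.0.0.255"),
    ("permit", "192.168.4.0", "0.0.0.255", "192.168.2.0", "0.0.0.255"),
    ("permit", "192.168.4.0", "0.0.0.255", "10.18.0.0", "0.0.255.255"),
]
ACL_131 = [("permit", "192.168.4.0", "0.0.0.255", "0.0.0.0", "255.255.255.255")]

# Connected routes from the posted routing table; the static default route is
# modelled implicitly (anything not connected falls back to it).
CONNECTED = [ipaddress.ip_network(n) for n in (
    "10.1.1.0/24", "172.18.1.0/24", "192.168.4.0/24",
    "192.168.50.0/24", "192.168.54.0/24", "192.168.253.252/30")]

def has_specific_route(dst: str) -> bool:
    """True when the RIB holds a route for dst other than the default route."""
    return any(ipaddress.IPv4Address(dst) in net for net in CONNECTED)

def policy_route(route_map, src: str, dst: str):
    """Return the next hop chosen by PBR, or None for normal RIB forwarding.

    A sequence is (action, acl, set_kind, next_hop). Evaluation stops at the
    first sequence whose ACL matches: a deny sequence means 'do not policy
    route'; set_kind 'next-hop' always overrides the RIB; set_kind 'default'
    models 'set ip default next-hop', which yields to any specific RIB route."""
    for action, acl, set_kind, next_hop in route_map:
        if not acl_permits(acl, src, dst):
            continue
        if action == "deny":
            return None
        if set_kind == "default" and has_specific_route(dst):
            return None
        return next_hop
    return None

# Route-map variants (constructed for this example).
ORIGINAL = [                       # as posted: permit 10 / permit 11
    ("permit", ACL_130, "next-hop", "192.168.253.254"),
    ("permit", ACL_131, "next-hop", "172.18.1.254"),
]
WITH_DENY = [                      # the accepted fix: deny 10 matching ACL 130
    ("deny", ACL_130, "next-hop", None),
    ("permit", ACL_131, "next-hop", "172.18.1.254"),
]
WITH_DEFAULT_NEXT_HOP = [          # the alternative: set ip default next-hop
    ("permit", ACL_130, "default", "192.168.253.254"),
    ("permit", ACL_131, "next-hop", "172.18.1.254"),
]

if __name__ == "__main__":
    src = "192.168.4.10"           # a host on VLAN 104, constructed
    for name, rm in (("original", ORIGINAL), ("deny-seq", WITH_DENY),
                     ("default-nh", WITH_DEFAULT_NEXT_HOP)):
        for dst in ("192.168.54.3", "10.17.1.5", "8.8.8.8"):
            print(f"{name:10s} {src} -> {dst:14s} PBR next hop: "
                  f"{policy_route(rm, src, dst) or 'none (RIB)'}")
```

With the original route-map the 192.168.54.3 packet is handed to the firewall, which only sends it back to the 4900M, exactly the extra hop seen in the trace. With the deny sequence the packet matches ACL 130, hits the deny, and is forwarded from the connected VLAN 225 route; note that destinations such as 10.17.1.5 that are not connected are then also forwarded by the RIB, which still reaches the firewall through the default route. The "default next-hop" form reaches the same result for connected networks without having to list them in a deny ACL, which is the trade-off the original poster found "handy" to maintain by hand.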
10-29-2018 01:59 PM
Cool!
It seems to solve the problem! Even if it is very "handy" and I have to declare all the networks and deny them, now the hop to the firewall is not in my trace. :)
Thanks for your solution
Mariano