
Route-map issue on Cisco Catalyst 3850

giangle
Level 1

Hi all.

 

I had an issue on a Cisco Catalyst 3850. This is the diagram in my company.

Internet ------------- Cisco 9300 ======2 MPLS lines======== Cisco 3850 ------------ Users

 

In Cisco 3850:

I am using a route-map on the 3850 to route traffic from the Users vlan (vlan 183) to the Internet via MPLS-02, with the default route via MPLS-01. This is my configuration:

------------------------------

interface Vlan183
description UserVlan-01
ip address 192.168.183.1 255.255.255.0
ip policy route-map MPLS-02
end

------------------------------

route-map MPLS-02, permit, sequence 10
Match clauses:
ip address (access-lists): 130
Set clauses:
ip next-hop 1.2.3.4
Policy routing matches: 4192 packets, 523934 bytes

------------------------------

Extended IP access list 130
10 permit ip 192.168.183.0 0.0.0.255 any (4195 matches)

------------------------------

My issue:

- When I traceroute from interface vlan 183 to the Internet on the 3850, traffic is forwarded via MPLS-02 --> It's correct.

- When users in vlan 183 access the Internet, traffic is forwarded via MPLS-01 by the default route --> It's wrong. But if I reload the Cisco 3850, users' traffic is forwarded via MPLS-02 --> It's correct. This issue happened 2 times, and then I had to reload the switch.

 

I was using Cisco IOS-XE 16.06.05 in 3850. I wonder why route-map didn't work well. Please help me to fix it. Thanks so much

 

Regards,

Giang Le

 

1 Accepted Solution

Francesco Molino
VIP Alumni
Hi
It works intermittently, right?
First I'll try to upgrade to the latest recommended version which is 16.9.4 and test again.

After the upgrade, if it happens again, can you create an ACL from that vlan to a specific Internet IP like 8.8.8.8, do a debug ip packet detail with the created ACL attached as a filter, and share it please?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi Francesco,
Because this switch is working in a production environment, I cannot upgrade at this time. By the way, I will plan to upgrade it. How do I debug IP packets? Please give me some commands to do it.

Thanks,
Giang Le

After you have tested what @paul driver said, let's assume ACL 110 doesn't exist on your switch. Below are the commands you need to run:

conf t
ip access-list extended 110
  permit ip 192.168.183.0 0.0.0.255 host 8.8.8.8
!
! send debug output to this terminal session
do term mon
! "end" returns to privileged EXEC, where debug commands are entered
end
!
! limit the debug to packets matching ACL 110
debug ip packet detail 110

Then run a ping to 8.8.8.8 from your testing machine and you'll get some output on your terminal. Save it and share it on the post by putting it into a text file for better readability.

To stop the debug and clear the config on your switch:

undebug all
conf t
no ip access-list extended 110
end


Thanks
Francesco

I upgraded 3850 to IOS-XE 16.9.4 yesterday. It's working well and I will monitor it in the future if there are any issues.

Thanks so much.
Giang Le

You're welcome.

Thanks
Francesco

Hello

As you cannot upgrade at this time, try using the same RM but without specifying any ACL. As you wish all traffic from that subnet to be policy routed, you don't require an access list.

Is the RM next hop a directly connected interface?
What sdm template are you running?
sh ip route
sh sdm prefer

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi paul driver.
This is the output of show sdm prefer:
DN_CoreSW#show sdm prefer
Showing SDM Template Info

This is the Advanced template.
Number of VLANs: 4094
Unicast MAC addresses: 32768
Overflow Unicast MAC addresses: 512
L2/L3 Multicast entries: 4096
Overflow L2/L3 Multicast entries: 512
Directly connected routes: 16384
Indirect routes: 7168
Security Access Control Entries: 3072
QoS Access Control Entries: 2560
Policy Based Routing ACEs: 1024
Netflow ACEs: 768
Flow SPAN ACEs: 512
Tunnels: 256
LISP Instance Mapping Entries: 256
Control Plane Entries: 512
Input Netflow flows: 8192
Output Netflow flows: 16384
SGT/DGT (or) MPLS VPN entries: 4096
SGT/DGT (or) MPLS VPN Overflow entries: 512
Wired clients: 2048
MPLS L3 VPN VRF: 127
MPLS Labels: 2048
MPLS L3 VPN Routes VRF Mode: 7168
MPLS L3 VPN Routes Prefix Mode: 3072
MVPN MDT Tunnels: 256
L2 VPN EOMPLS Attachment Circuit: 256
MAX VPLS Bridge Domains : 64
MAX VPLS Peers Per Bridge Domain: 8
MAX VPLS/VPWS Pseudowires : 256
These numbers are typical for L2 and IPv4 features.
Some features such as IPv6, use up double the entry size;
so only half as many entries can be created.

And the default route points to the Cisco 9300 to go to the Internet.