Route-Map Query

GRANT3779
Spotlight

Hi All,

I'm trying to achieve the following -

I have a host 10.44.125.70.

If going to any internal address space I want the host to use a certain next hop (the VLAN interface on the core where this PBR is configured). Then, if going to anywhere else (e.g. an external address), use a different next hop. I have the below but it doesn't seem to be working as expected. Is my first route-map entry catching all traffic? I'm sure what I'm trying to do is very simple...

IP access list Sent_Inside
    10 permit ip host 10.44.125.70 172.12.0.0 0.0.15.255
    30 permit ip host 10.44.125.70 10.0.0.0 0.255.255.255

IP access list Sent_Outside
    10 permit ip host 10.44.125.70 any
    20 permit ip host 10.44.125.70 any

route-map TEST permit 20
 match ip address Sent_Inside
 set ip next-hop 10.44.125.1

route-map TEST permit 30
 match ip address Sent_Outside
 set ip next-hop 10.44.141.7

9 Replies

John Blakley
VIP Alumni

The route map looks fine to me. What is it doing, and what type of equipment is this configured on? How does the device get to the 10.44.141.0/24 network? Does it also go to the next hop of 10.44.125.1?

HTH,

John

Jon Marshall
Hall of Fame

What is the next hop for inside? It sounds like it is the VLAN interface you have applied the PBR to, from your description. Perhaps you could clarify.

Are you testing with traceroute?

What you could try doing is having one acl where you deny the traffic to the inside networks then permit traffic to everything else.

Jon

Jon Marshall
Hall of Fame

Just an additional note.

Using deny lines on a L3 switch (if that is what you are using) can cause CPU issues.

An alternative may be to use the existing configuration you have but not set the next hop IP in your inside acl. This would mean the packets would be matched but because there is no next hop then the IP routing table would be used.

Obviously this assumes there are routes for those networks in the IP routing table.

Jon

Hi Jon,

This is indeed on a L3 switch (3750). It acts as the core switch.

Attached to it is an ASA with an inside IP address of 10.44.141.7 in the respective VLAN for that subnet. The core switch also has an SVI for that VLAN. This ASA inside interface is where I'm routing (or trying to) the "non-inside" traffic.

I will try what you said about not having the next hop set for the inside traffic match, as yes, I just want it to route as per the routing table on the core device.

In route-maps / PBR - is it processed sequentially until a match is found and is the whole Route-Map processed before the actual routing table is used?

The route map is processed sequentially until a match is found. The whole route map does not need to be processed before the routing table is used.

It all depends on what is matched in the route map.

Out of interest, if the inside networks are in the routing table, why do you not just have a default route pointing to the ASA for any other traffic?

Is it because you have a default route already pointing to a different next hop?

Edit - when you test the PBR make sure you are using traceroute to test and not simply looking at the acl hits. This is because on a L3 switch acl processing is done in hardware (usually) so you may not see hits in your acl.

Jon
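To make the sequential behaviour Jon describes concrete, here is a small simulation (added here, not from the thread or from Cisco) of IOS wildcard-mask matching and first-match route-map evaluation, loaded with the ACLs exactly as first posted. The destination addresses at the bottom are constructed for illustration; None stands for "no next hop set, fall back to the routing table".

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # IOS 'any'
HOST = "10.44.125.70"                   # the host from the thread

def host(ip):
    """IOS 'host x.x.x.x' is shorthand for 'x.x.x.x 0.0.0.0'."""
    return (ip, "0.0.0.0")

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 0 bit must match the base, a 1 bit is don't-care."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care

def acl_action(acl, src, dst):
    """ACEs are checked in order; the first match wins, no match = implicit deny."""
    for action, (sb, sw), (db, dw) in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"

def pbr_next_hop(route_map, src, dst):
    """Route-map entries are evaluated in sequence order; the first entry whose
    ACL *permits* the packet is used and evaluation stops. Returns the next hop,
    or None meaning 'use the normal routing table' (the entry has no set clause,
    or nothing matched). A deny in the ACL does not drop the packet; it only
    skips that route-map entry."""
    for acl, next_hop in route_map:
        if acl_action(acl, src, dst) == "permit":
            return next_hop
    return None

# Sent_Inside as first posted, including the 172.12.0.0 entry the author later
# corrected (the corrected mask is not given in the thread).
sent_inside = [("permit", host(HOST), ("172.12.0.0", "0.0.15.255")),
               ("permit", host(HOST), ("10.0.0.0", "0.255.255.255"))]
sent_outside = [("permit", host(HOST), ANY)]

def route_map_test(inside_next_hop):
    """route-map TEST: seq 20 matches Sent_Inside, seq 30 sends the rest to the ASA."""
    return [(sent_inside, inside_next_hop), (sent_outside, "10.44.141.7")]

AS_POSTED = route_map_test("10.44.125.1")  # seq 20 sets next-hop 10.44.125.1
NO_SET = route_map_test(None)              # Jon's variant: seq 20 without a set clause

if __name__ == "__main__":
    for dst in ("10.44.125.5", "172.16.5.1", "203.0.113.10"):  # constructed destinations
        print(dst, pbr_next_hop(AS_POSTED, HOST, dst), pbr_next_hop(NO_SET, HOST, dst))
```

Running it shows that a 172.16.x destination never matches the posted Sent_Inside entry and so falls through to seq 30 and the ASA, which is the symptom the thread ends on; the same functions also model Jon's single-ACL "deny inside, permit any" alternative, where a denied packet simply leaves PBR and uses the routing table.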

Exactly Jon, a different default route already exists. Because I have a static NAT on the ASA (10.44.141.7) for this host of mine, I need to make sure all Internet traffic uses the ASA and not the default route on the core.

What is happening at the moment is: if I have just the below, then the device 10.44.125.70 is accessible from the outside on my NAT'd external address (ASA config is all good and set up with NAT etc.). I then realised I could not access my host's internal IP within the network, so I added the extra parts to my route-map. Upon doing this my NAT stopped working (but I could then access my internal address internally). Not going to be able to test this again until tomorrow either, which isn't ideal.

IP access list Sent_Outside
    10 permit ip host 10.44.125.70 any
    20 permit ip host 10.44.125.70 any

route-map TEST permit 30
 match ip address Sent_Outside
 set ip next-hop 10.44.141.7

Okay, that makes sense.

I would try using the permit statements without a set statement for the inside networks then as discussed.

Let me know how it goes.

Jon

Hi Jon,

This was bugging me, so I actually jumped on from home to do some more testing and oh dear... guess what was wrong :-) Look closely at my ACL in my permit statement for the 172.16.0.0 network...

Amended the WILDCARD MASK and it is working as expected! Good little learning exercise for me. Thank you all for the excellent help as always.

Hmmm, I was assuming it was an invalid next hop that was causing the issue, so rather than help I think I led you off in the wrong direction :-)

Glad to hear you got it working though.

Jon