01-14-2016 04:49 PM - edited 03-08-2019 03:25 AM
Hi all,
I'm facing an issue configuring a route-map on an SVI on an L3 Catalyst 3560.
My goal is to send all packets from the THIRD_PARTIES network to my proxy server (10.50.0.18).
What Am I Doing Wrong?
I've got an interface vlan40 as follows.
interface Vlan40
description THIRD_PARTIES
ip address 172.18.0.1 255.255.255.0
ip policy route-map THIRD_PARTIES
end
The access-list to match THIRD_PARTIES network
access-list 30 permit 172.18.0.0 0.0.0.255
route-map THIRD_PARTIES permit 10
match ip address 30
set ip next-hop 10.50.0.18
BLMCCBM-SWCORE#sh run int vlan10
Building configuration...
Current configuration : 158 bytes
!
interface Vlan10
description ## INET ##
ip address 10.50.0.3 255.255.240.0
no ip redirects
ip ospf cost 20
end
BLMCCBM-SWCORE#ping 10.50.0.18 >>>> PROXY SERVER REACHABLE
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.50.0.18, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/5/25 ms
BLMCCBM-SWCORE#ping 10.50.0.18 source vlan40 >>>> PROXY SERVER REACHABLE - SOURCE VLAN40
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.50.0.18, timeout is 2 seconds:
Packet sent with a source address of 172.18.0.1
.....
Success rate is 0 percent (0/5)
BLMCCBM-SWCORE#sh rout
route-map THIRD_PARTIES, permit, sequence 10
Match clauses:
ip address (access-lists): 30
Set clauses:
ip next-hop 10.50.0.18
Policy routing matches: 0 packets, 0 bytes
BLMCCBM-SWCORE#sh ip policy
Interface Route map
Vlan40 THIRD_PARTIES
10 permit 172.18.0.0, wildcard bits 0.0.0.255 >>>> NO MATCH ON THE ACL
01-14-2016 05:26 PM
Hello,
ping 10.50.0.18 source vlan40
The result of the ping shows that the proxy server does not respond when the source VLAN 40 is used.
The gateway of the proxy server should be 10.50.0.3.
If the gateway is something else, you need to configure a return route.
To see if there are any matches, you need to check with a device connected to your router. Ping with the source option only uses the IP address of interface VLAN 40, so you will not see any matches with ping. You need to direct traffic to VLAN 40.
Try access-list 30 also.
I hope it helps,
Masoud
01-14-2016 06:07 PM
Dear Masoud, thank you for your attention.
The Proxy server has the following routes:
172.18.0.0/24 through 172.18.0.1 (interface vlan40)
0.0.0.0 0.0.0.0 through its Public IP address
And knows how to reach the Interface Vlan10 because it has an interface on this network
Earlier today I asked our field engineer to do a ping from the THIRD_PARTIES network and he couldn't reach the proxy's IP.
Tomorrow I'll do all over again.
Thanks once again.
01-14-2016 06:16 PM
set ip next-hop 10.50.0.18
If the proxy server has an interface in the range of your 3rd party network, you need to change the next-hop in your route-map:
set ip next-hop 172.18.0.X (IP of proxy server)
In the original post you mentioned that its IP is 10.50.0.18.
As I understood your proxy server has
a public IP
a private IP in the range of 172.18.0
any other IPs?
Masoud
01-15-2016 02:23 AM
Thank you guys for your attention.
Let me make myself clear.
I have to route the traffic from the 3rd party network to the internet only through Proxy server.
Routes on Proxy server
10.50.0.0/24 -> 10.50.0.3
0.0.0.0 0.0.0.0 -> INTERNET
172.18.0.0/24 -> 10.50.0.3
3rd party - 172.18.0.0/24
Interface vlan10 - 10.50.0.3
Proxy server - 10.50.0.18
The traffic flow should be as follow:
3rd party => VLAN40 => Routed to VLAN10 towards the Proxy server => INTERNET
I've got a default route toward the internet, but only for the Corporate network - a separate link.
The route-map seems to be right but PING test from 3rd party network doesn't work.
The flow stops at 172.18.0.1.
01-15-2016 04:24 AM
If you cannot ping the proxy server with the source IP of the SVI for vlan 40 then PBR is not your problem.
You have a basic connectivity issue somewhere.
Can you post the configuration of your switch.
Jon
01-15-2016 05:23 AM
Hello
Hope you don't mind me joining this discussion, guys?
Can you enable redirects on the svi 10
Can you enable some debugging also to check your routing as Jon has stated?
access-list 101 permit ip 172.18.0.0 0.0.0.255 10.50.0.0 0.0.0.255
access-list 101 permit ip 10.50.0.0 0.0.0.255 172.18.0.0 0.0.0.255
debug condition vlan 40
debug condition vlan 10
debug ip packet detail 101
debug ip policy
I assume you have routing enabled on the L3 switch?
res
Paul
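The two diagnostic points raised in this thread (Masoud's note that a ping sourced from the SVI is switch-originated and so is never counted by the interface route-map, and Paul's extended ACL 101 used as a debug filter) can be checked offline. The script below is an added example, not code from the original posts or from Cisco: it parses the numbered ACLs exactly as posted (standard and extended entries with an explicit wildcard only; `host`/`any` keywords are not modelled), applies Cisco wildcard semantics (a 1 bit means "don't care"), and evaluates the THIRD_PARTIES route-map against sample packets. It encodes the IOS rule that `ip policy route-map` on an interface applies only to transit packets received on that interface, while switch-originated traffic is policy-routed only if `ip local policy route-map` is configured; the packets and the optional local-policy name are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# ACL lines copied from the thread (Paul's 101 is the proposed debug filter).
ACL_LINES = [
    "access-list 30 permit 172.18.0.0 0.0.0.255",
    "access-list 101 permit ip 172.18.0.0 0.0.0.255 10.50.0.0 0.0.0.255",
    "access-list 101 permit ip 10.50.0.0 0.0.0.255 172.18.0.0 0.0.0.255",
]

# route-map THIRD_PARTIES permit 10 / match ip address 30 / set ip next-hop 10.50.0.18
ROUTE_MAPS: Dict[str, List[Tuple[str, str, str]]] = {
    "THIRD_PARTIES": [("permit", "30", "10.50.0.18")],   # (action, match ACL, next-hop)
}
INTERFACE_POLICY = {"Vlan40": "THIRD_PARTIES"}          # ip policy route-map on the SVI

# (action, src, src_wildcard, dst, dst_wildcard); standard ACLs get a "match any" destination
AclEntry = Tuple[str, str, str, str, str]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ingress: Optional[str]   # SVI the packet arrived on; None = originated by the switch itself


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: compare only the bits where the wildcard has a 0."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def parse_acls(lines: List[str]) -> Dict[str, List[AclEntry]]:
    """Parse 'access-list N permit|deny ...' lines (explicit wildcards only, as on the page)."""
    acls: Dict[str, List[AclEntry]] = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 5 or parts[0] != "access-list":
            continue
        number, action = parts[1], parts[2]
        if parts[3] == "ip":        # extended: ... permit ip SRC SWC DST DWC
            entry: AclEntry = (action, parts[4], parts[5], parts[6], parts[7])
        else:                       # standard: ... permit SRC SWC  (destination is "any")
            entry = (action, parts[3], parts[4], "0.0.0.0", "255.255.255.255")
        acls.setdefault(number, []).append(entry)
    return acls


def acl_permits(acls: Dict[str, List[AclEntry]], number: str, pkt: Packet) -> bool:
    """First matching entry wins; an ACL ends with an implicit deny."""
    for action, src, swc, dst, dwc in acls.get(number, []):
        if wildcard_match(pkt.src, src, swc) and wildcard_match(pkt.dst, dst, dwc):
            return action == "permit"
    return False


def pbr_next_hop(pkt: Packet, acls: Dict[str, List[AclEntry]],
                 local_policy: Optional[str] = None) -> Optional[str]:
    """Return the PBR next-hop for a packet, or None if it falls through to normal routing.

    Transit packets use the ingress interface's 'ip policy'; switch-originated packets
    (ingress None) are only policy-routed when 'ip local policy route-map' is configured.
    """
    rm_name = local_policy if pkt.ingress is None else INTERFACE_POLICY.get(pkt.ingress)
    if rm_name is None:
        return None
    for action, acl_number, next_hop in ROUTE_MAPS[rm_name]:
        if acl_permits(acls, acl_number, pkt):
            return next_hop if action == "permit" else None
    return None


def policy_match_count(packets: List[Packet], acls: Dict[str, List[AclEntry]],
                       local_policy: Optional[str] = None) -> int:
    """Equivalent of the 'Policy routing matches' counter in 'show route-map'."""
    return sum(1 for p in packets if pbr_next_hop(p, acls, local_policy) is not None)


if __name__ == "__main__":
    acls = parse_acls(ACL_LINES)
    # Constructed traffic: a third-party host browsing out, and the switch's own sourced ping.
    host_to_internet = Packet("172.18.0.50", "203.0.113.10", ingress="Vlan40")
    svi_sourced_ping = Packet("172.18.0.1", "10.50.0.18", ingress=None)
    print("host via vlan40 ->", pbr_next_hop(host_to_internet, acls))
    print("ping source vlan40 ->", pbr_next_hop(svi_sourced_ping, acls))
    print("same ping with ip local policy ->", pbr_next_hop(svi_sourced_ping, acls, "THIRD_PARTIES"))
    print("ACL 101 sees host->proxy:", acl_permits(acls, "101", Packet("172.18.0.5", "10.50.0.18", "Vlan40")))
```

The second print reproduces the `0 packets, 0 bytes` counter from the original post: a `ping ... source vlan40` never enters Vlan40, so it never hits the interface route-map. Testing PBR from the switch itself requires `ip local policy route-map THIRD_PARTIES` in global configuration; otherwise the test has to be generated from a host on 172.18.0.0/24, as Masoud says.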
01-15-2016 05:25 AM
You did not say how many interfaces your proxy server has.
If it does not have an interface in the range of 172.18.0.0/24, you need to have this route on the proxy server:
172.18.0.0/24 -> 10.50.0.3
If it has an interface in the range of 172.18, you need to remove that interface.
Masoud
01-14-2016 06:25 PM
The route on the proxy server for the 172.18.0.0/24 subnet is wrong.
The next hop IP should not be 172.18.0.1 because it does not have an interface in this subnet.
It should be 10.50.0.3 because it has an interface in that subnet.
Jon
01-14-2016 06:45 PM - edited 01-15-2016 02:20 AM
You are right Jon.
Actually the Routes on Proxy server are:
10.50.0.0/24 -> 10.50.0.3
0.0.0.0 0.0.0.0 -> INTERNET
172.18.0.0/24 -> 10.50.0.3
3rd party - 172.18.0.0/24
Interface vlan10 - 10.50.0.1
Proxy server - 10.50.0.18