route-map+SVI

ciraompf1
Level 1

Hi all,

I'm facing an issue configuring a route-map on an SVI on an L3 Catalyst 3560.

My goal is to send all packets from the THIRD_PARTIES network to my proxy server (10.50.0.18).

What Am I Doing Wrong?

I've got an interface vlan40 as follows.

interface Vlan40
 description THIRD_PARTIES
 ip address 172.18.0.1 255.255.255.0
 ip policy route-map THIRD_PARTIES
 end

The access-list to match THIRD_PARTIES network
access-list 30 permit 172.18.0.0 0.0.0.255

route-map THIRD_PARTIES permit 10
 match ip address 30
 set ip next-hop 10.50.0.18

BLMCCBM-SWCORE#sh run int vlan10
Building configuration...

Current configuration : 158 bytes
!
interface Vlan10
 description ## INET ##
 ip address 10.50.0.3 255.255.240.0
 no ip redirects
 ip ospf cost 20
end

BLMCCBM-SWCORE#ping 10.50.0.18    >>>> PROXY SERVER REACHABLE

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.50.0.18, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/5/25 ms

BLMCCBM-SWCORE#ping 10.50.0.18 source vlan40    >>>> PROXY SERVER REACHABLE - SOURCE VLAN40

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.50.0.18, timeout is 2 seconds:
Packet sent with a source address of 172.18.0.1
.....
Success rate is 0 percent (0/5)


BLMCCBM-SWCORE#sh rout
route-map THIRD_PARTIES, permit, sequence 10
  Match clauses:
    ip address (access-lists): 30
  Set clauses:
    ip next-hop 10.50.0.18
  Policy routing matches: 0 packets, 0 bytes

BLMCCBM-SWCORE#sh ip policy
Interface      Route map
Vlan40         THIRD_PARTIES

    10 permit 172.18.0.0, wildcard bits 0.0.0.255  >>>> NO MATCH ON THE ACL
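Two things in the output above are worth separating: the "Policy routing matches: 0 packets" counter and the failed ping. The counter is expected to stay at zero for a ping sourced from the switch itself, because an `ip policy route-map` applied to an SVI only evaluates transit packets that arrive on that SVI; packets the switch generates are evaluated only against `ip local policy route-map`, if one exists. The model below is an added example for this thread (not code from the original post or from Cisco): it reproduces ACL 30 and route-map THIRD_PARTIES exactly as posted, and the host addresses 172.18.0.50 and 10.50.0.77 are constructed.

```python
"""Model of how an IOS 'ip policy route-map' decision is made for a packet.
Added example for this thread, not code from the original post or from Cisco;
the ACL, route-map and interface names copy the post, the host addresses are
constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS ACL semantics: a wildcard bit of 1 means 'ignore this bit'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class AclEntry:
    action: str      # "permit" or "deny"
    base: str
    wildcard: str


@dataclass
class RouteMapEntry:
    seq: int
    action: str                  # "permit" policy-routes, "deny" falls through to normal routing
    match_acl: List[AclEntry]
    next_hop: str


@dataclass
class Switch:
    interface_policy: Dict[str, List[RouteMapEntry]]                 # 'ip policy route-map' per SVI
    local_policy: List[RouteMapEntry] = field(default_factory=list)  # 'ip local policy route-map'
    matches: Dict[int, int] = field(default_factory=dict)            # 'show route-map' packet counters


def acl_permits(acl: List[AclEntry], src: str) -> bool:
    for e in acl:
        if wildcard_match(src, e.base, e.wildcard):
            return e.action == "permit"
    return False  # implicit deny at the end of every IOS ACL


def pbr_next_hop(sw: Switch, ingress: str, src: str, locally_generated: bool = False) -> Optional[str]:
    """Return the next hop PBR imposes on the packet, or None when the packet is
    handed to normal destination-based routing. Packets the switch itself
    generates (e.g. 'ping ... source vlan40') are only evaluated against the
    local policy, never against the ingress interface's policy."""
    entries = sw.local_policy if locally_generated else sw.interface_policy.get(ingress, [])
    for e in entries:
        if not acl_permits(e.match_acl, src):
            continue
        if e.action == "permit":
            sw.matches[e.seq] = sw.matches.get(e.seq, 0) + 1
            return e.next_hop
        return None
    return None


def build_thread_switch() -> Switch:
    """The configuration from the original post."""
    acl30 = [AclEntry("permit", "172.18.0.0", "0.0.0.255")]
    third_parties = [RouteMapEntry(10, "permit", acl30, "10.50.0.18")]
    return Switch(interface_policy={"Vlan40": third_parties})


def demo() -> dict:
    sw = build_thread_switch()
    out = {
        "host_on_vlan40": pbr_next_hop(sw, "Vlan40", "172.18.0.50"),          # constructed 3rd-party host
        "switch_ping_source_vlan40": pbr_next_hop(sw, "Vlan40", "172.18.0.1", locally_generated=True),
        "host_on_vlan10": pbr_next_hop(sw, "Vlan10", "172.18.0.50"),          # right source, wrong ingress
        "other_subnet_on_vlan40": pbr_next_hop(sw, "Vlan40", "10.50.0.77"),   # constructed, not in ACL 30
        "matches_so_far": dict(sw.matches),
    }
    # What changes once 'ip local policy route-map THIRD_PARTIES' is configured:
    sw.local_policy = sw.interface_policy["Vlan40"]
    out["switch_ping_with_local_policy"] = pbr_next_hop(sw, "Vlan40", "172.18.0.1", locally_generated=True)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Only the packet from a host behind Vlan40 is policy-routed and bumps the sequence-10 counter; the switch's own ping, a packet from the same source arriving on another SVI, and a Vlan40 packet from outside 172.18.0.0/24 all fall through to the normal routing table. That fall-through is the point to keep in mind if the proxy is meant as a control rather than a convenience: when the route-map does not match, the packet is simply routed by destination, so a PBR mistake fails open onto whatever default route the switch holds, and an ACL on Vlan40 that denies other egress is what turns "send it to the proxy" into "only the proxy".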


Hello,

ping 10.50.0.18 source vlan40

The result of ping shows that the proxy server does not respond when the source vlan 40 is used.

The gateway of proxy server should be 10.50.0.3.

If the gateway is something else, you need to configure a return route.

To see if there are any matches, you need to check with a device connected to your router. Ping with the source option only uses the IP address of interface VLAN 40, so you will not see any matches with ping. You need to direct traffic to VLAN 40.

Try access-list 30 also.

I hope it helps,

Masoud

Dear Masoud, thank you for your attention.

The Proxy server has the following routes:

172.18.0.0/24 through 172.18.0.1 (interface vlan40)
0.0.0.0 0.0.0.0 through its Public IP address

And knows how to reach the Interface Vlan10 because it has an interface on this network

Today, earlier I asked for our field engineer to do a ping from the THIRD_PARTIES network and he couldn't reach the proxy's IP.
Tomorrow I'll do all over again.

Thanks once again.


 set ip next-hop 10.50.0.18

If the proxy server has an interface in the range of your 3rd party network, you need to change the next-hop in your route-map:


 set ip next-hop 172.18.0.X (IP of proxy server)

In the original post you mentioned that its IP is 10.50.0.18.

As I understood your proxy server has

a public IP

a private IP in the range of 172.18.0

any other IPs?

Masoud

Thank you guys for your attention.

Let me make myself clear.

I have to route the traffic from the 3rd party network to the internet only through Proxy server.

Routes on Proxy server

10.50.0.0/24 -> 10.50.0.3
0.0.0.0 0.0.0.0 -> INTERNET
172.18.0.0/24 -> 10.50.0.3

3rd party - 172.18.0.0/24
Interface vlan10 - 10.50.0.3
Proxy server - 10.50.0.18

The traffic flow should be as follow:

3rd party => VLAN40 => Routed to VLAN10 towards the Proxy server => INTERNET

I've got a default route toward the internet, but only for the Corporate network (separate link).

The route-map seems to be right but PING test from 3rd party network doesn't work.

The flow stops at 172.18.0.1.

If you cannot ping the proxy server with the source IP of the SVI for vlan 40 then PBR is not your problem.

You have a basic connectivity issue somewhere.

Can you post the configuration of your switch.

Jon

Hello

Hope you don't mind me joining this discussion, guys?

Can you enable redirects on SVI 10?
Can you also enable some debugging to check your routing, as Jon has stated?

access-list 101 permit ip 172.18.0.0 0.0.0.255 10.50.0.0 0.0.0.255
access-list 101 permit ip 10.50.0.0 0.0.0.255 172.18.0.0 0.0.0.255

debug condition vlan 40
debug condition vlan 10
debug ip packet detail 101
debug ip policy

I assume you have routing enabled on the L3 switch?

Regards,
Paul



Kind Regards
Paul

You did not say how many interfaces your proxy server has.

If it does not have an interface in the range of 172.18.0.0/24, you need to have this route on the proxy server.

172.18.0.0/24 -> 10.50.0.3

If it has an interface in the range of 172.18, you need to remove that interface.

Masoud

The route on the proxy server for the 172.18.0.0/24 subnet is wrong.

The next hop IP should not be 172.18.0.1 because it does not have an interface in this subnet.

It should be 10.50.0.3 because it has an interface in that subnet.

Jon


You are right Jon.

Actually the Routes on Proxy server are:

10.50.0.0/24 -> 10.50.0.3
0.0.0.0 0.0.0.0 -> INTERNET
172.18.0.0/24 -> 10.50.0.3

3rd party - 172.18.0.0/24
Interface vlan10 - 10.50.0.1
Proxy server - 10.50.0.18
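The return-route point raised by Masoud, restated by Jon and conceded in the post above, worked through as an added example (not code from the thread and not the proxy's real configuration). A static route is only usable when its next hop sits in a subnet the host is directly connected to; otherwise the host can never ARP for the gateway, and Linux refuses to install such a route at all ("Nexthop has invalid gateway"). The model assumes the proxy's VLAN10 interface is 10.50.0.18/20 (the mask from the `sh run int vlan10` output), gives it a constructed public interface 203.0.113.10/24 with gateway 203.0.113.1 to stand in for "INTERNET", and leaves out the posted "10.50.0.0/24 -> 10.50.0.3" entry because that subnet is already covered by the connected /20.

```python
"""Resolve the proxy server's static routes and look up the return path to a
third-party host. Added example for this thread, not the proxy's real config.
Assumed: proxy VLAN10 interface 10.50.0.18/20; public side 203.0.113.10/24
via 203.0.113.1 (constructed documentation addresses)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[ipaddress.IPv4Address]   # None = directly connected
    iface: str


def build_rib(interfaces: dict, static_routes: List[Tuple[str, str]]):
    """interfaces: {name: 'addr/len'}; static_routes: [(prefix, next_hop)].
    Connected routes come from the interfaces. A static route whose next hop
    is not on a connected subnet is unusable (no way to ARP for the gateway),
    so it is returned in 'rejected' instead of being installed."""
    rib = [Route(ipaddress.IPv4Network(cidr, strict=False), None, name)
           for name, cidr in interfaces.items()]
    rejected = []
    for prefix, nh in static_routes:
        nh_addr = ipaddress.IPv4Address(nh)
        egress = next((r.iface for r in rib if r.next_hop is None and nh_addr in r.prefix), None)
        if egress is None:
            rejected.append((prefix, nh))
            continue
        rib.append(Route(ipaddress.IPv4Network(prefix), nh_addr, egress))
    return rib, rejected


def lookup(rib: List[Route], dst: str):
    """Longest-prefix match; returns (prefix, next_hop or 'connected', iface)."""
    d = ipaddress.IPv4Address(dst)
    candidates = [r for r in rib if d in r.prefix]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: r.prefix.prefixlen)
    return (str(best.prefix), str(best.next_hop) if best.next_hop else "connected", best.iface)


PROXY_INTERFACES = {"vlan10": "10.50.0.18/20", "public": "203.0.113.10/24"}   # public side constructed
WRONG_STATICS = [("172.18.0.0/24", "172.18.0.1"), ("0.0.0.0/0", "203.0.113.1")]  # as first described
RIGHT_STATICS = [("172.18.0.0/24", "10.50.0.3"), ("0.0.0.0/0", "203.0.113.1")]   # as corrected by Jon
THIRD_PARTY_HOST = "172.18.0.50"   # constructed host behind Vlan40


def return_path(statics: List[Tuple[str, str]], dst: str = THIRD_PARTY_HOST) -> dict:
    """Where the proxy would send its reply to a third-party host."""
    rib, rejected = build_rib(PROXY_INTERFACES, statics)
    return {"rejected": rejected, "route": lookup(rib, dst)}


if __name__ == "__main__":
    print("wrong table:", return_path(WRONG_STATICS))
    print("right table:", return_path(RIGHT_STATICS))
```

With the next hop 172.18.0.1 the 172.18.0.0/24 route never makes it into the table, so the proxy's reply to a third-party host falls to the default route and leaves on the public side, which is exactly the symptom of a ping that reaches the proxy but gets no answer. With 10.50.0.3 as the gateway the reply goes back over VLAN10 to the switch, which then delivers it to Vlan40 from its own connected route.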
