1195 Views, 0 Helpful, 14 Replies
What's wrong with my config in applying ip policy route-map?

Dr.X
Level 2

Hi,

Please help with applying an ip policy, with the current config below.

Here is my interface Gi0/1, on which I want to apply the ip policy route-map:

=================================
interface Gi0/1
ip address 10.160.150.5 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip policy route-map bills
load-interval 30
duplex auto
speed auto
media-type rj45
negotiation auto
=============================
B2#sh route-map
route-map bills, permit, sequence 1
  Match clauses:
    ip address (access-lists): bills
  Set clauses:
    ip next-hop 172.16.5.5
  Policy routing matches: 0 packets, 0 bytes
route-map bills, permit, sequence 6
  Match clauses:
  Set clauses:
  Policy routing matches: 98050742 packets, 3244274112 bytes
==========================================================
B2#sh ip access-lists bills
Extended IP access list bills
    10 permit tcp 172.16.0.0 0.0.255.255 any eq www
    20 permit ip 172.16.0.0 0.0.255.255 any
=========================================================

The problem is that the access-list hits no longer appear, and it seems the IPs of 172.16.0.0 are matched by sequence 6 of the route map!

Why are the IPs 172.16.0.0/16 matched by sequence 6 of the route map?

Why are the IPs of 172.16.0.0/16 no longer matched by the access list bills, with no hits on the ACL?

I'm dying to know!

Regards

14 Replies

cadet alain
VIP Alumni

Hi,

Traffic entering g0/1 should be in the 10.150.160.0/24 subnet. As I see you set the next-hop to 172.16.5.5, there is never a match on your ACL, and so traffic matches sequence 6. By the way, you don't need this sequence 6 for PBR, because traffic not matching sequence 1 will get routed by the RIB.

Regards.

Alain

Don't forget to rate helpful posts.

Hi,

I know about the next-hop reachability.

Anyway, I changed the next hop to 10.160.150.2, which is the next-hop router.

Look, I removed sequence 1 and typed it again with seq 2, and here is the result:

#sh route-map
route-map bills, permit, sequence 2
  Match clauses:
    ip address (access-lists): bills
  Set clauses:
    ip next-hop 10.160.150.2
  Policy routing matches: 130094 packets, 117677862 bytes
route-map bills, permit, sequence 6
  Match clauses:
  Set clauses:
  Policy routing matches: 132187407 packets, 3980490707 bytes

I noted an important thing: now there is a match on sequence 2, but that match only occurred when I removed sequence 1 and added sequence 2.

But the same thing happens: the match count is no longer increasing, and I'm sure I'm using the IP 172.16.1.1!

I mean the match is not increasing; it seems it was a burst of matches that occurred when I typed sequence 2, but otherwise I'm still being matched by sequence 6.

I wish you understood my problem.

It's not a next-hop reachability issue, I'm sure.

Regards

Also, it's not logical that my single IP could match all that traffic: 130094 packets, 117677862 bytes!

Is subnet 172.16.0.0/16 behind the interface Gi0/1?

Hi, I changed it to my next-hop router, which has the IP 10.160.150.2.

I've discussed the strangeness of my issue above.

It doesn't look like a problem with next-hop IP reachability but with source matching in the ACL. Is the subnet behind the interface Gi0/1 where you applied the route-map?

interface Gi0/1
ip address 10.160.150.5 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip policy route-map bills
load-interval 30
duplex auto
speed auto
media-type rj45
negotiation auto

Hi,

The user with IP 172.16.0.0/24 connects to the router by VPDN over ADSL; I mean it appears as a directly connected /32 route in the router.

Also I can't type debug, because a lot of matches occur and it may hang my router.

I'm using a Cisco 7206 with IOS IP Services.

Is there any solution?

Hi,

I think it would be easier for us if you provided a logical and/or physical diagram of your topology.

Regards.

Alain

Don't forget to rate helpful posts.

If you do "show ip route 172.16.0.10" (or any IP in the 172.16.0.0/24 subnet), which interface does the route resolve to? Does it resolve to interface Gi0/1 or something else? Please help with the subnet topology on the 7200, or the config if you have any; it will help us give you a better solution.

=User=========PSTN============ISP Router1========== 10.160.150.2 ROUter2
                                                                  |
                                                                  |
                                                          10.160.150.3
                                                            ROUter 3

Here is the config of router 1 that I want to apply the policy map on.

I removed my passwords and my public IPs for privacy.

Hope this helps.

=======================================

Bs2#sh run
Building configuration...
Current configuration : 7637 bytes
!
upgrade fpd auto
version 12.4
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service dhcp
!
hostname B2
!
boot-start-marker
boot system disk2:c7200p-advipservicesk9-mz.124-24.T4.bin
boot-end-marker
!
logging message-counter syslog
logging buffered 256000
enable secret 5xxxxxxxx
!
aaa new-model
!
!
aaa group server radius radiusservers
server-private 10.160.150.x auth-port 1xxcct-port xxx key xxx
server-private 10.160.150.x auth-port 1xxx acct-port 1xxx key xxxxxx
!
aaa authentication login adminstaff local
aaa authentication login sdm_vpn_xauth_ml_1 group radius
aaa authentication login ahmad local
aaa authentication ppp vpdn local group radiusservers
aaa authorization network default group radius local
aaa authorization network vpdn local group radiusservers
aaa authorization network sdm_vpn_group_ml_1 local
aaa accounting delay-start
aaa accounting update newinfo periodic 10
aaa accounting network vpdn
action-type start-stop
broadcast
group radiusservers
!
!
aaa server radius dynamic-author
client 10.160.150.101 server-key xxxxxxxxx
!
aaa session-id common
clock timezone GMT+3 3
no ip source-route
no ip gratuitous-arps
ip cef
!
!
!
!
no ip bootp server
ip name-server xxxx
ip name-server xxxxx
login block-for 180 attempts 3 within 60
login quiet-mode access-class telnet
login on-failure log
login on-success log
ipv6 unicast-routing
ipv6 cef
ipv6 dhcp pool dhcp6
address prefix 2A03:C40::/64 lifetime infinite infinite
link-address 2A03:C40::/64
dns-server 2001:4860:4860::8888
dns-server 2001:4860:4860::8844
!
!
multilink bundle-name authenticated
vpdn enable
vpdn logging
vpdn logging local
vpdn history failure table-size 50
!
vpdn-group xxxx
accept-dialin
  protocol l2tp
  virtual-template 1
terminate-from hostname xxxx
local name xxxx
lcp renegotiation on-mismatch
l2tp tunnel password 5674565465464
l2tp tunnel timeout no-session 60
ip mtu adjust
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
  hidekeys
!
!
!
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
!
!
!
!
!
!
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface Loopback1
ip address 185.6.19.255 255.255.255.255
!
interface Loopback2
no ip address
ipv6 address 2A03:C40::ACFD:A881:F5F1:FFFF/64
!
interface Loopback30
no ip address
!
interface Loopback44
no ip address
!
interface Loopback110
no ip address
ipv6 address 1:2:3:0:3C8E:7FC8:CEC7:A5DD/64
!
interface GigabitEthernet0/1
description Bras2toLAN
ip address 10.160.150.5 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip policy route-map bills
load-interval 30
duplex auto
speed auto
media-type rj45
negotiation auto
ipv6 address 2A03:C40:1::2/64
!
interface GigabitEthernet0/1.1
descriptiong gg
encapsulation dot1Q 22
ip address x.x.x.x 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface GigabitEthernet0/1.2
description To-DMZ
encapsulation dot1Q 2
ip address 1x.x.x.x 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface FastEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
media-type rj45
negotiation auto
ipv6 address 2A03:C40::10/64
!
interface GigabitEthernet0/3
no ip address
shutdown
duplex auto
speed auto
media-type rj45
negotiation auto
!
interface Virtual-Template1
ip unnumbered Loopback1
ip tcp adjust-mss 1412
no logging event link-status
peer default ip address pool iiii
ppp mtu adaptive
ppp authentication pap vpdn
ppp authorization vpdn
ppp accounting vpdn
!
interface Virtual-Template11 type tunnel
ip unnumbered GigabitEthernet0/1.2
!
no ip http server
no ip http secure-server
!
!
ip access-list extended bills
permit tcp 172.16.0.0 0.0.255.255 any eq www
permit ip 172.16.0.0 0.0.255.255 any
!
ip radius source-interface GigabitEthernet0/1
logging alarm informational
access-list 110 permit tcp 172.16.0.0 0.0.255.255 any eq www
ipv6 local pool a1 2A03:CA40::/64 128
!
!
!
!
route-map bills permit 2
match ip address bills
set ip next-hop 10.160.150.3
!
route-map bills permit 6
!
!
radius-server attribute nas-port format d
radius-server configure-nas
radius-server host 10.160.150.101 auth-port 555555 acct-port 5555 key 6575676566767
radius-server retransmit 0
radius-server key dfvsdfsdfsdffdsfsdfs
radius-server vsa send cisco-nas-port
radius-server vsa send accounting
radius-server vsa send authentication
!
control-plane
!
!
!
!
!
!
-
^C
!
line con 0
exec-timeout 60 0
password 7 ghfhfg
logging synchronous
login authentication aghghgf
stopbits 1
line aux 0
stopbits 1
line vty 0 4
exec-timeout 35790 0
password czxcxzczxcxzcxz
logging synchronous
login authentication ooooooo
!
end

The USER you are showing, is that the one with subnet 172.16.0.0/24? If yes, then the PSTN connecting to Router-1 is on what interface? Secondly, I don't see any route for subnet 172.16.0.0/24 on Router-1. Are you able to ping any host in subnet 172.16.0.0/24 from Router-1?

Please verify again: the source traffic (172.16.0.0/24) you would like to divert over Router-3 is related to what interface on Router-1? You have to apply the route-map policy on that particular interface.

Br2#sh users
    Line       User       Host(s)              Idle       Location
*  2 vty 0     admin  idle                 00:00:00 x.x.x.x
  Interface    User               Mode         Idle     Peer Address
  Vi2.1        123456@zzz     PPPoVPDN     -       172.16.2.2

@Alain, did you find any problems in my config?

Okay,

Can you remove the route-map command "ip policy route-map bills" from interface Gi0/1 and apply it under "interface Virtual-Template1"? Then see if it works and matches the packets. If any issue happens, remove it...
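To make the two points in this thread concrete (Alain's explanation that traffic entering Gi0/1 from the 10.160.150.0/24 side never matches the ACL and so lands in the empty sequence 6, and the suggestion to bind the policy to the interface the 172.16.x subscriber traffic actually arrives on), here is a small Python model of how IOS evaluates a route-map applied with `ip policy route-map`. It is an added example written for this page, not IOS code and not anything posted in the thread; the sample packets, the interface name `Virtual-Access2.1` (standing in for the access interface cloned from Virtual-Template1, which the `sh users` output shows as Vi2.1) and all function names are constructed assumptions.

```python
"""Model of Cisco IOS policy-based routing (PBR) evaluation.

Constructed example, not IOS code. Two rules it encodes:
  1. A route-map bound with `ip policy route-map` is evaluated only for
     packets *received* on that interface (PBR is an ingress feature).
  2. Sequences are tried in order; a permit sequence with no match clause
     matches every packet, and a sequence with no set clause just hands
     the packet to normal RIB forwarding.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import ipaddress


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS ACL wildcard semantics: a wildcard bit of 1 means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass
class AclEntry:
    proto: str                      # "ip" (any protocol) or "tcp"
    src_net: str
    src_wc: str
    dst_port: Optional[int] = None  # None = any destination port

    def matches(self, pkt: dict) -> bool:
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if not wildcard_match(pkt["src"], self.src_net, self.src_wc):
            return False
        return self.dst_port is None or self.dst_port == pkt.get("dport")


@dataclass
class RouteMapSeq:
    seq: int
    acl: Optional[List[AclEntry]]   # None = no match clause = matches all
    next_hop: Optional[str] = None  # None = no set clause
    matches: int = 0                # the "Policy routing matches" counter


def forward(policies: Dict[str, List[RouteMapSeq]], pkt: dict) -> Tuple[str, Optional[str]]:
    """Return ('pbr', next_hop) if policy-routed, ('rib', None) otherwise."""
    rmap = policies.get(pkt["in_if"])
    if rmap is None:
        return ("rib", None)        # no ip policy on the ingress interface
    for seq in rmap:
        if seq.acl is None or any(e.matches(pkt) for e in seq.acl):
            seq.matches += 1
            if seq.next_hop:
                return ("pbr", seq.next_hop)
            return ("rib", None)    # matched, but nothing to set: normal routing
    return ("rib", None)


def build_route_map(with_seq6: bool = True) -> List[RouteMapSeq]:
    """The thread's route-map 'bills' (next-hop as in the OP's second post)."""
    acl_bills = [AclEntry("tcp", "172.16.0.0", "0.0.255.255", 80),
                 AclEntry("ip", "172.16.0.0", "0.0.255.255")]
    rmap = [RouteMapSeq(2, acl_bills, "10.160.150.2")]
    if with_seq6:
        rmap.append(RouteMapSeq(6, None))   # empty permit sequence
    return rmap


# Constructed sample packets: one VPDN subscriber flow arriving on the
# virtual-access interface, two LAN flows arriving on Gi0/1.
PACKETS = [
    {"in_if": "Virtual-Access2.1", "src": "172.16.1.1", "proto": "tcp", "dport": 80},
    {"in_if": "GigabitEthernet0/1", "src": "10.160.150.7", "proto": "tcp", "dport": 443},
    {"in_if": "GigabitEthernet0/1", "src": "10.160.150.9", "proto": "udp"},
]


def run_scenario(policy_interface: str, with_seq6: bool = True):
    """Apply the route-map on one interface, push PACKETS through, and
    return (forwarding decisions, per-sequence match counters)."""
    rmap = build_route_map(with_seq6)
    decisions = [forward({policy_interface: rmap}, p) for p in PACKETS]
    return decisions, {s.seq: s.matches for s in rmap}


if __name__ == "__main__":
    for iface in ("GigabitEthernet0/1", "Virtual-Access2.1"):
        decisions, counters = run_scenario(iface)
        print(f"policy on {iface}: counters={counters} decisions={decisions}")
```

With the policy on GigabitEthernet0/1, sequence 2 stays at zero and every LAN packet increments sequence 6, which is what the OP's `sh route-map` counters show; the subscriber packet is never evaluated at all because it did not enter Gi0/1. Binding the same route-map to the subscriber's access interface makes sequence 2 match and set the next hop, and removing sequence 6 changes no forwarding decision, which is Alain's point that the empty sequence is unnecessary.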
