Policy-Based Routing + ACLs on Switches

Bryan Geoghan, Level 1

Hello,

We have a 6500 and are using VLAN interfaces (or SVIs) to perform interVLAN routing.

My scenario is that I have a route-map referencing an ACL that is matching destination RTP traffic (UDP 16384 - 32767) from a source subnet to a destination subnet. Then I am setting the next-hop IP to be the MPLS router which is connected to the 6500.

When RTP traffic goes through the switch that I am pretty sure matches the ACL, I don't see the ACL incrementing with matches, nor do I see the route-map/policy being matched. Again, I am almost 100% certain that it has to be matching the ACL.

I don't know how to tell if traffic is really being rerouted through my MPLS instead of its default path. Is there a reason I don't see matches on the ACL or the route-map/policy? Is it something to do with doing this on a multilayer switch (6509)?

Would appreciate any help, thanks!

5 Replies

lamav, Level 8

Hi:

Perhaps you can post the config in question...

The 6509 sits at one site and the 3750 sits at the remote site. I am wanting to capture the voice traffic from the shown VLAN and route it according to the policy below. I think I have it set up right, but I don't see it incrementing on the ACL or the policy on either switch.

-----------
6509 Switch
-----------

interface Vlan103
 ip address 10.1.103.1 255.255.255.0
 ip policy route-map PBR
!
ip access-list extended MPLS
 permit udp 10.1.0.0 0.0.255.255 10.152.0.0 0.0.255.255 range 16384 32767
!
route-map PBR permit 10
 match ip address MPLS
 set ip next-hop 10.1.101.254

Switch_6509#sh ip access MPLS
Extended IP access list MPLS
    10 permit udp 10.1.0.0 0.0.255.255 10.152.0.0 0.0.255.255 range 16384 32767

-----------
3750 Switch
-----------

interface Vlan102
 ip address 10.152.102.1 255.255.255.0
 ip policy route-map PBR
!
ip access-list extended MPLS
 permit udp 10.152.0.0 0.0.255.255 10.1.0.0 0.0.255.255 range 16384 32767
 permit ip host 10.152.1.10 host 10.1.2.50
 permit ip host 10.152.102.50 host 10.1.103.53
!
route-map PBR permit 10
 match ip address MPLS
 set ip next-hop 10.152.101.254

Switch_3750#show ip access MPLS
Extended IP access list MPLS
    10 permit udp 10.152.0.0 0.0.255.255 10.1.0.0 0.0.255.255 range 16384 32767
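An added check, not code from the post or from Cisco: a small evaluator that applies the ACEs quoted above to constructed sample flows, so you can confirm on paper which packets the `MPLS` list should match before reading anything into the hit counters. It models the two things that are easy to misread in an extended ACE: the wildcard is an inverted mask (a 1 bit means "don't care"), and a trailing `range` on a `permit udp` entry applies to the destination port only, so signaling traffic between the same hosts does not hit the RTP entry. Source-port operators are assumed absent, as in the post.

```python
import ipaddress

# ACEs copied verbatim from the two configs quoted in the post
ACL_6509 = ["permit udp 10.1.0.0 0.0.255.255 10.152.0.0 0.0.255.255 range 16384 32767"]
ACL_3750 = [
    "permit udp 10.152.0.0 0.0.255.255 10.1.0.0 0.0.255.255 range 16384 32767",
    "permit ip host 10.152.1.10 host 10.1.2.50",
    "permit ip host 10.152.102.50 host 10.1.103.53",
]

def _addr_spec(tokens):
    """Consume 'host A' or 'A WILDCARD'; return (addr, care_mask, remaining tokens)."""
    # IOS wildcard bits are inverted: a 1 means "don't care", so care_mask = ~wildcard
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0xFFFFFFFF, tokens[2:]
    addr = int(ipaddress.IPv4Address(tokens[0]))
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    return addr, 0xFFFFFFFF ^ wildcard, tokens[2:]

def parse_ace(line):
    """Parse 'permit|deny <proto> <src> <dst> [eq P | range LO HI]'."""
    # Assumption: no source-port operator (none appear in the post), so a trailing
    # operator belongs to the destination port, which is how IOS reads it here
    tokens = line.split()
    src, src_care, rest = _addr_spec(tokens[2:])
    dst, dst_care, rest = _addr_spec(rest)
    lo, hi = 0, 65535                      # no operator: any destination port
    if rest[:1] == ["range"]:
        lo, hi = int(rest[1]), int(rest[2])
    elif rest[:1] == ["eq"]:
        lo = hi = int(rest[1])
    return {"action": tokens[0], "proto": tokens[1], "src": (src, src_care),
            "dst": (dst, dst_care), "dport": (lo, hi)}

def ace_matches(ace, proto, src_ip, dst_ip, dport):
    """True if packet (proto, src, dst, dport) hits this ACE; 'ip' ACEs match any protocol."""
    if ace["proto"] not in ("ip", proto):
        return False
    for (net, care), ip in ((ace["src"], src_ip), (ace["dst"], dst_ip)):
        if (int(ipaddress.IPv4Address(ip)) & care) != (net & care):
            return False
    lo, hi = ace["dport"]
    return lo <= dport <= hi

def first_match(acl, proto, src_ip, dst_ip, dport):
    """Index (1-based, listed order) of the first ACE hit, or None for the implicit deny."""
    for seq, line in enumerate(acl, 1):
        if ace_matches(parse_ace(line), proto, src_ip, dst_ip, dport):
            return seq
    return None
```

For example, `first_match(ACL_6509, "udp", "10.1.103.53", "10.152.102.50", 20000)` returns 1 while the same hosts on destination port 5060 return None, so only the media stream, not the call setup, is policy-routed by that entry.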

Bryan:

Putting the ACL issue aside for a second, is the voice traffic being policy routed according to your map? Just taking an educated guess, I imagine the 3750 is routing end-station voice traffic to a centralized VoIP switch. So, are the calls going through successfully?

As for the ACL, why did you select those udp port ranges? If the traffic is not going through, have you tried to leave the port ranges out and instead just increased the subnet bit mask length to get more granular indications when the ACL gets hit up?

VL

I don't believe it is, and I haven't found a way to verify it is. Calls are still working, yes, but I don't know if it is through the default path or according to the policy. I figured the way to verify if it's using the policy is to view the hits on the ACL and the hits on the route-map, neither of which is showing hits.

Voice traffic, or RTP, uses the UDP port range 16384 - 32767. That is why I chose those. I wanted to match specifically voice traffic.

And actually, the 3750 is performing the interVLAN routing for that site (small site).

Bryan:

Can you perform a traceroute from the source network, behind the 3750, and see what route it takes to the destination network?

Thanks for the info on the udp voice ports -- not a VoIP wiz. :-)

Thanks
