Local Policy routing

hugo.picado
Level 1

Hello,

I have a question regarding local policy routing.

I have a 4507R which I use as a layer 3 network core (collapsed core) in a building. It has different gateways (vlan interfaces) for 5 floors, and basically I have two paths to my HQ: a router with some leased lines for critical information and a VPN for the rest. The router I use to connect to our HQ is in one vlan, I have a vlan interface in the 4507 and they both use eigrp; the VPN is in a pix, I have another vlan for the pix subnet too, and I use static routing for it.

My problem is: when I receive traffic from a floor I can set the next hop for a destination in the same vlan interface, so since the pix is in a different vlan from the floors, writing the policy rule command in the interface where I receive the floor's traffic does not work. How can I solve this? I have thought of using local policy routing, since the documentation I have says "packets originating in the router", but I am not sure what this expression means. Are packets from the different floors being "originated" in my 4507 since it is the layer three device in this scenario? Should this solve my inconvenience?

I cannot use static routes since sometimes only some ports between servers are sent via VPN and the other applications are sent via leased lines.

I hope my question is clear.

Thank you in advance for all your answers.

6 Replies

Jon Marshall
Hall of Fame

Local policy routing is for traffic sourced by the 4507R itself and this does not cover the traffic sourced from a user on one of your floor vlans.

I'm not sure why your policy routing will not work. If the pix and the 4507R share a vlan you should be able to set the next hop as the pix inside interface - are you saying this doesn't work?

Jon

Jon,

Just to make up my mind, please check the configuration I have written below. Do you think this should work even when the floor's interface ip address is not in the same subnet as the pix subnet?

The 4507 and the HQ router are exchanging routes using eigrp; I can reach the remote servers using either path.

Thank you.

HUGO

interface vlan 10
 description Floor 1
 ip address 10.10.10.1 255.255.255.0
 ip policy route-map vpnpix2pix

interface vlan 20
 description Floor 2
 ip address 10.10.20.1 255.255.255.0
 ip policy route-map vpnpix2pix

interface vlan 30
 description Floor 3
 ip address 10.10.30.1 255.255.255.0

interface vlan 80
 description HQ router and main COM equipment
 ip address 10.10.80.1 255.255.255.0

interface vlan 81
 description PIX and vpn
 ip address 10.10.81.1 255.255.255.0

The pix address is 10.10.81.231

route-map vpnpix2pix permit 10
 match ip address VPN_Local_HQ
 set ip next-hop 10.10.81.231

Hugo

What does the access-list VPN_Local_HQ look like?

Jon

Jon,

The access list looks like:

ip access-list extended VPN_Local_HQ
 permit tcp 10.10.10.0 0.0.0.255 host 10.200.10.15 eq 2199
 permit tcp 10.10.20.0 0.0.0.255 host 10.200.10.15 eq 2199
 etc...
 permit ip 10.10.10.0 0.0.0.255 host 10.200.10.25
 etc...
 permit tcp 10.10.120.0 0.0.0.255 host 10.200.10.15 eq 2199
 permit tcp 10.10.121.0 0.0.0.255 host 10.200.10.15 eq 2199

(These are remote buildings, one or two floors; I connect them to our main building using layer three switches and fiber optic. Local gateways for those buildings are in the remote L3 switches and I use 30-bit subnets to interconnect those L3 switches with this 4507.)

10.200.X.X is our HQ, 10.10.X.X is my region.

I could replace the matches for 10.200.10.25 (full IP) with a static route, but at any time I could use redistribute static, so I prefer policy routing.

Thanks

HUGO

Hugo

There is no reason why this should not work. Are you seeing matches on the access-list?

If you debug on the pix do you see packets arriving that match up with your policy routing ?

Jon
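To make the behaviour Jon and Hugo are discussing concrete, here is an added Python model (not code from the thread or from Cisco) of how the 4507R evaluates VPN_Local_HQ and route-map vpnpix2pix: interface PBR only applies to packets arriving on an SVI that carries "ip policy", and "ip local policy" only ever sees packets the switch itself originates. The interface names, the "NORMAL_PATH" label and the sample packets are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco ACL wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)

@dataclass
class Ace:
    proto: str                 # "ip" matches any protocol, otherwise e.g. "tcp"
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int] = None  # None = any destination port

def acl_permits(acl, pkt) -> bool:
    """First matching ACE wins; no match means the implicit deny at the end."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt["proto"]:
            continue
        if not wildcard_match(pkt["src"], ace.src, ace.src_wc):
            continue
        if not wildcard_match(pkt["dst"], ace.dst, ace.dst_wc):
            continue
        if ace.dport is not None and ace.dport != pkt.get("dport"):
            continue
        return True
    return False

# The ACL from the thread (only the lines shown, not the elided "etc..." ones).
VPN_LOCAL_HQ = [
    Ace("tcp", "10.10.10.0", "0.0.0.255", "10.200.10.15", "0.0.0.0", 2199),
    Ace("tcp", "10.10.20.0", "0.0.0.255", "10.200.10.15", "0.0.0.0", 2199),
    Ace("ip",  "10.10.10.0", "0.0.0.255", "10.200.10.25", "0.0.0.0"),
]
PIX_NEXT_HOP = "10.10.81.231"          # set ip next-hop in route-map vpnpix2pix
NORMAL_PATH = "routing-table (eigrp)"  # constructed label for the non-policy path
POLICY_SVIS = {"vlan10", "vlan20"}     # SVIs configured with ip policy route-map

def forward(pkt, ingress: Optional[str], local_policy: bool = False) -> str:
    """Return the path chosen for pkt. ingress=None means the 4507R itself sent it."""
    if ingress is None:
        policy_applies = local_policy      # ip local policy: router-originated only
    else:
        policy_applies = ingress in POLICY_SVIS
    if policy_applies and acl_permits(VPN_LOCAL_HQ, pkt):
        return PIX_NEXT_HOP
    return NORMAL_PATH
```

The model also makes the point that a floor VLAN without "ip policy" (vlan 30 in Hugo's config) never reaches the pix via the route-map, whatever the ACL says.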

Jon,

I didn't see any traffic on my pix. Since you confirm this should work I will change my next hop in one route map and apply it to one interface where the effect, in case it could be negative, does not affect my operation.

To tell you the truth, I remember once I had to set full IP (not TCP Port) in my access list because just TCP/port was not working. Could it be an IOS bug, maybe? (I have cat4000-i5k91s-mz.122-25.EWA8)

Anyway, I will let this conversation open just in case after changing I find something else that could help me know what is causing the apparently misrouting.

I will do my changes tomorrow morning since at night we have a heavy load on our network.

I will update you tomorrow morning.

Thank you.
