Route Map issue

Unanswered Question
Sep 5th, 2008

I have 2 Internet connections, I want my branches (which have many more users) to use the HS link. The slower link is connected to my core. The higher-speed one is 2 hops away. I have created a route map:

!
access-list 180 permit icmp 0.0.0.0 255.0.0.0 any <--for testing purposes ONLY
access-list 180 permit tcp any any eq www
access-list 180 permit tcp any any eq 443
!
route-map webtraffic permit 1
 match ip address 180
 set interface GigabitEthernet7/1 <-- port on my core to other core device where HS Link connects
 set ip next-hop 10.66.250.1 <--DGW I want to use
!

I have this route-map applied to both interfaces on my core where my 2 branches connect from their routers. The ACL is racking up "hits" but the traffic is STILL going out my slower speed link. Here is some debug info:

Sep 5 09:48:48.654 CST: IP: s=10.61.30.56 (GigabitEthernet3/47), d=204.2.131.1, len 40, FIB policy match
Sep 5 09:48:48.654 CST: CEF-IP-POLICY: fib for address 10.66.250.1 is with flag 32
Sep 5 09:48:48.654 CST: IP: s=10.61.30.56 (GigabitEthernet3/47), d=204.2.131.1, len 40, FIB policy rejected - normal forwarding

Any ideas? TIA,

Lee

jpoplawski Fri, 09/05/2008 - 07:40

Is the route-map configured in your NAT statement? Is it possible to post a config?

Thanks,

JB

lhoyle Fri, 09/05/2008 - 09:07

We NAT on the actual Internet routers. The traffic never seems to get to the correct router to be NAT'd.

Thanks,

Lee

paul.matthews Fri, 09/05/2008 - 07:40

First thoughts - you don't normally need to set interface *and* next hop, I would just do the next hop.

Secondly, the access list seems to be purely HTTP and HTTPS along with any ICMP traffic ending in three zeros.

The debug does not say what that traffic is, other than IP addresses.

lhoyle Fri, 09/05/2008 - 07:49

I initially had just the next-hop, but added the set interface when it did not work initially. The traffic I am trying to redirect is from my branch offices, which are quite a bit larger than the HQ. Here is where I applied the RM. These are ports on the core that directly connect to the routers to the branches (I have 2 routes to each branch).

!
interface GigabitEthernet3/46
 description CE-CEA-INTRT-3845-02
 ip address 10.62.254.21 255.255.255.252
 ip policy route-map webtraffic
 service-policy output QOS-OUT
!
interface GigabitEthernet3/47
 description CE-CEA-INTRT-3845-01
 ip address 10.62.254.17 255.255.255.252
 ip policy route-map webtraffic
 service-policy output QOS-OUT
!

A tracert from a w/s at a branch looks like this...

Tracing route to msn.com [207.68.172.246]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  10.61.5.1
  2    <1 ms    <1 ms    <1 ms  10.61.254.18
  3     3 ms     3 ms     3 ms  192.168.254.1 <--- FWSM in the core router
  4     3 ms     3 ms     3 ms  10.62.254.17 <---core router port from the branch
  5     4 ms     4 ms     4 ms  72.9.88.3 <--my slower Internet connection
  6   369 ms   150 ms   221 ms  69.8.1.121
  7   249 ms   350 ms   333 ms  dal-edge-14.inet.qwest.net [63.151.228.229]
  8   376 ms   281 ms   355 ms  sea-core-01.inet.qwest.net [67.14.32.74]
  9     *     553 ms   580 ms  sea-edge-03.inet.qwest.net [205.171.26.38]
 10  63.237.224.30  reports: Destination net unreachable.

Thanks,

Lee

Giuseppe Larosa Fri, 09/05/2008 - 13:42

Hello Lee,

You say that "The higher-speed one is 2 hops away".

The ip address 10.66.250.1 <--DGW I want to use

is the ip address two hops away?

You need to set the ip next-hop to the other core router in the route-map.

The next-hop must be reachable via a connected interface (it should have an ARP entry if it is a LAN interface).

Then you do the same on the second core router if routing does not choose the HS link as outgoing interface towards the Internet.

Hope to help

Giuseppe
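
A corrected configuration following Giuseppe's advice, added here as an example; it is not taken from the thread or from Lee's network. It assumes core 1 (where Gi3/46 and Gi3/47 face the branch routers) and core 2 share a directly connected point-to-point link via GigabitEthernet7/1 (the 10.62.254.25/26 addresses are placeholders), and that 10.66.250.1 is the HS Internet router directly connected to core 2. On each core the route-map's next hop is an address on a connected subnet, which is the condition the "FIB policy rejected - normal forwarding" debug line indicates was not met when the next hop was two hops away.

```ios
! ===== Core 1: PBR on the branch-facing ports =====
!
! The ICMP test line is dropped: "permit icmp 0.0.0.0 255.0.0.0 any" only
! matches sources whose first octet is 0, so it never helps with testing.
access-list 180 permit tcp any any eq www
access-list 180 permit tcp any any eq 443
!
! Assumed: Gi7/1 is a /30 to core 2; core 2's side is 10.62.254.26.
interface GigabitEthernet7/1
 description Link to core 2 (towards the high-speed Internet link)
 ip address 10.62.254.25 255.255.255.252
!
! Next hop is the directly connected core 2 address, not the far-end DGW.
! "set interface" is omitted; "set ip next-hop" alone is enough here.
route-map webtraffic permit 10
 match ip address 180
 set ip next-hop 10.62.254.26
!
interface GigabitEthernet3/46
 ip policy route-map webtraffic
!
interface GigabitEthernet3/47
 ip policy route-map webtraffic
!
! ===== Core 2: only needed if its routing table would still prefer the slow link =====
!
access-list 180 permit tcp any any eq www
access-list 180 permit tcp any any eq 443
!
! Assumed: 10.66.250.1 (the DGW from the original post) is on a subnet
! directly connected to core 2, so it has an ARP entry here.
route-map webtraffic permit 10
 match ip address 180
 set ip next-hop 10.66.250.1
!
interface GigabitEthernet7/1
 description Link to core 1
 ip address 10.62.254.26 255.255.255.252
 ip policy route-map webtraffic
!
! ===== Verification on each core (run from enable mode) =====
!
! show ip route 10.62.254.26      -> must say "directly connected"
! show ip arp 10.62.254.26        -> an ARP entry must exist (LAN interface)
! show ip cef 10.62.254.26        -> an attached adjacency, not a recursive route
! show route-map webtraffic       -> "Policy routing matches" counter increments
! debug ip policy                 -> expect "policy match" followed by
!                                    "policy routed", not "policy rejected"
```

The check that matters is the `show ip route` / `show ip arp` pair: if the address in `set ip next-hop` does not show as directly connected on the router where the policy is applied, CEF falls back to normal forwarding exactly as in the debug output above, and the ACL hit counters keep climbing even though nothing is being redirected.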

lhoyle Fri, 09/05/2008 - 13:53

Thank you for the insight. Earlier today, the admin for the next hop gave me that IP address, and sadly, I get the same results.
