ACL and Route-map work together?

lynne.meeks
Level 1

I have a route-map set up which redirects all port 80 traffic from 10.250.48.0/24 hosts to a web page which is routed on another router.

The route-map is placed on the vlan interface for the 10.250.48.0 vlan, and sets the next-hop as the IP address for the second router, where the redirect web page is routed.

The next-hop on that router for this traffic is the IP address of the redirect web page.

This works fine UNTIL I apply an extended ACL on the vlan interface for the 10.250.48.0 subnet. The ACL restricts access to certain networks and hosts, but it does explicitly allow all port 80 traffic.

As soon as I apply the ACL to the 10.250.48.0 vlan the redirect fails to work. Removing the ACL restores the redirect feature.

What am I missing here?

thanks!

5 Replies

Richard Burts
Hall of Fame

Lynne

A route map is used in Policy-Based Routing to examine traffic and to make a routing decision that effectively overrides the normal routing logic. Most of the time the route map makes use of an access list as the mechanism to identify the traffic. In this case any traffic permitted by the access list is policy-based routed, and any traffic not permitted in the access list is not policy-based routed and uses the normal routing logic.

If your PBR stops working when you apply the access list then I would guess that there is a flaw in the access list and that it is not permitting the correct traffic. If you provide more details about your environment and the details of your PBR and the access list then perhaps we can make a suggestion about how to fix it.

HTH

Rick


Sure, here you go:

Here's the PBR info:

route-map WirelessVPNInfo permit 10
 match ip address 155
 set ip next-hop 10.250.207.77

Extended IP access list 155
    10 permit tcp 10.250.48.0 0.0.15.255 any eq www
    20 deny ip any any

Here's the ACL, which does explicitly allow all port 80 traffic:

ip access-list extended packets-leaving-vlan15-10-07-08-01
 remark scripts.uvm.edu
 remark Hosting vpn.mobileconfig for iPhone
 permit ip host 10.250.101.44 any
 remark VPNINFO web redirect page
 permit tcp any any eq www
 permit ip host 10.250.101.25 any
 remark Allow access to LWAPP controller
 permit ip host 10.246.207.254 any
 permit ip 10.246.207.0 0.0.0.255 any
 remark DNS access
 permit ip host 10.250.201.10 any
 permit ip host 10.250.202.10 any
 remark DHCP access
 permit ip host 10.250.201.20 any
 permit ip host 10.250.201.21 any
 remark WINDOWS DOMAIN CONTROLLERS
 permit ip host 10.250.102.5 any
 permit ip host 10.250.102.6 any
 remark LDAP access for Macs
 permit ip host 10.250.101.196 any
 remark VPN access
 permit ip host 10.250.111.53 any
 permit ip host 10.250.111.54 any
 permit ip host 10.250.111.200 any

Here's the VLAN config:

interface Vlan15
 ip address 10.250.48.1 255.255.240.0
 ip helper-address 10.250.201.21
 no ip redirects
 ip dhcp relay information trusted
 no ip route-cache
 ip policy route-map WirelessVPNInfo
 ip access-group packets-leaving-vlan15-10-07-08-01 out
 mls rp vtp-domain UVMBackbone
 no cdp enable
!

Lynne

Lynne

Thank you for the additional information which does help to clarify the issue. Seeing this and re-reading your original post I realize that I did not understand correctly your question and my answer was about something different from what you were really asking. I am sorry about that.

Having seen the access list and the config I now understand what you were really asking, and I believe that I have a better answer to your question. I believe that this is the line in question:

permit tcp any any eq www

To get to the problem, let us remember that when the client sends a request to the server, port 80 is the destination port, and that when the server sends a response to the client, port 80 becomes the source port. And since the access list is applied out on the VLAN interface, it is permitting responses (rather than requests). So it needs to permit 80 as the source port and not as the destination port (which is what you have). I believe that if you change it to this you will find that it works:

permit tcp any eq www any

HTH

Rick

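The following is an added example, not code from the original thread or from Cisco: a small Python model of first-match extended-ACL evaluation with wildcard masks. It parses the access lists Lynne posted above, builds a constructed HTTP request and its response (the client 10.250.48.10 on VLAN 15 and the web server 203.0.113.10 are hypothetical addresses), and shows the point Rick makes: the PBR access list 155 matches the request, but on the outbound ACL the response carries port 80 as the source port, so `permit tcp any any eq www` never matches it and the implicit deny drops it, while `permit tcp any eq www any` permits it.

```python
"""Added example (not from the original thread): a minimal model of how a
Cisco-style extended ACL is evaluated, used to show why an ACL applied 'out'
must match HTTP responses with port 80 as the *source* port."""
from ipaddress import IPv4Address

PORT_NAMES = {"www": 80}  # the only named port the posted ACLs use


def in_wildcard(addr, network, wildcard):
    """True if addr lies in network/wildcard (Cisco inverse mask: 1 bit = don't care)."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def _addr(toks):
    """Consume an address spec: 'any', 'host A', or 'A WILDCARD'."""
    if toks[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), toks[1:]
    if toks[0] == "host":
        return (toks[1], "0.0.0.0"), toks[2:]
    return (toks[0], toks[1]), toks[2:]


def _port(toks):
    """Consume an optional 'eq PORT' qualifier; None means any port."""
    if toks and toks[0] == "eq":
        port = PORT_NAMES[toks[1]] if toks[1] in PORT_NAMES else int(toks[1])
        return port, toks[2:]
    return None, toks


def parse_ace(line):
    """Parse one access-list entry; remarks give None, sequence numbers are ignored."""
    toks = line.split()
    if toks[0].isdigit():
        toks = toks[1:]
    if toks[0] == "remark":
        return None
    action, proto, rest = toks[0], toks[1], toks[2:]
    src, rest = _addr(rest)
    sport, rest = _port(rest)
    dst, rest = _addr(rest)
    dport, rest = _port(rest)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport}


def matches(ace, pkt):
    """Protocol, both addresses and any 'eq' ports must all match."""
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if not in_wildcard(pkt["src"], *ace["src"]) or not in_wildcard(pkt["dst"], *ace["dst"]):
        return False
    if ace["sport"] is not None and pkt["sport"] != ace["sport"]:
        return False
    if ace["dport"] is not None and pkt["dport"] != ace["dport"]:
        return False
    return True


def evaluate(acl, pkt):
    """First matching entry wins; every ACL ends with an implicit 'deny ip any any'."""
    for line in acl:
        ace = parse_ace(line)
        if ace and matches(ace, pkt):
            return ace["action"]
    return "deny"


# Access lists as posted in the thread (the outbound ACL is shortened: its
# remaining host-specific 'permit ip host ... any' lines have the same shape).
PBR_ACL_155 = ["10 permit tcp 10.250.48.0 0.0.15.255 any eq www", "20 deny ip any any"]
OUTBOUND_ACL_AS_POSTED = [
    "remark Hosting vpn.mobileconfig for iPhone",
    "permit ip host 10.250.101.44 any",
    "remark VPNINFO web redirect page",
    "permit tcp any any eq www",
    "permit ip host 10.250.101.25 any",
    "permit ip 10.246.207.0 0.0.0.255 any",
    "permit ip host 10.250.201.10 any",
]
# The fix Lynne applied: an extra line matching 80 as the source port.
OUTBOUND_ACL_FIXED = OUTBOUND_ACL_AS_POSTED + ["permit tcp any eq www any"]

# Constructed packets: a VLAN 15 client fetching a page from a hypothetical server.
CLIENT, SERVER = "10.250.48.10", "203.0.113.10"
REQUEST = {"proto": "tcp", "src": CLIENT, "sport": 51234, "dst": SERVER, "dport": 80}
RESPONSE = {"proto": "tcp", "src": SERVER, "sport": 80, "dst": CLIENT, "dport": 51234}

if __name__ == "__main__":
    print("PBR 155, request   :", evaluate(PBR_ACL_155, REQUEST))            # permit
    print("out ACL as posted, response:", evaluate(OUTBOUND_ACL_AS_POSTED, RESPONSE))  # deny
    print("out ACL fixed, response    :", evaluate(OUTBOUND_ACL_FIXED, RESPONSE))      # permit
```

The model keeps only what the thread needs (`permit`/`deny`, `ip`/`tcp`, `any`/`host`/wildcard addresses and `eq` ports), but the direction lesson generalises: an ACL applied `out` on the client-facing interface sees return traffic, so service ports appear on the source side, and the reverse holds for an ACL applied `in`.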

BINGO!

That was exactly the problem.

I added the line permitting 80 as the source port, and it works perfectly.

Seems so obvious now, but I guess hindsight is 20/20.

Thanks for your assistance, much appreciated.

Lynne

Thanks for posting back to the thread and indicating that the problem was solved. I am glad that I was able to help you find the solution. Hindsight does tend to make things look simple when they were not nearly so obvious when it was an active issue. And the source port/destination port issue is an easy one to overlook.

HTH

Rick
