Route-Map and ACL question

Unanswered Question
Jun 22nd, 2009

I have an interesting scenario. It is only for testing purposes and not what we will use for production. This is just for testing! Here is what I am trying to do.


I have a VLAN that is set up for all workstations:

VLAN 100

interface Vlan100
 description VLAN-100
 ip address 10.1.0.1 255.255.240.0
 ip ospf priority 10
 ip policy route-map VLAN100_POLICY


On this router/MSFC we are running EIGRP and OSPF; this is not where the issue is, that part is pretty straightforward. We then have a default route:


ip route 0.0.0.0 0.0.0.0 192.168.3.10


This is the interface IP on the firewall.


In this path there is a proxy 192.168.3.5


Here is the route-map that is applied to the VLAN interface:

route-map VLAN100_POLICY permit 10
 match ip address GOTO_FIREWALL
 set ip default next-hop 10.254.1.10


In this ACL we have the IPs that will be used to bypass the proxy. The list is quite long, so I will not bore you all with the info.


Ok onto what I need to do.

I am setting up a new proxy with more features and need to test a handful of users. I have my IP 10.1.15.100 that needs to take a different path:

New VLAN103 192.168.103.1

New proxy 192.168.103.5

New firewall interface 192.168.103.10


Here are the ACLs I have created so far:

ip access-list extended BYPASS-BC2-TO-DMZ
 permit ip host 10.1.15.100 192.168.0.0 0.0.255.255
!
ip access-list extended BYPASS-BC2-TO-E1
 permit ip host 10.1.15.100 10.1.252.0 0.0.0.255
!
ip access-list extended GOTO-BLUECOAT2
 permit ip host 10.1.15.100 any
!


And the route-maps for manipulation:

route-map VLAN100_POLICY permit 15
 match ip address BYPASS-BC2-TO-DMZ
 set ip next-hop 10.254.1.10
!
route-map VLAN100_POLICY permit 20
 match ip address GOTO-BLUECOAT2
 set ip next-hop 192.168.103.10


I am trying to get internal access set up and am having a difficult time.


For instance, I need to get to 10.1.252.54, which is directly connected:

interface Vlan252
 description VLAN252-CSM
 ip address 10.1.252.1 255.255.255.0
!

MONR001#sh ip route 10.1.252.54
Routing entry for 10.1.252.0/24
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Redistributing via eigrp 555, ospf 100
  Advertised by ospf 100
  Routing Descriptor Blocks:
  * directly connected, via Vlan252
      Route metric is 0, traffic share count is 1


Is there a way to get my workstation to go to 10.1.252.0/24 network with a route-map to a directly connected IP?

Yudong Wu Mon, 06/22/2009 - 14:17

If I understand your question correctly, what you need is just to use PBR to route your traffic to the specified host. So you need to apply the related route-map under the interface of the VLAN where your PC 10.1.15.100 is.

Rick Morris Tue, 06/23/2009 - 06:03

That is the question.

I know I need a PBR to get the traffic where I need it. The question in all of this is how do you build the PBR for a directly connected network.


I think I provided enough detail in the post, at least I hope, to explain what I am trying to do.

Yudong Wu Tue, 06/23/2009 - 06:38

Can you clarify your topology?

10.1.252.0/24 is directly connected to MONR001; is your PC 10.1.15.100 directly connected to this router as well?


If not, is MONR001 the last hop for 10.1.15.100 to access 10.1.252.0/24 network?


Rick Morris Tue, 06/23/2009 - 06:44

On the 6509 MSFC I have the following:

interface Vlan100
 description VLAN-100
 ip address 10.1.0.1 255.255.240.0
 ip ospf priority 10
 ip policy route-map VLAN100_POLICY



This is my default route for my workstation


Also on this same 6509 is:


interface Vlan252
 description VLAN252-CSM
 ip address 10.1.252.1 255.255.255.0


This is the network I am trying to get to.


In this setup, according to my routing policy, I have a default route of 0.0.0.0 0.0.0.0 192.168.3.10.


So if something does not match the policy applied to interface vlan 100 the traffic will go here.


So from a topology standpoint these networks are all local that I am referring to, which is why the networks show directly connected.


How do you create a PBR to a directly connected network?

Is it possible?

This is what I am trying to do.

Yudong Wu Tue, 06/23/2009 - 07:30

Ok, I hope I understood it now.

Say you would like your PC to access the 10.1.252.0/24 network, which is a directly connected network on the same 6509. Do you want to forward the packet to a specified host first? If not, why don't you just let the routing table make the decision? If yes, just use the related "match ip address" and "set ip next-hop x.x.x.x" commands in your route-map. Make sure there is no overlapping entry in your existing ACL "GOTO_FIREWALL".

Rick Morris Tue, 06/23/2009 - 07:42

I cannot let routing make the decision, because I am trying to manipulate the routing table for the test I am trying to run. I am trying to send traffic to a new location for the internet and for non-directly-connected networks, and that is just fine. When trying to direct that host to a local network it normally has access to, it does not route. I need some way to do this via PBR. What you propose cannot technically be done: IOS will not allow you to use a next-hop to an IP that is self, in this case the directly connected network? I am looking for a way to get around this.
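The thread never shows which route-map sequence actually grabs the packet to 10.1.252.54, so the following is an added worked example (written for this page, not config or code from the original poster or from Cisco) that models how IOS walks the route-map sequences posted above: the first sequence whose ACL permits the packet wins, "set ip next-hop" overrides the routing table, and "set ip default next-hop" is only honoured when the RIB holds nothing better than the default route. Run against the posted ACLs, it shows that sequence 20 (GOTO-BLUECOAT2, "permit ip host 10.1.15.100 any") matches traffic for the directly connected 10.1.252.0/24 just as it matches internet traffic, so that traffic is handed to 192.168.103.10 instead of being delivered on Vlan252. It then shows two ways to keep local destinations on normal forwarding: leading deny entries in GOTO-BLUECOAT2 for the local subnets, or "set ip default next-hop" on sequence 20. Assumptions (not in the thread): the contents of GOTO_FIREWALL are unknown and are modelled as an ACL that does not match the test host; the RIB is reduced to the two connected VLANs and the static default; wildcard masks are assumed contiguous; the test destinations 198.51.100.7 and 192.168.5.1 are constructed.

```python
"""Model IOS policy-based routing evaluation for the VLAN100_POLICY route-map (added example)."""
from ipaddress import IPv4Address, IPv4Network


def wildcard_to_network(addr: str, wildcard: str) -> IPv4Network:
    """Convert an IOS 'address wildcard' pair to a network (wildcard 1-bits are don't-care)."""
    wc = int(IPv4Address(wildcard))
    if wc & (wc + 1):  # only contiguous wildcards are modelled (assumption)
        raise ValueError("non-contiguous wildcard mask: %s" % wildcard)
    return IPv4Network("%s/%d" % (addr, 32 - wc.bit_length()), strict=False)


def parse_ace(line: str):
    """Parse one 'permit|deny ip <src> <dst>' entry of an extended ACL into (action, src_net, dst_net)."""
    tok = line.split()
    if tok[1] != "ip":
        raise ValueError("only 'ip' entries are modelled")

    def take(t):
        if t[0] == "any":
            return IPv4Network("0.0.0.0/0"), t[1:]
        if t[0] == "host":
            return IPv4Network(t[1] + "/32"), t[2:]
        return wildcard_to_network(t[0], t[1]), t[2:]

    src, rest = take(tok[2:])
    dst, _ = take(rest)
    return tok[0], src, dst


def acl_permits(acl, src: IPv4Address, dst: IPv4Address) -> bool:
    """First matching entry wins, implicit deny at the end; for PBR only a permit counts as a match."""
    for action, s, d in (parse_ace(line) for line in acl):
        if src in s and dst in d:
            return action == "permit"
    return False


def rib_lookup(rib, dst: IPv4Address):
    """Longest-prefix match over a list of (network, description); None if nothing matches."""
    hits = [r for r in rib if dst in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None


def forward(route_map, acls, rib, src: str, dst: str):
    """Return ('pbr', next_hop) when a route-map sequence redirects the packet, else ('rib', route)."""
    s, d = IPv4Address(src), IPv4Address(dst)
    for _seq, acl_name, set_kind, next_hop in route_map:
        if not acl_permits(acls[acl_name], s, d):
            continue  # this sequence does not match: try the next one
        if set_kind == "next-hop":
            return ("pbr", next_hop)  # 'set ip next-hop' ignores the RIB entirely
        if set_kind == "default-next-hop":
            hit = rib_lookup(rib, d)
            if hit is None or hit[0].prefixlen == 0:  # only the default route (or nothing) covers dst
                return ("pbr", next_hop)
        break  # matched, but no set clause applies: normal forwarding
    hit = rib_lookup(rib, d)
    return ("rib", hit[1] if hit else "unroutable")


# RIB reduced to what the thread shows (assumption: nothing else is relevant to the test host).
RIB = [
    (IPv4Network("10.1.0.0/20"), "connected Vlan100"),
    (IPv4Network("10.1.252.0/24"), "connected Vlan252"),
    (IPv4Network("0.0.0.0/0"), "static via 192.168.3.10"),
]

# ACLs as posted. GOTO_FIREWALL is not shown in the thread; modelled as not matching 10.1.15.100.
ACLS_POSTED = {
    "GOTO_FIREWALL": [],
    "BYPASS-BC2-TO-DMZ": ["permit ip host 10.1.15.100 192.168.0.0 0.0.255.255"],
    "GOTO-BLUECOAT2": ["permit ip host 10.1.15.100 any"],
}

# Fix A (constructed): exclude the local subnets before the catch-all permit.
ACLS_FIXED = dict(ACLS_POSTED)
ACLS_FIXED["GOTO-BLUECOAT2"] = [
    "deny ip host 10.1.15.100 10.1.0.0 0.0.15.255",   # its own VLAN 100 subnet
    "deny ip host 10.1.15.100 10.1.252.0 0.0.0.255",  # VLAN 252, directly connected
    "permit ip host 10.1.15.100 any",
]

# Route-map as posted: (sequence, match ACL, set kind, next hop).
ROUTE_MAP_POSTED = [
    (10, "GOTO_FIREWALL", "default-next-hop", "10.254.1.10"),
    (15, "BYPASS-BC2-TO-DMZ", "next-hop", "10.254.1.10"),
    (20, "GOTO-BLUECOAT2", "next-hop", "192.168.103.10"),
]

# Fix B (constructed): sequence 20 uses 'set ip default next-hop' so connected routes still win.
ROUTE_MAP_DEFAULT = ROUTE_MAP_POSTED[:2] + [(20, "GOTO-BLUECOAT2", "default-next-hop", "192.168.103.10")]

if __name__ == "__main__":
    host = "10.1.15.100"
    for label, rm, acls in (("posted", ROUTE_MAP_POSTED, ACLS_POSTED),
                            ("fix A: deny locals", ROUTE_MAP_POSTED, ACLS_FIXED),
                            ("fix B: default next-hop", ROUTE_MAP_DEFAULT, ACLS_POSTED)):
        for dst in ("10.1.252.54", "192.168.5.1", "198.51.100.7"):
            print("%-24s %s -> %-14s %s" % (label, host, dst, forward(rm, acls, RIB, host, dst)))
```

Either fix keeps 192.168.0.0/16 on sequence 15 and internet traffic on 192.168.103.10 while letting 10.1.252.54 be delivered out Vlan252; the deny-entry variant is the more explicit of the two, since "set ip default next-hop" silently changes behaviour the moment any non-default route for a destination appears in the RIB.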
