12-15-2009 07:00 AM - edited 03-04-2019 06:58 AM
Greetings,
We have the following VLAN sub-interface and acls configured on our router. The idea is to split traffic outbound from this VLAN to two different networks - pointing traffic destined for 10.169.254.69/24 at router with WAN IP of 10.255.255.5 - and all Internet traffic pointed to router WAN 10.255.255.2 that has an Internet gateway (the traffic will not touch any other part of the network behind 255.2 - just be immediately shuttled out the Internet gateway).
interface GigabitEthernet0/1.14
description ** JPI **
encapsulation dot1Q 14
ip address 172.28.130.1 255.255.254.0
ip access-group INETJPI-ONLY in
ip policy route-map INETONLYJPI
no snmp trap link-status
ip access-list extended INETJPI-ONLY
permit udp any any eq bootpc
deny ip any 10.1.4.0 0.0.3.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip any any
ip access-list extended JPI-254SUBNET
deny ip 172.28.130.0 0.0.1.255 10.1.4.0 0.0.3.255
deny ip 172.28.130.0 0.0.1.255 172.16.0.0 0.15.255.255
deny ip 172.28.130.0 0.0.1.255 192.168.0.0 0.0.255.255
permit ip 172.28.130.0 0.0.1.255 10.169.254.0 0.255.255.255
deny ip any any
ip access-list extended JPI-INETONLY-NETS
deny ip 172.28.130.0 0.0.1.255 10.1.4.0 0.0.3.255
deny ip 172.28.130.0 0.0.1.255 172.16.0.0 0.15.255.255
deny ip 172.28.130.0 0.0.1.255 192.168.0.0 0.0.255.255
permit ip 172.28.130.0 0.0.1.255 any
deny ip any any
route-map INETONLYJPI permit 5
match ip address JPI-254SUBNET
set ip next-hop 10.255.255.5
route-map INETONLYJPI permit 10
match ip address JPI-INETONLY-NETS
set ip next-hop 10.255.255.2
These are the only routing protocols and statics we have configured on this router:
router eigrp 1
network 10.0.0.0
network 172.28.0.0
no auto-summary
ip classless
ip route 10.223.0.0 255.255.255.0 10.255.255.1
ip route 29.0.0.0 255.0.0.0 172.28.101.250
ip route 192.168.94.9 255.255.255.255 172.28.101.250
ip route 205.132.168.184 255.255.255.255 172.28.100.250
ip route 205.132.168.185 255.255.255.255 172.28.100.250
ip route 205.132.168.192 255.255.255.255 172.28.100.250
ip route 205.132.168.224 255.255.255.224 172.28.100.250
It is not working as configured but I cannot see why it shouldn't work.
Can anyone help?
Thanks
Solved! Go to Solution.
12-15-2009 10:23 AM
Based on this it is working exactly the way it should be. The source is 172.28.130.10 and it is going to 10.169.254.127 and the gateway is 10.255.255.5. This is matching the PBR:
ip access-list extended JPI-254SUBNET
deny ip 172.28.130.0 0.0.1.255 10.1.4.0 0.0.3.255
deny ip 172.28.130.0 0.0.1.255 172.16.0.0 0.15.255.255
deny ip 172.28.130.0 0.0.1.255 192.168.0.0 0.0.255.255
permit ip 172.28.130.0 0.0.1.255 10.169.254.0 0.255.255.255 <----matching this line
deny ip any any
Then using this route-map
route-map INETONLYJPI permit 5
match ip address JPI-254SUBNET
set ip next-hop 10.255.255.5
12-15-2009 07:12 AM
Are you getting any hits on the ACLs?
sh access-list
12-15-2009 07:24 AM
Here are the results of 'sho access-list':
Extended IP access list INETJPI-ONLY
10 permit udp any any eq bootpc
20 deny ip any 10.1.4.0 0.0.3.255
30 deny ip any 172.16.0.0 0.15.255.255 (6715 matches)
40 deny ip any 192.168.0.0 0.0.255.255
50 permit ip any any (636141 matches)
Extended IP access list JPI-254SUBNET
10 deny ip 172.28.130.0 0.0.1.255 10.1.4.0 0.0.3.255
20 deny ip 172.28.130.0 0.0.1.255 172.16.0.0 0.15.255.255
30 deny ip 172.28.130.0 0.0.1.255 192.168.0.0 0.0.255.255
40 permit ip 172.28.130.0 0.0.1.255 10.0.0.0 0.255.255.255 (634458 matches)
Extended IP access list JPI-INETONLY-NETS
10 deny ip 172.28.130.0 0.0.1.255 10.1.4.0 0.0.3.255
20 deny ip 172.28.130.0 0.0.1.255 172.16.0.0 0.15.255.255
30 deny ip 172.28.130.0 0.0.1.255 192.168.0.0 0.0.255.255
40 permit ip 172.28.130.0 0.0.1.255 any (10533991 matches)
50 deny ip any any (529 matches)
The big problem (which I guess I should have mentioned in the post) is that at one time all of the traffic exiting this VLAN - Internet included - was routed to the 255.5 router. For various reasons we now need to split Internet from the rest and route it to 255.2.
I see the hits on the ACLs but don't know how they're being routed - only know that Internet traffic is still being routed to 255.5. Also, the permit statement under JPI-254SUBNET '40 permit ip 172.28.130.0 0.0.1.255 10.0.0.0 0.255.255.255' ended up that way even though I attempted to add it in as '10.169.154.69/24'.
Thanks.
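An added illustration, not part of the thread: a small Python model of how IOS evaluates these ACLs and the route-map, showing why '10.169.254.0 0.255.255.255' is stored back as 10.0.0.0 and matches every 10.x.x.x destination (so all 10/8 traffic, not only 10.169.254.0/24, takes the 10.255.255.5 next hop), and what changes with a 0.0.0.255 wildcard. The ACL entries are copied from the thread; the evaluator, the "fixed" ACL and the sample addresses are constructed.

```python
import ipaddress

def to_int(a):
    return int(ipaddress.IPv4Address(a))

def normalize(addr, wildcard):
    """IOS stores an ACL entry as addr AND NOT wildcard: every bit the
    wildcard marks as 'don't care' is cleared. This is why
    '10.169.254.0 0.255.255.255' is displayed as '10.0.0.0 0.255.255.255'."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(to_int(addr) & care))

def wc_match(ip, addr, wildcard):
    """A field matches when all bits the wildcard marks as 0 are equal."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(ip) & care) == (to_int(addr) & care)

def acl_permits(entries, src, dst):
    """Sequential first-match evaluation with the implicit deny at the end."""
    for action, s_addr, s_wc, d_addr, d_wc in entries:
        if wc_match(src, s_addr, s_wc) and wc_match(dst, d_addr, d_wc):
            return action == "permit"
    return False

def pbr_next_hop(route_map, src, dst):
    """The first route-map clause whose ACL permits the flow sets the next hop;
    no permit in any clause means the packet uses the normal routing table."""
    for acl, next_hop in route_map:
        if acl_permits(acl, src, dst):
            return next_hop
    return None

# ACL contents from the thread ("any" written as 0.0.0.0 255.255.255.255).
ANY = ("0.0.0.0", "255.255.255.255")
JPI = ("172.28.130.0", "0.0.1.255")
PRIVATE_DENIES = [("deny", *JPI, "10.1.4.0", "0.0.3.255"),
                  ("deny", *JPI, "172.16.0.0", "0.15.255.255"),
                  ("deny", *JPI, "192.168.0.0", "0.0.255.255")]
# As stored on the router: the wildcard covers all of 10.0.0.0/8.
JPI_254SUBNET_AS_IS = PRIVATE_DENIES + [("permit", *JPI, "10.169.254.0", "0.255.255.255")]
# Constructed variant with the wildcard that actually means /24.
JPI_254SUBNET_FIXED = PRIVATE_DENIES + [("permit", *JPI, "10.169.254.0", "0.0.0.255")]
JPI_INETONLY_NETS = PRIVATE_DENIES + [("permit", *JPI, *ANY)]

def route_map(subnet_acl):
    """route-map INETONLYJPI: sequence 5 then sequence 10."""
    return [(subnet_acl, "10.255.255.5"), (JPI_INETONLY_NETS, "10.255.255.2")]
```

A destination that is denied in both ACLs (the RFC 1918 ranges listed) returns None, i.e. it is left to the routing table and EIGRP rather than policy-routed.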
12-15-2009 07:33 AM
Correct me if I am wrong:
Traffic from 172.28.130.0/23 to 10.169.254.0/24 next-hop is 10.255.255.5
Traffic from 172.28.130.0/23 to ANY next-hop is 10.255.255.2
Is this what you want?
12-15-2009 07:35 AM
Yes - that is our exact desire.
Thank you.
12-15-2009 07:44 AM
According to the config it is set-up and I do not see anything blocking it. Where do your traces go from a workstation to the internet?
Have you done any debugs and checked the logs to see where it is going?
12-15-2009 08:14 AM
I haven't done anything in the way of debugging - only getting reports from users on that VLAN that they are being routed to 255.5 for Internet.
Which debug commands should I employ - and what's the best way to gather the data for uploading results here?
12-15-2009 08:22 AM
Let's try looking at the policy first
Here is a link for debugging the policy
http://www.cisco.com/en/US/docs/ios/12_1/debug/command/reference/dbdippim.html#wp1017236
12-15-2009 08:37 AM
OK - I issued 'debug ip policy' (it only allowed the global option; the only choice after the initial command was 'dynamic', and I couldn't designate a specific access-list name).
How do I grab the output? Not seeing anything coming up.
12-15-2009 08:50 AM
do this
undebug all
term mon
clear log
then issue the debug command again
Then run test to any internet site.
The output should scroll across the screen
issue undebug all
cut and paste the output to here
or
issue undebug all
sh log
and look for the debug output in the logs and paste here.
12-15-2009 09:02 AM
OK - this is a remote network from where I sit - so I'm sending someone there to generate some Internet traffic. I did grab some initial data from the policy debug - but it's only for the network behind the 255.5 router:
Dec 15 16:52:58.583: IP: s=172.28.130.10 (GigabitEthernet0/1.14), d=10.169.254.127, len 44, FIB policy match
Dec 15 16:52:58.583: IP: s=172.28.130.10 (GigabitEthernet0/1.14), d=10.169.254.127, g=10.255.255.5, len 44, FIB policy routed
Dec 15 16:52:58.583: IP: s=172.28.130.10 (GigabitEthernet0/1.14), d=10.169.254.127, len 86, FIB policy match
Dec 15 16:52:58.583: IP: s=172.28.130.10 (GigabitEthernet0/1.14), d=10.169.254.127, g=10.255.255.5, len 86, FIB policy routed
Dec 15 16:52:58.615: IP: s=172.28.130.10 (GigabitEthernet0/1.14), d=10.169.254.127, len 44, FIB policy match
Dec 15 16:52:58.615: IP: s=172.28.130.10 (GigabitEthernet0/1.14), d=10.169.254.127, g=10.255.255.5, len 44, FIB policy routed
Dec 15 16:52:58.615: IP: s=172.28.130.10 (GigabitEthernet0/1.14), d=10.169.254.127, len 72, FIB policy match
Dec 15 16:52:58.615: IP: s=172.28.130.10 (GigabitEthernet0/1.14), d=10.169.254.127, g=10.255.255.5, len 72, FIB policy routed
Dec 15 16:52:58.615: IP: s=172.28.130.10 (GigabitEthernet0/1.14), d=10.169.254.127, len 533, FIB policy match
Dec 15 16:52:58.615: IP: s=172.28.130.10 (GigabitEthernet0/1.14), d=10.169.254.127, g=10.255.255.5, len 533, FIB policy routed
Dec 15 16:52:58.615: IP: s=172.28.130.10 (GigabitEthernet0/1.14), d=10.169.254.127, len 340, FIB policy match
Dec 15 16:52:58.615: IP: s=172.28.130.10 (GigabitEthernet0/1.14), d=10.169.254.127, g=10.255.255.5, len 340, FIB policy routed
Dec 15 16:52:58.615: IP: s=172.28.130.10 (GigabitEthernet0/1.14), d=10.169.254.127, len 292, FIB policy match
Dec 15 16:52:58.615: IP: s=172.28.130.10 (GigabitEthernet0/1.14), d=10.169.254.127, g=10.255.255.5, len 292, FIB policy routed
Dec 15 16:52:58.663: IP: s=172.28.130.10 (GigabitEthernet0/1.14), d=10.169.254.127, len 44, FIB policy match
Dec 15 16:52:58.663: IP: s=172.28.130.10 (GigabitEthernet0/1.14), d=10.169.254.127, g=10.255.255.5, len 44, FIB policy routed
I'll post the results from ping/traceroutes here when I get them.
Again - thanks for all of your assistance!
12-15-2009 12:30 PM
Ah .... (shame-faced)
Forgot an additional PBR configuration on an internal core switch behind the 10.255.255.2 router. In effect - the PBRs on the VLAN3 router were working fine - the traffic just made a left turn after it entered 255.2 through another Internet gateway instead of a right turn to the correct gateway.
Sorry for all the confusion and wasting of your time.
Thanks again for all the help.
.... and Thanks to Edison too for his original assistance on an earlier post for the same issue.
12-15-2009 12:50 PM
Not a waste of time at all.
This is one of the biggest benefits of this forum. This can be used as such a useful tool. Sometimes it helps to bounce things off of someone and we oftentimes find the answer or, like in this case, find something we missed.
I am glad it is working now!