Solved: PBR Issues

Brent Rockburn · ‎04-12-2010

Ok, here goes.

I've implemented policy based routing on my 4507 in the following manner

route-map routeASA permit 10

match ip address acl-routeASA

set ip next-hop 10.xx.xx.65

int vlan50

ip policy route-map routeASA

sw-core#sh access-lists acl-routeASA
Extended IP access list acl-routeASA
50 permit ip host 10.xx.x.57 any (3115 matches)
200 deny ip any any (292921 matches)
sw-core#

So what I am seeing is that I can get out to the internet fine (the next hop IP is an ASA) but I can't reach anything outside my subnet 10.xx.x.0/23

I thought that by putting the deny statement in place(I know there is an implicit deny I just put it in for visual help) after my ip address it would stop my IP from going to the next hop IP for all the internal subnets but that doesn't seem to be the case .. any ideas?

Jon Marshall · ‎04-12-2010

b.rockburn wrote:

Ok, here goes.

I've implemented policy based routing on my 4507 in the following manner

route-map routeASA permit 10

match ip address acl-routeASA

set ip next-hop 10.xx.xx.65

int vlan50

ip policy route-map routeASA

sw-core#sh access-lists acl-routeASA
Extended IP access list acl-routeASA
50 permit ip host 10.xx.x.57 any (3115 matches)
200 deny ip any any (292921 matches)
sw-core#

So what I am seeing is that I can get out to the internet fine (the next hop IP is an ASA) but I can't reach anything outside my subnet 10.xx.x.0/23

I thought that by putting the deny statement in place(I know there is an implicit deny I just put it in for visual help) after my ip address it would stop my IP from going to the next hop IP for all the internal subnets but that doesn't seem to be the case .. any ideas?

Brent

You need to deny your internal subnets first then have the permit because your first permit is catching all traffic -

ip access-list extended acl-routeASA

50 deny ip host 10.x.x.57

60 deny ip host 10.x.x.57

etc.. for all your internal subnets then

150 permit ip host 10.x.x.57 any

Jon

View solution in original post

Jon Marshall · ‎04-12-2010

b.rockburn wrote:

Ok, here goes.

I've implemented policy based routing on my 4507 in the following manner

route-map routeASA permit 10

match ip address acl-routeASA

set ip next-hop 10.xx.xx.65

int vlan50

ip policy route-map routeASA

sw-core#sh access-lists acl-routeASA
Extended IP access list acl-routeASA
50 permit ip host 10.xx.x.57 any (3115 matches)
200 deny ip any any (292921 matches)
sw-core#

So what I am seeing is that I can get out to the internet fine (the next hop IP is an ASA) but I can't reach anything outside my subnet 10.xx.x.0/23

I thought that by putting the deny statement in place(I know there is an implicit deny I just put it in for visual help) after my ip address it would stop my IP from going to the next hop IP for all the internal subnets but that doesn't seem to be the case .. any ideas?

Brent

You need to deny your internal subnets first then have the permit because your first permit is catching all traffic -

ip access-list extended acl-routeASA

50 deny ip host 10.x.x.57

60 deny ip host 10.x.x.57

etc.. for all your internal subnets then

150 permit ip host 10.x.x.57 any

Jon

Giuseppe Larosa · ‎04-12-2010

Hello Brent,

what is not permitted by the ACL is simply destination based routed not dropped

so your deny any line could be removed but it shouldn't cause the issue.

I would try with a new ACL without that line to see what happens the multilayer switch has to map the PBR action in the TCAM entries but again it should not be an issue.

Edit:

Jon is on spot here again:

you may want to use PBR only for internet access so you should deny internal networks but check on ASA if these networks are known.

Hope to help

Giuseppe

lamav · ‎04-12-2010

"I thought that by putting the deny statement in place(I know there is an implicit deny I just put it in for visual help) after my ip address it would stop my IP from going to the next hop IP for all the internal subnets but that doesn't seem to be the case .. any ideas?"

Brent, I would like to expound a bit on what Jon and Giuseppe have told you.

Access Control Lists (ACLs) are processed from the top statement down to the last statement in search of a possible match. A packet that is tested against the rules indicated in the extended IP ACL will have its source and destination IP addresses examined. If there is a match with one of the statements in the ACL, the configured action will occur -- etither be permitted or denied -- and no further processing takes place.

If, however, there is no match after each configured rule of the ACL is tested against the packet's header, the implicit deny any any at the end will catch it and the packet will either be discarded (if the ACL is used for securty purposes) or it will be routed according to its destination address, if the ACL is part of PBR; in other words, it will not be policy-routed.

In your case, as Jon explained, the explicit deny at the end of your ACL is worthless because the first statement of the ACL has a destination address of "any," which means that all packets from the source host -- and destined for any address at all -- will match the terms of that statement and be "permitted" and therefore will be policy-routed.

From what I gather, you only want Internet-destined traffic to be policy-routed according to your PBR configuration, so you don't need a deny statement for each subnet on your network; that may be time consuming and you may miss one or 2. All you need to do is create one deny statement for the private address space you are using on your network first, and then the permit statement from the host to any for Internet traffic.

ip access-list extended Internet_traffic

deny ip host 10.x.x.57 10.0.0.0 0.255.255.255

permit ip host 10.x.x.57 any

HTH

Victor