08-12-2010 06:36 AM - edited 03-04-2019 09:23 AM
Hi all,
This is my first time posting a question here, so please have a little patience.
I have a problem with policy-based routing on a client network. The machine is a 3560 switch on the edge of their network. Behind this machine, on their own network, they have an ASA, but since it only has 2 interfaces they can only connect the internal network and the edge switch. That's why the switch is used to connect to the different ISPs. This ASA also has a default route to the switch. Currently the config is more or less like so:
ip access-list extended list_1
deny ip host 10.10.10.1 any
deny ip host 10.10.10.2 any
deny ip host 10.10.10.3 any
permit ip any any
ip access-list extended list_2
permit ip host 10.10.10.1 any
permit ip host 10.10.10.2 any
ip access-list extended list_3
permit ip host 10.10.10.3 any
!
route-map Map_1 permit 10
match ip address list_1
set ip next-hop 192.168.x.1
!
route-map Map_1 permit 20
match ip address list_2
set ip next-hop 192.168.x.2
!
route-map Map_1 permit 30
match ip address list_3
set ip next-hop 192.168.x.3
!
This route map is then applied to an interface on the switch that receives all traffic from the ASA. The 192. addresses would be the 3 different ISPs. The basic idea behind this is to get the 10.10.10.3 traffic to use 192.168.x.3 as its next hop, but somehow this isn't working. I am now trying to eliminate all possible confusion from the configs I have been given (no, I don't have access to the machines, only the configs they send me).
What I would like to know is: if a packet from source 10.10.10.3 hits this switch interface (where the route map is applied), is the traffic going to be dropped because of the ACL list_1 denying that IP? Or would it just say "OK, you don't match" and move on to the route-map permit 20 statement, not match, then on to the permit 30 statement and finally be routed to the correct destination?
My config of the client site is reduced a lot in its complexity, just to make it a little easier to read.
I hope someone can give me just a simple answer.
Just ask if I'm not giving enough information.
08-12-2010 08:01 AM
karien.verster wrote:
ip access-list extended list_1
deny ip host 10.10.10.1 any
deny ip host 10.10.10.2 any
deny ip host 10.10.10.3 any
permit ip any any
ip access-list extended list_2
permit ip host 10.10.10.1 any
permit ip host 10.10.10.2 any
ip access-list extended list_3
permit ip host 10.10.10.3 any
!
route-map Map_1 permit 10
match ip address list_1
set ip next-hop 192.168.x.1
!
route-map Map_1 permit 20
match ip address list_2
set ip next-hop 192.168.x.2
!
route-map Map_1 permit 30
match ip address list_3
set ip next-hop 192.168.x.3
!
Once a match has been made, processing of the route map stops. If the match is a permit statement in the ACL then the packet is policy routed. If the match is a deny then the packet is routed using the routing table, i.e. it is not policy routed.
So a packet sourced from 10.10.10.3 going to any destination will be routed using the routing table because of the entry in the access-list list_1, i.e.
ip access-list extended list_1
deny ip host 10.10.10.1 any
deny ip host 10.10.10.2 any
deny ip host 10.10.10.3 any
The easiest way to fix this is to reorder your route-map and modify access-list list_1, i.e.
ip access-list extended list_1
permit ip any any
ip access-list extended list_2
permit ip host 10.10.10.1 any
permit ip host 10.10.10.2 any
ip access-list extended list_3
permit ip host 10.10.10.3 any
!
route-map Map_1 permit 10
match ip address list_2
set ip next-hop 192.168.x.2
!
route-map Map_1 permit 20
match ip address list_3
set ip next-hop 192.168.x.3
!
route-map Map_1 permit 30
match ip address list_1
set ip next-hop 192.168.x.1
However, if you set the default route on your 3560 to be 192.168.x.1 then you can completely remove list_1 and the corresponding route-map entry, so your final config would look like:
ip access-list extended list_2
permit ip host 10.10.10.1 any
permit ip host 10.10.10.2 any
ip access-list extended list_3
permit ip host 10.10.10.3 any
!
route-map Map_1 permit 20
match ip address list_2
set ip next-hop 192.168.x.2
!
route-map Map_1 permit 30
match ip address list_3
set ip next-hop 192.168.x.3
Jon
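The evaluation order the question asks about, as an added example that is not part of the thread (and not Cisco's code): a small Python model of how a packet's source address is matched against the ACLs and route-map sequences posted above. It assumes the thread's 192.168.x.N next hops are 192.168.0.N (the third octet is elided in the posts), and, because the whole question is whether an ACL deny stops route-map processing, it models that behaviour as a flag so both readings can be run against the same configuration. The flag shows why reordering is the robust fix: Jon's reordered config sends 10.10.10.3 to the x.3 next hop under both readings, whereas the original config's answer depends on which reading the platform implements.

```python
"""Added example: evaluate the thread's ACLs and PBR route-map for a given source IP.
Not code from the posts or from Cisco; see the lead-in for what it assumes."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

ROUTING_TABLE = "routing-table"          # sentinel: packet is not policy routed

@dataclass
class Seq:                               # one "route-map NAME permit|deny N" clause
    number: int
    action: str
    acl: str | None = None               # from "match ip address"
    next_hop: str | None = None          # from "set ip next-hop"

def parse_config(text: str):
    """Return (acls, maps): ACL name -> [(action, source_network)] in order, and
    route-map name -> [Seq].  Only the ACE forms the thread uses are accepted."""
    acls: dict[str, list[tuple[str, ipaddress.IPv4Network]]] = {}
    maps: dict[str, list[Seq]] = {}
    ctx = None                           # ("acl", name) or ("map", Seq) currently open
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if m := re.fullmatch(r"ip access-list extended (\S+)", line):
            ctx = ("acl", m.group(1))
            acls.setdefault(m.group(1), [])
        elif m := re.fullmatch(r"route-map (\S+) (permit|deny) (\d+)", line):
            ctx = ("map", Seq(int(m.group(3)), m.group(2)))
            maps.setdefault(m.group(1), []).append(ctx[1])
        elif ctx and ctx[0] == "acl":
            m = re.fullmatch(r"(permit|deny) ip (?:host (\S+)|(any)) (?:host \S+|any)", line)
            if not m:
                raise ValueError(f"unsupported ACE: {line!r}")
            src = ipaddress.ip_network("0.0.0.0/0" if m.group(3) else f"{m.group(2)}/32")
            acls[ctx[1]].append((m.group(1), src))
        elif ctx and ctx[0] == "map":
            if m := re.fullmatch(r"match ip address (\S+)", line):
                ctx[1].acl = m.group(1)
            elif m := re.fullmatch(r"set ip next-hop (\S+)", line):
                ctx[1].next_hop = m.group(1)
            else:
                raise ValueError(f"unsupported route-map line: {line!r}")
        else:
            raise ValueError(f"line outside any block: {line!r}")
    return acls, maps

def next_hop_for(config: str, src_ip: str, map_name: str = "Map_1",
                 deny_ends_evaluation: bool = True) -> str:
    """Next hop for a packet from src_ip, or ROUTING_TABLE if it is not policy routed.
    deny_ends_evaluation=True: an explicit ACL deny stops processing (the answer's
    reading); False: it only fails this sequence.  No ACE match falls through either way."""
    acls, maps = parse_config(config)
    src = ipaddress.ip_address(src_ip)
    for seq in sorted(maps[map_name], key=lambda s: s.number):
        # first matching ACE decides, as in an IOS ACL; none at all is the implicit deny
        verdict = next((act for act, net in acls[seq.acl] if src in net), "no-match")
        if verdict == "permit":          # a route-map 'deny' clause means normal routing
            return seq.next_hop if seq.action == "permit" and seq.next_hop else ROUTING_TABLE
        if verdict == "deny" and deny_ends_evaluation:
            return ROUTING_TABLE
    return ROUTING_TABLE

# Constructed from the thread's configs; 192.168.0.N stands in for its 192.168.x.N.
LISTS_2_3 = """
ip access-list extended list_2
 permit ip host 10.10.10.1 any
 permit ip host 10.10.10.2 any
ip access-list extended list_3
 permit ip host 10.10.10.3 any
"""
SEQ_20_30 = """
route-map Map_1 permit 20
 match ip address list_2
 set ip next-hop 192.168.0.2
route-map Map_1 permit 30
 match ip address list_3
 set ip next-hop 192.168.0.3
"""
ORIGINAL_CONFIG = """
ip access-list extended list_1
 deny ip host 10.10.10.1 any
 deny ip host 10.10.10.2 any
 deny ip host 10.10.10.3 any
 permit ip any any
""" + LISTS_2_3 + """
route-map Map_1 permit 10
 match ip address list_1
 set ip next-hop 192.168.0.1
""" + SEQ_20_30
FIXED_CONFIG = LISTS_2_3 + SEQ_20_30     # Jon's final config: list_1 and sequence 10 gone

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        for ip in ("10.10.10.1", "10.10.10.3", "10.10.10.9"):
            print(label, ip, next_hop_for(cfg, ip), next_hop_for(cfg, ip, deny_ends_evaluation=False))
```

Run it and the original config routes 10.10.10.3 by the routing table under the answer's reading but via 192.168.0.3 under the other, while the fixed config gives 192.168.0.3 both ways and leaves everything else (for example 10.10.10.9) to the default route, which is why Jon suggests pointing the switch's default route at 192.168.x.1 instead of keeping list_1.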
08-12-2010 09:20 AM
Thank you very much, Jon.
This explains the whole situation.
All I have to do now is get them to make the changes. I will remove that ACL like you suggested, and make the whole config a lot easier to read for someone like me.