Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
460
Views
5
Helpful
2
Replies

Policy baced routing with ACLs that deny - how does it work?

Go to solution
karien.verster
Level 1
Level 1

‎08-12-2010 06:36 AM - edited ‎03-04-2019 09:23 AM

HI all,

this is my first time posting a question here, so just have a little patience

I have a problem with Policy Based routing on a client network.  the machine is a 3560 switch on the edge of their network.  behind this machine on their own network they have an ASA, but since it only has 2 interfaces they can only connect the internal network and then to the edge switch.  That's why the switch is used to connect to the different ISPs. This ASA also has a default route to the switch.  Currently the config is more or less like so:

ip access-list extended list_1

deny ip host 10.10.10.1 any

deny ip host 10.10.10.2 any

deny ip host 10.10.10.3 any

permit ip any any

ip access-list extended list_2

permit ip host 10.10.10.1 any

permit ip host 10.10.10.2 any

ip access-list extended list_3

permit ip host 10.10.10.3 any

!

route-map Map_1 permit 10

match ip address list_1

set ip next-hop 192.168.x.1

!

route-map Map_1 permit 20

match ip address list_2

set ip next-hop 192.168.x.2

!

route-map Map_1 permit 30

match ip address list_3

set ip next-hop 192.168.x.3

!

this route map is then applied to an interface on the switch that receives all traffic from the ASA.  The 192. addresses would be the 3 different ISP.  the basic idea behind this is to get the 10.10.10.3 traffic to use the 192.168.x.3 as its next hop, but somehow this isnt working.  i am now trying to eliminate all possible confusion from the configs i have been given (no, dont have access to the machines - only configs they send me)

what i would like to know is, if a packet from source 10.10.10.3 hits this  switch interface (where route-map is applied), is the traffic going to be dropped because of the ACL list_1 denying that ip?  or would it just say, ok - you don't match, and move onto the routemap permit 20 statement - not match, then to the permit 30 statement and finally be routed to the correct destination?

my config of the client site is reduced a lot in its complexity - just to make it a little easier to read.

hope someone can give me just a simple answer.

just ask if im not giving enough information

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎08-12-2010 08:01 AM 

karien.verster wrote:

ip access-list extended list_1
 deny ip host 10.10.10.1 any
 deny ip host 10.10.10.2 any 
 deny ip host 10.10.10.3 any
 permit ip any any
ip access-list extended list_2
 permit ip host 10.10.10.1 any 
 permit ip host 10.10.10.2 any 
ip access-list extended list_3
 permit ip host 10.10.10.3 any
!
route-map Map_1 permit 10
 match ip address list_1
 set ip next-hop 192.168.x.1
!
route-map Map_1 permit 20
 match ip address list_2
 set ip next-hop 192.168.x.2
!
route-map Map_1 permit 30
 match ip address list_3
 set ip next-hop 192.168.x.3
!

Once a match has been made processing of the route-map stops. If the match is a permit statement in the acl then the packet is policy routed. If the match is a deny then the packet is routed using the routing table ie. it is not policy routed.

So a packet sourced from 10.10.10.3 going to any destination will be routed using the routing table because of the entry in the access-list list_1 ie.

ip access-list extended list_1
 deny ip host 10.10.10.1 any
 deny ip host 10.10.10.2 any 
 deny ip host 10.10.10.3 any

Easiest way to fix this is to reorder your route-map and modify access-list list_1 ie.

ip access-list extended list_1

permit ip any any

ip access-list extended list_2

permit ip host 10.10.10.1 any

permit ip host 10.10.10.2 any

ip access-list extended list_3

permit ip host 10.10.10.3 any

!

route-map Map_1 permit 10

match ip address list_2

set ip next-hop 192.168.x.2

!

route-map Map_1 permit 20

match ip address list_3

set ip next-hop 192.168.x.3

route-map ,Map_2 permit 30

match ip address list_1

set ip next-hop 192.168.x.1

However if you set the default-route on your 3560 to be 192.168.x.1 then you can completely remove list_1 and the corresponding route-map entry so your final config would look like -

ip access-list extended list_2

permit ip host 10.10.10.1 any

permit ip host 10.10.10.2 any

ip access-list extended list_3

permit ip host 10.10.10.3 any

!

route-map Map_1 permit 20

match ip address list_2

set ip next-hop 192.168.x.2

!

route-map Map_1 permit 30

match ip address list_3

set ip next-hop 192.168.x.3

Jon

View solution in original post

2 Replies 2

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎08-12-2010 08:01 AM 

karien.verster wrote:

ip access-list extended list_1
 deny ip host 10.10.10.1 any
 deny ip host 10.10.10.2 any 
 deny ip host 10.10.10.3 any
 permit ip any any
ip access-list extended list_2
 permit ip host 10.10.10.1 any 
 permit ip host 10.10.10.2 any 
ip access-list extended list_3
 permit ip host 10.10.10.3 any
!
route-map Map_1 permit 10
 match ip address list_1
 set ip next-hop 192.168.x.1
!
route-map Map_1 permit 20
 match ip address list_2
 set ip next-hop 192.168.x.2
!
route-map Map_1 permit 30
 match ip address list_3
 set ip next-hop 192.168.x.3
!

Once a match has been made processing of the route-map stops. If the match is a permit statement in the acl then the packet is policy routed. If the match is a deny then the packet is routed using the routing table ie. it is not policy routed.

So a packet sourced from 10.10.10.3 going to any destination will be routed using the routing table because of the entry in the access-list list_1 ie.

ip access-list extended list_1
 deny ip host 10.10.10.1 any
 deny ip host 10.10.10.2 any 
 deny ip host 10.10.10.3 any

Easiest way to fix this is to reorder your route-map and modify access-list list_1 ie.

ip access-list extended list_1

permit ip any any

ip access-list extended list_2

permit ip host 10.10.10.1 any

permit ip host 10.10.10.2 any

ip access-list extended list_3

permit ip host 10.10.10.3 any

!

route-map Map_1 permit 10

match ip address list_2

set ip next-hop 192.168.x.2

!

route-map Map_1 permit 20

match ip address list_3

set ip next-hop 192.168.x.3

route-map ,Map_2 permit 30

match ip address list_1

set ip next-hop 192.168.x.1

However if you set the default-route on your 3560 to be 192.168.x.1 then you can completely remove list_1 and the corresponding route-map entry so your final config would look like -

ip access-list extended list_2

permit ip host 10.10.10.1 any

permit ip host 10.10.10.2 any

ip access-list extended list_3

permit ip host 10.10.10.3 any

!

route-map Map_1 permit 20

match ip address list_2

set ip next-hop 192.168.x.2

!

route-map Map_1 permit 30

match ip address list_3

set ip next-hop 192.168.x.3

Jon

Go to solution
karien.verster
Level 1
Level 1
In response to Jon Marshall

‎08-12-2010 09:20 AM

Thank you very much Jon

this explains the whole situation

all i have to do now is get them to make the changes - i will remove that ACL like you suggested, and make the whole config a lot easier to read for someone like me

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card