Help me, Route-map on Catalyst 4503

Answered Question
Mar 5th, 2012

Hello,

I'm configuring PBR on a Catalyst 4503, but it doesn't work. Here is the configuration and a basic diagram:

                                     +--> Router 3845 (10.4.30.20)
Server (10.4.28.60) --> ASA5520 --> Catalyst 4503
                                     +--> Router 3945 (10.4.30.21)

Catalyst 4503:

access-list 110 permit ip host 10.4.28.60 10.1.0.0 0.0.255.255
access-list 110 permit ip host 10.4.28.60 10.3.0.0 0.0.255.255
access-list 110 permit ip host 10.4.28.60 10.5.0.0 0.0.255.255
access-list 110 permit ip host 10.4.28.60 10.6.0.0 0.0.255.255
!
route-map Corebank_policy permit 20
 match ip address 110
 set ip next-hop 10.4.30.20
!

The route-map is applied on interface Vlan10 (the link from the ASA to the Catalyst 4503):

interface Vlan10
 ip address 10.4.30.11 255.255.255.248
 ip policy route-map Corebank_policy
 standby 10 ip 10.4.30.9
 standby 10 priority 200
 standby 10 preempt
end

Show route-map command on the 4503:

route-map Corebank_policy, permit, sequence 20
  Match clauses:
    ip address (access-lists): 110
  Set clauses:
    ip next-hop 10.4.30.20
  Policy routing matches: 30 packets, 1800 bytes

Sometimes, traffic still passes through Router 3945 (10.4.30.21).

If anyone has an idea what it is, please tell me.

Thanks

v.ganapathi Mon, 03/05/2012 - 22:16

Hello,

Your topology seems to be unclear.

                                     +--> Router 3845 (10.4.30.20)
Server (10.4.28.60) --> ASA5520 --> Catalyst 4503
                                     +--> Router 3945 (10.4.30.21)

Could you please provide me a diagrammatic representation of your topology to help further?

Thanks

Vivek

mukti_chandwani Mon, 03/05/2012 - 23:02

Hello,

How are you verifying that traffic is sometimes passing through Router 3945 (10.4.30.21)?

Can we check which traffic it is?

I see very few hits in PBR; I would like to see the hits in the ACL.

Policy routing matches: 30 packets, 1800 bytes

Is it a testing environment or production? Do you see anything in the logs that PBR is failing?

Is the next hop a connected interface, or do we have to perform a RIB lookup to reach 10.4.30.20 or .21?

Can you paste the output of sh ip route 10.4.30.20 and sh access-list 110?

romeo_2002 Mon, 03/05/2012 - 23:13

Dear Mukti Chandwani,

It's our production environment. I ran tracert 10.5.1.1 on the server (10.4.28.60) and see traffic passing through Router 3945.

Here is the output of sh ip route 10.4.30.20 and sh access-list 110:

sh ip route 10.4.30.20
Routing entry for 10.4.30.20/32
  Known via "ospf 1", distance 110, metric 1, type intra area
  Last update from 10.4.30.20 on Vlan11, 00:06:12 ago
  Routing Descriptor Blocks:
  * 10.4.30.20, from 10.4.30.20, 00:06:12 ago, via Vlan11
      Route metric is 1, traffic share count is 1

sh access-lists 110
Extended IP access list 110
    10 permit ip host 10.4.28.60 10.1.0.0 0.0.255.255
    20 permit ip host 10.4.28.60 10.3.0.0 0.0.255.255
    30 permit ip host 10.4.28.60 10.5.0.0 0.0.255.255 (30 matches)
    40 permit ip host 10.4.28.60 10.6.0.0 0.0.255.255

Thanks,

thiyagu_cisco Mon, 03/05/2012 - 23:19

Hi,

A few things which might not be 100% correct, but I wanted to share them here.

Scenario#1.

How would you expect PBR to work when the server is in a different VLAN than VLAN#10, where PBR is applied?

VLAN#10 is 10.4.30.8/29, but the server (10.4.28.60) is in a different VLAN. Should the server traffic come to VLAN#10 and be routed based on PBR? No.

Scenario#2. PBR will work if you meet the following:

    If you have users in VLAN#10 and the users are trying to communicate to and from the server.

    Along with the first line you should have "access-list 110 permit ip host 10.4.28.60 VLAN#10"

Thanks,

ThiyaguVG.

romeo_2002 Mon, 03/05/2012 - 23:29

Dear ThiyaguVG,

Thanks for your advice, but I want all important traffic (server 10.4.28.60) to the branches to pass through the leased-line connection (on Router 3845) and all other traffic (other servers) to pass through the MPLS connection (on Router 3945). Vlan#10 doesn't have users; it is used to connect the 4503 to the ASA.

Thanks

mukti_chandwani Mon, 03/05/2012 - 23:55

OK. The reason I was wondering is that, if you notice, the matches in the ACL and the matches in PBR are exactly the same. That means whatever traffic matches the ACL is getting policy routed.

Please paste a tracert from the server to 10.5.1.1.

I hope there is no NAT for source/destination addresses when crossing the ASA.

Also, could you please make a slight change in your configuration: instead of

set ip next-hop 10.4.30.20, please change it to set ip next-hop recursive 10.4.30.20

It's not considering it as a connected route:

Routing entry for 10.4.30.20/32
  Known via "ospf 1", distance 110, metric 1, type intra area


v.ganapathi Mon, 03/05/2012 - 23:41

Hello,

Looks to me like one of your ACL entries is being matched.

30 permit ip host 10.4.28.60 10.5.0.0 0.0.255.255 (30 matches)

Have you tried hitting those other destinations, like 10.1.0.0 etc., as defined in the ACL?

Or do you mean PBR is intermittently not kicking in?

Thanks

Vivek

romeo_2002 Mon, 03/05/2012 - 23:56

Dear Vivek

Yes, I've tried to tracert other IPs, but it seems that PBR doesn't work. 30 packets is very small, because we have many people in the branches using the application on server 10.4.28.60.

Thanks

Correct Answer
v.ganapathi Mon, 03/05/2012 - 23:56

Just to add, is it possible for you to run a debug (debug ip policy)?

  • This is to be done on your HSRP primary switch for VLAN 10.
  • Attempt to access any of the destinations specified in your ACL from the host 10.4.28.60.

As you are running OSPF between the 4500 and the router, and the next hop is not seen as a directly connected network, you may need to change your configs to look something like this:

access-list 110 permit ip host 10.4.28.60 10.1.0.0 0.0.255.255
access-list 110 permit ip host 10.4.28.60 10.3.0.0 0.0.255.255
access-list 110 permit ip host 10.4.28.60 10.5.0.0 0.0.255.255
access-list 110 permit ip host 10.4.28.60 10.6.0.0 0.0.255.255

!

route-map Corebank_policy permit 20
match ip address 110
set ip next-hop recursive 10.4.30.20
!
interface Vlan10
ip address 10.4.30.11 255.255.255.248
ip policy route-map Corebank_policy
standby 10 ip 10.4.30.9
standby 10 priority 200
standby 10 preempt

Please post the results.

romeo_2002 Tue, 03/06/2012 - 00:17

Dear Vivek, Mukti Chandwani,

I added IP address 10.4.28.2 to the access list, and this is the output of tracert 10.5.1.1:

traceroute 10.5.1.1
Type escape sequence to abort.
Tracing the route to 10.5.1.1
  1 10.4.30.11 9 msec 0 msec 0 msec
  2 10.4.30.21 8 msec 0 msec 0 msec
  3 10.0.253.30 17 msec *  9 msec

The route-map config doesn't have the set ip next-hop recursive command. (IOS version: Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500-ENTSERVICESK9-M), Version 15.0(2)SG3, RELEASE SOFTWARE (fc2))

(config-route-map)#set ip next-hop ?
  A.B.C.D       IP address of next hop
  dynamic       application dynamically sets next hop
  peer-address  Use peer address (for BGP only)

Thanks

mukti_chandwani Tue, 03/06/2012 - 00:35

Thanks for the output.

Can you tell me why you have a /32 host route via OSPF? Please paste the output of

sh run int vlan 11

I want to see the subnet. The reason it is failing is that by default PBR considers the next hop to be directly connected; however, in our case the router has to go through the routing table to reach 10.4.30.20.

This issue is related to recursive lookup. You might need to upgrade the IOS.

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/12s_pbr.html

If you want to verify that this is the case, you can check by adding a test set ip next-hop with a next hop which is directly connected to the 4500, and that will work.

Regards,

Mukti

romeo_2002 Tue, 03/06/2012 - 00:45

Thanks Mukti Chandwani,

Here is the output of sh int vlan 11 and sh int bvi 1 on the router:

interface Vlan11
 description ****Vlan ket noi toi Router 3845****
 ip address 10.4.30.19 255.255.255.248
 ip ospf network point-to-multipoint
 standby 11 ip 10.4.30.17
 standby 11 priority 200
 standby 11 preempt
end

interface BVI1
 description ***Connect to CoreSwitch 4503***
 ip address 10.4.30.21 255.255.255.248
 ip ospf network point-to-multipoint
 ip ospf cost 10
end

Is the "ip ospf network point-to-multipoint" command the problem?

v.ganapathi Tue, 03/06/2012 - 01:02

Yes, ip ospf network point-to-multipoint advertises a /32. You may need to change them to point-to-point.

Also, why do you require to have a BVI interface between your 4500 & Router?

v.ganapathi Tue, 03/06/2012 - 00:48

Hello Mr Anh,

Did you get a chance to run those debugs as requested by me? Debugs will provide us a good picture of what could be happening.

Thanks

Vivek

romeo_2002 Tue, 03/06/2012 - 00:55

Dear Vivek,

Sorry for the late reply. Here is the output of debug ip policy when I traceroute 10.5.1.1 from IP 10.4.28.2:

026155: 2w2d: IP: s=10.4.28.9 (Vlan10), d=10.4.29.60, len 1029, FIB policy rejected(no match) - normal forwardingPolicy NextHop Inquiry: Corebank_policy seq: 20, type: INVALID SW_OBJ_TYPE: 0, SW_HANDLE: 0
026156: 2w2d: IP: s=10.4.28.2 (Vlan10), d=10.5.1.1, len 28, policy match
026157: 2w2d: IP: route map Corebank_policy, item 20, permit
026158: 2w2d: IP: s=10.4.28.2 (Vlan10), d=10.5.1.1 (Vlan11), len 28, policy routed
026159: 2w2d: IP: Vlan10 to Vlan11 10.4.30.20
026160: 2w2d: IP: s=10.4.28.2 (Vlan10), d=10.5.1.1, len 28, policy match
026161: 2w2d: IP: route map Corebank_policy, item 20, permit
026162: 2w2d: IP: s=10.4.28.2 (Vlan10), d=10.5.1.1 (Vlan11), len 28, policy routed
026163: 2w2d: IP: Vlan10 to Vlan11 10.4.30.20
026164: 2w2d: IP: s=10.4.28.2 (Vlan10), d=10.5.1.1, len 28, policy match
026165: 2w2d: IP: route map Corebank_policy, item 20, permit
026166: 2w2d: IP: s=10.4.28.2 (Vlan10), d=10.5.1.1 (Vlan11), len 28, policy routed
026167: 2w2d: IP: Vlan10 to Vlan11 10.4.30.20Policy NextHop Inquiry: Corebank_policy seq: 20, type: INVALID SW_OBJ_TYPE: 0, SW_HANDLE: 0
Policy NextHop Inquiry: Corebank_policy seq: 20, type: INVALID SW_OBJ_TYPE: 0, SW_HANDLE: 0
HOHN_CS4503_02#Policy NextHop Inquiry: Corebank_policy seq: 20, type: INVALID SW_OBJ_TYPE: 0, SW_HANDLE: 0
026168: 2w2d: IP: s=10.4.28.2 (Vlan10), d=10.5.1.1, len 28, policy match
026169: 2w2d: IP: route map Corebank_policy, item 20, permit
026170: 2w2d: IP: s=10.4.28.2 (Vlan10), d=10.5.1.1 (Vlan11), len 28, policy routed
026171: 2w2d: IP: Vlan10 to Vlan11 10.4.30.20
026172: 2w2d: IP: s=10.4.28.2 (Vlan10), d=10.5.1.1, len 28, policy match
026173: 2w2d: IP: route map Corebank_policy, item 20, permit
026174: 2w2d: IP: s=10.4.28.2 (Vlan10), d=10.5.1.1 (Vlan11), len 28, policy routed
026175: 2w2d: IP: Vlan10 to Vlan11 10.4.30.20
026176: 2w2d: IP: s=10.4.28.2 (Vlan10), d=10.5.1.1, len 28, policy match
026177: 2w2d: IP: route map Corebank_policy, item 20, permit
026178: 2w2d: IP: s=10.4.28.2 (Vlan10), d=10.5.1.1 (Vlan11), len 28, policy routed
026179: 2w2d: IP: Vlan10 to Vlan11 10.4.30.20Policy NextHop Inquiry: Corebank_policy seq: 20, type: INVALID SW_OBJ_TYPE: 0, SW_HANDLE: 0
026180: 2w2d: IP: s=10.4.28.9 (Vlan10), d=10.4.29.60, len 1029, FIB policy rejected(no match) - normal forwarding

And here is the traceroute result:

traceroute 10.5.1.1
Type escape sequence to abort.
Tracing the route to 10.5.1.1
  1 10.4.30.11 8 msec 0 msec 8 msec
  2 10.4.30.21 0 msec 9 msec 0 msec
  3 10.0.253.30 8 msec *  8 msec
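One way to read that debug output mechanically, as an added example that is not part of this thread: the script below parses the debug ip policy lines and the traceroute, counts how many packets the software path claims to have policy routed to 10.4.30.20, counts the "Policy NextHop Inquiry ... type: INVALID" messages for sequence 20, and compares that with the hop that actually followed the 4503 in the traceroute. The sample lines are constructed after the ones in this post; the function names and the verdict fields of assess() are this example's own, not IOS commands or output.

```python
"""Summarise 'debug ip policy' output against a traceroute from the same host.

Added example, not from the original thread: the sample debug and traceroute
lines below are constructed after the ones posted above, and the function
names are this example's own, not IOS commands.
"""
import re
from collections import Counter

# A per-packet policy decision. The egress interface is only present on the
# 'policy routed' line, and a 'Policy NextHop Inquiry' message may be glued
# to the end of any line because the console interleaves them.
_DECISION = re.compile(
    r"IP: s=(?P<src>[\d.]+) \((?P<iif>\w+)\), d=(?P<dst>[\d.]+)"
    r"(?: \((?P<oif>\w+)\))?, len \d+, "
    r"(?P<verdict>policy match|policy routed|FIB policy rejected\(no match\))"
)
# 'IP: Vlan10 to Vlan11 10.4.30.20': the next hop PBR handed the packet to.
_FORWARD = re.compile(r"IP: (?P<iif>\w+) to (?P<oif>\w+) (?P<nh>[\d.]+)")
# 'Policy NextHop Inquiry: <map> seq: <n>, type: INVALID ...'
_INQUIRY = re.compile(
    r"Policy NextHop Inquiry: (?P<map>\S+) seq: (?P<seq>\d+), type: (?P<type>\w+)"
)
# IOS-style traceroute hop: '  2 10.4.30.21 0 msec 9 msec 0 msec'
_HOP = re.compile(r"^\s*(?P<n>\d+)\s+(?P<ip>\d+\.\d+\.\d+\.\d+)")


def parse_policy_debug(text):
    """Count policy decisions per flow, next hops used, and next-hop inquiries
    whose type is anything other than VALID (the next hop could not be
    resolved as a directly connected adjacency)."""
    stats = {
        "match": Counter(), "routed": Counter(), "rejected": Counter(),
        "next_hop": Counter(), "invalid_inquiry": Counter(),
    }
    for line in text.splitlines():
        d = _DECISION.search(line)
        if d:
            flow = (d["src"], d["dst"])
            key = {"policy match": "match", "policy routed": "routed"}.get(
                d["verdict"], "rejected")
            stats[key][flow] += 1
        f = _FORWARD.search(line)
        if f:
            stats["next_hop"][(f["oif"], f["nh"])] += 1
        for q in _INQUIRY.finditer(line):
            if q["type"] != "VALID":
                stats["invalid_inquiry"][(q["map"], int(q["seq"]))] += 1
    return stats


def parse_traceroute(text):
    """Return the hop addresses of an IOS-style traceroute in hop order."""
    hops = {}
    for line in text.splitlines():
        h = _HOP.match(line)
        if h:
            hops[int(h["n"])] = h["ip"]
    return [hops[n] for n in sorted(hops)]


def assess(debug_text, trace_text, device_ip, expected_next_hop):
    """Compare what the debug says PBR did with the path the traceroute shows.

    device_ip is the policy-routing switch as it appears in the traceroute;
    the hop after it is the next hop that actually forwarded the probes."""
    stats = parse_policy_debug(debug_text)
    hops = parse_traceroute(trace_text)
    observed = None
    if device_ip in hops:
        i = hops.index(device_ip)
        if i + 1 < len(hops):
            observed = hops[i + 1]
    claimed = sum(n for (_, nh), n in stats["next_hop"].items()
                  if nh == expected_next_hop)
    return {
        "policy_routed_packets": sum(stats["routed"].values()),
        "debug_claims_next_hop": claimed,
        "invalid_inquiries": sum(stats["invalid_inquiry"].values()),
        "observed_next_hop": observed,
        "pbr_effective": observed == expected_next_hop,
    }


# Constructed sample, shortened from the output posted in this thread.
SAMPLE_DEBUG = """\
026155: 2w2d: IP: s=10.4.28.9 (Vlan10), d=10.4.29.60, len 1029, FIB policy rejected(no match) - normal forwardingPolicy NextHop Inquiry: Corebank_policy seq: 20, type: INVALID SW_OBJ_TYPE: 0, SW_HANDLE: 0
026156: 2w2d: IP: s=10.4.28.2 (Vlan10), d=10.5.1.1, len 28, policy match
026157: 2w2d: IP: route map Corebank_policy, item 20, permit
026158: 2w2d: IP: s=10.4.28.2 (Vlan10), d=10.5.1.1 (Vlan11), len 28, policy routed
026159: 2w2d: IP: Vlan10 to Vlan11 10.4.30.20
026160: 2w2d: IP: s=10.4.28.2 (Vlan10), d=10.5.1.1, len 28, policy match
026161: 2w2d: IP: route map Corebank_policy, item 20, permit
026162: 2w2d: IP: s=10.4.28.2 (Vlan10), d=10.5.1.1 (Vlan11), len 28, policy routed
026163: 2w2d: IP: Vlan10 to Vlan11 10.4.30.20Policy NextHop Inquiry: Corebank_policy seq: 20, type: INVALID SW_OBJ_TYPE: 0, SW_HANDLE: 0
"""
SAMPLE_TRACE = """\
Tracing the route to 10.5.1.1
  1 10.4.30.11 8 msec 0 msec 8 msec
  2 10.4.30.21 0 msec 9 msec 0 msec
  3 10.0.253.30 8 msec *  8 msec
"""

if __name__ == "__main__":
    print(assess(SAMPLE_DEBUG, SAMPLE_TRACE, "10.4.30.11", "10.4.30.20"))
```

Run it as-is and the verdict shows the contradiction the thread is chasing: every matched packet is reported as "policy routed" towards 10.4.30.20, yet each burst ends with an INVALID next-hop inquiry for sequence 20, and the traceroute's second hop is 10.4.30.21.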

Correct Answer
mukti_chandwani Tue, 03/06/2012 - 01:21

OK. What I think is that the reason you have a /32 route is that your OSPF network type is point-to-multipoint. So even though you have the network as directly connected, it is seeing the interface as a /32 host route, and your debug shows that it is not able to reach the next hop:

26179: 2w2d: IP: Vlan10 to Vlan11 10.4.30.20Policy NextHop Inquiry: Corebank_policy seq: 20, type: INVALID SW_OBJ_TYPE: 0, SW_HANDLE: 0

The moment you make the OSPF network type point-to-multipoint, it will inject a /32 host route for the interface. Now, to get around this problem:

1. Change the OSPF network type (I am not sure how feasible it would be in your production environment).

2. Use an IOS version which supports the recursive command.

I will look for command support on this platform; in parallel, could you please let me know if you have got a chance to test it with a connected interface?
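To make that explanation concrete, here is an added example (not from this thread or from Cisco) that models the RIB lookup the switch performs on the PBR next hop: longest prefix match, where the point-to-multipoint /32 beats the connected /29 so the next hop is no longer seen as directly connected, and the same lookup once the host route is gone. The route entries are built from the outputs posted above; the 10.5.0.0/16 route via 10.4.30.21 and the helper names are assumptions of the example.

```python
"""Resolve a PBR next hop against the RIB and say whether 'set ip next-hop'
(without 'recursive') can use it.

Added example, not from the original thread: the routes below are built from
the outputs posted above (Vlan11 is 10.4.30.16/29, OSPF learns 10.4.30.20/32
from the 3845); the branch route via 10.4.30.21 is an assumption, and the
helper names are this example's own, not IOS commands.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: str                     # e.g. "10.4.30.16/29"
    source: str                     # "connected" or e.g. "ospf 1"
    interface: str                  # egress interface
    next_hop: Optional[str] = None  # None for connected routes


def _net(route):
    return ipaddress.ip_network(route.prefix, strict=False)


def longest_match(table, address):
    """RIB lookup: the most specific prefix covering address wins, whatever its
    source. This is why a /32 host route beats the connected /29."""
    addr = ipaddress.ip_address(address)
    best, best_len = None, -1
    for r in table:
        n = _net(r)
        if addr in n and n.prefixlen > best_len:
            best, best_len = r, n.prefixlen
    return best


def classify_pbr_next_hop(table, next_hop):
    """Classify a 'set ip next-hop' target:
      connected   - longest match is a connected route; plain set ip next-hop works
      shadowed    - a connected subnet covers it, but a longer non-connected prefix
                    (the OSPF point-to-multipoint /32) hides it
      remote      - reachable only through another router (needs 'recursive')
      unreachable - no route at all
    """
    addr = ipaddress.ip_address(next_hop)
    best = longest_match(table, next_hop)
    if best is None:
        return "unreachable"
    if best.source == "connected":
        return "connected"
    if any(r.source == "connected" and addr in _net(r) for r in table):
        return "shadowed"
    return "remote"


# RIB with 'ip ospf network point-to-multipoint' on Vlan11: the neighbour's
# host route is injected alongside the connected /29.
P2MP_TABLE = [
    Route("10.4.30.8/29", "connected", "Vlan10"),
    Route("10.4.30.16/29", "connected", "Vlan11"),
    Route("10.4.30.20/32", "ospf 1", "Vlan11", "10.4.30.20"),
    Route("10.5.0.0/16", "ospf 1", "Vlan11", "10.4.30.21"),  # assumed branch route
]

# Same RIB after the OSPF network type is changed: no /32 host route.
P2P_TABLE = [r for r in P2MP_TABLE if r.prefix != "10.4.30.20/32"]


if __name__ == "__main__":
    for name, table in (("point-to-multipoint", P2MP_TABLE),
                        ("point-to-point", P2P_TABLE)):
        best = longest_match(table, "10.4.30.20")
        print(f"{name}: 10.4.30.20 -> {best.prefix} ({best.source}) "
              f"=> {classify_pbr_next_hop(table, '10.4.30.20')}")
```

With the /32 present the next hop classifies as "shadowed", which is the state the debug's INVALID next-hop inquiry reflects; remove the host route (change the OSPF network type) or use an IOS that supports set ip next-hop recursive, and the same address resolves through the connected /29.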

romeo_2002 Fri, 03/09/2012 - 07:56

Dear Vivek, Mukti Chandwani,

I changed the OSPF network type and PBR works OK.

Thanks


This Discussion

Posted March 5, 2012 at 8:17 PM
Stats:
Replies:21 Avg. Rating:5
Views:1155 Votes:0