ip policy route-map

josephschung
Level 1

Sir,

I have the following conf on a 3750X.

interface Vlan250
 ip address 172.16.252.10 255.255.255.0
 ip policy route-map INTERNET_ONLY
!
access-list 10 deny   10.0.0.0 0.0.0.255
access-list 10 deny   172.16.0.0 0.15.255.255
access-list 10 deny   192.168.0.0 0.0.255.255
access-list 10 permit any
!
route-map INTERNET_ONLY permit 10
 match ip address 10
 set ip next-hop 192.168.70.2

The purpose is to direct all traffic from non-private IP to 192.168.70.2. But the route-map figure is zero. Is there anything wrong with it?

Thank you.


8 Replies

Richard Burts
Hall of Fame

Perhaps it would help if we had a better understanding of your topology. But here is what I see so far. You have configured PBR on a vlan interface which has subnet 172.16.252.0/24. So I would expect traffic coming into that interface to have source addresses of 172.16.252.x. And your access list is denying any traffic with source address in 172.16.0.0 0.15.255.255. So is there traffic coming into interface vlan 250 whose source address is not 172.16.252.x?

HTH

Rick

Julio Carvajal
VIP Alumni

Hello Joseph,

Totally agree with Richard Burts.

The only thing that would make this route-map take effect is if you have all of the private subnet ranges (or at least some) reachable via this VLAN interface.

You know what I mean,

Otherwise you are not going to match it, to make it happen with the current setup do

access-list 13 permit 172.16.252.0 0.0.0.255
!
route-map INTERNET_ONLY permit 10
 no match ip address 10
 match ip address 13

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks for both.

The objective is to separate the Internet traffic from the internal LAN traffic while all traffic will be received on the VLAN250 interface.

Assumptions:

1) The internal LAN traffic is sourced from any of the private IP ranges only.

2) The Internet traffic should be sourced from none of the private IP ranges.

What I want to achieve is:

1) Let internal LAN traffic follow the routing table on the switch as usual.

2) Force received Internet traffic to 192.168.70.2.

If I permit the VLAN traffic (172.16.252.0 0.0.0.255), it will break the logic above.

Any idea? Thank you all.
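Rick's reasoning above (sources in the interface's own 172.16.252.x subnet fall inside the `deny 172.16.0.0 0.15.255.255` entry and never reach `permit any`) and Joseph's stated objective (private sources follow the routing table, everything else is sent to 192.168.70.2) can both be traced with a small wildcard-mask evaluator. The following is an added example, not code from the thread or from Cisco: it copies access-list 10 from the original post, while the sample source addresses and the function names are constructed for illustration. It also surfaces a check worth making on the posted ACL: `deny 10.0.0.0 0.0.0.255` covers only 10.0.0.0/24, so a private source such as 10.1.2.3 is not denied and would be policy-routed; a wildcard of 0.255.255.255 is what covers the full 10.0.0.0/8.

```python
"""Added example (not from the thread or from Cisco): a small evaluator for
Cisco standard-ACL wildcard matching, used to trace which source addresses
entering Vlan250 would be policy-routed by route-map INTERNET_ONLY.

ACL_10 is copied from the original post; the sample source addresses and
the function names are constructed for illustration.
"""
import ipaddress

# access-list 10 exactly as posted: (action, network, wildcard mask).
# Entries are evaluated top-down; the first match wins.
ACL_10 = [
    ("deny",   "10.0.0.0",    "0.0.0.255"),
    ("deny",   "172.16.0.0",  "0.15.255.255"),
    ("deny",   "192.168.0.0", "0.0.255.255"),
    ("permit", "0.0.0.0",     "255.255.255.255"),  # "permit any"
]

PBR_NEXT_HOP = "192.168.70.2"  # "set ip next-hop" in the posted route-map


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def acl_action(acl, src: str) -> str:
    """Return 'permit' or 'deny' for a source address.

    A standard ACL ends with an implicit 'deny any'.
    """
    for action, network, wildcard in acl:
        if wildcard_match(src, network, wildcard):
            return action
    return "deny"


def pbr_next_hop(src: str):
    """route-map INTERNET_ONLY permit 10: 'match ip address 10', then
    'set ip next-hop'. Returns the next hop when the packet is policy-routed,
    or None when it falls through to the normal routing table."""
    return PBR_NEXT_HOP if acl_action(ACL_10, src) == "permit" else None


def wildcard_to_prefixlen(wildcard: str) -> int:
    """Prefix length a contiguous wildcard mask corresponds to (0.0.0.255 -> 24)."""
    w = int(ipaddress.IPv4Address(wildcard))
    return 32 - w.bit_length()


def trace(sources):
    """Map each source address to its PBR outcome (next hop or None)."""
    return {src: pbr_next_hop(src) for src in sources}


if __name__ == "__main__":
    # Constructed sample sources seen "inbound" on Vlan250.
    samples = [
        "172.16.252.5",  # the interface's own subnet: denied -> routing table
        "192.168.70.2",  # RFC 1918: denied -> routing table
        "10.0.0.7",      # inside 10.0.0.0/24: denied -> routing table
        "10.1.2.3",      # still RFC 1918, but outside 10.0.0.0/24: permitted!
        "203.0.113.9",   # public (documentation range): policy-routed
    ]
    for src, hop in trace(samples).items():
        print(f"{src:15} -> {hop or 'routing table'}")
    # The first ACL entry's wildcard only covers a /24, not the whole 10/8 block.
    print("deny 10.0.0.0 0.0.0.255 covers a /%d" % wildcard_to_prefixlen("0.0.0.255"))
    print("deny 10.0.0.0 0.255.255.255 would cover a /%d" % wildcard_to_prefixlen("0.255.255.255"))
```

Run it with `python pbr_trace.py` (any file name works); the table it prints shows that with the posted ACL only the non-private sources are redirected, which is exactly what Rick describes, and that the 10.x.x.x entry needs the 0.255.255.255 wildcard to match Joseph's assumption that all private ranges stay on the routing table.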

I asked some questions which you have chosen to not answer. Until you are willing to tell us whether there are devices sending traffic "inbound" to vlan 250 whose IP address is not in 172.16.252.x we will not be able to offer very good advice.

HTH

Rick

Hello Rick,

Yes, "there are devices sending traffic "inbound" to vlan 250 whose IP address is not in 172.16.252.x". Actually, the interface is receiving traffic from both private IP and public IP ranges.

Thank you.

PS: a diagram is added.

If there is traffic being sent into vlan 250 that has source addresses that are public Internet addresses then the PBR that you have configured should redirect that traffic to 192.168.70.2.

HTH

Rick

Thanks Rick, it seems to be working.

But I see the counter in "show route-map" is zero.

SW#sh route-map all
STATIC routemaps
route-map INTERNET_ONLY, permit, sequence 10
  Match clauses:
    ip address (access-lists): 10
  Set clauses:
    ip next-hop 192.168.70.2
  Policy routing matches: 0 packets, 0 bytes
DYNAMIC routemaps

Also, from "show access-list", the counter of "permit any" entry always shows zero.

Any idea why?

Thank you.

Unfortunately, on Catalyst switches, from my experience the counters can't be trusted. It might have to do with the fact that it's a hardware-based platform using ASICs, so counters might not always be increased as long as the traffic is CEF switched.

Daniel Dib
CCIE #37149
CCDE #20160011

Please rate helpful posts.