Policy Based Routing Issue - acl being ignored?

Gremlin99
Level 1

Hi All,

I wonder if anyone can help with this issue?

We have many customers who come into our colocation in Australia from a satellite feed; this terminates on our 3750X. From here most of our customers then break out via our firewall (ASA5525), also connected to the same 3750X.

However, we have one customer who needs the traffic from their clients coming in on the sat feed to connect to their own router, which connects into the same 3750X as the firewall; their router is on 192.168.20.5. This customer's clients all come from the subnet 172.17.1.0/24 (all others are outside this subnet) and they need to be pushed to 192.168.20.1; they currently go to the default route, the firewall. I've applied the below config, however the customer's traffic is still going to the firewall, almost as if the ACL is being ignored. Does anyone have any ideas? Thanks in advance.

interface GigabitEthernet1/0/1
 description Inside link to SC-SYD1-ASA01 Primary

interface GigabitEthernet1/0/2
 description Primary Sat connection
 no switchport
 ip address 172.30.167.26 255.255.255.252
 ip policy route-map Customer1
 speed 100
 duplex full

interface GigabitEthernet3/0/11
 description 3rdparty Link for Customer1
 no switchport
 ip address 192.168.20.5 255.255.255.240

access-list 101 permit ip 172.17.1.0 0.0.0.255 any

route-map Customer1 permit 10
 match ip address 101
 set ip next-hop 192.168.20.1

Accepted Solution

The original post tells us that it wants to manipulate traffic originating from subnet 172.17.1.0. But I am not sure that this traffic actually arrives at the switch on interface gig1/0/2. Would the original poster be able to post the output of the command

show ip route 172.17.1.0

which should show us the interface where that subnet is located.

HTH

Rick


Jon Marshall
Hall of Fame

If the customers' IPs are 172.17.1.x then this should work.

How are you testing it, i.e. a traceroute from the customer end?

Be aware that L3 switches do not always show hit counts in the acl as they are processed in hardware.

I am guessing you have IP Services and are running the SDM routing template, as if I remember correctly you can't apply a PBR route-map if you are not, but it is worth checking, i.e.

"sh ver" for the feature set

"sh sdm prefer" for the SDM template.

Jon

Hi, thanks for your prompt response. Yes, the source IPs are 172.17.1.x and I know they're not going to the PBR next-hop as I can see them hitting the firewall, which is the default route on the 3750.

It is running IP Services, however the license type is evaluation. Not sure if that's relevant? This is a brand new piece of kit.

License Level: ipservices

License Type: Evaluation

Next reload license Level: ipservices

SDM Prefer is 'desktop routing'

There is no way the next-hop router is routing the traffic back to the firewall, is there? Very unlikely, but just wanted to check.

I don't know about the Evaluation license bit, to be honest. I'll have a bit of a dig around to see if I can find anything relevant.

All I can say at the moment is that there is nothing wrong with your configuration as far as I can see.

Jon


Hi Guys,

Thanks for all your help. Richard, you were correct. While the interface the route-map was applied to is the physical interface, there is in fact a logical interface for this traffic over a tunnel. I applied it to the tunnel interface and bingo!

Thanks for your help

Kevin
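The diagnostic Richard proposed and the fix Kevin found can be turned into a repeatable check: find the interface that `show ip route <source prefix>` points back at, and confirm `ip policy route-map` is applied on that interface rather than on the physical link underneath a tunnel. The script below is an added example, not code from this thread or from Cisco. It parses a constructed IOS-style running-config and a constructed `show ip route` entry; the Tunnel0 interface, its addressing, the BGP AS numbers and the per-client /26 route are assumed sample values, not taken from the original poster's switch.

```python
"""Check that 'ip policy route-map' sits on the interface where the matched
source subnet really enters the device (added example; constructed data)."""
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class PbrState:
    policies: dict = field(default_factory=dict)    # interface -> route-map name
    route_maps: dict = field(default_factory=dict)  # route-map -> [ACL ids] (permit entries only)
    acls: dict = field(default_factory=dict)        # ACL id -> [source IPv4Network]


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS 'address wildcard' (e.g. 172.17.1.0 0.0.0.255) to an IPv4Network."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def parse_running_config(text: str) -> PbrState:
    """Collect policy interfaces, permit route-map entries and numbered ACL sources."""
    state = PbrState()
    current_if = current_rm = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):              # top-level command starts a new stanza
            current_if = current_rm = None
            if m := re.match(r"interface (\S+)", line):
                current_if = m.group(1)
            elif m := re.match(r"route-map (\S+) permit \d+", line):
                current_rm = m.group(1)
            elif m := re.match(r"access-list (\S+) permit ip (.+)", line):
                acl, src = m.group(1), m.group(2).split()
                net = (ipaddress.IPv4Network("0.0.0.0/0") if src[0] == "any"
                       else ipaddress.IPv4Network(src[1] + "/32") if src[0] == "host"
                       else wildcard_to_network(src[0], src[1]))
                state.acls.setdefault(acl, []).append(net)
            continue
        sub = line.strip()
        if current_if and (m := re.match(r"ip policy route-map (\S+)", sub)):
            state.policies[current_if] = m.group(1)
        elif current_rm and (m := re.match(r"match ip address (.+)", sub)):
            state.route_maps.setdefault(current_rm, []).extend(m.group(1).split())
    return state


def parse_route_entry(text: str):
    """'show ip route <prefix>' output -> (prefix, [interfaces in the descriptor blocks])."""
    prefix, interfaces = None, []
    for line in text.splitlines():
        if m := re.search(r"Routing entry for (\S+)", line):
            prefix = ipaddress.IPv4Network(m.group(1).rstrip(","), strict=False)
        elif m := re.search(r"\bvia (\S+)\s*$", line):
            interfaces.append(m.group(1))
    return prefix, interfaces


def check_pbr_placement(state: PbrState, route_entries: list) -> list:
    """Reverse-path reasoning: packets from a source subnet enter on the interface that
    routes back to it, so that is where the policy must be applied.
    Returns (status, route_map, policy_interface, source, ingress_interfaces) tuples."""
    routes = [parse_route_entry(e) for e in route_entries]
    findings = []
    for iface, rm in state.policies.items():
        for acl in state.route_maps.get(rm, []):
            for src in state.acls.get(acl, []):
                for prefix, ingress in routes:
                    if prefix is None or not src.overlaps(prefix):
                        continue
                    status = "OK" if iface in ingress else "MISMATCH"
                    findings.append((status, rm, iface, str(src), tuple(ingress)))
    return findings


# Constructed sample: policy on the physical sat interface, while the customer
# prefixes are learned over a tunnel riding on that interface (Tunnel0 is assumed).
BEFORE_CONFIG = """\
interface GigabitEthernet1/0/2
 description Primary Sat connection
 no switchport
 ip address 172.30.167.26 255.255.255.252
 ip policy route-map Customer1
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet1/0/2
 tunnel destination 172.30.167.25
!
access-list 101 permit ip 172.17.1.0 0.0.0.255 any
!
route-map Customer1 permit 10
 match ip address 101
 set ip next-hop 192.168.20.1
"""
# Same config with the policy moved onto the tunnel interface (the fix in the thread).
AFTER_CONFIG = BEFORE_CONFIG.replace(" ip policy route-map Customer1\n", "").replace(
    " tunnel destination 172.30.167.25\n",
    " tunnel destination 172.30.167.25\n ip policy route-map Customer1\n")
# Constructed 'show ip route 172.17.1.64' output: one per-client BGP route via the tunnel.
ROUTE_ENTRY = """\
Routing entry for 172.17.1.64/26
  Known via "bgp 65001", distance 20, metric 0
  Routing Descriptor Blocks:
  * 10.0.0.2, from 10.0.0.2, 00:10:23 ago, via Tunnel0
"""

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE_CONFIG), ("after", AFTER_CONFIG)):
        for finding in check_pbr_placement(parse_running_config(cfg), [ROUTE_ENTRY]):
            print(label, *finding)
```

The check uses `overlaps()` rather than equality so that per-client routes more specific than the ACL's /24 (as described later in the thread) still map back to the policy. It only understands numbered ACLs and permit route-map entries; named `ip access-list` stanzas and ECMP entries with several `via` lines would need the parser extended.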

I am glad that you have been able to resolve the problem and that my suggestion was helpful. Thank you for posting back to the forum to let us know how you identified the issue and how you solved it. Also thank you for using the rating system to mark this question as answered.

HTH

Rick

Hi Jon,

The receiving next-hop router doesn't have a route back to the FW. The customer in fact pushes this out of their own breakout, which is the entire point; they just want us to pass the traffic, they manage it.

Cheers

Hi Richard

There is no route for the 172.17.1.0 subnet on the router. The routes back to the individual clients are learned and passed using BGP from the satellite link, so there's a learned route on a per-client basis back to the source. The traffic is definitely arriving on that port as there is no other source for the addresses that I'm seeing hit the firewall.

thanks

Just a couple more checks:

Can you post the IOS version you are using?

How long have you had the evaluation license on that switch?

Jon
