Policy Based Routing Issue - acl being ignored?

Hi All,

I wonder if anyone can help with this issue?

We have many customers who come into our colocation in Australia from a satellite feed; this terminates on our 3750X. From here most of our customers then break out via our firewall (ASA5525), also connected to the same 3750X.

However we have one customer who needs the traffic from their clients coming in on the sat feed to connect to their own router, which connects into the same 3750X as the firewall; their router is on 192.168.20.5. This customer's clients all come from the subnet 172.17.1.0/24 (all others are outside this subnet) and they need to be pushed to 192.168.20.1; they currently go to the default route – the firewall. I've applied the below config, however the customer's traffic is still going to the firewall, almost like the acl is being ignored. Does anyone have any ideas? Thanks in advance.

interface GigabitEthernet1/0/1
 description Inside link to SC-SYD1-ASA01 Primary
interface GigabitEthernet1/0/2
 description Primary Sat connection
 no switchport
 ip address 172.30.167.26 255.255.255.252
 ip policy route-map Customer1
 speed 100
 duplex full
interface GigabitEthernet3/0/11
 description 3rdparty Link for Customer1
 no switchport
 ip address 192.168.20.5 255.255.255.240
access-list 101 permit ip 172.17.1.0 0.0.0.255 any
route-map Customer1 permit 10
 match ip address 101
 set ip next-hop 192.168.20.1

1 ACCEPTED SOLUTION
Hall of Fame Super Gold

Policy Based Routing Issue - acl being ignored?

The original post tells us that it wants to manipulate traffic originating from subnet 172.17.1.0. But I am not sure that this traffic actually arrives at the switch on interface gig1/0/2. Would the original poster be able to post the output of the command

show ip route 172.17.1.0

which should show us the interface where that subnet is located.

HTH

Rick

8 REPLIES
Hall of Fame Super Blue

Policy Based Routing Issue - acl being ignored?

If the customer's IPs are 172.17.1.x then this should work.

How are you testing it, i.e. a traceroute from the customer end?

Be aware that L3 switches do not always show hit counts in the acl as they are processed in hardware.

I am guessing you have IP Services and are running the SDM routing template, as if I remember correctly you can't apply a PBR route map if you are not, but it is worth checking, i.e.

"sh ver" for feature set 

"sh sdm prefer" for the SDM template.

Jon

Community Member

Policy Based Routing Issue - acl being ignored?

Hi, thanks for your prompt response. Yes, the source IPs are 172.17.1.x and I know they're not going to the PBR next-hop as I can see them hitting the firewall, which is the default route on the 3750.

It is running IP Services, however the license type is evaluation - not sure if that's relevant? This is a brand new piece of kit.

License Level: ipservices

License Type: Evaluation

Next reload license Level: ipservices

SDM Prefer is 'desktop routing'

Hall of Fame Super Blue

Re: Policy Based Routing Issue - acl being ignored?

There is no way the next hop router is routing the traffic back to the firewall, is there? Very unlikely, but just wanted to check.

I don't know about the Evaluation license bit, to be honest. I'll have a bit of a dig around to see if I can find anything relevant.

All I can say at the moment is that there is nothing wrong with your configuration as far as I can see.

Jon


Community Member

Policy Based Routing Issue - acl being ignored?

Hi Guys,

Thanks for all your help. Richard, you were correct. While the interface the route-map was applied to is the physical interface, there is in fact a logical interface for this traffic over a tunnel. I applied it to the tunnel interface and bingo!

Thanks for your help

Kevin
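The fix above is a general one: PBR only acts on packets entering the interface it is applied to, so a policy on the physical port does nothing for traffic that arrives over a tunnel riding on that port. As an added check (example code, not from the thread or from Cisco), the script below parses the thread's config, expands the ACL wildcard to a prefix, and reports any route-map that matches a source subnet but is not applied on the ingress interface that `show ip route` reports for it; the interface name Tunnel0 is an assumption, and the ACL parser only handles the `permit ip <net> <wildcard>` form used on this page.

```python
import ipaddress
import re

# Constructed sample modelled on the thread's 3750X config: the policy sits on the
# physical sat port while traffic really enters via a tunnel (Tunnel0 is assumed).
SAMPLE_CONFIG = """
interface GigabitEthernet1/0/2
 ip address 172.30.167.26 255.255.255.252
 ip policy route-map Customer1
interface GigabitEthernet3/0/11
 ip address 192.168.20.5 255.255.255.240
interface Tunnel0
access-list 101 permit ip 172.17.1.0 0.0.0.255 any
route-map Customer1 permit 10
 match ip address 101
 set ip next-hop 192.168.20.1
"""

def parse_config(text):
    """Return (route-map applied per interface, ACLs per route-map, networks per ACL)."""
    policy_by_iface, acls_by_rm, nets_by_acl = {}, {}, {}
    section = (None, None)
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := re.match(r"interface (\S+)$", line):
            section = ("iface", m.group(1))
        elif m := re.match(r"route-map (\S+) ", line):
            section = ("rm", m.group(1))
            acls_by_rm.setdefault(m.group(1), [])
        elif m := re.match(r"access-list (\d+) permit ip (\S+) (\S+) ", line):
            num, net, wildcard = m.groups()
            # IOS wildcard: 0 bits must match, so the prefix mask is its bitwise inverse
            mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
            nets_by_acl.setdefault(num, []).append(ipaddress.ip_network(f"{net}/{mask}", strict=False))
        elif section[0] == "iface" and (m := re.match(r"ip policy route-map (\S+)", line)):
            policy_by_iface[section[1]] = m.group(1)
        elif section[0] == "rm" and (m := re.match(r"match ip address (\d+)", line)):
            acls_by_rm[section[1]].append(m.group(1))
    return policy_by_iface, acls_by_rm, nets_by_acl

def pbr_gaps(config_text, source_subnet, ingress_iface):
    """Route-maps matching source_subnet that are not applied on its real ingress interface."""
    policy_by_iface, acls_by_rm, nets_by_acl = parse_config(config_text)
    src = ipaddress.ip_network(source_subnet)
    gaps = []
    for rm, acls in acls_by_rm.items():
        hits = any(src.subnet_of(n) for a in acls for n in nets_by_acl.get(a, []))
        if hits and policy_by_iface.get(ingress_iface) != rm:
            # report the route-map and where it is (wrongly) applied instead
            gaps.append((rm, sorted(i for i, r in policy_by_iface.items() if r == rm)))
    return gaps
```

Feed it the interface that `show ip route 172.17.1.0` names; an empty list means the policy is on the right ingress interface.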

Hall of Fame Super Gold

Policy Based Routing Issue - acl being ignored?

I am glad that you have been able to resolve the problem and that my suggestion was helpful. Thank you for posting back to the forum to let us know how you identified the issue and how you solved it. Also thank you for using the rating system to mark this question as answered.

HTH

Rick

Community Member

Policy Based Routing Issue - acl being ignored?

Hi Jon,

The receiving next hop router doesn't have a route back to the fw. The customer in fact pushes this out of their own break out, which is the entire point; they just want us to pass the traffic - they manage it.

Cheers

Hi Richard

There is no route for the 172.17.1.0 subnet on the router. The routes back to the individual clients are learned and passed using BGP from the satellite link, so there's a learned route on a per-client basis back to the source. The traffic is definitely arriving on that port as there is no other source for the addresses that I'm seeing hit the firewall.

thanks

Hall of Fame Super Blue

Policy Based Routing Issue - acl being ignored?

Just a couple more checks -

Can you post the IOS version you are using?

How long have you had the evaluation license on that switch?

Jon
