Route-Map and ACL question

Rick Morris (Level 6)

I have an interesting scenario. It is only for testing purposes and not what we will use for production. This is just for testing! Here is what I am trying to do.

I have a VLAN that is set-up for all workstations:

VLAN 100

interface Vlan100
 description VLAN-100
 ip address 10.1.0.1 255.255.240.0
 ip ospf priority 10
 ip policy route-map VLAN100_POLICY

On this router/MSFC we are running EIGRP and OSPF, but this is not where the issue is; this part is pretty straightforward. We then have a default route:

ip route 0.0.0.0 0.0.0.0 192.168.3.10

This is the interface IP on the firewall.

In this path there is a proxy 192.168.3.5

Here is the route-map that is applied to the VLAN interface:

route-map VLAN100_POLICY permit 10
 match ip address GOTO_FIREWALL
 set ip default next-hop 10.254.1.10

In this ACL we have the IPs that will be used to bypass the proxy. The list is quite long, so I will not bore you all with the info.

Ok onto what I need to do.

I am setting up a new proxy with more features and need to test a handful of users. I have my IP 10.1.15.100 that needs to take a different path:

New VLAN103 192.168.103.1

New proxy 192.168.103.5

New firewall interface 192.168.103.10

Here are the ACL's I have created so far:

ip access-list extended BYPASS-BC2-TO-DMZ
 permit ip host 10.1.15.100 192.168.0.0 0.0.255.255
!
ip access-list extended BYPASS-BC2-TO-E1
 permit ip host 10.1.15.100 10.1.252.0 0.0.0.255
!
ip access-list extended GOTO-BLUECOAT2
 permit ip host 10.1.15.100 any
!

And the route-maps for manipulation:

route-map VLAN100_POLICY permit 15
 match ip address BYPASS-BC2-TO-DMZ
 set ip next-hop 10.254.1.10
!
route-map VLAN100_POLICY permit 20
 match ip address GOTO-BLUECOAT2
 set ip next-hop 192.168.103.10

I am trying to get internal access set-up and having a difficult time.

For instance I need to get to 10.1.252.54, which is directly connected:

interface Vlan252
 description VLAN252-CSM
 ip address 10.1.252.1 255.255.255.0
!
MONR001#sh ip route 10.1.252.54
Routing entry for 10.1.252.0/24
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Redistributing via eigrp 555, ospf 100
  Advertised by ospf 100
  Routing Descriptor Blocks:
  * directly connected, via Vlan252
      Route metric is 0, traffic share count is 1

Is there a way to get my workstation to go to 10.1.252.0/24 network with a route-map to a directly connected IP?

6 Replies

Yudong Wu (Level 7)

If I understand your question correctly, what you need is just to use PBR to route your traffic to the specified host. So, you need to apply the related route-map under the interface of the VLAN where your PC 10.1.15.100 is.

That is the question.

I know I need a PBR to get the traffic where I need it. The question in all of this is how do you build the PBR for a directly connected network.

I think I provided enough detail in the post, at least I hope, to explain what I am trying to do.

Can you clarify your topology?

10.1.252.0/24 is directly connected to MONR001, is your pc 10.1.15.100 directly connected to this router as well?

If not, is MONR001 the last hop for 10.1.15.100 to access 10.1.252.0/24 network?

On the 6509 MSFC I have the following

interface Vlan100
 description VLAN-100
 ip address 10.1.0.1 255.255.240.0
 ip ospf priority 10
 ip policy route-map VLAN100_POLICY

This is my default route for my workstation

Also on this same 6509 is:

interface Vlan252
 description VLAN252-CSM
 ip address 10.1.252.1 255.255.255.0

This is the network I am trying to get to.

In this set-up according to my routing policy set-up I have a default route of 0.0.0.0 0.0.0.0 192.168.3.10

So if something does not match the policy applied to interface vlan 100 the traffic will go here.

So from a topology standpoint these networks are all local that I am referring to, which is why the networks show directly connected.

How do you create a PBR to a directly connected network?

Is it possible?

This is what I am trying to do.

Ok, I hope I understood it now.

Saying you would like your PC to access 10.1.252.0/24 network which is a directly connected network to the same 6509, do you want to forward the packet to a specified host first? If not, why don't you just let routing table make the decision? If yes, just use related "match ip address " and "set ip next hop x.x.x.x" command in your route-map. Make sure there is no overlap entry in your existing ACL "GOTO_FIREWALL".

I cannot let routing make the decision, because I am trying to manipulate the routing table for the test I am trying to run. I am trying to send traffic to a new location for internet and non-directly-connected networks, and that is just fine. When trying to direct that host to a local network it normally has access to, it does not route. I need some way to do this via PBR. What you propose cannot technically be done; IOS will not allow you to use a next-hop to an IP that is itself, in this case the directly connected network. I am looking for a way to get around this.
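Added example (editor's note, not posted by either participant and not taken from the thread): on IOS a route-map sequence that matches a packet but carries no `set` clause forwards that packet by the normal routing table, and a `deny` sequence does the same, so traffic to a directly connected network never needs a next-hop at all; it needs to be kept away from the later `permit ip host 10.1.15.100 any` sequence, which otherwise sends everything (including 10.1.252.0/24 and the rest of VLAN 100) to 192.168.103.10. The ACL name `LOCAL-NETS`, sequence number 17 and the verification commands are my assumptions for this illustration; addresses and route-map names are the ones from the thread.

```cisco
! Assumed ACL (not from the thread): internal destinations that the test
! host should reach via the routing table, not via the new firewall.
ip access-list extended LOCAL-NETS
 remark 10.1.252.0/24 is directly connected (Vlan252)
 permit ip host 10.1.15.100 10.1.252.0 0.0.0.255
 remark the host's own VLAN 100 (10.1.0.0/20)
 permit ip host 10.1.15.100 10.1.0.0 0.0.15.255
!
! Sequence 17 sits between the existing 15 and 20. It has a "match" but
! no "set", so matching packets leave PBR and are routed normally; later
! sequences (20, the catch-all) are not evaluated for them.
route-map VLAN100_POLICY permit 17
 match ip address LOCAL-NETS
!
! Equivalent form: an explicit deny also sends the packet to the
! routing table. Use one or the other, not both.
! route-map VLAN100_POLICY deny 17
!  match ip address LOCAL-NETS
!
! Existing catch-all stays last, so only non-local traffic from
! 10.1.15.100 is pushed to the new firewall interface.
route-map VLAL100_POLICY permit 20
 match ip address GOTO-BLUECOAT2
 set ip next-hop 192.168.103.10
!
! Checks (assumed commands, standard on IOS):
!  show route-map VLAN100_POLICY   - per-sequence "Policy routing matches" counters
!  show ip policy                  - confirms the map is bound to Vlan100
!  debug ip policy                 - per-packet decisions; on a 6500/MSFC only
!                                    software-switched packets appear, and the
!                                    debug is costly, so use it on a lab box only
```

Two caveats worth keeping in mind: the order of sequences is what matters, since PBR stops at the first match, so the exemption must carry a lower sequence number than the `permit ... any` entry; and `set ip default next-hop` (used in sequence 10) is only consulted when the routing table has no explicit route, so it already leaves directly connected destinations alone, whereas `set ip next-hop` (sequences 15 and 20) overrides the table unconditionally.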
