Cisco Support Community
why isn't routing broken?

Hey...

My organization has multiple sites, and multiple connections to the internet. I set up the following to get vlan 18 internet traffic going out the connection at another site. There's a mistake here - The IP address in the route-map doesn't exist.

Yet, I have functioning internet access from workstations in Vlan 18. When I traceroute from a workstation in Vlan 18, I go out the default route.

I would have thought that for matching traffic, the route-map's default next-hop overwrote the router's default route.

Clearly I'm wrong on that - Can anyone clarify what's actually happening?

TIA...

#sh access-l 181
Extended IP access list 181
    10 permit ip x.x.18.0 0.0.0.255 any (845093 matches)

#sh route-map
route-map Wireless, permit, sequence 10
  Match clauses:
    ip address (access-lists): 181
  Set clauses:
    ip default next-hop 10.30.202.3
  Policy routing matches: 845115 packets, 97431971 bytes

#sh run int vlan18
Building configuration...

Current configuration : 344 bytes
!
interface Vlan18
 description DOv0018_Wireless
 ip address x.x.18.2 255.255.255.0
 ip access-group 109 in
 ip helper-address x.x.x.x
 no ip redirects
 no ip proxy-arp
 ip wccp web-cache redirect out
 ip wccp web-cache redirect in
 ip policy route-map Wireless
 standby 18 ip x.x.18.1
 standby 18 priority 200
 standby 18 preempt
end

#sh access-l 109
Extended IP access list 109
    10 permit tcp any any established (653532 matches)
    20 permit udp any any eq bootps (739 matches)
    30 permit icmp any any (359 matches)
    40 permit udp x.0.0.0 0.255.255.255 x.0.0.0 0.255.255.255 eq domain
    50 permit tcp x.0.0.0 0.255.255.255 x.0.0.0 0.255.255.255 eq domain
    60 deny ip any x.0.0.0 0.255.255.255 (22758 matches)
    70 permit ip x.0.0.0 0.255.255.255 any (307368 matches)

#sh run | i 0.0.0.0
ip route 0.0.0.0 0.0.0.0 x.x.2.254

1 ACCEPTED SOLUTION

Re: why isn't routing broken?

When the only route to the destination is the default route (there is no specific route for that destination in the routing table), the packet is policy routed.

When you lose the next hop, the packet follows the normal forwarding (routing table).

http://www.cisco.com/en/US/tech/tk364/technologies_configuration_example09186a00801f3b54.shtml

HTH

Narayan
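
To make the rule in the accepted answer concrete, here is a small Python model of the decision sequence for a route-map that uses "set ip default next-hop". It is an added example, not IOS code and not something posted in the thread: an explicit (non-default) route in the table wins, otherwise the policy next hop is tried, and if that next hop is unusable the packet falls back to the routing table, which is the "policy rejected -- normal forwarding" case the original poster saw with debug ip policy. It also models plain "set ip next-hop" (the strict form, which is not in the thread's config) for contrast. The addresses are constructed stand-ins for the masked x.x values, and the "reachable next hop" set is a simplification of the real IOS check (a usable adjacency, i.e. a connected route and ARP entry for the next hop).

```python
"""Illustrative model of IOS PBR 'set ip default next-hop' semantics.
Added example; not IOS code and not from the original thread."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str


@dataclass(frozen=True)
class RouteMapEntry:
    match_source: ipaddress.IPv4Network  # ACL 181 in the thread matches on source only
    set_next_hop: str
    default_only: bool  # True: "set ip default next-hop"; False: "set ip next-hop"


class Router:
    def __init__(self, routes: Iterable[Route], reachable_next_hops: Iterable[str]):
        self.routes = list(routes)
        # Simplification: IOS needs a usable adjacency (connected route / ARP
        # entry) for the set next hop; here that is just membership in this set.
        self.reachable = set(reachable_next_hops)

    def lookup(self, dst: ipaddress.IPv4Address) -> Optional[Route]:
        """Longest-prefix match; a 0.0.0.0/0 entry is the default route."""
        hits = [r for r in self.routes if dst in r.prefix]
        return max(hits, key=lambda r: r.prefix.prefixlen, default=None)

    def forward(self, src: str, dst: str,
                policy: List[RouteMapEntry]) -> Tuple[str, Optional[str]]:
        s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
        rib = self.lookup(d)
        rib_hop = rib.next_hop if rib else None
        for entry in policy:
            if s not in entry.match_source:
                continue  # this sequence's match clause failed; try the next one
            # 'default next-hop' yields to any explicit (non-default) route.
            if entry.default_only and rib is not None and rib.prefix.prefixlen > 0:
                return ("normal forwarding (explicit route)", rib_hop)
            if entry.set_next_hop in self.reachable:
                return ("policy routed", entry.set_next_hop)
            # The thread's case: set next hop unusable, so the packet goes back
            # to the routing table ("policy rejected -- normal forwarding").
            return ("policy rejected -- normal forwarding", rib_hop)
        # No sequence matched: the route-map's implicit deny means normal forwarding.
        return ("normal forwarding (no match)", rib_hop)


# Constructed stand-ins for the thread's masked addresses:
# x.x.18.0/24 -> 10.0.18.0/24, default gateway x.x.2.254 -> 192.0.2.254.
VLAN18 = ipaddress.IPv4Network("10.0.18.0/24")
DEFAULT_GW = "192.0.2.254"
NEXT_HOP = "10.30.202.3"  # the next hop from the thread's route-map


def decide(next_hop_reachable: bool, extra_routes: Iterable[Tuple[str, str]] = (),
           strict: bool = False, src: str = "10.0.18.50", dst: str = "198.51.100.10"):
    """Run one packet through a router that has only a default route plus
    'extra_routes' ((prefix, next_hop) pairs). strict=True models
    'set ip next-hop' instead of 'set ip default next-hop'."""
    routes = [Route(ipaddress.IPv4Network("0.0.0.0/0"), DEFAULT_GW)]
    routes += [Route(ipaddress.IPv4Network(p), h) for p, h in extra_routes]
    router = Router(routes, [NEXT_HOP] if next_hop_reachable else [])
    policy = [RouteMapEntry(VLAN18, NEXT_HOP, default_only=not strict)]
    return router.forward(src, dst, policy)


if __name__ == "__main__":
    # The thread's situation: matching source, only a default route, next hop unusable.
    print(decide(next_hop_reachable=False))
    # Same router once 10.30.202.3 is actually reachable.
    print(decide(next_hop_reachable=True))
    # A destination with an explicit route is never policy routed by 'default next-hop'.
    print(decide(True, extra_routes=[("10.0.0.0/8", "192.0.2.1")], dst="10.40.1.1"))
```

The practical consequence the thread illustrates is in the third branch of forward(): with the next hop unusable, matching traffic is not dropped but silently leaves via the ordinary default route, so a PBR rule that is meant to steer a VLAN out a particular path is only as good as the reachability of its next hop.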

5 REPLIES

Re: why isn't routing broken?

I may be wrong here, but if the route map has a bad IP, then there is no match.

Therefore, the default route does apply.

Re: why isn't routing broken?

Linea,

See the response(s) below.

"The IP address in the route-map doesn't exist"

I assume you mean the 'next-hop' address in the route map.

"Yet, I have functioning internet access from workstations in Vlan 18. When I traceroute from a workstation in Vlan 18, I go out the default route"

If the router doesn't have a specific route to the destination then it should use the default next-hop address specified in the route map and not the default route.

"I would have thought that for matching traffic, the route-map's default next-hop overwrote the router's default route"

Yes the default next-hop should be used if the router didn't have a specific route to the destination of the IP packet.

HTH

Sundar


Re: why isn't routing broken?

Thanks Narayan,

Case Study 2 makes it perfectly clear:

when the next-hop defined by the route-map is unavailable, you get "policy rejected -- normal forwarding".

Thanks again...


Re: why isn't routing broken?

Hey...

As it turns out, there is a match, however, since the route doesn't exist, you get a "policy rejected" message if you turn on debug ip policy.
