Policy routing not working as expected

lalsingh
Level 1

I have the following configuration on a router:

interface FastEthernet0/0
 ip address 11.100.104.1 255.255.255.0
 no ip directed-broadcast
 ip policy route-map Test
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 10.248.196.10 255.255.255.248
 no ip directed-broadcast
 no ip mroute-cache
!
router eigrp 100
 network 10.0.0.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.248.196.9
ip route 192.168.50.0 255.255.255.0 10.100.104.230
no ip http server
!
access-list 110 deny tcp host 10.100.105.225 any eq www
access-list 110 deny tcp host 10.100.105.228 any eq www
access-list 110 deny tcp host 10.100.105.240 any eq www
access-list 110 deny tcp host 10.100.105.241 any eq www
access-list 110 deny tcp host 10.100.105.242 any eq www
access-list 110 deny tcp host 10.100.105.245 any eq www
access-list 110 deny tcp host 10.100.105.246 any eq www
access-list 110 deny tcp host 10.100.105.247 any eq www
access-list 110 permit tcp any any eq www
!
route-map Test permit 1
 match ip address 110
 set ip default next-hop 10.100.101.151

I would like the hosts listed in the deny statements to bypass the N2H2 server at 10.100.101.151. This is happening.

I would like any other host to get to the internet via the N2H2 host at 10.100.101.151. This is not working. Everything seems to bypass the N2H2 host.

Initially I had a set ip next-hop instead of set ip default next-hop. It seems like in version 12 of the IOS the set ip next-hop has to be an adjacent router. In this case the N2H2 server is 2 hops away.

Any suggestions?

8 Replies

thisisshanky
Level 11

Hi,

Reconfigure your access-list with the last permit statement removed.

access-list 110 permit tcp host 10.100.105.225 any eq www
access-list 110 permit tcp host 10.100.105.228 any eq www
access-list 110 permit tcp host 10.100.105.240 any eq www
access-list 110 permit tcp host 10.100.105.241 any eq www
access-list 110 permit tcp host 10.100.105.242 any eq www
access-list 110 permit tcp host 10.100.105.245 any eq www
access-list 110 permit tcp host 10.100.105.246 any eq www
access-list 110 permit tcp host 10.100.105.247 any eq www

(all statements should be permit here)

Reconfigure your route-map as follows.

route-map Test permit 1
 match ip address 110
 set ip default next-hop 10.100.101.151
!
route-map Test permit 2

(create an empty route-map instance with number 2. This will match all other traffic).

Hope this helps!

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

I will try your suggestion.

Your config seems to be the reverse of the way I understand policies to work. In the ACL that defines the match criteria, the permit statements should be the traffic you want the policy to apply to, and everything denied (implicitly and explicitly) should be routed normally. In my case the specific hosts should NOT be routed to the N2H2 filter (a deny in the ACL). All other hosts should be routed through the N2H2 filter (a permit in the ACL). The set clause defines what happens to packets permitted in the ACL, in this case to be forwarded through the N2H2 box.

Any good documents on policy based routing?

Hi, I took your scenario in the other way, and hence the confusion.

You can still do this with my configs:

access-list 110 permit tcp host 10.100.105.225 any eq www
access-list 110 permit tcp host 10.100.105.228 any eq www
access-list 110 permit tcp host 10.100.105.240 any eq www
access-list 110 permit tcp host 10.100.105.241 any eq www
access-list 110 permit tcp host 10.100.105.242 any eq www
access-list 110 permit tcp host 10.100.105.245 any eq www
access-list 110 permit tcp host 10.100.105.246 any eq www
access-list 110 permit tcp host 10.100.105.247 any eq www
!
route-map Test permit 1
 match ip address 110
!
route-map Test permit 2
 set ip default next-hop 10.100.101.151

In instance 1 of route-map Test, all the specific host traffic is matched and will be routed normally (it will use the default route in your routing table) because no set clause is specified for this traffic class.

In instance 2 of route-map Test, all the remaining traffic is matched and will be routed to the N2H2 server.

Hope this helps!

Some links to PBR

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/qos_c/qcpart1/qcpolicy.htm

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

Reconsidering your "set" statements, I think you should be using "set ip next-hop 10.100.101.151", because that command will force the router to use 10.100.101.151 as the next hop. If you use "set ip default next-hop", then the router will use this next hop only if it doesn't have an explicit route to the destination. But you still have a default route in your routing table, and hence all packets will be routed to the default gateway. That is the reason why your N2H2 host was bypassed.

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus
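The two replies above turn on three rules of route-map evaluation: an ACL permit means "this clause matches" while a deny (explicit or the implicit one at the end) means "fall through to the next clause"; a clause with no match statement matches everything; and a clause with no set statement hands the packet back to normal routing. The operational risk in this thread is that web traffic silently bypasses the N2H2 filter, so it is worth being able to predict which clause a packet hits before the config goes live. The following is an added example written for this page, not code from the thread or from Cisco: a small Python model of that evaluation order using the thread's hosts, next hops and static routes. "10.100.105.10" (an unlisted client) and "198.51.100.10" (a documentation address standing in for an internet destination) are constructed test values; treating "set ip default next-hop" as applied only when the routing table has no route, with 0.0.0.0/0 counting as a route, follows the last reply and is an assumption of the model, and the adjacency question raised later in the thread is not modelled.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Hosts the original post wants to bypass the N2H2 filter (from the thread).
BYPASS_HOSTS = ["10.100.105.225", "10.100.105.228", "10.100.105.240",
                "10.100.105.241", "10.100.105.242", "10.100.105.245",
                "10.100.105.246", "10.100.105.247"]
N2H2 = "10.100.101.151"
DEFAULT_GW = "10.248.196.9"

# Static routes from the original post; EIGRP-learned prefixes are not listed
# in the thread, so they are omitted here.
ROUTING_TABLE = [("0.0.0.0/0", DEFAULT_GW),
                 ("192.168.50.0/24", "10.100.104.230")]

@dataclass
class AclEntry:
    action: str                 # "permit" or "deny"
    src_host: Optional[str]     # None means "any"
    dst_port: Optional[int]     # None means "any"

@dataclass
class Clause:
    seq: int
    acl: Optional[list] = None        # None: no match clause, matches everything
    set_kind: Optional[str] = None    # None, "next-hop" or "default-next-hop"
    next_hop: Optional[str] = None

def acl_permits(acl, src, dport):
    """First matching entry decides; falling off the end is the implicit deny.
    For PBR, permit means 'the clause matches', deny means 'it does not'."""
    for e in acl:
        if e.src_host in (None, src) and e.dst_port in (None, dport):
            return e.action == "permit"
    return False

def lookup(dst, table=ROUTING_TABLE):
    """Longest-prefix match in the routing table; None if there is no route at all."""
    best = None
    for prefix, nh in table:
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None

def forward(route_map, src, dst, dport):
    """Return (next_hop, reason) for one packet evaluated against a PBR route-map."""
    for c in route_map:
        if c.acl is not None and not acl_permits(c.acl, src, dport):
            continue                                   # deny: try the next clause
        if c.set_kind == "next-hop":
            return c.next_hop, f"seq {c.seq}: set ip next-hop"
        if c.set_kind == "default-next-hop":
            # Assumption following the reply: only used when the table has no
            # route for the destination, and 0.0.0.0/0 counts as a route.
            nh = lookup(dst)
            if nh is not None:
                return nh, f"seq {c.seq}: route exists, default next-hop ignored"
            return c.next_hop, f"seq {c.seq}: set ip default next-hop"
        return lookup(dst), f"seq {c.seq}: matched, no set clause"
    return lookup(dst), "no clause matched, normal routing"

# Original post: deny the bypass hosts, permit all other web traffic,
# a single clause with 'set ip default next-hop'.
ACL_ORIGINAL = [AclEntry("deny", h, 80) for h in BYPASS_HOSTS] + [AclEntry("permit", None, 80)]
RM_ORIGINAL = [Clause(1, ACL_ORIGINAL, "default-next-hop", N2H2)]

# Reply's version: permit only the bypass hosts, seq 1 without a set clause,
# seq 2 without a match clause, using 'set ip next-hop' as the later reply advises.
ACL_REVISED = [AclEntry("permit", h, 80) for h in BYPASS_HOSTS]
RM_REVISED = [Clause(1, ACL_REVISED), Clause(2, None, "next-hop", N2H2)]

def next_hop_for(route_map, src, dport=80, dst="198.51.100.10"):
    """Next hop only; the default destination is a constructed documentation address."""
    return forward(route_map, src, dst, dport)[0]

if __name__ == "__main__":
    for name, rm in (("original", RM_ORIGINAL), ("revised", RM_REVISED)):
        for src, port in (("10.100.105.225", 80), ("10.100.105.10", 80), ("10.100.105.10", 443)):
            nh, why = forward(rm, src, "198.51.100.10", port)
            print(f"{name:8} {src}:{port:<3} -> {nh:16} ({why})")
```

Under the modelled assumption, the original config sends both the listed hosts and every other client to the default gateway, which is the symptom reported. The revised route-map sends the listed hosts' web traffic to the default gateway and everything else to the N2H2 host. Note that the empty seq 2 clause matches all remaining traffic, not just port 80, so non-web traffic from any host (including port 443 from the listed hosts) is also policy-routed to 10.100.101.151; if the filter should only see web traffic, seq 2 needs its own match clause.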

I had set ip next-hop 10.100.101.151 initially. This did not work. In reading the command reference for version 11.1, it says it does not have to be the adjacent router. In reading the documentation for version 12, it says the next hop must be the adjacent router. That is why I changed to default next-hop. This may be the problem; it seems like this also has to be an adjacent router.

teru-lei
Level 1

Hi,

After reading your case, it seems like a routing problem. Does your topology look like this?

----R1---R2---------R3
         |______R4

Your router is R1. Suppose you need some traffic to use R4 through the routing table and the rest to use R3 through policy routing.

I think your next hop is not a connected router. That may cause a problem. If the route to the next hop (10.100.101.151) and the route in the routing table for the normal traffic go through the same path (suppose it is R2 above), then all the traffic will be sent to R2, and R2 will send the traffic according to its own routing table, so your policy routing does not work. I think you had better use policy routing to set the next hop to a connected network. Hope it helps.

Best Regards

Teru Lei

Hi,

I think you are correct. I will need to set the policy on the serial interface (where the packets are received) on R2. The problem I have here is that I want to implement VOIP with a policy for traffic on the serial interface of R2 (as well as R1). I can only have one policy on an interface. Any suggestions?

Hi,

I am not very clear on your scenario. But to my understanding, you may try to set another attribute (for example, IP precedence): on R1, mark different traffic with different IP precedence values, and then on the R2 interface that is connected to R1, set another policy, so that you can "make" the policy set in R1 have effect on R2. Hope this helps.

Best Regards

Teru Lei