Policy Routing on 6509's over port-channels

All,

I'm trying to run policy routing over a 6509 without much success. The switch will not take the route-map commands on the port-channel interfaces which are layer 3, so I have put them on the gig interfaces. Still no joy. I've also got it configured on a vlan interface and that's not doing the trick either!!

My config is:-

ip access-list extended WanTraffic
 deny ip 10.64.0.0 0.0.255.255 180.1.32.0 0.0.15.255
 deny ip 10.64.0.0 0.0.255.255 180.1.96.0 0.0.31.255
 permit ip 10.64.0.0 0.0.255.255 any

route-map WanTraffic permit 10
 match ip address WanTraffic
 set ip next-hop 10.64.254.251
!
route-map WanTraffic permit 20
 match ip address WanStandard
 set ip next-hop 10.64.254.251

interface GigabitEthernet1/1
 description ** Physical GF East link 1 **
 no ip address
 ip route-cache policy
 ip policy route-map WanTraffic
 logging event link-status
 logging event bundle-status
 logging event trunk-status
 snmp ifindex persist
 channel-group 2 mode on

interface Vlan1
 ip address 180.1.32.244 255.255.240.0
 ip route-cache policy
 ip policy route-map WanTraffic

#sh route-map
route-map WanTraffic, permit, sequence 10
  Match clauses:
    ip address (access-lists): WanTraffic
  Set clauses:
    ip next-hop 10.64.254.251
  Policy routing matches: 0 packets, 0 bytes
route-map WanTraffic, permit, sequence 20
  Match clauses:
    ip address (access-lists): WanStandard
  Set clauses:
    ip next-hop 10.64.254.251
  Policy routing matches: 4942 packets, 5298548 bytes

#sh access-lists
Standard IP access list WanStandard
    10 deny 180.1.32.0, wildcard bits 0.0.15.255 (909 matches)
    20 deny 180.1.96.0, wildcard bits 0.0.31.255
    30 permit 10.64.0.0, wildcard bits 0.0.255.255
Extended IP access list WanTraffic
    10 deny ip 10.64.0.0 0.0.255.255 180.1.32.0 0.0.15.255
    20 deny ip 10.64.0.0 0.0.255.255 180.1.96.0 0.0.31.255
    100 permit ip 10.64.0.0 0.0.255.255 any

This is on a new 6509 and it's running distributed CEF - the version in 12.2x works with PBR.

Any thoughts appreciated

LH

4 REPLIES

Re: Policy Routing on 6509's over port-channels

Standard IP access list WanStandard
    10 deny 180.1.32.0, wildcard bits 0.0.15.255 (1384 matches)
    20 deny 180.1.96.0, wildcard bits 0.0.31.255
    30 permit 10.64.0.0, wildcard bits 0.0.255.255

For the WanStandard ACL - note the hits.

Re: Policy Routing on 6509's over port-channels

All,

I've fixed this now - so not to worry.

I was trying to apply the config to a port-channel that was layer 2 !!

I put it onto the layer 3 port channels and it works a charm.

Many thanks,

LH

Re: Policy Routing on 6509's over port-channels

Leigh

There are some aspects of what you have posted that do not make sense. Perhaps if we had a fuller view of the config they would be better understood. For example, your route map is setting the next hop to 10.64.254.251, but nothing indicates that this address is reachable. Also, your access lists call out 180.1.96.0 and 10.64.0.0, but there is nothing to indicate where or what these addresses are.

Looking at what you did post there is only one interface with IP addressing assigned:

interface Vlan1
 ip address 180.1.32.244 255.255.240.0

This implies that traffic coming into this interface will have source addresses 180.1.32.0/20. But your access list WanStandard denies these addresses and your access list WanTraffic does not permit them (so they are denied). I believe this is the major reason that PBR is not working.

[edit] I see that you have fixed this while I was writing my response by applying the PBR on a different interface. Does this imply that the IP addressing on the other interface was different and fit your access lists better?

HTH

Rick
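Added example, not from the thread: a small Python model of the poster's two ACLs and route-map, applying the wildcard-mask and first-match semantics Rick's reply relies on. It shows a packet sourced from the Vlan1 subnet (180.1.32.244) finding no permit in either sequence, and also that a 10.64.x.x source bound for the old-site 180.1.32.0/20 range is rejected by sequence 10 and then matched by the source-only standard ACL in sequence 20. Addresses are those posted in the thread; the evaluator is a simplified model, not Cisco's implementation.

```python
import ipaddress
# Added model of IOS wildcard-mask ACLs and route-map sequence evaluation,
# built from the ACLs and route-map posted in this thread (not Cisco code).

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)

# Standard ACL WanStandard: (action, src_net, src_wildcard); source only.
WANSTANDARD = [
    ("deny", "180.1.32.0", "0.0.15.255"),
    ("deny", "180.1.96.0", "0.0.31.255"),
    ("permit", "10.64.0.0", "0.0.255.255"),
]

# Extended ACL WanTraffic: (action, src_net, src_wc, dst_net, dst_wc); None = any.
WANTRAFFIC = [
    ("deny", "10.64.0.0", "0.0.255.255", "180.1.32.0", "0.0.15.255"),
    ("deny", "10.64.0.0", "0.0.255.255", "180.1.96.0", "0.0.31.255"),
    ("permit", "10.64.0.0", "0.0.255.255", None, None),
]

def acl_permits(entries, src, dst):
    """First matching entry decides; no match falls to the implicit deny."""
    for entry in entries:
        action, s_net, s_wc = entry[:3]
        if not wildcard_match(src, s_net, s_wc):
            continue
        if len(entry) == 5 and entry[3] is not None:
            if not wildcard_match(dst, entry[3], entry[4]):
                continue
        return action == "permit"
    return False

# route-map WanTraffic as posted: (sequence, match ACL, set ip next-hop).
ROUTE_MAP = [
    (10, WANTRAFFIC, "10.64.254.251"),
    (20, WANSTANDARD, "10.64.254.251"),
]

def pbr_next_hop(src, dst):
    """A sequence whose ACL denies the flow is skipped; returns (seq, next_hop) or None."""
    for seq, acl, next_hop in ROUTE_MAP:
        if acl_permits(acl, src, dst):
            return seq, next_hop
    return None  # no sequence matched: packet follows the normal routing table
```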

Re: Policy Routing on 6509's over port-channels

Hey there Rick,

Thank you very much for your reply.

The main problem was that I was trying to put layer 3 config onto a layer 2 interface !! There are 24 port-channels on the 6509 and they are all layer 3, 3 gig links to a 3750 stack, except for port-channel 1, which is a 6 gig bundle between the 2 cores and is trunked.

I was trying to put the config onto the Layer 2 port-channel 1. When I realised what I was doing wrong, I popped the config onto the layer 3 port-channels and it worked no problems.

This network is for a customer moving a datacentre and the 180.1.3.x address is used privately(!) for their servers. The 10.64.x.x range is the new server and user range.

There are 2 sites (old and new) and a 1 gig LES between the two, which is why the 180.1.32.xx address is on one of the interfaces. The customer wanted the servers that have been moved to the new site (which are now in a routed access solution) to still go out of the wan link at the old site, but wanted the new range to go out of the wan link at the new site (as this is where they are advertised from).

10.64.254.251 is the wan gateway at the new site. I used some deny statements in the ACLs to ensure that 10.64.x.x users/servers that wanted to speak to the old site went out over the LES.

Once again, many thanks for your swift response on a Sunday!!

LH
