Cisco 891 route-map setup

taylorcw1
Level 1

! Last configuration change at 23:48:37 EDT Mon Jul 8 2013 by admin

! NVRAM config last updated at 23:48:38 EDT Mon Jul 8 2013 by admin

!

ip dhcp pool office-pool

import all

network 172.25.11.0 255.255.255.0

default-router 172.25.11.1

dns-server 209.18.47.61 209.18.47.62

lease 0 2

!

!

interface FastEthernet8

description ASA Connection

ip address dhcp

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

no cdp enable

!

!

interface GigabitEthernet0

description Defualt WLAN

ip address dhcp

ip flow ingress

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

no cdp enable

!

!

interface wlan-ap0

description Service module interface to manage the embedded AP

ip unnumbered Vlan4

arp timeout 0

!

!

interface Wlan-GigabitEthernet0

description Internal switch interface connecting to the embedded AP

switchport trunk native vlan 4

switchport mode trunk

!

!

!

interface Vlan4

description Default Office VLAN

ip address 172.25.11.1 255.255.255.0

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1452

ip policy route-map RMAP-TO-VPN

!

!

ip local policy route-map RMAP-TO-VPN

!

!

ip nat inside source list ACL-NAT-ROUTING interface GigabitEthernet0 overload

!

ip access-list extended ACL-NAT-ROUTING

deny ip 172.25.11.0 0.0.0.255 172.25.11.0 0.0.0.255

permit ip 172.25.11.0 0.0.0.255 any

ip access-list extended ACL-ROUTE-TO-VPN

permit tcp 172.25.11.0 0.0.0.255 host 173.194.37.40

permit icmp 172.25.11.0 0.0.0.255 host 173.194.37.40

!

!

route-map RMAP-TO-VPN permit 10

match ip address ACL-ROUTE-TO-VPN

set ip next-hop 10.116.40.113

set ip next-hop verify-availability

!

end

Hi,

I'm trying to set up a basic route-map. For testing I just have a couple of test permits in the route map (Google's IP). If the IP matches an address in ACL-ROUTE-TO-VPN, I want it to route through 10.116.40.113 (Fast8). I'm able to ping 10.116.40.113 from a machine attached to the router. When I use "set ip next-hop verify-availability" the ping to 173.194.37.40 succeeds (falls back to the normal route).

Jul 9 04:25:04.600: IP: s=172.25.11.3 (Vlan4), d=173.194.37.40, len 60, FIB policy match

Jul 9 04:25:04.600: IP: s=172.25.11.3 (Vlan4), d=173.194.37.40, len 60, PBR Counted

Jul 9 04:25:04.600: IP: s=172.25.11.3 (Vlan4), d=173.194.37.40, len 60, FIB policy rejected - normal forwarding

If I turn off verify-availability, I see it trying to route to 10.116.40.113, and then fails.

Jul 9 04:27:15.555: IP: s=172.25.11.3 (Vlan4), d=173.194.37.40, len 60, FIB policy match

Jul 9 04:27:15.555: IP: s=172.25.11.3 (Vlan4), d=173.194.37.40, len 60, PBR Counted

Jul 9 04:27:15.555: IP: s=172.25.11.3 (Vlan4), d=173.194.37.40, g=10.116.40.113, len 60, FIB policy routed

If I shut down int Gig0 and set the default route for all traffic to 10.116.40.113, I'm able to access it via int Fast8. It's only through the route-map that it's failing.

What am I missing?

Thanks!

7 Replies

XIE YAO
Level 1

Hi,

The reason why PBR is working after you delete "verify-availability" is:

set ip next-hop verify-availability needs CDP; more information can be found here:

http://www.cisco.com/en/US/docs/ios/iproute_pi/command/reference/iri_pi2.html#wp1012541

Jul 9 04:27:15.555: IP: s=172.25.11.3 (Vlan4), d=173.194.37.40, len 60, FIB policy match

Jul 9 04:27:15.555: IP: s=172.25.11.3 (Vlan4), d=173.194.37.40, len 60, PBR Counted

Jul 9 04:27:15.555: IP: s=172.25.11.3 (Vlan4), d=173.194.37.40, g=10.55.40.50, len 60, FIB policy routed

This should already indicate that the packet is policy routed, per my understanding.

Regards

Hi,

I enabled CDP and no luck. Just to clarify, PBR is not working when I delete verify-availability. The routing is going through Gig0 when I enable verify-availability because it rejects the policy. It thinks 10.116.40.113 is unreachable. At this point any traffic it tries to route via PBR appears to be dropped.

This is what I can't figure out. I'm able to ping 10.116.40.113.

C:\>ping 10.116.40.113

Pinging 10.116.40.113 with 32 bytes of data:
Reply from 10.116.40.113: bytes=32 time=82ms TTL=110
Reply from 10.116.40.113: bytes=32 time=79ms TTL=110
Reply from 10.116.40.113: bytes=32 time=81ms TTL=110
Reply from 10.116.40.113: bytes=32 time=84ms TTL=110

Hi,

It seems interface FastEthernet8 is connected to the ASA, which disables CDP by default. When you run "show cdp nei" on this router, are you able to see the ASA?

Could you post "show ip route" and "show ip int b"?

Hi,

Yes, when I run show cdp neighbors, I'm able to see the router hanging off the Fast8 interface. Here are my routing and interface details below.

Thanks!

router-891#show ip route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP....

...removed....

Gateway of last resort is 172.20.1.1 to network 0.0.0.0

S*    0.0.0.0/0 [254/0] via 172.20.1.1

                [254/0] via 10.116.40.113

      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks

C        10.116.40.112/28 is directly connected, FastEthernet8

L        10.116.40.119/32 is directly connected, FastEthernet8

      172.20.0.0/16 is variably subnetted, 2 subnets, 2 masks

C        172.20.1.0/24 is directly connected, GigabitEthernet0

L        172.20.1.123/32 is directly connected, GigabitEthernet0

      172.25.0.0/16 is variably subnetted, 2 subnets, 2 masks

C        172.25.11.0/24 is directly connected, Vlan4

L        172.25.11.1/32 is directly connected, Vlan4

router-891#show ip int b

Interface                  IP-Address      OK? Method Status                Protocol

Async1                     unassigned      YES NVRAM  down                  down

FastEthernet0              unassigned      YES unset  down                  down

FastEthernet1              unassigned      YES unset  down                  down

FastEthernet2              unassigned      YES unset  down                  down

FastEthernet3              unassigned      YES unset  down                  down

FastEthernet4              unassigned      YES unset  down                  down

FastEthernet5              unassigned      YES unset  down                  down

FastEthernet6              unassigned      YES unset  down                  down

FastEthernet7              unassigned      YES unset  down                  down

FastEthernet8              10.116.40.119   YES DHCP   up                    up

GigabitEthernet0           172.20.1.123    YES DHCP   up                    up

NVI0                       unassigned      YES unset  administratively down down

Vlan1                      unassigned      YES NVRAM  up                    up

Vlan4                      172.25.11.1     YES NVRAM  up                    up

Wlan-GigabitEthernet0      unassigned      YES unset  up                    up

wlan-ap0                   172.25.11.1     YES TFTP   up                    up

Hi Chris,

Sorry for the late reply.

Today, I have tested this in lab, and I can achieve the policy routing, here is the details.

The topology is very simple: R1 acts as your Cisco 891, R2 is the client, and R3 and R4 act as two different next hops. R3 has IP 10.116.40.113 and 173.194.37.40 as a loopback (to simulate Google), and R4 has IP 172.20.1.1.

To start with, I removed "ip local policy route-map RMAP-TO-VPN", as this configuration is only for local traffic and is not necessary.

S*    0.0.0.0/0 [254/0] via 172.20.1.1

                [254/0] via 10.116.40.113

I also notice you have configured two equal-cost default routes, to both 172.20.1.1 and 10.116.40.113. This actually contradicts the purpose of PBR: we use PBR to select traffic and forward it to the desired next hop, so I used 172.20.1.1 as the only default route.

I copied most of your configuration to R1, and when R2 pings 173.194.37.40, the debug is as follows, which means PBR is working.

*Mar  1 00:30:21.815: IP: s=172.25.11.2 (Vlan4), d=173.194.37.40, g=10.116.40.113, len 100, FIB policy routed

*Mar  1 00:30:22.055: IP: s=172.25.11.2 (Vlan4), d=173.194.37.40, len 100, FIB policy match

The next thing I tested was "set ip next-hop verify-availability".

If I disable CDP on R3, then traffic is not forwarded to R3; this is in line with the above document.

R3(config-if)#int f0/0

R3(config-if)#no cdp enable

R1#sh cdp n

Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge

                  S - Switch, H - Host, I - IGMP, r - Repeater

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID

R2.lab.local     Fas 0/1            146        R S I      3640      Fas 0/0

R4.lab.local     Fas 2/0            137        R S I      3640      Fas 0/0

*Mar  1 00:29:30.523: IP: s=172.25.11.2 (Vlan4), d=173.194.37.40, len 100, FIB policy match

*Mar  1 00:29:30.523: IP: s=172.25.11.2 (Vlan4), d=173.194.37.40, len 100, FIB policy rejected - normal forwarding

If I turn it back on, traffic is sent to R3 again.

R1#sh cdp n

Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge

                  S - Switch, H - Host, I - IGMP, r - Repeater

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID

R2.lab.local     Fas 0/1            138        R S I      3640      Fas 0/0

R3.lab.local     Fas 1/0            176        R S I      3640      Fas 0/0

R4.lab.local     Fas 2/0            128        R S I      3640      Fas 0/0

*Mar  1 00:29:57.083: IP: s=172.25.11.2 (Vlan4), d=173.194.37.40, len 100, FIB policy match

*Mar  1 00:29:57.083: IP: s=172.25.11.2 (Vlan4), d=173.194.37.40, g=10.116.40.113, len 100, FIB policy routed

Hope this clears your doubt.

Regards
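The behaviour reproduced in the lab above, written up as an added Python model that is not part of the thread and not Cisco code: the route-map decision (ACL match, then next-hop verification) returns the same wording as "debug ip policy", and a small parser tallies those debug lines so repeated "FIB policy rejected" fallbacks are easy to spot. It assumes, per the IOS document linked earlier in the thread, that verify-availability without object tracking counts the next hop as reachable only when it appears as a CDP neighbor, which is why a CDP-less ASA is treated as unreachable.

```python
import ipaddress
import re

# ACL-ROUTE-TO-VPN as posted in the thread: (protocol, source network, destination host)
ACL_ROUTE_TO_VPN = [
    ("tcp", "172.25.11.0/24", "173.194.37.40/32"),
    ("icmp", "172.25.11.0/24", "173.194.37.40/32"),
]
NEXT_HOP = "10.116.40.113"  # "set ip next-hop" in RMAP-TO-VPN


def acl_permits(acl, proto, src, dst):
    """True if any entry of the extended ACL permits this protocol/src/dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(p == proto and s in ipaddress.ip_network(sn) and d in ipaddress.ip_network(dn)
               for p, sn, dn in acl)


def pbr_decision(proto, src, dst, cdp_neighbor_ips, verify_availability=True):
    """Return (outcome, gateway) using the wording of 'debug ip policy'.
    Assumption (from the IOS doc linked in the thread): without object tracking,
    verify-availability treats the next hop as reachable only if it is a CDP
    neighbor, so a device with CDP disabled (the ASA) is seen as unreachable."""
    if not acl_permits(ACL_ROUTE_TO_VPN, proto, src, dst):
        return ("normal forwarding", None)           # no route-map match at all
    if verify_availability and NEXT_HOP not in cdp_neighbor_ips:
        return ("FIB policy rejected - normal forwarding", None)
    return ("FIB policy routed", NEXT_HOP)


# Constructed sample, copied in shape from the debug lines posted in the thread
SAMPLE_DEBUG = """\
Jul 9 04:25:04.600: IP: s=172.25.11.3 (Vlan4), d=173.194.37.40, len 60, FIB policy match
Jul 9 04:25:04.600: IP: s=172.25.11.3 (Vlan4), d=173.194.37.40, len 60, PBR Counted
Jul 9 04:25:04.600: IP: s=172.25.11.3 (Vlan4), d=173.194.37.40, len 60, FIB policy rejected - normal forwarding
Jul 9 04:27:15.555: IP: s=172.25.11.3 (Vlan4), d=173.194.37.40, g=10.116.40.113, len 60, FIB policy routed
"""
DEBUG_RE = re.compile(r"s=(?P<src>[\d.]+) \((?P<iif>[^)]+)\), d=(?P<dst>[\d.]+)"
                      r"(?:, g=(?P<gw>[\d.]+))?, len \d+, (?P<result>[^\n]+)")


def count_outcomes(debug_text):
    """Tally 'debug ip policy' results per destination; a growing count of
    'FIB policy rejected' for a destination means PBR is silently falling back."""
    counts = {}
    for m in DEBUG_RE.finditer(debug_text):
        key = (m.group("dst"), m.group("result").strip())
        counts[key] = counts.get(key, 0) + 1
    return counts
```

With an empty CDP neighbor set the model returns the same "FIB policy rejected - normal forwarding" the original poster saw; adding 10.116.40.113 as a neighbor, or disabling verify-availability, yields "FIB policy routed".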

Hi,

Thank you for taking the time to set this up. Would you mind posting the config you have set up on R1 and R3, if you still have it? I wanted to see how you have the IP routing configured.

Cheers,

Chris

R1(config-if)#do sh run

Building configuration...

Current configuration : 2288 bytes

!

version 12.3

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname R1

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

!

resource policy

!

memory-size iomem 5

ip subnet-zero

!

!

ip cef

no ip domain lookup

ip domain name lab.local

no ip dhcp use vrf connected

!

ip dhcp pool office-pool

   import all

   network 172.25.11.0 255.255.255.0

   default-router 172.25.11.1

   dns-server 209.18.47.61 209.18.47.62

   lease 0 2

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

no crypto isakmp ccm

!

!

!

!

interface FastEthernet0/0

switchport access vlan 4

!

interface FastEthernet0/1

!

interface FastEthernet0/2

!

interface FastEthernet0/3

!

interface FastEthernet0/4

!

interface FastEthernet0/5

!

interface FastEthernet0/6

!

interface FastEthernet0/7

!

interface FastEthernet0/8

!

interface FastEthernet0/9

!

interface FastEthernet0/10

!

interface FastEthernet0/11

!

interface FastEthernet0/12

!

interface FastEthernet0/13

!

interface FastEthernet0/14

!

interface FastEthernet0/15

!

interface FastEthernet1/0

ip address 10.116.40.119 255.255.255.240

duplex auto

speed auto

!

interface FastEthernet2/0

ip address 172.20.1.123 255.255.255.0

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

!

interface Vlan1

no ip address

!

interface Vlan4

description Default Office VLAN

ip address 172.25.11.1 255.255.255.0

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1452

ip policy route-map RMAP-TO-VPN

!

no ip http server

no ip http secure-server

ip classless

ip route 0.0.0.0 0.0.0.0 172.20.1.1

!

!

ip nat inside source list ACL-NAT-ROUTING interface FastEthernet2/0 overload

!

!

ip access-list extended ACL-NAT-ROUTING

deny   ip 172.25.11.0 0.0.0.255 172.25.11.0 0.0.0.255

permit ip 172.25.11.0 0.0.0.255 any

ip access-list extended ACL-ROUTE-TO-VPN

permit tcp 172.25.11.0 0.0.0.255 host 173.194.37.40

permit icmp 172.25.11.0 0.0.0.255 host 173.194.37.40

!

route-map RMAP-TO-VPN permit 10

match ip address ACL-ROUTE-TO-VPN

set ip next-hop 10.116.40.113

set ip next-hop verify-availability

!

!

!

control-plane

!

!

!

!

!

!

!

!

!

!

line con 0

exec-timeout 0 0

privilege level 15

logging synchronous

line aux 0

exec-timeout 0 0

privilege level 15

logging synchronous

line vty 0 4

login

!

!

end

R2(config-if)#do sh run

Building configuration...

Current configuration : 740 bytes

!

version 12.3

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname R2

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

!

resource policy

!

memory-size iomem 5

ip subnet-zero

!

!

ip cef

no ip domain lookup

ip domain name lab.local

no ip dhcp use vrf connected

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

no crypto isakmp ccm

!

!

!

!

interface FastEthernet0/0

ip address dhcp

duplex auto

speed auto

!

no ip http server

no ip http secure-server

ip classless

!

!

!

!

!

!

control-plane

!

!

!

!

!

!

!

!

!

!

line con 0

exec-timeout 0 0

privilege level 15

logging synchronous

line aux 0

exec-timeout 0 0

privilege level 15

logging synchronous

line vty 0 4

login

!

!

end

R3#sh run

Building configuration...

Current configuration : 868 bytes

!

version 12.3

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname R3

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

!

resource policy

!

memory-size iomem 5

ip subnet-zero

!

!

ip cef

no ip domain lookup

ip domain name lab.local

no ip dhcp use vrf connected

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

no crypto isakmp ccm

!

!

!

!

interface Loopback0

ip address 173.194.37.40 255.255.255.255

!

interface FastEthernet0/0

ip address 10.116.40.113 255.255.255.240

duplex auto

speed auto

!

no ip http server

no ip http secure-server

ip classless

ip route 0.0.0.0 0.0.0.0 10.116.40.119

!

!

!

!

!

!

control-plane

!

!

!

!

!

!

!

!

!

!

line con 0

exec-timeout 0 0

privilege level 15

logging synchronous

line aux 0

exec-timeout 0 0

privilege level 15

logging synchronous

line vty 0 4

login

!

!

end

R4(config)#do sh run

Building configuration...

Current configuration : 760 bytes

!

version 12.3

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname R4

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

!

resource policy

!

memory-size iomem 5

ip subnet-zero

!

!

ip cef

no ip domain lookup

ip domain name lab.local

no ip dhcp use vrf connected

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

no crypto isakmp ccm

!

!

!

!

interface FastEthernet0/0

ip address 172.20.1.1 255.255.255.0

duplex auto

speed auto

!

no ip http server

no ip http secure-server

ip classless

!

!

!

!

!

!

control-plane

!

!

!

!

!

!

!

!

!

!

line con 0

exec-timeout 0 0

privilege level 15

logging synchronous

line aux 0

exec-timeout 0 0

privilege level 15

logging synchronous

line vty 0 4

login

!

!

end
