Split traffic routing

iholdings
Level 1

Greetings,

We have the following VLAN sub-interface and ACLs configured on our router. The idea is to split traffic outbound from this VLAN to two different networks - pointing traffic destined for 10.169.254.69/24 at the router with WAN IP of 10.255.255.5 - and all Internet traffic pointed to the router WAN 10.255.255.2 that has an Internet gateway (the traffic will not touch any other part of the network behind 255.2 - just be immediately shuttled out the Internet gateway).

interface GigabitEthernet0/1.14
description ** JPI **
encapsulation dot1Q 14
ip address 172.28.130.1 255.255.254.0
ip access-group INETJPI-ONLY in
ip policy route-map INETONLYJPI
no snmp trap link-status

ip access-list extended INETJPI-ONLY
permit udp any any eq bootpc
deny   ip any 10.1.4.0 0.0.3.255
deny   ip any 172.16.0.0 0.15.255.255
deny   ip any 192.168.0.0 0.0.255.255
permit ip any any

ip access-list extended JPI-254SUBNET
deny   ip 172.28.130.0 0.0.1.255 10.1.4.0 0.0.3.255
deny   ip 172.28.130.0 0.0.1.255 172.16.0.0 0.15.255.255
deny   ip 172.28.130.0 0.0.1.255 192.168.0.0 0.0.255.255
permit ip 172.28.130.0 0.0.1.255 10.169.254.0 0.255.255.255
deny   ip any any


ip access-list extended JPI-INETONLY-NETS
deny   ip 172.28.130.0 0.0.1.255 10.1.4.0 0.0.3.255
deny   ip 172.28.130.0 0.0.1.255 172.16.0.0 0.15.255.255
deny   ip 172.28.130.0 0.0.1.255 192.168.0.0 0.0.255.255
permit ip 172.28.130.0 0.0.1.255 any
deny   ip any any

route-map INETONLYJPI permit 5
match ip address JPI-254SUBNET
set ip next-hop 10.255.255.5

route-map INETONLYJPI permit 10
match ip address JPI-INETONLY-NETS
set ip next-hop 10.255.255.2

These are the only routing protocols and statics we have configured on this router:

router eigrp 1
network 10.0.0.0
network 172.28.0.0
no auto-summary

ip classless
ip route 10.223.0.0 255.255.255.0 10.255.255.1
ip route 29.0.0.0 255.0.0.0 172.28.101.250
ip route 192.168.94.9 255.255.255.255 172.28.101.250
ip route 205.132.168.184 255.255.255.255 172.28.100.250
ip route 205.132.168.185 255.255.255.255 172.28.100.250
ip route 205.132.168.192 255.255.255.255 172.28.100.250
ip route 205.132.168.224 255.255.255.224 172.28.100.250

It is not working as configured but I cannot see why it shouldn't work.

Can anyone help?

Thanks


13 Replies

Rick Morris
Level 6

Are you getting any hits on the ACL's?

sh access-list

Here are the results of 'sho access-list':

Extended IP access list INETJPI-ONLY
    10 permit udp any any eq bootpc
    20 deny ip any 10.1.4.0 0.0.3.255
    30 deny ip any 172.16.0.0 0.15.255.255 (6715 matches)
    40 deny ip any 192.168.0.0 0.0.255.255
    50 permit ip any any (636141 matches)

Extended IP access list JPI-254SUBNET
    10 deny ip 172.28.130.0 0.0.1.255 10.1.4.0 0.0.3.255
    20 deny ip 172.28.130.0 0.0.1.255 172.16.0.0 0.15.255.255
    30 deny ip 172.28.130.0 0.0.1.255 192.168.0.0 0.0.255.255
    40 permit ip 172.28.130.0 0.0.1.255 10.0.0.0 0.255.255.255 (634458 matches)

Extended IP access list JPI-INETONLY-NETS
    10 deny ip 172.28.130.0 0.0.1.255 10.1.4.0 0.0.3.255
    20 deny ip 172.28.130.0 0.0.1.255 172.16.0.0 0.15.255.255
    30 deny ip 172.28.130.0 0.0.1.255 192.168.0.0 0.0.255.255
    40 permit ip 172.28.130.0 0.0.1.255 any (10533991 matches)
    50 deny ip any any (529 matches)

The big problem (which I guess I should have mentioned in the post) is that at one time all of the traffic exiting this VLAN - Internet included - was routed to the 255.5 router.  For various reasons we now need to split Internet from the rest and route it to 255.2.

I see the hits on the ACLs but don't know how they're being routed - only know that Internet traffic is still being routed to 255.5. Also, the permit statement under JPI-254SUBNET '40 permit ip 172.28.130.0 0.0.1.255 10.0.0.0 0.255.255.255' ended up that way even though I attempted to add it in as '10.169.154.69/24'.

Thanks.
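The behaviour described in this thread can be reproduced offline. The block below is an added example, not code from the thread or from Cisco: it parses the two extended ACLs and the route-map INETONLYJPI as posted, evaluates a packet the way IOS policy routing does (first matching ACL entry wins, route-map sequences walked in order, a permit sets the next hop, no match falls through to the routing table), and shows why the entry typed as 10.169.254.0 0.255.255.255 is displayed as 10.0.0.0 0.255.255.255: a wildcard of 0.255.255.255 means "don't care" about the last three octets, so the entry matches every 10.x.x.x destination, not a /24. FIXED_ACL_CONFIG (assumed, not a line from the thread) uses the 0.0.0.255 wildcard a /24 destination needs; the destination addresses fed to pbr_next_hop are constructed test values.

```python
import ipaddress
from dataclasses import dataclass

# Constructed copy of the two PBR access lists from the thread, in IOS syntax.
# In an IOS wildcard mask a 1 bit means "don't care"; 0.255.255.255 is a /8.
ACL_CONFIG = """
ip access-list extended JPI-254SUBNET
 deny   ip 172.28.130.0 0.0.1.255 10.1.4.0 0.0.3.255
 deny   ip 172.28.130.0 0.0.1.255 172.16.0.0 0.15.255.255
 deny   ip 172.28.130.0 0.0.1.255 192.168.0.0 0.0.255.255
 permit ip 172.28.130.0 0.0.1.255 10.169.254.0 0.255.255.255
 deny   ip any any
ip access-list extended JPI-INETONLY-NETS
 deny   ip 172.28.130.0 0.0.1.255 10.1.4.0 0.0.3.255
 deny   ip 172.28.130.0 0.0.1.255 172.16.0.0 0.15.255.255
 deny   ip 172.28.130.0 0.0.1.255 192.168.0.0 0.0.255.255
 permit ip 172.28.130.0 0.0.1.255 any
 deny   ip any any
"""

# Assumed fix (not from the thread): the wildcard a /24 destination needs.
FIXED_ACL_CONFIG = ACL_CONFIG.replace("10.169.254.0 0.255.255.255",
                                      "10.169.254.0 0.0.0.255")

# route-map INETONLYJPI as (sequence, match ACL, next hop), evaluated in order.
ROUTE_MAP = [
    (5, "JPI-254SUBNET", "10.255.255.5"),
    (10, "JPI-INETONLY-NETS", "10.255.255.2"),
]

ALL_ONES = 0xFFFFFFFF


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def parse_match(tokens):
    """Consume one address spec (any | host A | A WILDCARD) from tokens.
    Returns (network, care): care has 1 bits where the packet address must
    equal network, i.e. the inverse of the IOS wildcard."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0
    if tok == "host":
        return _ip(tokens.pop(0)), ALL_ONES
    addr, wildcard = _ip(tok), _ip(tokens.pop(0))
    care = wildcard ^ ALL_ONES
    # IOS stores the address with the wildcard bits cleared, which is why
    # 10.169.254.0 0.255.255.255 is displayed as 10.0.0.0 0.255.255.255.
    return addr & care, care


def normalized_ace(addr, wildcard):
    """The address/wildcard pair IOS shows in 'show access-list'."""
    network, _ = parse_match([addr, wildcard])
    return f"{ipaddress.IPv4Address(network)} {wildcard}"


@dataclass
class Ace:
    action: str   # "permit" or "deny"
    src: tuple    # (network, care)
    dst: tuple

    def matches(self, s, d):
        return (s & self.src[1]) == self.src[0] and (d & self.dst[1]) == self.dst[0]


def parse_acls(text):
    """Parse 'ip access-list extended' blocks. Only protocol 'ip' entries are
    modelled; anything after the destination (ports, 'log') is ignored."""
    acls, current = {}, None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[:3] == ["ip", "access-list", "extended"]:
            current = acls.setdefault(tokens[3], [])
            continue
        action, rest = tokens[0], tokens[2:]
        src = parse_match(rest)
        dst = parse_match(rest)
        current.append(Ace(action, src, dst))
    return acls


def acl_permits(acl, s, d):
    """First matching entry wins; no match is the implicit deny."""
    for ace in acl:
        if ace.matches(s, d):
            return ace.action == "permit"
    return False


def pbr_next_hop(acls, route_map, src, dst):
    """Walk the route-map sequences; a permit in the matched ACL sets the next
    hop. (None, None) means PBR does not apply and the packet is routed by the
    normal routing table."""
    s, d = _ip(src), _ip(dst)
    for seq, acl_name, next_hop in route_map:
        if acl_permits(acls[acl_name], s, d):
            return seq, next_hop
    return None, None


ACLS = parse_acls(ACL_CONFIG)
ACLS_FIXED = parse_acls(FIXED_ACL_CONFIG)

if __name__ == "__main__":
    for dst in ("10.169.254.127", "10.223.0.5", "8.8.8.8", "172.16.5.5"):
        print(dst, "as configured:", pbr_next_hop(ACLS, ROUTE_MAP, "172.28.130.10", dst),
              "with /24 wildcard:", pbr_next_hop(ACLS_FIXED, ROUTE_MAP, "172.28.130.10", dst))
```

Run as-is, the script shows that with the ACL as configured a constructed destination such as 10.223.0.5 is also policy-routed to 10.255.255.5 (sequence 5), because the /8 wildcard covers all of 10.0.0.0/8, while with the 0.0.0.255 wildcard only 10.169.254.0/24 takes that path and every other 10.x destination falls to sequence 10 and the 10.255.255.2 next hop. Destinations in the RFC 1918 ranges the deny lines list get no PBR match at all and are forwarded by the routing table and EIGRP, which is the intended behaviour for internal traffic.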

Correct me if I am wrong:

Traffic from 172.28.130.0/23 to 10.169.254.0/24 next-hop is 10.255.255.5

Traffic from 172.28.130.0/23 to ANY next-hop is 10.255.255.2

Is this what you want?

Yes - that is our exact desire.

Thank you.

According to the config it is set-up and I do not see anything blocking it.  Where do your traces go from a workstation to the internet?

Have you done any debugs and checked the logs to see where it is going?

I haven't done anything in the way of debugging - only getting reports from users on that VLAN that they are being routed to 255.5 for Internet.

Which debug commands should I employ - and what's the best way to gather the data for uploading results here?

Let's try looking at the policy first

Here is a link for debugging the policy

http://www.cisco.com/en/US/docs/ios/12_1/debug/command/reference/dbdippim.html#wp1017236

OK - I issued 'debug ip policy' (it only allowed the global option; the only choice after the initial command was 'dynamic', so I couldn't designate a specific access-list name).

How do I grab the output? Not seeing anything coming up.

do this

undebug all

term mon

clear log

then issue the debug command again

Then run test to any internet site.

The output should scroll across the screen

issue undebug all

cut and paste the output to here

or

issue undebug all

sh log

and look for the debug output in the logs and paste here.

OK - this is a remote network from where I sit - so I'm sending someone there to generate some Internet traffic.  I did grab some initial data from the policy debug - but it's only for the network behind the 255.5 router: 

Dec 15 16:52:58.583: IP: s=172.28.130.10 (GigabitEthernet0/1.14), d=10.169.254.127, len 44, FIB policy match
Dec 15 16:52:58.583: IP: s=172.28.130.10 (GigabitEthernet0/1.14), d=10.169.254.127, g=10.255.255.5, len 44, FIB policy routed
Dec 15 16:52:58.583: IP: s=172.28.130.10 (GigabitEthernet0/1.14), d=10.169.254.127, len 86, FIB policy match
Dec 15 16:52:58.583: IP: s=172.28.130.10 (GigabitEthernet0/1.14), d=10.169.254.127, g=10.255.255.5, len 86, FIB policy routed
Dec 15 16:52:58.615: IP: s=172.28.130.10 (GigabitEthernet0/1.14), d=10.169.254.127, len 44, FIB policy match
Dec 15 16:52:58.615: IP: s=172.28.130.10 (GigabitEthernet0/1.14), d=10.169.254.127, g=10.255.255.5, len 44, FIB policy routed
Dec 15 16:52:58.615: IP: s=172.28.130.10 (GigabitEthernet0/1.14), d=10.169.254.127, len 72, FIB policy match
Dec 15 16:52:58.615: IP: s=172.28.130.10 (GigabitEthernet0/1.14), d=10.169.254.127, g=10.255.255.5, len 72, FIB policy routed
Dec 15 16:52:58.615: IP: s=172.28.130.10 (GigabitEthernet0/1.14), d=10.169.254.127, len 533, FIB policy match
Dec 15 16:52:58.615: IP: s=172.28.130.10 (GigabitEthernet0/1.14), d=10.169.254.127, g=10.255.255.5, len 533, FIB policy routed
Dec 15 16:52:58.615: IP: s=172.28.130.10 (GigabitEthernet0/1.14), d=10.169.254.127, len 340, FIB policy match
Dec 15 16:52:58.615: IP: s=172.28.130.10 (GigabitEthernet0/1.14), d=10.169.254.127, g=10.255.255.5, len 340, FIB policy routed
Dec 15 16:52:58.615: IP: s=172.28.130.10 (GigabitEthernet0/1.14), d=10.169.254.127, len 292, FIB policy match
Dec 15 16:52:58.615: IP: s=172.28.130.10 (GigabitEthernet0/1.14), d=10.169.254.127, g=10.255.255.5, len 292, FIB policy routed
Dec 15 16:52:58.663: IP: s=172.28.130.10 (GigabitEthernet0/1.14), d=10.169.254.127, len 44, FIB policy match
Dec 15 16:52:58.663: IP: s=172.28.130.10 (GigabitEthernet0/1.14), d=10.169.254.127, g=10.255.255.5, len 44, FIB policy routed

I'll post the results from ping/traceroutes here when I get them.

Again - thanks for all of your assistance!

Based on this it is working exactly the way it should be. The source is 172.28.130.10 and it is going to 10.169.254.127 and the gateway is 10.255.255.5. This is matching the PBR:

ip access-list extended JPI-254SUBNET
deny   ip 172.28.130.0 0.0.1.255 10.1.4.0 0.0.3.255
deny   ip 172.28.130.0 0.0.1.255 172.16.0.0 0.15.255.255
deny   ip 172.28.130.0 0.0.1.255 192.168.0.0 0.0.255.255
permit ip 172.28.130.0 0.0.1.255 10.169.254.0 0.255.255.255  <----matching this line
deny   ip any any

Then using this route-map:

route-map INETONLYJPI permit 5
match ip address JPI-254SUBNET
set ip next-hop 10.255.255.5

Ah .... (shamefaced)

Forgot an additional PBR configuration on an internal core switch behind the 10.255.255.2 router.  In effect - the PBRs on the VLAN3 router were working fine - the traffic just made a left turn after it entered 255.2 through another Internet gateway instead of a right turn to the correct gateway.

Sorry for all the confusion and wasting of your time.

Thanks again for all the help.

.... and Thanks to Edison too for his original assistance on an earlier post for the same issue.

Not a waste of time at all.

This is one of the biggest benefits of this forum.  This can be used as such a useful tool.  Sometimes it helps to bounce things off of someone and we often times find the answer or, like in this case, find something we missed.

I am glad it is working now!
