Cisco Support Community
Community Member

Traffic Not Passing From Subnet to Subnet Using Route-Maps

I need some help understanding why my two subnets are unable to communicate when two particular route-maps are enabled. Yes, I do realize that this is a somewhat strange setup.

Here's the background:

I have an 1841 router, a 5505 switch, a Linux-based UTM, and several machines on different VLANs. All of these are plugged into the 5505, except for the Internet facing interfaces of the 1841.

I have machines on VLAN6 that need to have their traffic filtered by the UTM before they go to the Internet or anywhere else. The default gateway for these machines is 10.6.1.1, fe 0/0.6 of the 1841 router.

Here's the UTM interface and routing info:

    Interfaces
    WAN      - eth0  192.168.2.2
    Internal - eth1  192.168.1.2

    Routes
    Target        Netmask                 Gateway
    10.6.1.0      24 (255.255.255.0)      192.168.1.1
    192.168.1.0   30 (255.255.255.252)    eth1
    192.168.2.4   30 (255.255.255.252)    br.eth0
    default                               192.168.2.1

Here's some relevant router interface info:

    interface FastEthernet 0/0.7
     ip address 192.168.1.1 255.255.255.252
    interface FastEthernet 0/0.8
     ip address 192.168.2.1 255.255.255.252

Using the following configuration, I force all traffic from the VLAN6 machines to the internal interface of the UTM (192.168.1.2/30 - VLAN7).

    ip sla 30
     icmp-echo 192.168.1.2
    ip sla schedule 30 life forever start-time now
    track 30 ip sla 30 reachability

    ip access-list extended VLAN6
     permit ip 10.6.1.0 0.0.0.255 any

    route-map VLAN6Filtering permit 10
     match ip address VLAN6
     set ip next-hop verify-availability 192.168.1.2 10 track 30

    interface FastEthernet 0/0.6
     ip address 10.6.1.1 255.255.255.0
     ip policy route-map VLAN6Filtering

The UTM is only routing. Once traffic has gone through the UTM it arrives back at the router on a separate sub-interface (f0/0.8 - IP address of 192.168.2.1/30 - VLAN8). After that, the traffic goes just fine to the Internet via the cable connection on f0/1.

I also have machines on VLAN9 (fastethernet 0/0.9 - IP address of 10.9.1.1). Because all outbound traffic from VLAN6 is routed through the UTM, I have to make sure that all traffic from other VLANs that needs to get to VLAN6 is routed to the external interface of the UTM (192.168.2.2/30). To do that, I do the following:

    ip sla 40
     icmp-echo 192.168.2.2
    ip sla schedule 40 life forever start-time now
    track 40 ip sla 40 reachability

    ip access-list extended TrafficToVLAN6
     permit ip any 10.6.1.0 0.0.0.255

    route-map RouteToVLAN6
     match ip address TrafficToVLAN6
     set ip next-hop verify-availability 192.168.2.2 10 track 40

    interface FastEthernet 0/0.9
     ip address 10.9.1.1 255.255.255.0
     ip policy route-map RouteToVLAN6

With this setup, I can access the Internet from VLAN6 just fine via the UTM. However, with this setup, I cannot pass traffic or run a successful traceroute from a machine on VLAN9 to a machine on VLAN6. The packets stop at the router's VLAN7 interface after initially passing through the router from VLAN6 to VLAN8, then through the UTM from VLAN8 to VLAN7, and then back to the router on VLAN7 (fastethernet 0/0.8 - 192.168.1.1), never reaching VLAN6 (fastethernet 0/0.6). Here's an example:

    traceroute to 10.6.1.15 (10.6.1.15), 30 hops max, 40 byte packets
     1  router (10.9.1.1)          9.223 ms  20.994 ms  22.305 ms
     2  192.168.2.2 (192.168.2.2)  5.731 ms   5.886 ms   6.027 ms
     3  192.168.1.1 (192.168.1.1)  23.548 ms  25.738 ms  27.030 ms
     4  192.168.1.1 (192.168.1.1)  29.667 ms  28.971 ms  28.304 ms
     5  * * *
     6  * * *
     7  * * *
     8  * * *
     9  * * *
    10  *

There are other VLANs as well, but there is no issue with connectivity from VLAN9 to those other VLANs (no route-maps involved). Please tell me how I can correct this error. Why isn't the router passing traffic out the other directly connected VLAN6 interface? What am I missing?

Thanks for any help you can give.

AB

2 REPLIES
Hall of Fame Super Silver

Re: Traffic Not Passing From Subnet to Subnet Using Route-Maps

Hello Alex,

I would suggest moving the VLAN6 IP subnet downstream of the UTM Linux box.

If you also want traffic to go through the UTM box for talking with the other VLAN subnets, then the best choice is to move the IP subnet to the inside of the UTM.

Having a nested configuration of PBR is a problem for troubleshooting too.

Then a simple static route can do the job on the router after the move.

Hope to help

Giuseppe

Community Member

Re: Traffic Not Passing From Subnet to Subnet Using Route-Maps

Thank you for the suggestion, Giuseppe. I believe the client did think about that at one point, but for certain reasons (I'm not sure of all of the details), they preferred the nested configuration.

I've resolved the issue by creating another route-map (applied to the VLAN6 interface) that routes all of the traffic from VLAN6 to each specific VLAN through the proper interfaces and routes all other traffic, Internet traffic, through the Linux UTM.
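One way to express the route-map this reply describes, written here as an added illustration and not as configuration taken from the thread. The ACL name VLAN6-LOCAL, the sequence numbers and the placeholder for additional local subnets are assumptions; the VLAN6, VLAN9 and UTM addresses are the ones given in the original post.

```cisco
! Added example, not the poster's configuration. VLAN6-LOCAL, sequence
! numbers and the extra-VLAN placeholder are assumed.

! Destinations that should be reached through the router's own connected
! interfaces instead of through the UTM.
ip access-list extended VLAN6-LOCAL
 permit ip 10.6.1.0 0.0.0.255 10.9.1.0 0.0.0.255
 ! one line per additional local VLAN subnet (placeholder, subnet assumed):
 ! permit ip 10.6.1.0 0.0.0.255 10.X.1.0 0.0.0.255

! Everything else sourced from VLAN6 (Internet-bound), as in the original post.
ip access-list extended VLAN6
 permit ip 10.6.1.0 0.0.0.255 any

! Sequence 5 is evaluated first. It matches but carries no set clause, so
! packets that match it are forwarded by the normal routing table and leave
! via the directly connected VLAN interface.
route-map VLAN6Filtering permit 5
 match ip address VLAN6-LOCAL

! Sequence 10 catches what is left and hands it to the UTM's inside
! interface, but only while the SLA tracker reports it reachable.
route-map VLAN6Filtering permit 10
 match ip address VLAN6
 set ip next-hop verify-availability 192.168.1.2 10 track 30

interface FastEthernet 0/0.6
 ip address 10.6.1.1 255.255.255.0
 ip policy route-map VLAN6Filtering
```

Two things to check after applying something like this: `show route-map VLAN6Filtering` reports per-sequence policy-routing match counters, so a VLAN6-to-VLAN9 ping should increment sequence 5 and an Internet-bound one sequence 10; `show track 30` confirms the tracker is up, since a down tracker makes sequence 10 fall through to normal routing as well. Note that with RouteToVLAN6 still applied on VLAN9, the VLAN9-to-VLAN6 direction keeps traversing the UTM while the VLAN6-to-VLAN9 replies bypass it; that is harmless for a UTM that is only routing, as the post states, but would matter if it ever did stateful inspection.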

258 Views, 0 Helpful, 2 Replies