06-09-2017 01:55 PM - edited 03-05-2019 08:41 AM
I have a requirement to ensure all traffic between 10.200.210.0/24 (in CA) and 10.200.210.0/24 (in AZ) be sent over a point-to-point between the two sites. Only traffic between the two above subnets is supposed to route over the P2P. All other traffic must be routed normally over an MPLS circuit.
I tried to do this using route-maps but it doesn't seem to be working.
Here are what I hope are the relevant configurations on each end
#------------------------------------------------
CA side (6506)
Extended IP access list ca2az-backups
10 permit ip 10.212.210.0 0.0.0.255 10.200.210.0 0.0.0.255 (573975 matches)
20 deny ip any any (28451 matches)
route-map ca2az-backups, permit, sequence 10
Match clauses:
ip address (access-lists): ca2az-backups
Set clauses:
ip next-hop 192.168.100.18
Policy routing matches: 294281 packets, 65891982 bytes
interface Vlan210
description Router to Branches
ip address 10.212.210.1 255.255.255.0
ip helper-address 10.212.3.3
ip policy route-map ca2az-backups
#------------------------------------------------
AZ side (3850)
Extended IP access list az2ca-backups
10 permit ip 10.200.210.0 0.0.0.255 10.212.210.0 0.0.0.255 (444 matches)
20 deny ip any any (27223 matches)
route-map az2ca-backups, permit, sequence 10
Match clauses:
ip address (access-lists): az2ca-backups
Set clauses:
ip next-hop 192.168.100.17
Policy routing matches: 222 packets, 134376 bytes
interface Vlan210
ip address 10.200.210.1 255.255.255.0
ip helper-address 10.200.100.250
ip policy route-map az2ca-backups
The traceroutes indicate the traffic is not using the P2P when going from AZ to CA.
#------------------------------------------------
Traceroute using mtr
CA -> AZ
HOST: scamanda01.lereta.com Loss% Snt Last Avg Best Wrst StDev
1. 10.212.210.1 0.0% 10 0.3 1.5 0.2 11.8 3.6
2. ??? 100.0 10 0.0 0.0 0.0 0.0 0.0
3. 10.200.210.50 0.0% 10 16.4 16.5 16.2 16.9 0.2
AZ -> CA
HOST: sazmanda01.lereta.net Loss% Snt Last Avg Best Wrst StDev
1. 10.200.210.1 0.0% 10 2.4 2.5 2.3 2.8 0.2
2. ??? 100.0 10 0.0 0.0 0.0 0.0 0.0
3. ??? 100.0 10 0.0 0.0 0.0 0.0 0.0
4. ??? 100.0 10 0.0 0.0 0.0 0.0 0.0
5. ??? 100.0 10 0.0 0.0 0.0 0.0 0.0
6. ??? 100.0 10 0.0 0.0 0.0 0.0 0.0
7. 10.212.210.50 0.0% 10 16.2 16.2 16.1 16.2 0.0
#------------------------------------------------
To make the situation even more weird
Traceroute using traceroute
CA -> AZ
traceroute to 10.200.210.50 (10.200.210.50), 30 hops max, 60 byte packets
1 10.212.210.1 (10.212.210.1) 60.886 ms 60.886 ms 60.840 ms
2 * * *
3 az-backup-bc.lereta.net (10.200.210.50) 16.232 ms 16.125 ms 16.207 ms
AZ -> CA
traceroute to 10.212.210.50 (10.212.210.50), 30 hops max, 60 byte packets
1 10.200.210.1 (10.200.210.1) 4.954 ms 5.024 ms 5.088 ms
2 * * *
3 10.212.210.50 (10.212.210.50) 16.144 ms 16.137 ms 16.092 ms
Firewalls are normally on but are turned off at both ends for testing.
Is this even the right approach? I found some example configs on the Internet that suggest it should but they are wrong or I messed something up.
06-09-2017 02:14 PM
Hi
Your configuration looks fine. Are you trying the traceroute from a Windows computer over that VLAN?
192.168.100.18 -- is the IP of the next hop, I mean AZ router?
192.168.100.17 -- is the IP of CA router?
You could modify the config to:
CA Router
ip access-list extended CA-ROUTER
permit ip 10.212.210.0 0.0.0.255 10.200.210.0 0.0.0.255
route-map ca2az-backups permit 5
match ip address CA-ROUTER
! next hop IP, it should be the IP on AZ router.
set ip next-hop 192.168.100.18
! the rest of the traffic originated from this SVI 210 will use the MPLS Circuit.
route-map ca2az-backups permit 100
interface Vlan210
ip policy route-map ca2az-backups
* I removed the deny ip any any
The configuration should be similar in AZ Router.
06-09-2017 02:39 PM
That worked. Thank you.
I think I even know why it worked and my configuration did not. Any day I learn something new is a good day.
#------------------------------------------------
CA side
Extended IP access list ca2az-backups
10 permit ip 10.212.210.0 0.0.0.255 10.200.210.0 0.0.0.255
route-map ca2az-backups, permit, sequence 10
Match clauses:
ip address (access-lists): ca2az-backups
Set clauses:
ip next-hop 192.168.100.18
Policy routing matches: 295829 packets, 66612462 bytes
route-map ca2az-backups, permit, sequence 100
Match clauses:
Set clauses:
Policy routing matches: 455964 packets, 69443897 bytes
interface Vlan210
description Router to Branches
ip address 10.212.210.1 255.255.255.0
ip helper-address 10.212.3.3
ip policy route-map ca2az-backups
#------------------------------------------------
AZ side
Extended IP access list az2ca-backups
10 permit ip 10.200.210.0 0.0.0.255 10.212.210.0 0.0.0.255
route-map az2ca-backups, permit, sequence 10
Match clauses:
ip address (access-lists): az2ca-backups
Set clauses:
ip next-hop 192.168.100.17
Policy routing matches: 1632 packets, 844164 bytes
route-map az2ca-backups, permit, sequence 100
Match clauses:
Set clauses:
Policy routing matches: 3 packets, 729 bytes
interface Vlan210
ip address 10.200.210.1 255.255.255.0
ip helper-address 10.200.100.250
ip policy route-map az2ca-backups
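Added example (not written by the thread's participants and not Cisco code): a simplified Python model of how the two-sequence route maps shown above classify a packet arriving on Vlan210, for checking that only the backup subnet pair is steered to the point-to-point and that both directions agree. The tuple layout and function names are assumptions for illustration, and platform-specific PBR behaviour is not modelled.

```python
import ipaddress
from dataclasses import dataclass

def _masked(ip, wildcard):
    # Wildcard bits set to 1 are "don't care"; keep only the bits that must match.
    return int(ipaddress.IPv4Address(ip)) & ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF

@dataclass
class Ace:
    """One 'permit|deny ip <src> <wildcard> <dst> <wildcard>' ACL entry."""
    permit: bool
    src: str
    src_wild: str
    dst: str
    dst_wild: str

    def matches(self, src_ip, dst_ip):
        return (_masked(src_ip, self.src_wild) == _masked(self.src, self.src_wild)
                and _masked(dst_ip, self.dst_wild) == _masked(self.dst, self.dst_wild))

def pbr_decision(route_map, src_ip, dst_ip):
    """Return the policy next hop, or None when the routing table decides (MPLS here)."""
    for _seq, acl, next_hop in sorted(route_map, key=lambda e: e[0]):
        if acl is None:          # permit sequence with no match clause: matches everything
            return next_hop      # no set clause either, so None means normal routing
        for ace in acl:          # first matching ACE decides for this sequence
            if ace.matches(src_ip, dst_ip):
                if ace.permit:
                    return next_hop
                break            # ACL deny: this sequence does not match, try the next
    return None                  # no sequence matched: normal routing

# Route maps as (sequence, ACL or None, next hop or None); values taken from the thread.
CA_MAP = [(10, [Ace(True, "10.212.210.0", "0.0.0.255", "10.200.210.0", "0.0.0.255")],
           "192.168.100.18"), (100, None, None)]
AZ_MAP = [(10, [Ace(True, "10.200.210.0", "0.0.0.255", "10.212.210.0", "0.0.0.255")],
           "192.168.100.17"), (100, None, None)]

def flow_paths(ca_host, az_host):
    """Next hop chosen in each direction for one CA/AZ host pair (symmetry check)."""
    return (pbr_decision(CA_MAP, ca_host, az_host),
            pbr_decision(AZ_MAP, az_host, ca_host))

if __name__ == "__main__":
    print(flow_paths("10.212.210.50", "10.200.210.50"))
```

A pair that returns a next hop in one direction and `None` in the other is taking asymmetric paths, which is the symptom the original traceroutes showed.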
06-09-2017 02:42 PM
Hi Stephen,
It was a pleasure,
have a great day!
:-)