12-24-2007 11:13 PM - edited 03-03-2019 08:02 PM
Are tunnel-encapsulated packets subject to local policy routing or not?
I have a router with two different ISPs' channels and have set up two tunnel interfaces with different source IPs accordingly. I set up a local policy to route each source IP to the corresponding ISP gateway, but only one tunnel actually works, perhaps by means of CEF per-destination load sharing; disabling CEF turns on per-packet load sharing, and then only half of the packets get passed through the tunnel, and the local policy doesn't work.
Any workarounds?
12-25-2007 02:15 AM
Also, it looks like load-balancing ruins static NAT as well.
Here is the full config:
version 12.4
!
ip cef
!
!
ip sla monitor 10
type echo protocol ipIcmpEcho CENT.RAL.SITE.IP source-interface FastEthernet0/0
request-data-size 512
verify-data
frequency 10
ip sla monitor schedule 10 life forever start-time now
ip sla monitor 20
type echo protocol ipIcmpEcho CENT.RAL.SITE.IP source-interface FastEthernet0/1
request-data-size 512
verify-data
frequency 10
ip sla monitor schedule 20 life forever start-time now
!
!
voice-card 0
!
!
!
!
!
!
ip ssh version 2
!
track 10 rtr 10
delay down 20 up 30
!
track 20 rtr 20
delay down 20 up 30
!
!
!
!
!
interface Tunnel0
ip address 10.35.4.110 255.255.255.252
tunnel source MY.ISP.1.IP
tunnel destination CENT.RAL.SITE.IP
!
interface Tunnel1
ip address 10.35.4.114 255.255.255.252
tunnel source MY.ISP.2.IP
tunnel destination CENT.RAL.SITE.IP
!
interface FastEthernet0/0
ip address MY.ISP.1.IP 255.255.255.240
ip nat outside
ip virtual-reassembly
ip route-cache flow
load-interval 30
duplex auto
speed auto
!
interface FastEthernet0/1
ip address MY.ISP.2.IP 255.255.255.252
ip flow egress
ip nat outside
ip virtual-reassembly
ip route-cache flow
load-interval 30
duplex auto
speed auto
!
interface FastEthernet0/3/0
!
interface FastEthernet0/3/1
!
interface FastEthernet0/3/2
!
interface FastEthernet0/3/3
!
interface Vlan1
ip address 10.23.5.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
router ospf 1
router-id 10.23.5.1
network 10.0.0.0 0.255.255.255 area 0.0.0.0
!
ip local policy route-map rm_local
ip route 0.0.0.0 0.0.0.0 MY.ISP.1.GW track 10
ip route 0.0.0.0 0.0.0.0 MY.ISP.2.GW track 20
ip route 0.0.0.0 0.0.0.0 MY.ISP.1.GW 200
ip route 0.0.0.0 0.0.0.0 MY.ISP.2.GW 200
!
!
ip nat pool pool_isp1 MY.ISP.1.IP MY.ISP.1.IP prefix-length 28
ip nat pool pool_isp2 MY.ISP.2.IP MY.ISP.2.IP prefix-length 30
!
ip nat inside source route-map rm_nat_isp1 pool pool_isp1 overload
ip nat inside source route-map rm_nat_isp2 pool pool_isp2 overload
!
ip nat inside source static tcp 10.23.7.2 3389 MY.ISP.2.IP 3389 extendable
ip nat inside source static tcp 10.23.6.123 3389 MY.ISP.2.IP 3390 extendable
ip nat inside source static tcp 10.23.7.2 3389 MY.ISP.1.IP 3389 extendable
ip nat inside source static tcp 10.23.6.123 3389 MY.ISP.1.IP 3390 extendable
!
ip access-list extended local_isp12any
deny ip host MY.ISP.1.IP 10.0.0.0 0.255.255.255
permit ip host MY.ISP.1.IP any
ip access-list extended local_isp22any
deny ip host MY.ISP.2.IP 10.0.0.0 0.255.255.255
permit ip host MY.ISP.2.IP any
!
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 2 permit 10.0.0.0 0.255.255.255
!
route-map rm_nat_isp2 permit 10
match ip address 1
match interface FastEthernet0/1
!
route-map rm_nat_isp1 permit 10
match ip address 1
match interface FastEthernet0/0
!
route-map rm_local permit 10
match ip address local_isp12any
match interface FastEthernet0/0
set ip next-hop MY.ISP.1.GW
!
route-map rm_local permit 20
match ip address local_isp22any
match interface FastEthernet0/1
set ip next-hop MY.ISP.2.GW
!
12-26-2007 02:03 AM
What do you see when you do a debug ip policy?
It should show you that the policy is being matched.
Narayan
12-26-2007 02:42 AM
Nothing.
I've got messages about packets sent back into the tunnel,
but no messages about encapsulated packets generated by that tunnel itself,
like:
Dec 26 2007 13:36:31 MSK: IP: s=10.35.4.114 (local), d=10.35.4.113, len 84, policy rejected -- normal forwarding
and I see with tcpdump on a monitoring Unix box that packets leave out of the wrong interface, destined to the wrong gateway, with the correct source address, and of course get filtered by the ISP.
12-26-2007 02:50 AM
Have you allowed the source interface from where you are trying in the access-list referencing the local policy?
You need to do an extended trace with the above source interface to verify.
Narayan
12-26-2007 02:57 AM
Of course I did.
Here is what I googled:
CSCds24740 Bug Details
GRE packets are not subject to local policy routing
Symptom and conditions:
GRE packets are not subject to local policy routing though they are
originated by router itself. I.e. it is expected that in this configuration:
!
interface Tunnel0
ip address 192.168.2.1 255.255.255.0
tunnel source Loopback0
tunnel destination 192.168.1.2
!
ip local policy route-map dev
!
route-map dev permit 10
set ip precedence critical
set ip next-hop 192.168.4.2
!
GRE packets will receive higher priority and deviate from normal routing path.
But currently GRE-encapsulated packets ignore this policy routing map.
I can't access that link myself. Is there any kind of bugfix in the near future or in more recent IOSes?
PS: the proposed workaround would not work for me, because I am trying to make two tunnels to the same destination address.
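The behaviour described in this thread, as an added model that is not part of the original posts or of IOS: locally originated GRE packets are forwarded under three modes (local policy applied, CEF per-destination load sharing with the policy skipped as in CSCds24740, and per-packet load sharing), and the fraction of each tunnel's packets that leave via its own ISP is computed. The addresses are constructed stand-ins for the thread's MY.ISP.x.IP / CENT.RAL.SITE.IP placeholders, and the flow hash is a simplified stand-in for CEF's, not the real algorithm.

```python
"""Model of how locally originated GRE packets pick a next hop when two
equal-cost default routes exist and a local policy route-map is configured."""
from dataclasses import dataclass
from itertools import cycle

# Constructed addresses standing in for the thread's placeholders.
ISP1_IP, ISP1_GW = "192.0.2.1", "192.0.2.14"
ISP2_IP, ISP2_GW = "198.51.100.2", "198.51.100.1"
CENTRAL = "203.0.113.11"
# rm_local reduced to its intent: each tunnel source must use its own ISP gateway.
LOCAL_POLICY = {ISP1_IP: ISP1_GW, ISP2_IP: ISP2_GW}
DEFAULT_ROUTES = [ISP1_GW, ISP2_GW]  # the two tracked 0.0.0.0/0 routes


@dataclass(frozen=True)
class GrePacket:
    src: str  # outer source = tunnel source (ISP-facing interface address)
    dst: str  # outer destination = tunnel destination


def cef_bucket(pkt):
    """Stand-in for CEF's per-destination hash: parity of the summed octets."""
    return sum(int(o) for o in f"{pkt.src}.{pkt.dst}".split(".")) % 2


def next_hop(pkt, mode, rr=None):
    """Gateway chosen for one GRE packet under the given forwarding mode."""
    if mode == "policy":  # what `ip local policy` would do if it saw GRE packets
        return LOCAL_POLICY.get(pkt.src) or DEFAULT_ROUTES[cef_bucket(pkt)]
    if mode == "per-destination":  # policy bypassed, CEF picks by flow hash
        return DEFAULT_ROUTES[cef_bucket(pkt)]
    if mode == "per-packet":  # policy bypassed, no CEF: alternate per packet
        return next(rr)
    raise ValueError(mode)


def tunnel_health(mode, packets_per_tunnel=10):
    """Fraction of each tunnel's GRE packets that leave via the correct ISP.
    A packet sent to the wrong ISP carries the other ISP's source address and
    is dropped by that ISP's ingress filtering, which is what tcpdump showed."""
    rr = cycle(DEFAULT_ROUTES)
    health = {}
    for src in (ISP1_IP, ISP2_IP):
        ok = 0
        for _ in range(packets_per_tunnel):
            pkt = GrePacket(src, CENTRAL)
            ok += next_hop(pkt, mode, rr) == LOCAL_POLICY[src]
        health[src] = ok / packets_per_tunnel
    return health


if __name__ == "__main__":
    for mode in ("policy", "per-destination", "per-packet"):
        print(mode, tunnel_health(mode))
```

With the policy applied both tunnels reach their own ISP; with it bypassed, the flow hash sends one tunnel's packets consistently through the wrong ISP (only one tunnel works), and per-packet sharing misroutes half of each tunnel's packets.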