979 Views, 0 Helpful, 10 Replies

VLAN routing

iholdings
Level 1

Greetings,

We have the following VLAN sub-interface, ACLs and route-map configured on one of our WAN routers on our private IP network:

interface GigabitEthernet0/1.14
description ** JPI **
encapsulation dot1Q 14
ip address 172.28.130.1 255.255.254.0
ip access-group INETJPI-ONLY in
ip policy route-map INETONLYJPI
no snmp trap link-status

ip access-list extended INETJPI-ONLY
permit udp any any eq bootpc
deny   ip any 10.1.4.0 0.0.3.255
deny   ip any 172.16.0.0 0.15.255.255
deny   ip any 192.168.0.0 0.0.255.255
permit icmp any any
permit ip any any

route-map INETONLYJPI permit 10
match ip address JPI-INETONLY-NETS
set ip next-hop 10.255.255.5

The network behind next-hop WAN router 10.255.255.5 is 10.169.254.69/24.  In addition - all Internet traffic is currently routed to this same subnet and goes out an internet gateway on that subnet.

We need to continue to route traffic destined for the 10.169.254.69/24 subnet - but redirect Internet traffic to another WAN router that has an Internet gateway.

Can this be done?

Thank you.

10 Replies

Edison Ortiz
Hall of Fame

We need to continue to route traffic destined for the 10.169.254.69/24 subnet - but redirect Internet traffic to another WAN router that has an Internet gateway.

Can this be done?

We can't provide assistance on traffic destined to 10.169.254.69 based on your post.

The PBR will affect traffic leaving the VLAN below - in this case traffic matching the ACL will point to 255.5 as the next hop.

If you want to change the next hop for internet traffic, you can modify your ACL or modify the 'set ip next-hop'.

With the limited information provided, very hard to tell.

Regards

Edison.

Thanks for your reply.

I just realized that I left this off of the post:


ip access-list extended INETJPI-ONLY
permit udp any any eq bootpc
deny   ip any 10.1.4.0 0.0.3.255
deny   ip any 172.16.0.0 0.15.255.255
deny   ip any 192.168.0.0 0.0.255.255
permit icmp any any
permit ip any any

As far as I can see in the router config. - these are the only elements that control what traffic heads for 10.255.255.5.

So - is this where I would adjust ACL parameters to split traffic exiting the VLAN?  I guess I don't know how to redefine the ACLs and apply the correct route-map to service both routes.  The WAN IP for the Internet traffic is 10.255.255.2 - and I know what to do on that router to pass traffic to the internet from this VLAN - just not how to configure the ACL(s) and route-maps.

Thanks again for your assistance.

I posted the same ACL you had before. I still can't see the ACL that relates to the PBR.

Do you have any routing protocol running?

If so, what's the destination for subnets other than the internet - is it 255.5 ?

If 255.5 handles routes other than the internet in your routing table, you can change the 'set ip next hop' to 'set ip default next hop' and have 255.2 as the router to handle routes that do not exist in the routing table, in other words 0.0.0.0 (internet).

Regards

Edison

Sorry - I thought I was providing the elements needed to ask the question.

Obviously not.

I've attached the sanitized router configuration.  We employ EIGRP across our WAN routers.

Thanks

Your PBR is calling this route-map

route-map INETONLYJPI permit 10
match ip address JPI-INETONLY-NETS
set ip next-hop 10.255.255.5

The route-map is calling this ACL

ip access-list extended JPI-INETONLY-NETS
deny   ip 172.28.130.0 0.0.1.255 10.1.4.0 0.0.3.255
deny   ip 172.28.130.0 0.0.1.255 172.16.0.0 0.15.255.255
deny   ip 172.28.130.0 0.0.1.255 192.168.0.0 0.0.255.255
permit ip 172.28.130.0 0.0.1.255 any
deny   ip any any

That ACL tells me that only 130.x and 131.x will use 255.5, and for all traffic, correct?

Now you want 130.x and 131.x to use 255.2 for internet and 255.5 for other traffic?

My question is, what is this other traffic and if you look at the routing table, is it pointing to 255.5 ?

And why this other traffic needs to point to 255.5 and not follow the current routing table?

My recommendation is changing the route-map as follows:

route-map INETONLYJPI permit 10
  match ip address JPI-INETONLY-NETS
  set ip default next-hop 10.255.255.2

The 'default' keyword will instruct the router to use 10.255.255.2 only for default gateway forwarding and use the routing table for other routes.

Hope it makes sense.

Regards

Edison

I really appreciate all of your prompt assistance.  Learning a lot just through this exchange.

Per the configuration, some of the other VLANs defined are strictly for guest hosts connecting to the Internet - via the 10.255.255.2 route.  They do not touch any other network - including the network behind 255.2 - they are just funneled directly out that Internet gateway.

The 130.x and 131.x VLAN is a special case since it does need to touch the network behind 255.5 - as well as use the Internet gateway on that network.  For various reasons - I now need to split the traffic so that traffic leaving the 130 and 131 VLAN can still get to the 255.5 network (10.169.254.69/24) but all Internet traffic from that VLAN goes to 255.2.

Given this - will your suggestion to change the route-map fix this based on our routing set-up (both EIGRP and statics)?

Accepted Solution

This should work, please test it before final deployment as I can't test it myself:

route-map INETONLYJPI permit 5
match ip address JPI-254SUBNET
set ip next-hop 10.255.255.5

route-map INETONLYJPI permit 10
match ip address JPI-INETONLY-NETS
set ip next-hop 10.255.255.2

ip access-list extended JPI-254SUBNET
deny   ip 172.28.130.0 0.0.1.255 10.1.4.0 0.0.3.255
deny   ip 172.28.130.0 0.0.1.255 172.16.0.0 0.15.255.255
deny   ip 172.28.130.0 0.0.1.255 192.168.0.0 0.0.255.255
permit ip 172.28.130.0 0.0.1.255 10.169.254.0 0.0.0.255
deny   ip any any

ip access-list extended JPI-INETONLY-NETS
deny   ip 172.28.130.0 0.0.1.255 10.1.4.0 0.0.3.255
deny   ip 172.28.130.0 0.0.1.255 172.16.0.0 0.15.255.255
deny   ip 172.28.130.0 0.0.1.255 192.168.0.0 0.0.255.255
permit ip 172.28.130.0 0.0.1.255 any
deny   ip any any

Edison,

Will do.  I'll report back on success.

Thanks.

Hi Edison,

Ok - these changes appear not to have worked.  Internet traffic is still being routed to 255.5.

Here are the rules I added:  (I include the VLAN sub-interface settings in case I missed something there that needs to be adjusted - which I'm betting I did)

interface GigabitEthernet0/1.14
description ** JPI **
encapsulation dot1Q 14
ip address 172.28.130.1 255.255.254.0
ip access-group INETJPI-ONLY in
ip policy route-map INETONLYJPI
no snmp trap link-status

ip access-list extended INETJPI-ONLY
permit udp any any eq bootpc
deny   ip any 10.1.4.0 0.0.3.255
deny   ip any 172.16.0.0 0.15.255.255
deny   ip any 192.168.0.0 0.0.255.255
permit ip any any

ip access-list extended JPI-254SUBNET
deny   ip 172.28.130.0 0.0.1.255 10.1.4.0 0.0.3.255
deny   ip 172.28.130.0 0.0.1.255 172.16.0.0 0.15.255.255
deny   ip 172.28.130.0 0.0.1.255 192.168.0.0 0.0.255.255
permit ip 172.28.130.0 0.0.1.255 10.0.0.0 0.255.255.255
deny   ip any any

ip access-list extended JPI-INETONLY-NETS
deny   ip 172.28.130.0 0.0.1.255 10.1.4.0 0.0.3.255
deny   ip 172.28.130.0 0.0.1.255 172.16.0.0 0.15.255.255
deny   ip 172.28.130.0 0.0.1.255 192.168.0.0 0.0.255.255
permit ip 172.28.130.0 0.0.1.255 any
deny   ip any any

route-map INETONLYJPI permit 5
match ip address JPI-254SUBNET
set ip next-hop 10.255.255.5


route-map INETONLYJPI permit 10
match ip address JPI-INETONLY-NETS
set ip next-hop 10.255.255.2

For some reason - in the JPI-254SUBNET ACL - it would not accept 'permit ip 172.28.130.0 0.0.1.255 10.169.254.69 0.255.255.255' - but instead substituted 10.0.0.0 in its place.

Thanks again for all your help.

Thanks Edison - your help solved the problem.
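The three decisions this thread turns on (Edison's earlier 'set ip default next-hop' suggestion, the two-sequence route-map in the accepted answer, and the wildcard normalisation the original poster ran into when the router stored 10.169.254.69 0.255.255.255 as 10.0.0.0) can be checked offline before touching the router. The simulator below is an added example in Python; it is not code from the thread or from Cisco. It models only IP source/destination matching (protocol and port qualifiers such as 'eq bootpc' are ignored, so it does not model the inbound INETJPI-ONLY ACL), and the routing table, the VLAN host 172.28.130.10 and the sample destinations are assumptions, not taken from the posts.

```python
# Added example (not from the thread or from Cisco): simulates how IOS evaluates the
# ACLs and route-maps posted above. Only IP src/dst matching is modelled; the routing
# table is assumed, since the thread mentions EIGRP and statics but shows neither.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

ALL = 0xFFFFFFFF

def _ip(s: str) -> int:
    return int(IPv4Address(s))

def normalize(addr: str, wildcard: str) -> str:
    """Zero the wildcard's don't-care bits as IOS does: 10.169.254.0 0.255.255.255 -> 10.0.0.0."""
    return str(IPv4Address(_ip(addr) & ~_ip(wildcard) & ALL))

@dataclass(frozen=True)
class Ace:
    """One extended-ACL entry; protocol/port qualifiers (e.g. 'eq bootpc') are ignored."""
    action: str
    src: str
    src_wc: str
    dst: str
    dst_wc: str

    @classmethod
    def parse(cls, line: str) -> "Ace":
        tokens = line.split()
        action, rest = tokens[0], tokens[2:]  # tokens[1] is the protocol keyword

        def take(toks: List[str]) -> Tuple[str, str, List[str]]:
            if toks[0] == "any":
                return "0.0.0.0", "255.255.255.255", toks[1:]
            if toks[0] == "host":
                return toks[1], "0.0.0.0", toks[2:]
            return toks[0], toks[1], toks[2:]

        src, src_wc, rest = take(rest)
        dst, dst_wc, _ = take(rest)
        return cls(action, normalize(src, src_wc), src_wc, normalize(dst, dst_wc), dst_wc)

    def matches(self, src: str, dst: str) -> bool:
        return ((_ip(src) & ~_ip(self.src_wc) & ALL) == _ip(self.src)
                and (_ip(dst) & ~_ip(self.dst_wc) & ALL) == _ip(self.dst))

def acl_permits(acl: List[Ace], src: str, dst: str) -> bool:
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for ace in acl:
        if ace.matches(src, dst):
            return ace.action == "permit"
    return False

def lookup(table: List[Tuple[str, str]], dst: str) -> Optional[Tuple[IPv4Network, str]]:
    """Longest-prefix match over (prefix, next-hop) pairs; None if no route."""
    best = None
    for prefix, nh in table:
        net = IPv4Network(prefix)
        if IPv4Address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best

@dataclass(frozen=True)
class Seq:
    acl: str
    next_hop: str
    default_only: bool = False  # True models 'set ip default next-hop'

def pbr_next_hop(route_map: List[Seq], acls: Dict[str, List[Ace]],
                 table: List[Tuple[str, str]], src: str, dst: str) -> str:
    """Next hop for src->dst arriving on an interface with 'ip policy route-map'."""
    route = lookup(table, dst)
    for seq in route_map:
        if not acl_permits(acls[seq.acl], src, dst):
            continue
        # 'default next-hop' yields to any route more specific than 0.0.0.0/0;
        # plain 'next-hop' overrides the routing table outright.
        if seq.default_only and route is not None and route[0].prefixlen > 0:
            return route[1]
        return seq.next_hop
    return route[1] if route is not None else "no route"

def build_acls(subnet_wildcard: str) -> Dict[str, List[Ace]]:
    """The accepted answer's two ACLs; the 10.169.254.0 permit's wildcard is a parameter
    so the posted /8 form and the intended /24 form can be compared."""
    denies = ["deny ip 172.28.130.0 0.0.1.255 10.1.4.0 0.0.3.255",
              "deny ip 172.28.130.0 0.0.1.255 172.16.0.0 0.15.255.255",
              "deny ip 172.28.130.0 0.0.1.255 192.168.0.0 0.0.255.255"]
    subnet = denies + [f"permit ip 172.28.130.0 0.0.1.255 10.169.254.0 {subnet_wildcard}",
                       "deny ip any any"]
    inet = denies + ["permit ip 172.28.130.0 0.0.1.255 any", "deny ip any any"]
    return {"JPI-254SUBNET": [Ace.parse(l) for l in subnet],
            "JPI-INETONLY-NETS": [Ace.parse(l) for l in inet]}

# Route-map from the accepted answer (sequence 5, then 10), Edison's earlier
# single-sequence 'set ip default next-hop' suggestion, and the assumed routing table.
ROUTE_MAP = [Seq("JPI-254SUBNET", "10.255.255.5"), Seq("JPI-INETONLY-NETS", "10.255.255.2")]
DEFAULT_NH_MAP = [Seq("JPI-INETONLY-NETS", "10.255.255.2", default_only=True)]
TABLE = [("0.0.0.0/0", "10.255.255.5"), ("10.169.254.0/24", "10.255.255.5")]

def decide(subnet_wildcard: str, dst: str, src: str = "172.28.130.10") -> str:
    """Next hop the accepted answer's route-map picks for a VLAN 14 host, given the wildcard."""
    return pbr_next_hop(ROUTE_MAP, build_acls(subnet_wildcard), TABLE, src, dst)
```

Calling decide("0.255.255.255", dst) and decide("0.0.0.255", dst) side by side shows the check worth making before deployment: with the /8 wildcard the JPI-254SUBNET permit is stored as 10.0.0.0 and every 10.0.0.0/8 destination from the VLAN is policy-routed to 10.255.255.5, whereas with 0.0.0.255 only 10.169.254.0/24 goes there and every other destination the ACL permits goes to 10.255.255.2. On the router, show ip access-lists JPI-254SUBNET displays the same normalised address, which is how the substitution the original poster noticed can be spotted. The DEFAULT_NH_MAP variant reproduces Edison's point that 'set ip default next-hop' leaves destinations with a specific route (here 10.169.254.0/24) to the routing table and only redirects traffic that would otherwise follow the default route.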
