DeltaR7
asked on
Policy based routing issue
Hi
I've got a problem with policy based routing.
Setup: 4 locations in Europe, MPLS. For my main location I've got a Cisco 4507, with VLANs and acting as router, connected to a Cisco router (10.40.0.2, internet access through MPLS) and a backup router (10.40.0.3, VPN site to site, direct internet access). Now, for the IT people here I would like to use the backup line ONLY for internet access.
All traffic for other sites must go over the MPLS.
As a test I used my own IP 10.40.0.164.
I have added the following statements to the 4507:
access-list 110 remark Set DG for IT to 10.40.0.2
access-list 110 permit ip host 10.40.0.164 10.10.0.0 0.0.15.255
access-list 110 permit ip host 10.40.0.164 10.20.0.0 0.0.0.255
access-list 110 permit ip host 10.40.0.164 10.30.0.0 0.0.0.255
access-list 110 permit ip host 10.40.0.164 10.40.0.0 0.0.15.255
access-list 110 permit ip host 10.40.0.164 192.168.100.28 0.0.0.3
access-list 110 permit ip host 10.40.0.164 192.168.100.20 0.0.0.3
access-list 110 permit ip host 10.40.0.164 192.168.100.40 0.0.0.3
access-list 110 permit ip host 10.40.0.164 192.168.100.60 0.0.0.3
access-list 110 permit ip host 10.40.0.164 192.168.100.80 0.0.0.3
access-list 110 permit ip host 10.40.0.164 192.168.100.100 0.0.0.3
access-list 110 deny ip host 10.40.0.164 any
access-list 110 permit ip any any
access-list 111 remark Set DG for IT to 10.40.0.3
access-list 111 permit ip any any
route-map InternetIT permit 10
match ip address 110
set ip next-hop 10.40.0.2
route-map InternetIT permit 20
match ip address 111
set ip next-hop 10.40.0.3
interface vlan 1
ip policy route-map InternetIT
The test works for me: all my internet traffic is routed to the backup router.
HOWEVER: all people connected to VLANs other than VLAN 1 on my 4507 can't reach the other 3 locations any more.
Any help would be much appreciated.
Try removing this line: access-list 110 permit ip any any.
ASKER
If I removed:
access-list 110 permit ip any any
all the traffic other than my own would go via the backup router 10.40.0.3 instead of the primary 10.40.0.2, no?
Sorry. I was confused by this line: "access-list 110 remark Set DG for IT to 10.40.0.2 ".
Also, rereading, I see that folks on Vlan1 are still routed correctly, but that users on other Vlan interfaces run into problems.
Could the PBR rule be blocking/rerouting dynamic routing updates?
ASKER
Is it possible that, e.g., a user from VLAN 20 (IP 10.40.2.33) wants to get to a local server 10.40.0.5 or to another location 10.10.0.5, and
the first routing policy accepts the packet via "110 permit ip any any" and sets the next hop to 10.40.0.2 rather than forwarding it out to the correct VLAN interface? The router accepts the packet and forwards it back to the switch 10.40.0.5 in VLAN 1. Here I think the packet is stuck due to the PBR.
In case the packet is for another location, it arrives there but it cannot get back to VLAN 20 due to the same PBR rule.
Now, if my theory is correct, how do I solve this issue? :)
I think you are exactly correct.
To fix, add deny statements at the beginning of your access lists for all internal destinations, just as you have in access list 110 for host 10.40.0.164.
Just replicate the lines, but replace "host 10.40.0.164" with "any".
ASKER
I think a deny any 10.40.0.0 0.0.15.255 would cause traffic to go to:
route-map InternetIT permit 20
match ip address 111
set ip next-hop 10.40.0.3
This would route all traffic over the backup line (10.40.0.3).
However, I've come up with a different solution:
Instead of applying the route map to the core switch, I've placed it on the primary router 10.40.0.2:
same ACLs
route-map InternetIT permit 10
match ip address 110
set ip next-hop 192.168.100.42 -- WAN IP
!
route-map InternetIT permit 20
match ip address 111
set ip next-hop 10.40.0.3
This seems to do the job as required.
ASKER CERTIFIED SOLUTION
ASKER
OK, I'll try this solution this Friday evening when I can have some downtime.
ASKER
I finally had some spare time to test this and indeed the deny for both ACLs did the trick. Thank you!
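As an added illustration (not part of the original thread, and not the switch's own code), here is a small Python model of the ACL and route-map evaluation the asker's theory describes. It encodes ACLs 110 and 111 and route-map InternetIT exactly as posted in the first message, plus the variant with "deny ip any <internal destination>" lines prepended to BOTH ACLs, as suggested in the reply and confirmed in the last comment. It then evaluates the packets from the asker's theory: a return packet from site 10.10.0.5 to the VLAN 20 host 10.40.2.33, entering the 4507 on VLAN 1 from the MPLS router, is policy-routed straight back to 10.40.0.2 under the original config (the loop), but falls through to normal routing once the deny lines are in place, while IT internet traffic still goes to 10.40.0.3. The wildcard-mask and first-match semantics are standard Cisco ACL behaviour; the non-IT VLAN 1 user 10.40.0.10 and the internet destination 8.8.8.8 are constructed sample values.

```python
import ipaddress

# Added example: a model of Cisco ACL + PBR route-map evaluation for the
# configuration in this thread. Sample packets are constructed; only
# first-match ACL semantics and permit-sequence route-map semantics are modelled.

# Internal destinations from ACL 110 in the first post: (base, wildcard)
INTERNAL_DESTINATIONS = [
    ("10.10.0.0", "0.0.15.255"), ("10.20.0.0", "0.0.0.255"),
    ("10.30.0.0", "0.0.0.255"), ("10.40.0.0", "0.0.15.255"),
    ("192.168.100.28", "0.0.0.3"), ("192.168.100.20", "0.0.0.3"),
    ("192.168.100.40", "0.0.0.3"), ("192.168.100.60", "0.0.0.3"),
    ("192.168.100.80", "0.0.0.3"), ("192.168.100.100", "0.0.0.3"),
]
IT_HOST = "10.40.0.164"  # the asker's test host


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit in the mask means that bit must match."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)


def _parse_target(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD' from the front of the token list."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def acl_permits(acl_lines, src, dst):
    """First matching entry wins; an ACL with no matching entry denies implicitly."""
    for line in acl_lines:
        tokens = line.split()
        action, proto = tokens[0], tokens[1]
        if proto != "ip":
            raise ValueError("only 'ip' entries are modelled: " + line)
        (sb, sw), rest = _parse_target(tokens[2:])
        (db, dw), _ = _parse_target(rest)
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action == "permit"
    return False


def policy_route(route_map, src, dst):
    """route_map is an ordered list of (acl_lines, next_hop) permit sequences.
    The first sequence whose ACL permits the packet sets the next hop; if no
    sequence matches, PBR falls through to normal destination-based routing (None)."""
    for acl_lines, next_hop in route_map:
        if acl_permits(acl_lines, src, dst):
            return next_hop
    return None


def original_route_map():
    """ACL 110 / 111 and route-map InternetIT as posted in the first message."""
    acl110 = [f"permit ip host {IT_HOST} {b} {w}" for b, w in INTERNAL_DESTINATIONS]
    acl110 += [f"deny ip host {IT_HOST} any", "permit ip any any"]
    acl111 = ["permit ip any any"]
    return [(acl110, "10.40.0.2"), (acl111, "10.40.0.3")]


def fixed_route_map():
    """Same, with 'deny ip any <internal>' prepended to BOTH ACLs, so a packet
    to any internal destination matches no sequence and is routed normally."""
    deny_internal = [f"deny ip any {b} {w}" for b, w in INTERNAL_DESTINATIONS]
    return [(deny_internal + acl, hop) for acl, hop in original_route_map()]


if __name__ == "__main__":
    cases = [  # constructed sample packets (src, dst)
        ("IT host to the internet", IT_HOST, "8.8.8.8"),
        ("IT host to another site", IT_HOST, "10.10.0.5"),
        ("non-IT VLAN 1 user to the internet", "10.40.0.10", "8.8.8.8"),
        ("return traffic from 10.10.0.5 to VLAN 20 host, entering on VLAN 1",
         "10.10.0.5", "10.40.2.33"),
    ]
    for label, src, dst in cases:
        before = policy_route(original_route_map(), src, dst)
        after = policy_route(fixed_route_map(), src, dst)
        print(f"{label}: original -> {before or 'normal routing'}, "
              f"fixed -> {after or 'normal routing'}")
```

The model shows why "deny for both ACLs" is needed: with the deny lines only in ACL 110, internal traffic would drop into sequence 20 and be sent to 10.40.0.3, exactly the concern raised before the router-side workaround; with them in both ACLs, internal traffic matches no sequence and the switch routes it from its own table.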