Teknocraft (asker)

Cisco L3 Catalyst WS-C3560-8PC-S Policy Based Routing Issues

Hi There!

I've been trying to configure Policy Based Routing on a L3 switch, but unfortunately seem to have missed something really obvious!

All traffic to subnet 141.101.120.0/24 should be sent to FastEthernet 0/1 - Router 1
--This is just an example range for now, and will probably be expanded in the future.
All other traffic should be sent to FastEthernet 0/2 - Router 2

I've got a laptop connected to GigabitEthernet 0/1 on 192.168.24.55, with its default gateway set to 192.168.24.252 - I can ping the internal vlan IPs: 10.10.10.48 and 172.16.0.1 and 192.168.24.252, but am unable to ping any internet IPs - and "debug ip policy" doesn't show any hits.

Doing the same pings from the switch does yield results, and these show up under the debug:

Switch#
*Mar  1 00:41:01.125: IP: s=10.10.10.48 (local), d=8.8.8.8, len 100, policy match
*Mar  1 00:41:01.125: IP: route map WAN1, item 20, permit
*Mar  1 00:41:01.125: IP: s=10.10.10.48 (local), d=8.8.8.8 (Vlan4), len 100, policy routed
*Mar  1 00:41:01.125: IP: local to Vlan4 10.10.10.1

Switch#ping 141.101.120.14
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 141.101.120.14, timeout is 2 seconds:

*Mar  1 00:41:24.093: IP: s=10.10.10.48 (local), d=141.101.120.14, len 100, policy match
*Mar  1 00:41:24.093: IP: route map WAN1, item 10, permit
*Mar  1 00:41:24.093: IP: s=10.10.10.48 (local), d=141.101.120.14 (Vlan3), len 100, policy routed
*Mar  1 00:41:24.093: IP: local to Vlan3 172.16.0.2.

So, the main problem is: The laptop doesn't seem to get routed <anywhere> - I can't even get internet access, let alone anything else - is something configured incorrectly there?

The second problem is - pings aren't returned when routed through 172.16.0.2 which is a working internet connection, as proved by this:

Switch#ping tag 141.101.120.14 source vlan 3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 141.101.120.14, timeout is 2 seconds:
Packet sent with a source address of 172.16.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/9 ms
Switch#
*Mar  1 00:43:31.767: IP: s=172.16.0.1 (local), d=141.101.120.14, len 100, policy match
*Mar  1 00:43:31.767: IP: route map WAN1, item 10, permit
*Mar  1 00:43:31.767: IP: s=172.16.0.1 (local), d=141.101.120.14 (Vlan3), len 100, policy routed
*Mar  1 00:43:31.767: IP: local to Vlan3 172.16.0.2


Below is the sh ru, sh ve and sh sdm prefer!

Any help gratefully received!

Many Thanks,

Dave




Switch#sh ru
Building configuration...

Current configuration : 3697 bytes
!
! Last configuration change at 00:30:08 UTC Mon Mar 1 1993
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
system mtu routing 1500
ip routing
no ip domain-lookup
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/1
 description Uplink to WAN Router
 switchport access vlan 3
!
interface FastEthernet0/2
 description Uplink to ADSL2+ Connection
 switchport access vlan 4
!
interface FastEthernet0/3
 shutdown
!
interface FastEthernet0/4
 shutdown
!
interface FastEthernet0/5
 shutdown
!
interface FastEthernet0/6
 shutdown
!
interface FastEthernet0/7
 shutdown
!
interface FastEthernet0/8
 description Admin Access
 switchport mode access
!
interface GigabitEthernet0/1
 description Uplink to PC Switch
 no switchport
 ip address 192.168.24.252 255.255.255.0
 ip policy route-map WAN1
!
interface Vlan1
 description Admin Access
 ip address 192.168.0.1 255.255.255.0
!
interface VlaWAN1
 description Uplink to WAN Router
 ip address 172.16.0.1 255.255.255.0
!
interface Vlan4
 description Uplink to ADSL2+ Connection
 ip address 10.10.10.48 255.255.255.0
!
ip local policy route-map WAN1
ip default-gateway 10.10.10.1
ip http server
ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 10.10.10.1
ip route 10.10.10.0 255.255.255.0 10.10.10.1
ip route 172.16.0.0 255.255.255.0 172.16.0.2
!
access-list 101 permit ip any 141.101.120.0 0.0.0.255 log
access-list 102 permit ip any any log
access-list 104 permit ip any 192.168.24.0 0.0.0.255
access-list 104 permit ip any 172.16.0.0 0.0.0.255 log
route-map WAN1 permit 10
 match ip address 101
 set ip next-hop 172.16.0.2
!
route-map WAN1 permit 15
 match ip address 104
!
route-map WAN1 permit 20
 match ip address 102
 set ip next-hop 10.10.10.1
!
!
!
!
line con 0
 session-timeout 35791
 logging synchronous
 length 0
 width 240
line vty 0 4
 login
line vty 5 15
 login
!
end

-----

Switch#sh ve
Cisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M), Version 15.0(2)SE2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Tue 05-Feb-13 12:24 by prod_rel_team

ROM: Bootstrap program is C3560 boot loader
BOOTLDR: C3560 Boot Loader (C3560-HBOOT-M) Version 12.2(35r)SE2, RELEASE SOFTWARE (fc1)

Switch uptime is 40 minutes
System returned to ROM by power-on
System image file is "flash:/c3560-ipservicesk9-mz.150-2.SE2.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco WS-C3560-8PC (PowerPC405) processor (revision G0) with 131072K bytes of memory.
Processor board ID FOC1632V0T2
Last reset from power-on
3 Virtual Ethernet interfaces
8 FastEthernet interfaces
1 Gigabit Ethernet interface
The password-recovery mechanism is enabled.

512K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address       : 88:75:56:59:84:80
Motherboard assembly number     : 73-10612-09
Power supply part number        : 341-0207-02
Motherboard serial number       : #########
Power supply serial number      : #########
Model revision number           : G0
Motherboard revision number     : A0
Model number                    : WS-C3560-8PC-S
System serial number            : #########
Top Assembly Part Number        : 800-28131-04
Top Assembly Revision Number    : D0
Version ID                      : V04
CLEI Code Number                : COML900ARA
Hardware Board Revision Number  : 0x01


Switch Ports Model              SW Version            SW Image
------ ----- -----              ----------            ----------
*    1 9     WS-C3560-8PC       15.0(2)SE2            C3560-IPSERVICESK9-M


Configuration register is 0xF


----

Switch#sh sdm prefer
 The current template is "desktop routing" template.
 The selected template optimizes the resources in
 the switch to support this level of features for
 8 routed interfaces and 1024 VLANs.

  number of unicast mac addresses:                  3K
  number of IPv4 IGMP groups + multicast routes:    1K
  number of IPv4 unicast routes:                    11K
    number of directly-connected IPv4 hosts:        3K
    number of indirect IPv4 routes:                 8K
  number of IPv6 multicast groups:                  0
  number of directly-connected IPv6 addresses:      0
  number of indirect IPv6 unicast routes:           0
  number of IPv4 policy based routing aces:         0.5K
  number of IPv4/MAC qos aces:                      0.5K
  number of IPv4/MAC security aces:                 1K
  number of IPv6 policy based routing aces:         0
  number of IPv6 qos aces:                          20
  number of IPv6 security aces:                     25
Don Johnston

I usually handle these types of problems from a simplistic approach.

First I like to get rid of the fluff. The things that aren't needed.

For example, the following routes aren't doing anything.

ip route 10.10.10.0 255.255.255.0 10.10.10.1
ip route 172.16.0.0 255.255.255.0 172.16.0.2

So remove them.

Second, did you post the actual config? Or just type it in. Because you don't have a VLAN1 interface.  You've got a "VlaWAN1" interface which can't really exist, so I don't know what to make of that.

Third, what are you trying to accomplish with statement 15 in the route map?

route-map WAN1 permit 15
 match ip address 104

What I would do, is remove the route map from the g0/1 interface. Verify that the PC can access the internet. Then change the default route and point it to the 172.16.0.2 and verify internet access. Once you've validated that, then add the route-map back to the g0/1 interface and see what you've got. If it doesn't work, use a trace-route to see where it's dropping.

Finally, when you're posting long configs and output, please use the code feature. It makes it much easier to separate information types.
Teknocraft (asker)

Many thanks for the reply Don,

I've removed the extraneous ip routes as suggested.

I copied the config but had to sanitize some of the names; unfortunately, along the way I seem to have changed Vlan3 to VlaWAN1, which may be the cause of some confusion.

Statement 15 seemed to stop PBR trying to route packets destined for one of the local ranges to 10.10.10.1 - I've removed it anyway.

I've also removed the route map completely.

Unfortunately, as I guessed, I seem to have a bigger problem - the PBR might actually be working!

So, instead of just jumping to that config state I should have checked that routing was working correctly - because it isn't! The laptop connected to g0/1 is unable to connect to the internet. I can ping the gateway IP of 192.168.24.252, I can ping the other two interfaces (10.10.10.48 and 172.16.0.1), but am unable to ping anything beyond that, and the internet.

Is there a simple command that I'm missing that isn't turned on? I experimented with "ip router" commands but this doesn't seem to assist.

Sorry about not using the code feature in the past... will use it now :)

I don't know if this is of any use, but here is the debug ip packet output for a ping to 8.8.8.8 from the laptop at 192.168.24.55:

*Mar  1 21:30:58.038: IP: s=192.168.24.55 (GigabitEthernet0/1), d=8.8.8.8, len 76, input feature
*Mar  1 21:30:58.038:     UDP src=63201, dst=53, MCI Check(80), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Mar  1 21:30:58.038: FIBipv4-packet-proc: route packet from GigabitEthernet0/1 src 192.168.24.55 dst 8.8.8.8
*Mar  1 21:30:58.038: FIBfwd-proc: Default:0.0.0.0/0 process level forwarding
*Mar  1 21:30:58.038: FIBfwd-proc: depth 0 first_idx 0 paths 1 long 0(0)
*Mar  1 21:30:58.038: FIBfwd-proc: try path 0 (of 1) v4-sp first short ext 0(-1)
*Mar  1 21:30:58.038: FIBfwd-proc: v4-sp valid
*Mar  1 21:30:58.038: FIBfwd-proc:  no nh type 8  - deag
*Mar  1 21:30:58.038: FIBfwd-proc: ip_pak_table 0 ip_nh_table 65535 if none nh none deag 1 chg_if 0 via fib 0 path type special prefix
*Mar  1 21:30:58.038: FIBfwd-proc: Default:0.0.0.0/0 not enough info to forward via fib (none none)
*Mar  1 21:30:58.038: FIBipv4-packet-proc: packet routing failed
*Mar  1 21:30:58.038: IP: s=192.168.24.55 (GigabitEthernet0/1), d=8.8.8.8, len 76, unroutable
*Mar  1 21:30:58.038:     UDP src=63201, dst=53

Many thanks for your assistance - Dave

Please post the current config and output from a "show ip route".

Switch(config-if)#do sh ru
Building configuration...

Current configuration : 3372 bytes
!
! Last configuration change at 00:27:45 UTC Mon Mar 1 1993
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
system mtu routing 1500
vtp domain Cisco
vtp mode transparent
ip routing
no ip domain-lookup
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 2
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/1
 description Uplink to WAN Router
 no switchport
 ip address 172.16.0.1 255.255.255.0
!
interface FastEthernet0/2
 description Uplink to ADSL2+ Connection
 no switchport
 ip address 10.10.10.48 255.255.255.0
!
interface FastEthernet0/3
 shutdown
!
interface FastEthernet0/4
 shutdown
!
interface FastEthernet0/5
 shutdown
!
interface FastEthernet0/6
 shutdown
!
interface FastEthernet0/7
 shutdown
!
interface FastEthernet0/8
 description Admin Access
 switchport mode access
!
interface GigabitEthernet0/1
 description Uplink to PC Switch
 switchport access vlan 2
 switchport mode access
!
interface Vlan1
 description Admin Access
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 description Uplink to PCs
 ip address 192.168.24.252 255.255.255.0
!
ip http server
ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 10.10.10.1 name BITC
!
access-list 101 permit ip any 141.101.120.0 0.0.0.255 log
access-list 102 permit ip any any log
access-list 110 permit icmp any any
access-list 111 permit icmp host 192.168.24.55 any
!
!
!
line con 0
 session-timeout 35791
 logging synchronous
 length 0
 width 240
line vty 0 4
 login
line vty 5 15
 login
!
end

and

Switch#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 10.10.10.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.10.10.1
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.10.10.0/24 is directly connected, FastEthernet0/2
L        10.10.10.48/32 is directly connected, FastEthernet0/2
      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.16.0.0/24 is directly connected, FastEthernet0/1
L        172.16.0.1/32 is directly connected, FastEthernet0/1
      192.168.24.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.24.0/24 is directly connected, Vlan2
L        192.168.24.252/32 is directly connected, Vlan2

Hi Don,

I've missed something really obvious - although perhaps I was expecting the switch to do more than it was able to...

On both of the next-hops, these routers were just plain, simple routers and had no routes to allow traffic to get back to the source interface...

This meant that they didn't know how to get back to 192.168.24.0/24... I enabled a route and NAT on one of the external routers, and suddenly I was able to get out to the internet! Hurray!

I did the same on the second router, and was also able to get out to the internet.

I then put the original configuration back in place, and policy-based routing works perfectly.

I suppose my remaining question is this:

Is it possible to forge the source address of the packets so that I don't need to define NAT and routes on the external routers? (In this scenario I have access to both of these routers, but what would happen if I didn't?)... This is what I was expecting to happen already and explains my confusion (I suppose via NAT... which doesn't exist on an L3 switch?)

For a best-practice scenario, would this in future be better on a router such as an 881, or an ASA?

Many thanks for your time,

Dave
ASKER CERTIFIED SOLUTION
Don Johnston

Thanks Don!

This makes a lot more sense in my head now!

Cheers;

Dave