Solved

CISCO 3750 Policy Based Routing

Posted on 2014-10-29
Last Modified: 2014-12-15
Hi,

I have an issue where I am just trying to get PBR to work correctly.  I tried configuring it with:

ip access-list extended 101
 permit ip 172.18.0.0 0.0.255.255 any
route-map NewASA permit 10
 match ip address 101
 set ip next-hop 172.16.0.24
int vlan 18
 ip policy route-map NewASA

In the above config, the network devices will not get an IP address from a DHCP server on VLAN 16.

So I tried:

Extended IP access list 101
    10 deny ip 172.18.0.0 0.0.255.255 172.16.0.0 0.0.255.255
    20 permit ip 172.18.0.0 0.0.255.255 any
route-map NewASA permit 10
 match ip address 101
 set ip next-hop 172.16.0.24
int vlan 18
 ip policy route-map NewASA

In this scenario I can get an IP address and ping on VLAN 16 and 18, but I cannot ping the 3750 IP address 172.18.0.2, nor can I get to the Internet.

I am not sure what I am doing wrong

Thank you for your help in advance
Question by:thomasm1948

16 Comments

LVL 50

Expert Comment

by:Don Johnston
Really got to have more information...

A topology diagram maybe. What IP addresses are associated with what VLANs.  That kind of thing.
LVL 26

Expert Comment

by:Predrag Jovic
To understand what's wrong in a case like this, one simply must be familiar with at least part of the network topology, as Don Johnston already said.
To check how packets are traveling through the network, and also to see where the black hole for packets is, use the traceroute command (that will usually narrow the error location down to the last router that responded to traceroute, or the next router in line). And, BTW, it will be much faster if you disable DNS lookup with the command no ip domain-lookup.
There are two possibilities in general (excluding being blocked by an ACL at some point):
 - packets don't get to the destination - unknown route to the final destination
 - packets don't return from the destination - unknown return route to the sender of the packets
Author Comment

by:thomasm1948
Hi,

I was out sick yesterday.  So what the school wants is to have the following:

 - All non-student VLANS go to the Internet through their original fiber line (Diagram: Internet Line 1)
 - If the fiber fails then failover to their cable Internet line (Diagram: Internet Line 2)
 - The student VLAN (VLAN18) should go through Internet line 2
 - If Internet line 2 fails then failover to Internet Line 1

The first part is easy for non-students.  I just configured SLA Monitoring and Track (static routing).  No need to configure PBR.  The second part seems to be giving me trouble.  For some reason the PBR is not working correctly.  The student VLAN18 must be able to communicate with VLAN 16 (servers) and VLAN 20 (student servers).  Without PBR all VLANs communicate correctly, and we have ACLs that prevent the student VLANs from communicating with, for example, administration clients and servers.  The following is a basic diagram.  I can create a more complete one if you need it.

Please see the attached diagram: Simple-Diagram.jpg
LVL 50

Expert Comment

by:Don Johnston
Like I said, we need some information as to the topology.  A vague overview won't help much. For example, you have a next hop address of 172.16.0.24.  What device is that?  The PIX or the ASA?

What you're trying to do is pretty straightforward. But without some basic background, it's going to take forever to determine what's wrong.

So please give us the IP addresses for the network; the config of the switch would be a huge help as well.
Author Comment

by:thomasm1948
Attached is the config file for the Cisco 3750 (ver 12.2) switch.

172.16.0.24 is the internal interface of the Cisco PIX 515e (cable Internet)
172.16.0.23 is the internal interface of the Cisco ASA5500 (fiber Internet)
CISCO-3750-Config.txt
Author Comment

by:thomasm1948
I removed the ip policy for route-map ASA from VLAN 18, being that it is not working correctly.  From the config file you can see that just the SLA monitor is configured.
LVL 26

Expert Comment

by:Predrag Jovic
Are there any ACLs on the Cisco PIX 515e's 172.16.0.2 interface?
And what is the output of
show ip route
on the same device?
Author Comment

by:thomasm1948
No, just the basic firewall rules that enable all IPs out and deny all coming in.  This is for both firewalls.
Assisted Solution

by:thomasm1948
thomasm1948 earned 0 total points
Hi,

Below are the IP routes for the PIX 515e:

pix515e# sh route
        outside 0.0.0.0 0.0.0.0 64.22.148.18 1 OTHER static
        inside mgnt-network 255.255.255.0 172.16.0.1 1 OTHER static
        outside 64.22.148.18 255.255.255.252 OutsideIP 1 CONNECT static
        inside 172.16.0.0 255.255.0.0 172.16.0.24 1 CONNECT static
        inside 172.17.0.0 255.255.0.0 172.16.0.1 1 OTHER static
        inside 172.18.0.0 255.255.0.0 172.16.0.1 1 OTHER static
        inside 172.19.3.0 255.255.255.0 172.16.0.1 1 OTHER static
        inside 172.20.0.0 255.255.0.0 172.16.0.1 1 OTHER static
        inside 172.21.0.0 255.255.0.0 172.16.0.1 1 OTHER static
        inside 172.22.0.0 255.255.255.0 172.16.0.1 1 OTHER static
        inside 192.168.0.0 255.255.0.0 192.168.0.59 1 OTHER static
        inside 192.168.0.4 255.255.255.255 192.168.0.59 1 OTHER static
        DMZ 192.168.3.0 255.255.255.0 192.168.3.1 1 CONNECT static
        inside 192.168.110.0 255.255.255.0 192.168.0.59 1 OTHER static
LVL 50

Accepted Solution

by:
Don Johnston earned 250 total points
This is a route-map/SLA config I did a while back.  I had to clean it up, but I'm pretty sure all the components are still there.  You should be able to adapt it to your situation.

Admin users get ISP-1 by default. If the tracking object out that interface is lost or the next-hop isn't reachable, then admin traffic goes to ISP-2.

Guest users get ISP-2 by default. If the tracking object out that interface is lost or the next-hop isn't reachable, then guest traffic goes to ISP-1.

track 123 ip sla 1 reachability
!
track 234 ip sla 2 reachability
!
interface VLAN3
 description Link to LAN
 ip address 192.168.2.1 255.255.255.0
 ip policy route-map alpha
!
interface Vlan1
 description ISP-1
 ip address 1.2.3.2 255.255.255.252
!
interface Vlan2
 description ISP-2
 ip address 5.6.7.2 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 1.2.3.1
ip route 0.0.0.0 0.0.0.0 5.6.7.1
!
ip access-list standard admin
 permit 192.0.0.0 0.0.0.255
 permit 192.168.2.0 0.0.0.255
 permit 192.168.10.0 0.0.0.255
 permit 192.168.15.0 0.0.0.255
!
ip access-list standard guest
 permit 192.168.20.0 0.0.0.255
 permit 192.168.25.0 0.0.0.255
 permit 192.168.30.0 0.0.0.255
 permit 192.168.35.0 0.0.0.255
!
ip sla 1
 icmp-echo 1.2.3.9 source-interface Vlan1
 timeout 1000
 threshold 1000
 frequency 3
ip sla schedule 1 life forever start-time now
!
ip sla 2
 icmp-echo 5.6.7.8 source-interface Vlan2
 timeout 1000
 threshold 2
 frequency 3
ip sla schedule 2 life forever start-time now
ip sla enable reaction-alerts
!
route-map alpha permit 10
 match ip address admin
 set ip next-hop verify-availability 1.2.3.1 10 track 123
 set ip next-hop verify-availability 5.6.7.1 20 track 234
!
route-map alpha permit 20
 match ip address guest
 set ip next-hop verify-availability 5.6.7.1 10 track 234
 set ip next-hop verify-availability 1.2.3.1 20 track 123

Author Comment

by:thomasm1948
I tried using the next-hop verify-availability option on the switch and I cannot get it to apply to VLAN 18.  I did notice an article indicating that for the Cisco 3750 running ver 12.x it is an invalid option.  If I use just next-hop then I can apply it, but that is where I have the issue.

If I create the access list for just 172.18.0.0 0.0.255.255, which is the VLAN 18 IP range, and apply that to the route map, then the machines can only ping out to the Internet, but they do not have any access to any other VLANs such as VLAN 16, where the DHCP and DNS servers are.

If I add a deny ip 172.18.0.0 0.0.255.255 172.16.0.0 0.0.255.255, then it tells PBR not to use it, and then VLAN 18 can get an IP from DHCP and ping all of the IPs on VLAN 16 and 18, but I cannot get out to the Internet for some reason.  It cannot ping the gateway of 172.16.0.2, which is the IP address for VLAN 16 on the Cisco 3750 (which all of this is configured on).
Author Comment

by:thomasm1948
Another thing I noticed is that I have to use an extended access list so that I can get the full IP range.  When I use a standard access list, for example:

access-list 10 permit 172.18.0.0 0.0.255.255

Then when I show access-list, I get:

access-list 10
permit 172.18.0.0 wild card 0.0.255.255
Author Comment

by:thomasm1948
When I said:

"If I add a deny ip 172.18.0.0 0.0.255.255 172.16.0.0 0.0.255.255 then it tells PBR not to use it and then VLAN 18 can get an IP from DHCP and ping all of the IPs on VLAN 16 and 18 but I cannot get out the Internet for some reason.  It cannot ping the gateway of 172.16.0.2 which is the IP address for VLAN 16 on the cisco 3750 (which all of this is configured on) "

I meant 172.18.0.2 for VLAN 18 on the switch, and not 172.16.0.2 for VLAN 16.

Sorry for the mistype.
LVL 26

Expert Comment

by:Predrag Jovic
A couple of thoughts on this:
First:
If PBR is working and sends traffic to the PIX, the PIX is set to send traffic to VLAN16, and VLAN16 is the only one that is responding to pings.
Second:
If PBR works as it should, there's really no reason for the Internet not to work except a routing problem (finding the way back) or an ACL blocking traffic, since the traffic is already on the firewall and the default route is set.

The problem with PBR and pinging local addresses can be solved by removing local traffic from PBR -> so the access list permits only public IP addresses for policy based routing (then local traffic will go normally). But I am afraid that Internet traffic can't find its way back because of some design flaw, and I'm afraid that a differently built next-hop selection won't correct this error.

How does the routing table look when both interfaces are up, and when the ASA5500 interface is down?
And info that really can be valuable (at least that's how it looks to me) is a traceroute to some Internet and local (pingable and unpingable) locations when the Internet over the ASA5500 is down.
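The effect of the deny entry from the asker's second ACL, and of the "permit only public IP addresses" approach suggested in the comment above, can be checked offline. The Python script below is an added example (not code from this thread or from Cisco): it models the IOS wildcard-mask match and the route-map rule that only a permit match is policy-routed, while a deny match or no match falls through to the routing table. The student host 172.18.0.50 and the exemption list in ACL_PUBLIC_ONLY (172.16.0.0/12 and 192.168.0.0/16, the private ranges seen in the PIX routing table) are assumptions.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")          # IOS "any" as a network/wildcard pair

def wildcard_match(addr, network, wildcard):
    """IOS wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)

def acl_lookup(acl, src, dst):
    """Extended ACL: entries are (action, src, src_wc, dst, dst_wc); first match wins,
    and an unmatched packet hits the implicit deny at the end."""
    for action, s, swc, d, dwc in acl:
        if wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc):
            return action
    return "deny"

def pbr_next_hop(acl, next_hop, src, dst):
    """Models 'route-map X permit 10 / match ip address <acl> / set ip next-hop <next_hop>'
    applied with 'ip policy route-map X' on the ingress SVI: only a permit match is
    policy-routed; a deny match or no match falls through to the normal routing table."""
    return next_hop if acl_lookup(acl, src, dst) == "permit" else "routing-table"

PIX = "172.16.0.24"
# First ACL from the question: everything sourced from VLAN 18 goes to the PIX.
ACL_FIRST = [("permit", "172.18.0.0", "0.0.255.255", *ANY)]
# Second ACL from the question: VLAN 18 -> 172.16.0.0/16 is exempted before the permit.
ACL_SECOND = [("deny", "172.18.0.0", "0.0.255.255", "172.16.0.0", "0.0.255.255"),
              ("permit", "172.18.0.0", "0.0.255.255", *ANY)]
# "Public destinations only", as modelled here (assumption): exempt the private ranges
# that appear in the PIX routing table so that only Internet-bound traffic is policy-routed.
ACL_PUBLIC_ONLY = [("deny", "172.18.0.0", "0.0.255.255", "172.16.0.0", "0.15.255.255"),
                   ("deny", "172.18.0.0", "0.0.255.255", "192.168.0.0", "0.0.255.255"),
                   ("permit", "172.18.0.0", "0.0.255.255", *ANY)]

if __name__ == "__main__":
    student = "172.18.0.50"                   # constructed VLAN 18 host
    # Destinations: a VLAN 16 server, the switch's own VLAN 18 SVI, a DMZ host, the Internet.
    for dst in ("172.16.0.10", "172.18.0.2", "192.168.3.5", "8.8.8.8"):
        print(dst, [pbr_next_hop(a, PIX, student, dst)
                    for a in (ACL_FIRST, ACL_SECOND, ACL_PUBLIC_ONLY)])
```

Note that with ACL_SECOND a packet to the switch's own 172.18.0.2 still hits the permit entry, so that ACL alone does not exempt it. The model covers only the ACL/route-map logic, not how the 3750 forwards deny-matched packets in hardware, which is the CPU issue mentioned in the closing comment.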
LVL 50

Expert Comment

by:Don Johnston
Here's the approach that I would take.

1) Drop back to a simple config.  Remove all the route maps and SLA. Create a single default route to the PIX. Make sure it works.
2) Change the default route to the ASA. Make sure it works.
3) Create a basic route map directing some traffic to the PIX and confirm the interesting traffic uses the route map.
4) Add to the route map and direct some different traffic to the ASA and verify it works.
5) Add in the SLA to force a failover.

The problem I've run into trying to implement everything at once is if it doesn't work, trying to determine the one thing that's causing the problem is very difficult.  But if you implement it one step at a time, once something doesn't work, you know exactly where to look.
Author Closing Comment

by:thomasm1948
Found out that the IOS on our switch is not capable of doing what I need.  Also, the switch has software-based routing, so if we add a deny option then the switch CPU spikes.