Solved

CISCO 3750 Policy Based Routing

Posted on 2014-10-29 | 16 Comments | 679 Views | Last Modified: 2014-12-15
Hi,

I have an issue where I am just trying to get PBR to work correctly.  I tried configuring it with:

ip access-list extended 101
 permit ip 172.18.0.0 0.0.255.255 any
route-map NewASA permit 10
 match ip address 101
 set ip next-hop 172.16.0.24
int vlan 18
 ip policy route-map NewASA

In the above config, the network devices will not get an IP address from the DHCP server on VLAN 16.

so I tried

Extended IP access list 101
    10 deny ip 172.18.0.0 0.0.255.255 172.16.0.0 0.0.255.255
    20 permit ip 172.18.0.0 0.0.255.255 any
route-map NewASA permit 10
 match ip address 101
 set ip next-hop 172.16.0.24
int vlan 18
 ip policy route-map NewASA

In this scenario I can get an IP address and ping on VLAN 16 and 18, but I cannot ping the 3750 IP address 172.18.0.2, nor can I get to the Internet.

I am not sure what I am doing wrong

Thank you for your help in advance
16 Comments
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40411943
Really got to have more information...

A topology diagram maybe. What IP addresses are associated with what VLANs.  That kind of thing.
0
 
LVL 30

Expert Comment

by:Predrag
ID: 40412901
To understand what's wrong in a case like this, one simply must be familiar with at least part of the network topology, as Don Johnston already said.
To check how packets are traveling through the network, and also to see where the black hole for packets is, use the traceroute command (that will usually narrow the error location down to the last router that responded to traceroute or the next router in line). And, BTW, it will be much faster if you disable DNS lookup with the command no ip domain-lookup.
There are two possibilities in general (excluding being blocked by an ACL at some point):
 - the packet doesn't reach the destination: unknown route to the final destination
 - the packet doesn't return from the destination: unknown return route to the sender of the packets
0
 

Author Comment

by:thomasm1948
ID: 40415625
Hi,

I was out sick yesterday.  So what the school wants is to have the following:

 - All non-student VLANS go to the Internet through their original fiber line (Diagram: Internet Line 1)
 - If the fiber fails then failover to their cable Internet line (Diagram: Internet Line 2)
 - The student VLAN (VLAN18) should go through Internet line 2
 - If Internet line 2 fails then failover to Internet Line 1

The first part is easy for non-students.  I just configured SLA Monitoring and Track (Static Routing).  No need to configure PBR.  The second part seems to be giving me trouble.  For some reason the PBR is not working correctly.  The student VLAN18 must be able to communicate with VLANS 16 (servers) and VLAN 20 (student servers).  Without PBR all VLANS communicate correctly and we have ACLs that prevent the student VLANS from communicating with, for example, administration clients and servers.  The following is a basic diagram.  I can create a more complete one if you need.

Please see the attached basic diagram: Simple-Diagram.jpg
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40415799
Like I said, we need some information as to the topology.  A vague overview won't help much. For example, you have a next hop address of 172.16.0.24.  What device is that?  The PIX or the ASA?

What you're trying to do is pretty straightforward. But without some basic background, it's going to take forever to determine what's wrong.

So please give us the IP addresses for the network, and the config of the switch would be a huge help.
0
 

Author Comment

by:thomasm1948
ID: 40416070
Attached is the config file for the CISCO 3750 (ver 12.2) switch

172.16.0.24 is the internal interface of the CISCO PIX 515e (Cable Internet)
172.16.0.23 is the internal interface of the CISCO ASA5500 (Fiber Internet)
CISCO-3750-Config.txt
0
 

Author Comment

by:thomasm1948
ID: 40416080
I removed the ip policy for route-map ASA from VLAN 18, since it is not working correctly.  From the config file you can see that just the SLA monitor is configured.
0
 
LVL 30

Expert Comment

by:Predrag
ID: 40416204
Are there any ACLs on the CISCO PIX 515e's 172.16.0.2 interface, and what does show ip route give on the same device?
0
 

Author Comment

by:thomasm1948
ID: 40416217
No, just the basic firewall rules that enable all IPs out and deny all coming in.  This is for both firewalls.
0
 

Assisted Solution

by:thomasm1948
thomasm1948 earned 0 total points
ID: 40416262
Hi,

Below are the IP routes for the PIX 515e:

pix515e# sh route
        outside 0.0.0.0 0.0.0.0 64.22.148.18 1 OTHER static
        inside mgnt-network 255.255.255.0 172.16.0.1 1 OTHER static
        outside 64.22.148.18 255.255.255.252 OutsideIP 1 CONNECT static
        inside 172.16.0.0 255.255.0.0 172.16.0.24 1 CONNECT static
        inside 172.17.0.0 255.255.0.0 172.16.0.1 1 OTHER static
        inside 172.18.0.0 255.255.0.0 172.16.0.1 1 OTHER static
        inside 172.19.3.0 255.255.255.0 172.16.0.1 1 OTHER static
        inside 172.20.0.0 255.255.0.0 172.16.0.1 1 OTHER static
        inside 172.21.0.0 255.255.0.0 172.16.0.1 1 OTHER static
        inside 172.22.0.0 255.255.255.0 172.16.0.1 1 OTHER static
        inside 192.168.0.0 255.255.0.0 192.168.0.59 1 OTHER static
        inside 192.168.0.4 255.255.255.255 192.168.0.59 1 OTHER static
        DMZ 192.168.3.0 255.255.255.0 192.168.3.1 1 CONNECT static
        inside 192.168.110.0 255.255.255.0 192.168.0.59 1 OTHER static
0
 
LVL 50

Accepted Solution

by:
Don Johnston earned 250 total points
ID: 40416309
This is a route-map/SLA config I did a while back.  I had to clean it up, but I'm pretty sure all the components are still there.  You should be able to adapt it to your situation.

Admin users get ISP-1 by default. If the tracking object out that interface is lost or the next-hop isn't reachable, then admin traffic goes to ISP-2.

Guest users get ISP-2 by default. If the tracking object out that interface is lost or the next-hop isn't reachable, then guest traffic goes to ISP-1.

track 123 ip sla 1 reachability
!
track 234 ip sla 2 reachability
! 
interface VLAN3
 description Link to LAN
 ip address 192.168.2.1 255.255.255.0
 ip policy route-map alpha
!
interface Vlan1
 description ISP-1
 ip address 1.2.3.2 255.255.255.252
!
interface Vlan2
 description ISP-2
 ip address 5.6.7.2 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 1.2.3.1
ip route 0.0.0.0 0.0.0.0 5.6.7.1
!
ip access-list standard admin
 permit 192.0.0.0 0.0.0.255
 permit 192.168.2.0 0.0.0.255
 permit 192.168.10.0 0.0.0.255
 permit 192.168.15.0 0.0.0.255
!
ip access-list standard guest
 permit 192.168.20.0 0.0.0.255
 permit 192.168.25.0 0.0.0.255
 permit 192.168.30.0 0.0.0.255
 permit 192.168.35.0 0.0.0.255
!
ip sla 1
 icmp-echo 1.2.3.9 source-interface Vlan1
 timeout 1000
 threshold 1000
 frequency 3
ip sla schedule 1 life forever start-time now
!
ip sla 2
 icmp-echo 5.6.7.8 source-interface Vlan2
 timeout 1000
 threshold 2
 frequency 3
ip sla schedule 2 life forever start-time now
ip sla enable reaction-alerts
!
route-map alpha permit 10
 match ip address admin
 set ip next-hop verify-availability 1.2.3.1 10 track 123
 set ip next-hop verify-availability 5.6.7.1 20 track 234
!
route-map alpha permit 20
 match ip address guest
 set ip next-hop verify-availability 5.6.7.1 10 track 234
 set ip next-hop verify-availability 1.2.3.1 20 track 123


0
 

Author Comment

by:thomasm1948
ID: 40416401
I tried using the next-hop verify-availability option on the switch and I cannot get it to apply to VLAN 18.  I did notice an article indicating that for the Cisco 3750 running ver 12.x it is an invalid option.  If I use just next-hop then I can apply it, but that is where I have the issue.

If I create the access list for just 172.18.0.0 0.0.255.255, which is the VLAN 18 IP range, and apply that to the route map, then the machines can only ping out to the Internet, but they do not have any access to any other VLANS, such as VLAN 16 where the DHCP and DNS servers are.

If I add a deny ip 172.18.0.0 0.0.255.255 172.16.0.0 0.0.255.255 then it tells PBR not to use it and then VLAN 18 can get an IP from DHCP and ping all of the IPs on VLAN 16 and 18 but I cannot get out the Internet for some reason.  It cannot ping the gateway of 172.16.0.2 which is the IP address for VLAN 16 on the cisco 3750 (which all of this is configured on)
0
 

Author Comment

by:thomasm1948
ID: 40416415
Another thing I noticed is that I have to use an extended access list so that I can get the full IP range.  When I use a standard access list, for example:

access-list 10 permit 172.18.0.0 0.0.255.255

Then when I show access-list, I get:

access-list 10
permit 172.18.0.0 wild card 0.0.255.255
0
 

Author Comment

by:thomasm1948
ID: 40416420
when I said

"If I add a deny ip 172.18.0.0 0.0.255.255 172.16.0.0 0.0.255.255 then it tells PBR not to use it and then VLAN 18 can get an IP from DHCP and ping all of the IPs on VLAN 16 and 18 but I cannot get out the Internet for some reason.  It cannot ping the gateway of 172.16.0.2 which is the IP address for VLAN 16 on the cisco 3750 (which all of this is configured on) "

I meant 172.18.0.2  for vlan 18 on the switch and not 172.16.0.2 for vlan 16

Sorry for the mistype
0
 
LVL 30

Expert Comment

by:Predrag
ID: 40416933
A couple of thoughts on this:
first
If PBR is working and sends traffic to the PIX, the PIX is set to send traffic to VLAN16, and VLAN16 is the only one that is responding to pings.
second
If PBR works as it should, there's really no reason for the Internet not to work except a routing problem (finding the way back) or an ACL blocking traffic, since the traffic is already on the firewall and the default route is set.

The problem with PBR and pinging local addresses can be solved by removing local traffic from PBR, so that the access list permits only public IP addresses for policy based routing (then local traffic will go normally). But I am afraid that Internet traffic can't find its way back because of some design flaw, and I'm afraid that a differently created way of choosing the next hop address won't correct this error.

What does the routing table look like when both interfaces are up, and when the ASA5500 interface is down?
And info that really can be valuable (at least that's how it looks to me) is a traceroute to some Internet and local (pingable and unpingable) locations when the Internet over the ASA5500 is down.
0
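As an added illustration of the point above (this is not code from the thread or from Cisco): a small Python model of how an IOS extended ACL feeds a PBR route-map, reproducing wildcard-mask matching, first-match semantics and the rule that an ACL deny merely returns the packet to normal routing. It runs the two ACL 101 versions from the question plus a constructed third version that exempts every internal prefix seen in the PIX route table; the host addresses and that third ACL are assumptions.

```python
import ipaddress

def ip_to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(pkt_addr, acl_addr, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = 0xFFFFFFFF ^ ip_to_int(wildcard)
    return (ip_to_int(pkt_addr) & care) == (ip_to_int(acl_addr) & care)

def acl_action(acl, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, s_addr, s_wild, d_addr, d_wild in acl:
        if wildcard_match(src, s_addr, s_wild) and wildcard_match(dst, d_addr, d_wild):
            return action
    return "deny"

def pbr_decision(acl, next_hop, src, dst):
    """A deny in a route-map's match ACL does not drop the packet; the packet
    simply leaves PBR and is forwarded by the normal routing table."""
    return next_hop if acl_action(acl, src, dst) == "permit" else "routing-table"

ANY = ("0.0.0.0", "255.255.255.255")
VLAN18 = ("172.18.0.0", "0.0.255.255")
PIX = "172.16.0.24"  # PIX inside interface, as given in the thread

# ACL 101 as first posted: everything from VLAN 18 is sent to the PIX.
ACL_V1 = [("permit", *VLAN18, *ANY)]
# Second attempt: only VLAN 16 destinations are exempted from PBR.
ACL_V2 = [("deny", *VLAN18, "172.16.0.0", "0.0.255.255"),
          ("permit", *VLAN18, *ANY)]
# Constructed variant (assumption): exempt every internal prefix in the PIX
# route table (172.16.0.0/13 and 192.168.0.0/16), so only Internet traffic is policy-routed.
ACL_V3 = [("deny", *VLAN18, "172.16.0.0", "0.7.255.255"),
          ("deny", *VLAN18, "192.168.0.0", "0.0.255.255"),
          ("permit", *VLAN18, *ANY)]

# Constructed sample flows from one VLAN 18 host.
FLOWS = {"dns-on-vlan16": ("172.18.5.10", "172.16.0.50"),
         "student-server-vlan20": ("172.18.5.10", "172.20.0.7"),
         "internet": ("172.18.5.10", "198.51.100.9")}

def decisions(acl):
    return {name: pbr_decision(acl, PIX, src, dst) for name, (src, dst) in FLOWS.items()}

if __name__ == "__main__":
    for label, acl in (("v1", ACL_V1), ("v2", ACL_V2), ("v3", ACL_V3)):
        print(label, decisions(acl))
```

With v1 every flow, including DNS on VLAN 16, is handed to the PIX; v2 still policy-routes the VLAN 20 server traffic; only v3 leaves all internal traffic to the routing table and sends just the Internet flow to the PIX.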
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40417102
Here's the approach that I would take.

1) Drop back to a simple config.  Remove all the route maps and SLA. Create a single default route to the PIX. Make sure it works.
2) Change the default route to the ASA. Make sure it works.
3) Create a basic route map directing some traffic to the PIX and confirm the interesting traffic uses the route map.
4) Add to the route map and direct some different traffic to the ASA and verify it works.
5) Add in the SLA to force a failover.

The problem I've run into trying to implement everything at once is if it doesn't work, trying to determine the one thing that's causing the problem is very difficult.  But if you implement it one step at a time, once something doesn't work, you know exactly where to look.
0
 

Author Closing Comment

by:thomasm1948
ID: 40499954
Found out that the IOS on our switch is not capable of doing what I need.  Also, the switch has software-based routing, so if we add a deny option then the switch CPU spikes.
0
