route-map question

Discussion in 'Cisco' started by John Wrate, Oct 31, 2003.

  1. John Wrate

    John Wrate Guest

    Hi all,

    I have a small network with a group of hosts which I need to have
    routed through a NAT/ADSL connection (the rest of the hosts have a
    default route to a dedicated link).

    So I am using route-map to match on the source address of these hosts
    and then set ip next-hop xxx.xxx.xxx.xxx to route them through the
    ADSL/NAT connection.

    My question is, these servers do not have contiguous addresses, so I
    cannot create an access-list using a net mask that includes them all.
    I need to use the access-list xxx permit ip host xxx.xxx.xxx.xxx...
    and I want to know, if the exact same "rule" will apply to all these
    addresses, is there a way to create a list of non-contiguous hosts, or
    should I do this instead:

    route-map ADSL permit 10
    match ip address 110
    set ip next-hop xxx.xxx.xxx.xxx
    route-map ADSL permit 20
    match ip address 120
    set ip next-hop xxx.xxx.xxx.xxx
    route-map ADSL permit 30
    match ip address 130
    set ip next-hop xxx.xxx.xxx.xxx
     
    John Wrate, Oct 31, 2003
    #1

  2. Matej Pivac Guest


    Access-lists have wildcard bits, not net-masks, right? So, you oughta be able
    to wildcard a whole class of addresses?

    I have some problems with route-map also. I have two different sets of
    addresses behind the router (two ISPs) on, let's call it, interface 1. On the
    other side (interface 0), I have two gateways - A and B. The default route
    points to A. Well, I want addresses from the first ISP routed to gw A, and
    addresses from the second ISP to gw B. Questions are: do I apply the route-map on
    interface 1 or 0? Do I have to remove the default route? Is there any other way
    to do source-based routing?

    Thanks a lot.


    Matt
     
    Matej Pivac, Oct 31, 2003
    #2

  3. You can do an acl with multiple lines including many hosts.
    That can mean a lot of permit ip host xxx lines though.

    Route-map processing is stopped when the first match
    is found. So, this might give you some benefits if some
    kind of wildcard can be used for matching the rest of
    the remaining hosts.
     
    Harri Suomalainen, Oct 31, 2003
    #3
  4. Interface 1, the ingress. You want to monkey with the routing before you
    process the packet, not afterwards.
    Depends on what you want to do. Do you want your traffic to always go
    "somewhere", the default, or only exactly where you want, and otherwise
    in the bit bucket?
    I don't believe so.
     
    Martin Gallagher, Oct 31, 2003
    #4
  5. Matej Pivac Guest

    Ok, that's what the documentation says also. But...
    I want packets with A.x.x.x addresses routed to A.x.x.1 and packets with
    B.x.x.x routed to B.x.x.1. Can I route-map only one set of addresses and
    leave the default route for the other set, or do I have to route-map both classes?
    What would a sample config look like?

    Matt
     
    Matej Pivac, Nov 2, 2003
    #5
  6. CCIE8122 Guest

    OK, using your description, here is what you are after:

    Assuming GW A = 1.2.3.10
    GW B = 1.2.3.20
    ISP1 = 10.10.10.0/24 (out GW A)
    ISP2 = 20.20.20.0/24 (out GW B)

    ===================================

    int e0
     ip address 1.2.3.4 255.255.255.0

    int e1
     ip address 4.3.2.1 255.255.255.0
     ip policy route-map POLICY

    route-map POLICY permit 10
     match ip address ISP-1
     set ip default next-hop 1.2.3.20

    route-map POLICY permit 20
     match ip address ISP-2
     set ip next-hop 1.2.3.20

    ip access-list extended ISP-1
     permit ip 10.10.10.0 0.0.0.255 any

    ip access-list extended ISP-2
     permit ip 20.20.20.0 0.0.0.255 any

    ip route 0.0.0.0 0.0.0.0 1.2.3.10

    ===================================

    Here is the explanation:

    The static route obviously sends all traffic with no destination match
    in the route table to GW A (except, of course, the traffic that is PBR'd).

    The ACLs specify the source nets of ISPs 1 and 2.

    Seq 10 of the route-map matches all traffic from ISP 1 and sets the
    default next-hop (not the next hop) for that traffic to GW B. What this
    means is that if the static route goes down, all traffic from ISP1 will
    go out GW B. Until then, it will not be policy routed--it will just go
    out GW A, the default route.

    Seq 20 of the route-map matches all traffic from ISP 2 and overrides the
    static route, policy routing all ISP 2 traffic out GW B. (In the event
    that the static went down, all traffic would follow the routing table, i.e.,
    go out GW A.)

    The policy statement applies the policy to all traffic coming in
    interface e1.

    Please note that although technically correct, this is all very
    theoretical, since in reality the static route would never go down,
    unless the e0 interface transitioned, in which case, no traffic is going
    anywhere.

    But if either GW A or B all of a sudden went down, the policy
    routes/static routes wouldn't know, since there is no dynamic proto that
    would time out -- as long as the interface is up, the IOS assumes that
    GW A and B are both there.

    HTH

    kr
     
    CCIE8122, Nov 3, 2003
    #6
  7. CCIE8122 Guest

    Actually, I think there might be a hook in the set next hop command that
    verifies connectivity via CDP.

    You may want to check that.

    kr
     
    CCIE8122, Nov 3, 2003
    #7
  8. Matej Pivac Guest

    Hm... thanks a lot. Just one more thing, would proxy arp (on eth0) mind?


    Matt
     
    Matej Pivac, Nov 3, 2003
    #8
  9. I continue to be confused as to whether or not "set ip default
    next-hop" overrides a default route. Barry Margolin said a couple
    weeks ago that it does, you indicate above (and in prior posts) that
    it does not. Since you're both extremely knowledgeable about this
    stuff, I'm left at a loss.

    Maybe I can test this tomorrow if no one else beats me to it.

    -Terry
     
    Terry Baranski, Nov 4, 2003
    #9
  10. Well, in testing done with 12.2(6a) a default next-hop does indeed
    override a default route. I don't recall having ever seen reference
    to this being the case. Has it always been this way?

    -Terry
     
    Terry Baranski, Nov 4, 2003
    #10
  11. CCIE8122 Guest

    > Hm... thanks a lot. Just one more thing, would proxy arp (on eth0) mind?

    No. Unrelated issue.

    kr
     
    CCIE8122, Nov 5, 2003
    #11
  12. CCIE8122 Guest

    > Well, in testing done with 12.2(6a) a default next-hop does indeed
    > override a default route. I don't recall having ever seen reference
    > to this being the case. Has it always been this way?
    >
    > -Terry

    According to the Cisco documentation, the set ip default next hop and
    set default interface commands are processed after normal routing is
    processed.

    So, if you have no entry in your routing table for a particular route,
    then it will be PBR'd. If you do have a route in your routing table, it
    will not.

    Set ip next hop and set interface are processed before routing is
    processed. As long as the specified "next hop" is reachable (i.e., the
    int is up), or the specified interface is up, the packet will be PBR'd,
    else it will follow the routing table.

    As to whether a default route qualifies in the first scenario as a valid
    route, I would assume so, but if yours and Barry's experience dictates
    otherwise, then there you have it.

    I have only used set interface and set ip next hop in production,
    never the "default" commands. I only remember them from reading the IOS
    command set when studying for the lab.

    kr
     
    CCIE8122, Nov 5, 2003
    #12
  13. Matej Pivac Guest

    Now... I did everything, even got all messed up removing proxy-arp and
    trying without it, but without success. Looking through the debugging lines never
    showed anything, I only get packets from 192.168.x.x caught in the policy.
    Yes, it isn't a cisco, it's f* motorola.

    Here's snippet of conf (192.168.1.0 is for local servers, 192.168.2.0 for
    cable modems):

    interface ethernet 0/0
    ip address a.a.75.2 255.255.255.224
    ip address 192.168.1.254 255.255.255.0 secondary
    ip address b.b.210.2 255.255.255.224 secondary
    no shutdown
    no ip redirects
    no ip unreachables
    !

    ....

    !
    interface cable 0/0
    ip address 192.168.2.254 255.255.255.0
    ip address a.a.75.65 255.255.255.192 secondary
    ip address b.b.210.129 255.255.255.128 secondary
    ip address a.a.75.129 255.255.255.128 secondary
    ip address b.b.210.35 255.255.255.224 secondary
    ip address b.b.210.65 255.255.255.192 secondary
    ip address b.b.211.254 255.255.255.0 secondary
    ip address a.a.75.35 255.255.255.224 secondary
    ip access-group 111 in
    ip access-group 111 out
    no shutdown
    !

    ....

    !
    ip route 0.0.0.0 0.0.0.0 213.202.75.1
    !
    !
    route-map eq permit 10
    match ip address 101
    set ip next-hop a.a.75.1
    route-map eq permit 20
    match ip address 102
    set ip next-hop b.b.210.1
    !

    ....

    !
    access-list 1 permit a.a.75.0 0.0.0.255
    access-list 2 permit b.b.210.0 0.0.0.255
    access-list 101 permit ip a.a.75.0 0.0.0.255 any
    access-list 102 permit ip b.b.210.0 0.0.0.255 any
    access-list 111 deny udp any any eq netbios-ns
    access-list 111 deny udp any any eq netbios-dgm
    access-list 111 deny udp any any eq netbios-ss
    access-list 111 deny tcp any any eq 137
    access-list 111 deny tcp any any eq 138
    access-list 111 deny tcp any any eq 139
    access-list 111 deny tcp any any eq 445
    access-list 111 deny udp any any eq 445
    access-list 111 permit ip any any
    !

    --
    Matt
     
    Matej Pivac, Nov 5, 2003
    #13
  14. AFAIK, yes.

    The idea is that you often only want to redirect the way outbound traffic
    is routed. If the traffic is destined for one of your other internal
    networks, you don't want to send the traffic out to the ISP associated with
    the source address. "set ip route" would override all the specific routes
    in your routing table, so it's not appropriate in that situation. "set ip
    default route" only overrides the default route, which is usually the route
    to one of your ISPs.
     
    Barry Margolin, Nov 5, 2003
    #14
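A model of the next-hop selection debated in posts #3, #6, #12 and #14, written here as an added example (not from the thread and not IOS code): an ACL with wildcard bits selects the source, route-map sequences are tried in order and the first match ends processing, `set ip next-hop` wins whenever the hop is reachable, and `set ip default next-hop` applies only when the best route for the destination is the default route, as Terry's 12.2(6a) test and Barry's reply describe. The 192.168.5.0/24 internal network and the set of reachable gateways are assumptions.

```python
import ipaddress

# Constructed model, not from the thread or from IOS: how a policy route-map
# picks a next hop, following the behaviour the thread settles on.

def acl_match(addr, base, wildcard):
    """IOS ACL semantics: wildcard bits set to 1 are 'don't care' (0.0.0.0 = host)."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def longest_match(routing_table, dst):
    """Most specific (network, next_hop) entry covering dst, or None."""
    best = None
    for prefix, next_hop in routing_table:
        net = ipaddress.ip_network(prefix)
        if ipaddress.IPv4Address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best

def policy_route(route_map, routing_table, src, dst, reachable):
    """Return (next_hop, reason). Sequences run in order; the first sequence
    whose ACL matches the source ends route-map processing (post #3)."""
    for seq in route_map:
        if not any(acl_match(src, base, wc) for base, wc in seq["acl"]):
            continue
        if seq["set"] == "ip next-hop":
            # Evaluated before the routing table: wins whenever the hop is reachable.
            if seq["hop"] in reachable:
                return seq["hop"], "policy"
            break  # unusable set: fall through to normal routing
        if seq["set"] == "ip default next-hop":
            # Evaluated after routing: used only when nothing better than the
            # default route (prefix length 0) covers the destination.
            route = longest_match(routing_table, dst)
            if route is None or route[0].prefixlen == 0:
                return seq["hop"], "policy-default"
            break
    route = longest_match(routing_table, dst)
    return (route[1], "table") if route else (None, "drop")

# Topology from post #6 (GW A = 1.2.3.10, GW B = 1.2.3.20, ISP1 = 10.10.10.0/24,
# ISP2 = 20.20.20.0/24) plus an assumed internal net 192.168.5.0/24 via 1.2.3.30.
ROUTE_MAP = [
    {"seq": 10, "acl": [("10.10.10.0", "0.0.0.255")], "set": "ip default next-hop", "hop": "1.2.3.20"},
    {"seq": 20, "acl": [("20.20.20.0", "0.0.0.255")], "set": "ip next-hop", "hop": "1.2.3.20"},
]
ROUTING_TABLE = [("0.0.0.0/0", "1.2.3.10"), ("192.168.5.0/24", "1.2.3.30")]
GATEWAYS_UP = {"1.2.3.10", "1.2.3.20", "1.2.3.30"}  # assumed reachable next hops
```

Running `policy_route(ROUTE_MAP, ROUTING_TABLE, "10.10.10.5", "192.168.5.7", GATEWAYS_UP)` shows the specific route winning over the default next-hop, which is the case Barry's reply is about.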
  15. CCIE8122 Guest

    Looks like you have done everything except apply the policy:

    conf t

    int cable 0/0
    ip policy route-map eq



    kr
     
    CCIE8122, Nov 8, 2003
    #15