[c-nsp] Policy routing on a 3750 - What am I doing wrong?
Aaron Gifford
astounding at gmail.com
Thu Mar 19 17:57:28 EDT 2009
Hi,
In trying to do some IP policy routing on a 3750, I ran into some odd
behavior. I'd appreciate any pointers/help to get this working.
I have a pretty simple set-up. A Cisco Catalyst 3750 switch running
IOS 12.2(46)SE connects a host IP network (10.20.30.0/24) on one VLAN
to an "upstream" network (10.20.32.0/24) on another VLAN. All I want
to do is apply a route-map to policy route traffic that originates
from a subset of hosts (for the test, one host only) to a different
next-hop gateway on the "upstream" network.
HOST NETWORK 10.20.30.0/24 (VLAN 123):
10.20.30.1 <== 3750's interface IP on VLAN 123
...
10.20.30.94 <== This is the test host whose traffic I want to policy route
UPSTREAM NETWORK 10.20.32.0/24 (VLAN 100):
10.20.32.1 <== This is the normal upstream gateway router -- it
talks OSPF with the 3750
10.20.32.2 <== 3750's interface IP on VLAN 100
...
10.20.32.11 <== The other upstream gateway device (no OSPF) to which
the policy should route traffic
THE 3750's CONFIGURATION SO FAR:
PBR (policy based routing) has been enabled on the 3750 running IOS
12.2(46)SE, and "sho sdm prefer" states that the current template is
the "desktop routing" template.
ACCESS LIST:
ip access-list extended delme
permit ip host 10.20.30.94 any
!
ROUTE MAP:
route-map delme permit 10
match ip address delme
set ip next-hop 10.20.32.11
!
3750's HOST NETWORK VLAN INTERFACE:
interface Vlan123
ip address 10.20.30.1 255.255.255.0
ip policy route-map delme
end
3750's UPSTREAM NETWORK VLAN INTERFACE
interface Vlan100
ip address 10.20.32.2 255.255.255.0
***ospf configuration omitted***
end
TEST HOST AT 10.20.30.94:
The test host at 10.20.30.94 during testing was primarily sending ICMP
ECHO REQUESTs to remote IPs (networks NOT directly connected to the
3750).
WHAT I OBSERVED:
With debugging turned on, on the 3750 I would see:
Mar 19 15:05:34.960: IP: s=10.20.30.94 (Vlan123), d=255.255.255.255, len 94, policy match
Mar 19 15:05:34.960: IP: route map delme, item 10, permit
Mar 19 15:05:34.968: IP: s=10.20.30.94 (Vlan123), d=255.255.255.255 (Vlan100), len 94, policy routed
Mar 19 15:05:34.968: IP: Vlan123 to Vlan100 10.20.32.11
...and other repeats of the above...
It appeared that broadcast traffic was happily matching my ACL and
being policy routed. However, no non-broadcast traffic was matching,
or at least none was showing up with debugging. Not one non-broadcast
packet.
When I checked the route-map and ACL counters on the router I saw:
router#sho route-map delme
route-map delme, permit, sequence 10
Match clauses:
ip address (access-lists): delme
Set clauses:
ip next-hop 10.20.32.11
Nexthop tracking current: 0.0.0.0
10.20.32.11, fib_nh:0,oce:0,status:0
Policy routing matches: 23 packets, 2484 bytes
router#sho ip access-lists delme
Extended IP access list delme
10 permit ip host 10.20.30.94 any (23 matches)
router#
Only 23 matching packets, over a time interval when thousands of ICMP
ECHO REQUESTs were sent.
So I checked things on the policy route's next-hop gateway device at
IP 10.20.32.11. Its logs showed that NO packets had reached it. And
the testing host at 10.20.30.94 saw no responses to the outbound
pings.
SO...
I reset the policy's next hop to 10.20.32.1 which is the normal
next-hop IP that non-policy-routed traffic is sent to:
route-map delme permit 10
match ip address delme
set ip next-hop 10.20.32.1
!
I repeated my test as above. I saw the exact same behavior on the
3750, only broadcast packets matching in logs and ACL/route-map
counters. But now the test host at 10.20.30.94 was getting all the
echo replies it should have.
WHAT I THINK THIS TELLS ME:
Even though the 3750 was NOT logging/debugging/counting packets from
the test host, it MUST have been doing something to those packets
because during the first test it appears it was NOT sending the
traffic to the normal gateway IP. But it was also NOT sending it to
the policy-route next-hop gateway IP. Once I changed the policy
route-map to set the next-hop to the same IP as non-policy routed
traffic, traffic from the test host DID seem to flow.
I'm confused. Is the 3750 policy routing traffic, or not? Why are
only packets to the 255.255.255.255 broadcast being matched? What am
I doing wrong?
Thanks in advance for any/all help, advice, pointers, tips, etc.
Aaron out.
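The following is an added example and not part of the post above or of any Cisco tooling: a small Python script that parses the ACL, route-map and interface fragments quoted in the message, runs a few static sanity checks on the PBR set-up (route-map and ACL references resolve, the next hop is not one of the switch's own addresses, the next hop lies on a directly connected subnet), and then tallies the "debug ip policy" lines by destination kind so the "only broadcasts are policy routed" observation becomes a countable result. The CONFIG and DEBUG_LINES strings are constructed from the fragments in the post (the debug lines re-joined where the mail wrapped them); the function and variable names are this example's own.

```python
import ipaddress
import re
from collections import Counter

# Constructed input: the config fragments quoted in the post, pasted together.
CONFIG = """\
ip access-list extended delme
 permit ip host 10.20.30.94 any
!
route-map delme permit 10
 match ip address delme
 set ip next-hop 10.20.32.11
!
interface Vlan123
 ip address 10.20.30.1 255.255.255.0
 ip policy route-map delme
!
interface Vlan100
 ip address 10.20.32.2 255.255.255.0
!
"""

# Constructed input: the "debug ip policy" lines from the post, unwrapped.
DEBUG_LINES = """\
Mar 19 15:05:34.960: IP: s=10.20.30.94 (Vlan123), d=255.255.255.255, len 94, policy match
Mar 19 15:05:34.960: IP: route map delme, item 10, permit
Mar 19 15:05:34.968: IP: s=10.20.30.94 (Vlan123), d=255.255.255.255 (Vlan100), len 94, policy routed
Mar 19 15:05:34.968: IP: Vlan123 to Vlan100 10.20.32.11
"""

DEBUG_RE = re.compile(
    r"IP: s=(?P<src>[\d.]+) \((?P<ingress>\S+)\), d=(?P<dst>[\d.]+)"
    r"(?: \((?P<egress>\S+)\))?, len (?P<len>\d+), (?P<action>policy match|policy routed)"
)


def parse_config(text):
    """Split IOS config into blocks keyed by the column-0 header line;
    the indented lines that follow (up to the next '!' or header) are its body."""
    blocks, header = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            header = None
            continue
        if raw[0] != " ":
            header = raw.strip()
            blocks.setdefault(header, [])
        elif header is not None:
            blocks[header].append(raw.strip())
    return blocks


def pbr_model(blocks):
    """Pull the PBR-relevant pieces out of the parsed blocks."""
    ifaces, rmaps, acls = {}, {}, {}
    for header, body in blocks.items():
        words = header.split()
        if words[0] == "interface":
            info = {"addr": None, "policy": None}
            for line in body:
                m = re.match(r"ip address (\S+) (\S+)$", line)
                if m:  # ipaddress accepts a dotted netmask after the slash
                    info["addr"] = ipaddress.IPv4Interface(f"{m[1]}/{m[2]}")
                m = re.match(r"ip policy route-map (\S+)$", line)
                if m:
                    info["policy"] = m[1]
            ifaces[words[1]] = info
        elif words[0] == "route-map":
            entry = {"seq": int(words[3]), "action": words[2], "acl": None, "next_hop": None}
            for line in body:
                m = re.match(r"match ip address (\S+)$", line)
                if m:
                    entry["acl"] = m[1]
                m = re.match(r"set ip next-hop (\S+)$", line)
                if m:
                    entry["next_hop"] = ipaddress.IPv4Address(m[1])
            rmaps.setdefault(words[1], []).append(entry)
        elif header.startswith("ip access-list extended "):
            acls[words[3]] = list(body)
    return ifaces, rmaps, acls


def check_pbr(ifaces, rmaps, acls):
    """Static sanity checks; returns a list of human-readable findings (empty = clean)."""
    findings = []
    connected = {n: i["addr"].network for n, i in ifaces.items() if i["addr"]}
    own = {i["addr"].ip for i in ifaces.values() if i["addr"]}
    for name, info in ifaces.items():
        if info["policy"] and info["policy"] not in rmaps:
            findings.append(f"{name}: route-map {info['policy']} is applied but not defined")
    for rm, entries in rmaps.items():
        for e in entries:
            where = f"route-map {rm} seq {e['seq']}"
            if e["acl"] and e["acl"] not in acls:
                findings.append(f"{where}: match ACL {e['acl']} is not defined")
            nh = e["next_hop"]
            if nh is None:
                continue
            if nh in own:
                findings.append(f"{where}: next-hop {nh} is one of the switch's own addresses")
            if not any(nh in net for net in connected.values()):
                findings.append(f"{where}: next-hop {nh} is not on any directly connected subnet")
    return findings


def parse_debug(text):
    """Keep only the per-packet 'policy match' / 'policy routed' debug records."""
    recs = []
    for line in text.splitlines():
        m = DEBUG_RE.search(line)
        if m:
            d = m.groupdict()
            d["src"], d["dst"] = ipaddress.IPv4Address(d["src"]), ipaddress.IPv4Address(d["dst"])
            recs.append(d)
    return recs


def classify_dst(dst, ifaces):
    """Limited broadcast, multicast or a connected subnet's directed broadcast vs. unicast."""
    if dst == ipaddress.IPv4Address("255.255.255.255") or dst.is_multicast:
        return "broadcast/multicast"
    if any(i["addr"] and dst == i["addr"].network.broadcast_address for i in ifaces.values()):
        return "broadcast/multicast"
    return "unicast"


def policy_routed_by_kind(recs, ifaces):
    """Count 'policy routed' records by destination kind."""
    counts = Counter(classify_dst(r["dst"], ifaces) for r in recs if r["action"] == "policy routed")
    return dict(counts)


if __name__ == "__main__":
    ifaces, rmaps, acls = pbr_model(parse_config(CONFIG))
    for f in check_pbr(ifaces, rmaps, acls) or ["config: no static PBR problems found"]:
        print(f)
    print(policy_routed_by_kind(parse_debug(DEBUG_LINES), ifaces))
```

Run against the post's fragments the static checks come back clean and the debug tally shows every policy-routed packet going to a broadcast destination and none to a unicast one; pointing the script at a fuller "show run" and a longer debug capture is a quick way to see which flows the software path is actually reporting before chasing a next-hop problem.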
More information about the cisco-nsp mailing list