Routing on S1500 mobility Switch

  • 1.  Routing on S1500 mobility Switch

    Posted Feb 04, 2014 02:10 PM

    Hi Everyone,

     

    Looking for a little advice here. I have a switch at a remote location. At that location I have a connection back to our datacenter via an MPLS network. I also have a local internet location via DSL onsite. I have three VLANs set up. VLAN 1 connects back to our Datacenter. VLAN 102 is for our wireless clients, and VLAN 150 is the DSL VLAN. I can't seem to get any clients on VLAN 102 to connect to the internet on VLAN 150. I am using Policy Based routing on VLAN 102. Any advice would be appreciated. Below are some details about the switch config.

     

     

    Gateway of last resort is 10.100.43.1 to network 0.0.0.0 at cost 0
    S       * 0.0.0.0  /0 [0] via 10.100.43.1
    C        10.100.43.0/24 is directly connected: vlan1
    C        10.100.43.10/32 is directly connected: vlan1
    C        10.102.43.0/24 is directly connected: vlan102
    C        10.102.43.1/32 is directly connected: vlan102
    C        192.168.43.0/24 is directly connected: vlan150
    C        192.168.43.2/32 is directly connected: vlan150

    show interface-config vlan 102

    vlan "102"
    ----------
    Parameter                   Value
    ---------                   -----
    Interface OSPF profile      N/A
    Interface PIM profile       N/A
    Interface IGMP profile      N/A
    Interface VRRP profile      N/A
    Directed Broadcast Enabled  Disabled
    Interface shutdown          Disabled
    Session-processing          Disabled
    mtu                         1500
    IP Address                  10.102.43.1/255.255.255.0
    IP NAT Inside               Disabled
    IPv6 Address                N/A
    IPv6 link local Address     N/A
    DHCP client                 Disabled
    DHCP relay profile          N/A
    Ingress ACL                 102routing
    Interface description       N/A



    show interface-config vlan 150

    vlan "150"
    ----------
    Parameter                   Value
    ---------                   -----
    Interface OSPF profile      N/A
    Interface PIM profile       N/A
    Interface IGMP profile      N/A
    Interface VRRP profile      N/A
    Directed Broadcast Enabled  Disabled
    Interface shutdown          Disabled
    Session-processing          Disabled
    mtu                         1500
    IP Address                  192.168.43.2/255.255.255.0
    IP NAT Inside               Disabled
    IPv6 Address                N/A
    IPv6 link local Address     N/A
    DHCP client                 Disabled
    DHCP relay profile          N/A
    Ingress ACL                 N/A
    Interface description       N/A


    Here are the PBR statements:

    ip access-list stateless 102routing
      network 10.102.43.0 255.255.255.0 network 10.0.0.0 255.0.0.0 any  permit nexthop 10.100.43.10
      network 10.102.43.0 255.255.255.0 any any  permit nexthop 192.168.43.1

    The  VLAN 102 Config:

    interface vlan "102"
       ip access-group in "102routing"
       ip address 10.102.43.1 255.255.255.0

    Sh ip int brief:

    Flags: S - Secondary IP address
    Interface                   IP Address / IP Netmask        Admin   Protocol   Flags
    vlan 1                    10.100.43.10 / 255.255.255.0     Up      Up          
    vlan 102                   10.102.43.1 / 255.255.255.0     Up      Up          
    vlan 150                  192.168.43.2 / 255.255.255.0     Up      Up 



  • 2.  RE: Routing on S1500 mobility Switch

    EMPLOYEE
    Posted Feb 04, 2014 06:31 PM

    Wittwem,

    The ACE to send the traffic to the DSL modem looks correct but the ACE to the DC doesn't. Not sure if that is causing a hiccup.

     

    ip access-list stateless 102routing
      network 10.102.43.0 255.255.255.0 network 10.0.0.0 255.0.0.0 any  permit nexthop 10.100.43.10
      network 10.102.43.0 255.255.255.0 any any  permit nexthop 192.168.43.1

     

    You are sending that traffic to the switch itself instead of the next hop. I believe that should be a 10.100.43.1 per your configuration.

     

    When you resolve that, let's see if you are getting the right hits to the ACLs. First have a client try to ping something on the internet, like 8.8.8.8 (Google DNS) or 4.2.2.2 (old GTE DNS). Next find out what ACL number these apply to:

     

    "show acl acl-table | include 102routing"
     
    Then plug the value you see to the far left into this output "show datapath dpe acl hits <value>". Make sure you are seeing the counters increase on the right ACE.
     
    Best regards,
     
    Madani
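
The next-hop problem pointed out in this reply can be checked offline before touching the switch. The sketch below is an added example, not code from the thread or from Aruba: it parses the two ACE shapes shown above and assumes top-down, first-match evaluation; `parse_ace`, `first_match` and `lint` are hypothetical helper names, and the interface list is copied from the original poster's output.

```python
import ipaddress as ip

# Constructed from the outputs in the thread: the switch's VLAN interfaces
# and the "102routing" policy as first posted.
INTERFACES = [ip.ip_interface(a) for a in
              ("10.100.43.10/24", "10.102.43.1/24", "192.168.43.2/24")]
ACL_AS_POSTED = [
    "network 10.102.43.0 255.255.255.0 network 10.0.0.0 255.0.0.0 any permit nexthop 10.100.43.10",
    "network 10.102.43.0 255.255.255.0 any any permit nexthop 192.168.43.1",
]

def parse_ace(line):
    """Return (src_net, dst_net, nexthop) for the two ACE shapes shown above."""
    tok = line.split()
    def take(i):
        if tok[i] == "network":
            return ip.ip_network(f"{tok[i + 1]}/{tok[i + 2]}"), i + 3
        if tok[i] == "any":
            return ip.ip_network("0.0.0.0/0"), i + 1
        raise ValueError(f"unsupported token {tok[i]!r}")
    src, i = take(0)
    dst, i = take(i)
    if tok[i + 1:i + 3] != ["permit", "nexthop"]:   # tok[i] is the service
        raise ValueError("only 'permit nexthop' ACEs are modelled")
    return src, dst, ip.ip_address(tok[i + 3])

def first_match(acl, src, dst):
    """First-match lookup (assumed semantics): (ACE number, next hop) or None."""
    for n, line in enumerate(acl, 1):
        s, d, nh = parse_ace(line)
        if ip.ip_address(src) in s and ip.ip_address(dst) in d:
            return n, str(nh)
    return None

def lint(acl, interfaces=INTERFACES):
    """Flag next hops that cannot forward, and ACEs hidden by an earlier ACE."""
    aces, out = [parse_ace(l) for l in acl], []
    for n, (s, d, nh) in enumerate(aces, 1):
        if any(nh == i.ip for i in interfaces):
            out.append((n, "nexthop is the switch's own address"))
        elif not any(nh in i.network for i in interfaces):
            out.append((n, "nexthop is not on a connected subnet"))
        if any(s.subnet_of(ps) and d.subnet_of(pd) for ps, pd, _ in aces[:n - 1]):
            out.append((n, "shadowed by an earlier ACE"))
    return out
```

The shadowing check goes slightly beyond the thread: if the catch-all ACE were listed first, the datacenter ACE would never match and 10.0.0.0/8 traffic would leave via the DSL link.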


  • 3.  RE: Routing on S1500 mobility Switch

    Posted Feb 05, 2014 12:14 PM

    Hi Madjali,

     

    I made the change you suggested. Below are the results of the commands you suggested running. Note I did connect a client to VLAN 102 and tried to ping 8.8.8.8

     

    (008-RI-SW1) #show acl acl-table | include 102routing
    22   stateless       265        2           3          102routing               1

    (008-RI-SW1) #show datapath dpe acl hits 22

    Datapath Element ACL Hits
    -------------------------
    Index         Source              Destination              Proto            Pkts      Bytes
    -----   -------------------   --------------------   ------------------   --------   --------
     265:  10.102.43.0 255.255.255.0    10.0.0.0 255.0.0.0                   any          0         0
     266:  10.102.43.0 255.255.255.0       0.0.0.0 0.0.0.0                   any          0         0
     267:                  ::/0                  ::/0                   any          0         0

    (008-RI-SW1) #



  • 4.  RE: Routing on S1500 mobility Switch

    EMPLOYEE
    Posted Feb 05, 2014 03:48 PM

    Wittwem,

    I'm on the road through tomorrow so I can't set this up in my lab. I would recommend that you open up a TAC case to get quicker support. Something is obviously wrong; I just don't see it from the outputs.

     

    Best regards,

     

    Madani



  • 5.  RE: Routing on S1500 mobility Switch

    Posted Feb 05, 2014 04:08 PM

    Hi Madjali,

     

    Thanks for your help thus far. I did open a case with TAC.

     

    Regards,

    Mark



  • 6.  RE: Routing on S1500 mobility Switch
    Best Answer

    Posted Feb 06, 2014 06:28 AM

     

    Hi Mark,

     

    First of all,

    Question: Have you ensured that you have "Reverse routes" (either static / dynamically-learnt) on your other end-points?

                        If not, either add static reverse routes, or learn dynamically (via OSPF etc...).

     

    I tried - it works.

    Since I don't have MPLS etc., to keep it simple I used three MAS devices to simulate your requirement.

     

    Below are the setup details I tried, where PBR works.

    Switch on far left denotes the box where PBR is configured. Switch on top-right denotes your data-centre (10.0.0.0 / 8 network)

    And Switch on right-bottom indicates your DSL modem, which connects to internet/other networks.

     

     

     

    [Image: PBR-on-MAS.png]

     

     

     

     

    (MAS) #show acl acl-table | include 102
    31   stateless       438        2           3          102routing               1

     

     

    When sending traffic to 10.0.0.0/8 network

    (MAS) #show datapath dpe acl hits 31

    Datapath Element ACL Hits
    -------------------------
    Index         Source              Destination              Proto            Pkts      Bytes
    -----   -------------------   --------------------   ------------------   --------   --------
     438:  10.102.43.0 255.255.255.0    10.0.0.0 255.0.0.0              any      31129     26176
     439:  10.102.43.0 255.255.255.0       0.0.0.0 0.0.0.0              any          0         0
     440:                  ::/0                  ::/0                   any          0         0

     

     

    When sending traffic to non-10 network (internet)
    (MAS) #show datapath dpe acl hits 31

    Datapath Element ACL Hits
    -------------------------
    Index         Source              Destination              Proto            Pkts      Bytes
    -----   -------------------   --------------------   ------------------   --------   --------
     438:  10.102.43.0 255.255.255.0    10.0.0.0 255.0.0.0              any          0         0
     439:  10.102.43.0 255.255.255.0       0.0.0.0 0.0.0.0              any      41553     37952
     440:                  ::/0                  ::/0                   any          0         0


    Thanks,

    -Vinay

     



  • 7.  RE: Routing on S1500 mobility Switch

    Posted Feb 06, 2014 08:35 AM

    Hi Vinay,

     

    Thank you very much for your detailed approach in trying to solve my problem. I do have to admit I forgot about the return route on the DSL modem. I stopped in at the location this morning and added a static route to the 10.102.43.0 network and things now work as anticipated. THANK YOU!

     

    I do have a follow-up question though. After verifying the route with a traceroute I can see the internet traffic being directed to the DSL modem. Now to the question. When I run sh datapath dpe acl hits 22 I do not see the counters increase at all. Below are the results:

     

    (008-RI-SW1) #show datapath  dpe acl hits 22

    Datapath Element ACL Hits
    -------------------------
    Index         Source              Destination              Proto            Pkts      Bytes
    -----   -------------------   --------------------   ------------------   --------   --------
     265:  10.102.43.0 255.255.255.0    10.0.0.0 255.0.0.0                   any          0         0
     266:  10.102.43.0 255.255.255.0       0.0.0.0 0.0.0.0                   any          0         0
     267:                  ::/0                  ::/0                   any          0         0



  • 8.  RE: Routing on S1500 mobility Switch

    Posted Feb 06, 2014 01:01 PM

     

     Hi Mark,

     

    Question-1:  Are clients able to reach internet ?

      (i) If  answer is "Yes"

           - Then, the reason why you might have seen all 0 stats is because of below:

     

     'show datapath  dpe acl hits'   is a "Clear on Read" command.

     Meaning, when you execute it for the first time, it dumps the details for whatever hits were seen so far. (Read)

      And it also resets all the stats (Clear), since "Read" was done.

      Hence when you execute the same command again, it will now show ONLY those hits which were seen between the last execution of this command and now.

      And this cycle (Clear on Read) repeats every time the command is executed.

     

    So, if clients are sending traffic, then wait for a few seconds before executing this command repeatedly to see non-zero stats.

     

    (ii) If answer is "No":

            - Then, again something is missing (routing/NATing)  - which needs to be fixed.

     

     

    Question-2:  From where did you run the traceroute, from the MAS box where PBR is enabled or from the actual client under VLAN-102?

     

    Thanks,

    -Vinay
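
With a clear-on-read counter, every read is already the delta since the previous read, so a script that tracks hits has to add the reads together instead of subtracting consecutive samples. The sketch below is an added example, not from the thread or from Aruba, and it takes the clear-on-read behaviour described in this reply as its assumption; `parse_hits` and `HitTotals` are hypothetical names, and the two sample reads are copied from the lab output in post 6 with whitespace condensed.

```python
# Two reads copied from the lab output earlier in the thread (whitespace condensed).
READ_1 = """\
Index  Source  Destination  Proto  Pkts  Bytes
-----  ------  -----------  -----  ----  -----
 438:  10.102.43.0 255.255.255.0  10.0.0.0 255.0.0.0  any  31129  26176
 439:  10.102.43.0 255.255.255.0  0.0.0.0 0.0.0.0     any      0      0
 440:  ::/0  ::/0  any  0  0
"""
READ_2 = """\
 438:  10.102.43.0 255.255.255.0  10.0.0.0 255.0.0.0  any      0      0
 439:  10.102.43.0 255.255.255.0  0.0.0.0 0.0.0.0     any  41553  37952
 440:  ::/0  ::/0  any  0  0
"""

def parse_hits(output):
    """Map ACE index -> (pkts, bytes) from 'show datapath dpe acl hits' text."""
    hits = {}
    for line in output.splitlines():
        tok = line.split()
        # Data rows start with "<index>:" and end with the Pkts and Bytes columns.
        if len(tok) >= 4 and tok[0].endswith(":") and tok[0][:-1].isdigit():
            if tok[-2].isdigit() and tok[-1].isdigit():
                hits[int(tok[0][:-1])] = (int(tok[-2]), int(tok[-1]))
    return hits

class HitTotals:
    """Running totals for a counter that resets itself every time it is read."""
    def __init__(self):
        self.totals = {}

    def add_read(self, output):
        delta = parse_hits(output)          # already "hits since last read"
        for idx, (pkts, nbytes) in delta.items():
            tp, tb = self.totals.get(idx, (0, 0))
            self.totals[idx] = (tp + pkts, tb + nbytes)
        return delta

    def silent(self):
        """ACE indexes that have not matched a packet in any read so far."""
        return sorted(i for i, (p, _) in self.totals.items() if p == 0)
```

Anyone else running the same show command between two polls consumes hits that the accumulator then never sees, so the totals are a lower bound.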



  • 9.  RE: Routing on S1500 mobility Switch

    Posted Feb 06, 2014 02:28 PM

    Hi Vinay,

     

    Question (1)

     

    Yes, the clients can reach the internet via the DSL circuit. I went ahead and started a continuous ping to 8.8.8.8 from a client on VLAN 102. While that ping was running I ran the 'show datapath dpe acl hits 22' command a couple of times. The stats did not increase:

     

    Datapath Element ACL Hits
    -------------------------
    Index         Source              Destination              Proto            Pkts      Bytes
    -----   -------------------   --------------------   -----   --------   --------
     265:  10.102.43.0 255.255.255.0    10.0.0.0 255.0.0.0    any          0         0
     266:  10.102.43.0 255.255.255.0       0.0.0.0 0.0.0.0    any          0         0
     267:                  ::/0                  ::/0         any          0         0

    (008-RI-SW1) #show datapath dpe acl hits 22

    Datapath Element ACL Hits
    -------------------------
    Index         Source              Destination              Proto            Pkts      Bytes
    -----   -------------------   --------------------   ------   --------   --------
     265:  10.102.43.0 255.255.255.0    10.0.0.0 255.0.0.0    any          0         0
     266:  10.102.43.0 255.255.255.0       0.0.0.0 0.0.0.0    any          0         0
     267:                  ::/0                  ::/0         any          0         0

    (008-RI-SW1) #show datapath dpe acl hits 22

    Datapath Element ACL Hits
    -------------------------
    Index         Source              Destination              Proto            Pkts      Bytes
    -----   -------------------   --------------------   ------   --------   --------
     265:  10.102.43.0 255.255.255.0    10.0.0.0 255.0.0.0    any          0         0
     266:  10.102.43.0 255.255.255.0       0.0.0.0 0.0.0.0    any          0         0
     267:                  ::/0                  ::/0         any          0         0

    (008-RI-SW1) #show datapath dpe acl hits 22

    Datapath Element ACL Hits
    -------------------------
    Index         Source              Destination              Proto            Pkts      Bytes
    -----   -------------------   --------------------   -------   --------   --------
     265:  10.102.43.0 255.255.255.0    10.0.0.0 255.0.0.0    any          0         0
     266:  10.102.43.0 255.255.255.0       0.0.0.0 0.0.0.0    any          0         0
     267:                  ::/0                  ::/0         any          0         0

     

    Question (2)

     

    The traceroute was run from a PC on VLAN 102.

     

    Tracing route to google-public-dns-a.google.com [8.8.8.8]
    over a maximum of 30 hops:

      1     9 ms     1 ms     1 ms  10.102.43.1
      2    <1 ms    <1 ms    <1 ms  192.168.43.1
      3    28 ms    22 ms    21 ms  mpls-dsl-gw57.mpls.qwest.net [207.225.140.57]
      4    50 ms    34 ms    20 ms  mpls-agw1.inet.qwest.net [75.168.229.193]
      5    31 ms    80 ms    31 ms  chp-edge-02.inet.qwest.net [67.14.38.98]
      6    31 ms    31 ms    31 ms  208.47.121.146
      7    32 ms    31 ms    31 ms  209.85.255.26
      8    32 ms    31 ms    31 ms  209.85.254.238
      9    49 ms    48 ms    48 ms  209.85.248.214
     10    49 ms    55 ms    49 ms  216.239.43.217
     11     *        *        *     Request timed out.
     12    49 ms    49 ms    49 ms  google-public-dns-a.google.com [8.8.8.8]

    Trace complete.

     



  • 10.  RE: Routing on S1500 mobility Switch

    Posted Feb 06, 2014 02:42 PM

    Hi Mark,

     

     Can you dump the AOS MAS version you are using?

     

     

    Thanks,

    -Vinay



  • 11.  RE: Routing on S1500 mobility Switch

    Posted Feb 06, 2014 02:54 PM

    Hi Vinay,

     


    Aruba Operating System Software.
    ArubaOS (MODEL: ArubaS1500-24P-US), Version 7.3.0.1
    Website: http://www.arubanetworks.com
    Copyright (c) 2002-2013, Aruba Networks, Inc.
    Compiled on 2013-12-19 at 15:46:24 PST (build 41381) by p4build
    ROM: System Bootstrap, Version CPBoot 1.0.41.0 (build 39637)
    Built: 2013-08-29 00:00:41
    Built by: p4build@re_client_39637
    Switch uptime is 2 days 6 hours 48 minutes 58 seconds
    Reboot Cause: User reboot.
    Processor XLS 208 (revision A1) with 1023M bytes of memory.
    955M bytes of System flash

     

    -Mark



  • 12.  RE: Routing on S1500 mobility Switch

    EMPLOYEE
    Posted Feb 06, 2014 05:36 PM

    Mark,

    I'm back in the office and see that Vinay got you up and running. I have verified that it looks like we have a bug in the S1500s with the hits command. I ran the same configuration on a S1500-12P and an S2500-48P and the counters worked on the S2500 but not the S1500. I'll open a bug on this.

     

    Best regards,

     

    Madani



  • 13.  RE: Routing on S1500 mobility Switch

    Posted Feb 06, 2014 06:49 PM

    Madani,

     

    Thank you very much for your help!

     

    Regards,

    Mark