PBR on MSFC

Unanswered Question
Jun 27th, 2007
User Badges:


I'm trying to use PBR on a Catalyst 6509 with MSFC2, with IOS Version 12.1(19)E.

I have defined the following PBR


route-map PBR permit 0

match ip address 102

set ip default next-hop 156.106.131.228


The ACL 102 is as follows:

permit ip 156.106.151.0 0.0.0.255 any log

Which simply routes all sources to the next-hop IP instead of the normal gateway.


On the interface, I have defined

interface Vlan114

ip address 156.106.151.1 255.255.255.0

ip ospf authentication-key 7

ip policy route-map PBR



The next hop 156.106.131.228 is directly attached to the router via a Vlan.


When trying to monitor it, I see

"policy rejected, normal forwarding"


Any ideas?


Tks,



mahmoodmkl Wed, 06/27/2007 - 05:58
User Badges:
  • Gold, 750 points or more

Hi


I think for this to work you need to have the default next hop in the same subnet as the VLAN interface. Can you try this and check?


Thanks

Mahmood

chzair Wed, 06/27/2007 - 06:21
User Badges:

Sorry, don't see it?

The default route for my vlan114 is 156.106.151.1, which is directly attached to the MSFC, I want instead to be routed to a different VLAN (156.106.131.228). So I don't want my next hop to be in the same Vlan.


I'm trying to follow exactly the same example as in the reference

http://www.cisco.com/en/US/tech/tk364/technologies_configuration_example09186a00802135d3.shtml#diag


Tks,

sundar.palaniappan Wed, 06/27/2007 - 06:32
User Badges:
  • Green, 3000 points or more

From the route-map.


Remove this:


set ip default next-hop 156.106.131.228


Add this:


set ip next-hop 156.106.131.228


The default keyword in the next-hop will only be used when the router doesn't have a route to that destination. I assume you probably do have a route to that destination and that's the reason why the policy is being rejected.


HTH


Sundar

JORGE RODRIGUEZ Wed, 06/27/2007 - 06:57
User Badges:
  • Green, 3000 points or more

access-list 1 permit 156.106.151.X 0.0.0.255 log ( per host )

or

access-list 1 permit 10.168.100.0 0.0.0.255 log ( per subnet )




route map


route-map PRB permit 10

match ip address 1

set ip next-hop 156.106.131.228


interface vlan 114

ip policy route-map PRB




To test, I would try with a single host from Vlan 114: do a tracert to something outside your network from the PC and see if it takes 156.106.131.228 as the next hop.

Also do show access-list # on the MSFC to see any hits on that ACL.


Could you also post show ip route from the MSFC? We would like to see what your default route is.


Jorge

chzair Wed, 06/27/2007 - 07:42
User Badges:

Jorge,


I already tried the standard ACL, with the same result as well.

Here are the changes I've made:


route-map PBR permit 10

match ip address 9

set ip next-hop 156.106.131.228


where:

access-list 9 permit 156.106.151.0 0.0.0.255 log


interface vlan 114

ip address 156.106.151.1 255.255.255.0

ip ospf authentication-key 7

ip ospf cost 4

ip policy route-map PBR


------

Then, I'm trying a pathping from a host in this subnet


C:\>pathping con1


Tracing route to con1 [156.106.97.20]

over a maximum of 30 hops:

0 CND43663 [156.106.151.115]

1 156.106.151.1

2 md-int-ext-b [156.106.129.129]

3 156.106.58.168

4 con1 [156.106.97.20]


My PC has the following IP


C:\>ipconfig


Windows IP Configuration



Ethernet adapter Local Area Connection:


IP Address. . . . . . . . . . . . : 156.106.151.115

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 156.106.151.1


---------------

I'm also posting the show ip route 156.106.151.0


BVCMSFC01#sh ip route 156.106.151.0

Routing entry for 156.106.151.0/24

Known via "connected", distance 0, metric 0 (connected, via interface)

Routing Descriptor Blocks:

* directly connected, via Vlan114

Route metric is 0, traffic share count is 1





JORGE RODRIGUEZ Wed, 06/27/2007 - 09:23
User Badges:
  • Green, 3000 points or more

It is odd, it should have worked.


Try this, keeping the same standard ACL, and we'll include your Vlan114 interface IP, also without an inverse mask:


access-list 9 permit 156.106.151.1

access-list 9 permit 156.106.151.115


Try tracert from your PC now.
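To make the two points raised in this thread concrete (Sundar's explanation of the `default` keyword in `set ip default next-hop`, and whether the wildcard-mask ACL actually matches the test host the way the per-host entries do), here is an added Python model of the route-map decision. It is not from the thread or from Cisco; the routing entry covering con1 (156.106.97.20) is constructed, since the real prefix was never posted.

```python
import ipaddress


def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 1 bit means 'do not care'. True when addr matches base/wildcard."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def acl_permits(acl, src):
    """acl: ordered list of (base, wildcard) permit entries; first match wins, implicit deny."""
    return any(wildcard_match(src, base, wc) for base, wc in acl)


def has_specific_route(table, dst):
    """True if the routing table holds a route to dst other than the default route 0.0.0.0/0."""
    d = ipaddress.IPv4Address(dst)
    return any(d in ipaddress.ip_network(p) for p in table if p != "0.0.0.0/0")


def pbr_decision(route_map, acls, table, src, dst):
    """Walk the route-map sequences in order.
    'next-hop' overrides routing whenever the ACL matches; 'default next-hop' is only
    honoured when no specific route to dst exists, which is the case Sundar describes."""
    for seq, acl_name, set_type, next_hop in route_map:
        if not acl_permits(acls[acl_name], src):
            continue
        if set_type == "default next-hop" and has_specific_route(table, dst):
            return ("policy rejected, normal forwarding", seq, None)
        return ("policy routed", seq, next_hop)
    return ("normal forwarding", None, None)


# ACLs from the thread: extended 102 (only its source part matters here), standard 9 as a
# wildcard entry, and the per-host form Jorge suggested.
ACLS = {
    "102": [("156.106.151.0", "0.0.0.255")],
    "9-wildcard": [("156.106.151.0", "0.0.0.255")],
    "9-hosts": [("156.106.151.1", "0.0.0.0"), ("156.106.151.115", "0.0.0.0")],
}
# Routing table: the two connected routes shown in the thread plus a constructed (assumed)
# OSPF route covering con1, and a default route.
TABLE = ["156.106.151.0/24", "156.106.128.0/21", "156.106.96.0/21", "0.0.0.0/0"]
SRC, DST = "156.106.151.115", "156.106.97.20"

if __name__ == "__main__":
    for name, acl in ACLS.items():
        print(name, "matches host" if acl_permits(acl, SRC) else "no match")
    print(pbr_decision([(0, "102", "default next-hop", "156.106.131.228")], ACLS, TABLE, SRC, DST))
    print(pbr_decision([(10, "9-wildcard", "next-hop", "156.106.131.228")], ACLS, TABLE, SRC, DST))
```

The wildcard entry and the two host entries all match 156.106.151.115, so on this model the difference in behaviour is not explained by the ACL syntax alone; the original `default next-hop` variant, by contrast, is rejected as soon as any non-default route to the destination exists.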





chzair Thu, 06/28/2007 - 04:28
User Badges:

Seems to work:

In the debug I can see the following:



BVCMSFC01#
Jun 28 14:22:07 CET: datagramsize=263, IP 45070: s=156.106.151.115 (Vlan114), d=156.106.151.255, totlen 249, fragment 0, fo 0, policy match
Jun 28 14:22:07 CET: IP: route map PBR, item 10, permit
Jun 28 14:22:07 CET: datagramsize=263, IP 45070: s=156.106.151.115 (Vlan114), d=156.106.151.255 (Vlan9), totlen 249, fragment 0, fo 0, policy routed
Jun 28 14:22:07 CET: IP: Vlan114 to Vlan9 156.106.131.228
Jun 28 14:22:39 CET: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 156.106.187.102(1754) -> 0.0.0.0(23), 1 packet
Jun 28 14:23:39 CET: %SEC-6-IPACCESSLOGP: list 2106 denied udp 156.106.209.15(0) (Vlan106 0010.8377.df87) -> 224.0.1.60(0), 1 packet
Jun 28 14:25:38 CET: datagramsize=92, IP 46160: s=156.106.151.115 (Vlan114), d=156.106.151.255, totlen 78, fragment 0, fo 0, policy match
Jun 28 14:25:38 CET: IP: route map PBR, item 10, permit
Jun 28 14:25:38 CET: datagramsize=92, IP 46160: s=156.106.151.115 (Vlan114), d=156.106.151.255 (Vlan9), totlen 78, fragment 0, fo 0, policy routed
Jun 28 14:25:38 CET: IP: Vlan114 to Vlan9 156.106.131.228
Jun 28 14:25:38 CET: datagramsize=92, IP 46176: s=156.106.151.115 (Vlan114), d=156.106.151.255, totlen 78, fragment 0, fo 0, policy match
Jun 28 14:25:38 CET: IP: route map PBR, item 10, permit
Jun 28 14:25:38 CET: datagramsize=92, IP 46176: s=156.106.151.115 (Vlan114), d=156.106.151.255 (Vlan9), totlen 78, fragment 0, fo 0, policy routed
Jun 28 14:25:38 CET: IP: Vlan114 to Vlan9 156.106.131.228


--------------------------------

But in this case, what conclusion do you draw?


Tks,



chzair Wed, 06/27/2007 - 07:23
User Badges:

Sundar,


In fact, I tried it first without default and it did not work.


Chems

Edison Ortiz Wed, 06/27/2007 - 07:59
User Badges:
  • Super Bronze, 10000 points or more
  • Hall of Fame, Founding Member

Can you post a


show ip route 156.106.131.228


from the router running the PBR?


chzair Wed, 06/27/2007 - 08:16
User Badges:



BVCMSFC01#sh ip route 156.106.131.228

Routing entry for 156.106.128.0/21

Known via "connected", distance 0, metric 0 (connected, via interface)

Routing Descriptor Blocks:

* directly connected, via Vlan9

Route metric is 0, traffic share count is 1


BVCMSFC01#

mheusing Wed, 06/27/2007 - 09:43
User Badges:
  • Cisco Employee,

Hi,


Can you describe your topology in more detail? Just to avoid hunting a "reporting problem". Intermediate routers usually answer with the outgoing interface, which might not be the interface where the packet was received. If, e.g., you have 4 fully meshed routers and are forcing a packet from R1 to R4 to go through R2 and R3, you might end up with a sequence of IP addresses which are on the direct links from R1 to R2 and R3 respectively.

I had this issue once: packets were actually sent along the desired path, but the traceroute looked quite different. Just to be sure this is not the case here.


Regards, Martin

chzair Wed, 06/27/2007 - 23:49
User Badges:

Martin,


We have 6 fully meshed backbone 6509 switches, all with MSFC2; they are connected to 3548XL switches where we have all our users. Each pair of 6509s is handling a subset of user VLANs, with HSRP. Inter-VLAN routing is handled by OSPF.


For this test, I'm using the PBR in only one 6509, in a test Vlan (156.106.151.0) with no HSRP.

Don't know if this is enough for you; otherwise I can describe our topology in more detail.


This morning I tried removing the match command, and it did work:


route-map PBR permit 10

set ip next-hop 156.106.131.228


But, typically, I don't want that!! I would like to have more flexibility.

