PBR on MSFC

chzair
Level 1

I'm trying to use PBR on a Catalyst 6509 with MSFC2, with IOS Version 12.1(19)E.

I have defined the following PBR:

route-map PBR permit 0
 match ip address 102
 set ip default next-hop 156.106.131.228

The ACL 102 is as follows:

permit ip 156.106.151.0 0.0.0.255 any log

which simply says to route all the sources to the next-hop IP instead of the normal gateway.

On the interface, I have defined:

interface Vlan114
 ip address 156.106.151.1 255.255.255.0
 ip ospf authentication-key 7
 ip policy route-map PBR

The next hop 156.106.131.228 is directly attached to the router via a Vlan.

When trying to monitor it, I see:

"policy rejected, normal forwarding"

Any ideas?

Tks,

12 Replies

mahmoodmkl
Level 7

Hi

I think for this to work you need to have the default next hop in the same subnet as the VLAN interface. Can you try this and check.

Thanks

Mahmood

Sorry, don't see it?

The default route for my vlan114 is 156.106.151.1, which is directly attached to the MSFC, I want instead to be routed to a different VLAN (156.106.131.228). So I don't want my next hop to be in the same Vlan.

I'm trying to follow exactly the same example as in the reference:

http://www.cisco.com/en/US/tech/tk364/technologies_configuration_example09186a00802135d3.shtml#diag

Tks,

From the route-map.

Remove this:

set ip default next-hop 156.106.131.228

Add this:

set ip next-hop 156.106.131.228

The default keyword in the next-hop will only be used when the router doesn't have a route to that destination. I assume you probably do have a route to that destination, and that's the reason why the policy is being rejected.

HTH

Sundar

access-list 1 permit 156.106.151.X 0.0.0.255 log (per host)

or

access-list 1 permit 10.168.100.0 0.0.0.255 log (per subnet)

Route map:

route-map PRB permit 10
 match ip address 1
 set ip next-hop 156.106.131.228

interface vlan 114
 ip policy route-map PRB

To test, I would try with a single host from vlan 114: do a tracert to something outside your network from the PC and see if it takes 156.106.131.228 as the next hop.

Also do show access-list # on the MSFC to see any hits on that ACL.

Could you also post show ip route from the MSFC? We would like to see what your default route is.

Jorge

Jorge Rodriguez

Jorge,

I already tried the standard ACL, with the same result as well.

Here are the changes I've made:

route-map PBR permit 10
 match ip address 9
 set ip next-hop 156.106.131.228

where:

access-list 9 permit 156.106.151.0 0.0.0.255 log

interface vlan 114
 ip address 156.106.151.1 255.255.255.0
 ip ospf authentication-key 7
 ip ospf cost 4
 ip policy route-map PBR

------

Then, I'm trying a pathping from a host in this subnet:

C:\>pathping con1

Tracing route to con1 [156.106.97.20]
over a maximum of 30 hops:
  0  CND43663 [156.106.151.115]
  1  156.106.151.1
  2  md-int-ext-b [156.106.129.129]
  3  156.106.58.168
  4  con1 [156.106.97.20]

My PC has the following IP:

C:\>ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 156.106.151.115
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 156.106.151.1

---------------

I'm also posting the show ip route 156.106.151.0:

BVCMSFC01#sh ip route 156.106.151.0
Routing entry for 156.106.151.0/24
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Routing Descriptor Blocks:
  * directly connected, via Vlan114
      Route metric is 0, traffic share count is 1

It is odd; it should have worked.

Try this, keeping the same standard ACL and including your Vlan114 interface IP, also without the inverse mask:

access-list 9 permit 156.106.151.1
access-list 9 permit 156.106.151.115

Try tracert from your PC now.

Jorge Rodriguez
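Sundar's point about the `default` keyword, and Jorge's two ACL suggestions (a wildcard mask for the whole /24 versus host entries with no inverse mask), come down to three pieces of PBR logic: how an ACL wildcard mask matches an address, how a route-map walks its sequences, and when `set ip next-hop` versus `set ip default next-hop` actually fires. The model below is an added example written for this thread, not code from Cisco or from any poster; it reproduces those decision rules in Python and drives them with constructed sample data using the thread's addresses. The routing table is an assumption (the 156.106.97.0/24 entry stands in for a route learned via OSPF), and the destination 192.0.2.10 is a made-up "unknown" address from the documentation range.

```python
"""Model of Cisco IOS policy-based routing (PBR) decisions.

Added example, not Cisco code and not from the thread.  It models:
  * ACL wildcard-mask matching (a 1 bit in the mask means "don't care"),
  * top-down route-map sequence evaluation with implicit deny,
  * 'set ip next-hop'  -> always policy route a matching packet,
  * 'set ip default next-hop' -> policy route only when the routing table
    has no explicit (non-default) route for the destination.
All tables, ACLs and packets below are constructed samples.
"""
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # the ACL keyword 'any'


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: compare only the bits that are 0 in the mask."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a = int(ipaddress.IPv4Address(addr)) & care
    b = int(ipaddress.IPv4Address(base)) & care
    return a == b


def acl_permits(acl, src, dst):
    """First matching entry decides; an ACL ends with an implicit deny.
    Entries are (action, (src_base, src_wild), (dst_base, dst_wild)).
    A standard ACL is modelled with dst set to ANY (source-only match)."""
    for action, s, d in acl:
        if wildcard_match(src, *s) and wildcard_match(dst, *d):
            return action == "permit"
    return False


def has_explicit_route(dst, table):
    """True if any prefix other than the default route covers dst."""
    ip = ipaddress.IPv4Address(dst)
    return any(p != "0.0.0.0/0" and ip in ipaddress.IPv4Network(p) for p in table)


def pbr_decision(src, dst, route_map, acls, table):
    """Return ('policy routed', next_hop) or
    ('policy rejected, normal forwarding', None).
    route_map: ordered list of dicts with keys 'seq', 'match' (ACL number or
    None for no match clause), 'set' ('next-hop' | 'default next-hop'), 'nh'."""
    for entry in route_map:
        acl = acls.get(entry["match"]) if entry["match"] is not None else None
        if acl is not None and not acl_permits(acl, src, dst):
            continue  # this sequence does not match; try the next one
        if entry["set"] == "next-hop":
            return "policy routed", entry["nh"]
        if entry["set"] == "default next-hop" and not has_explicit_route(dst, table):
            return "policy routed", entry["nh"]
        # Sequence matched, but 'default next-hop' lost to an explicit route.
        return "policy rejected, normal forwarding", None
    return "policy rejected, normal forwarding", None


# ---- constructed sample data mirroring the thread's addressing ----
ACLS = {
    102: [("permit", ("156.106.151.0", "0.0.0.255"), ANY)],  # extended ACL from the question
    9: [("permit", ("156.106.151.0", "0.0.0.255"), ANY)],    # standard ACL, source only
}
# Assumed routing table: two connected VLANs, one OSPF-learned /24, a default route.
TABLE = ["156.106.151.0/24", "156.106.128.0/21", "156.106.97.0/24", "0.0.0.0/0"]
NH = "156.106.131.228"

RM_DEFAULT = [{"seq": 10, "match": 102, "set": "default next-hop", "nh": NH}]
RM_ALWAYS = [{"seq": 10, "match": 102, "set": "next-hop", "nh": NH}]


def demo():
    """Run the four cases the thread discusses and return the decisions."""
    return {
        "default next-hop, destination has an explicit route":
            pbr_decision("156.106.151.115", "156.106.97.20", RM_DEFAULT, ACLS, TABLE),
        "default next-hop, destination only covered by 0.0.0.0/0":
            pbr_decision("156.106.151.115", "192.0.2.10", RM_DEFAULT, ACLS, TABLE),
        "next-hop, destination has an explicit route":
            pbr_decision("156.106.151.115", "156.106.97.20", RM_ALWAYS, ACLS, TABLE),
        "source outside the ACL":
            pbr_decision("156.106.187.102", "156.106.97.20", RM_ALWAYS, ACLS, TABLE),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The first case is the original symptom: the packet matches ACL 102, but because the router already holds a route for 156.106.97.0/24, `default next-hop` does nothing and the debug reports normal forwarding. Swapping to `next-hop` (third case) policy routes the same packet, and the host-entry ACL Jorge proposes is just `wildcard_match` with a 0.0.0.0 mask.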

Seems to work:

In the debug I can see the following:

BVCMSFC01#
Jun 28 14:22:07 CET: datagramsize=263, IP 45070: s=156.106.151.115 (Vlan114), d=156.106.151.255, totlen 249, fragment 0, fo 0, policy match
Jun 28 14:22:07 CET: IP: route map PBR, item 10, permit
Jun 28 14:22:07 CET: datagramsize=263, IP 45070: s=156.106.151.115 (Vlan114), d=156.106.151.255 (Vlan9), totlen 249, fragment 0, fo 0, policy routed
Jun 28 14:22:07 CET: IP: Vlan114 to Vlan9 156.106.131.228
Jun 28 14:22:39 CET: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 156.106.187.102(1754) -> 0.0.0.0(23), 1 packet
Jun 28 14:23:39 CET: %SEC-6-IPACCESSLOGP: list 2106 denied udp 156.106.209.15(0) (Vlan106 0010.8377.df87) -> 224.0.1.60(0), 1 packet
Jun 28 14:25:38 CET: datagramsize=92, IP 46160: s=156.106.151.115 (Vlan114), d=156.106.151.255, totlen 78, fragment 0, fo 0, policy match
Jun 28 14:25:38 CET: IP: route map PBR, item 10, permit
Jun 28 14:25:38 CET: datagramsize=92, IP 46160: s=156.106.151.115 (Vlan114), d=156.106.151.255 (Vlan9), totlen 78, fragment 0, fo 0, policy routed
Jun 28 14:25:38 CET: IP: Vlan114 to Vlan9 156.106.131.228
Jun 28 14:25:38 CET: datagramsize=92, IP 46176: s=156.106.151.115 (Vlan114), d=156.106.151.255, totlen 78, fragment 0, fo 0, policy match
Jun 28 14:25:38 CET: IP: route map PBR, item 10, permit
Jun 28 14:25:38 CET: datagramsize=92, IP 46176: s=156.106.151.115 (Vlan114), d=156.106.151.255 (Vlan9), totlen 78, fragment 0, fo 0, policy routed
Jun 28 14:25:38 CET: IP: Vlan114 to Vlan9 156.106.131.228

--------------------------------

But in this case, what conclusion do you draw?

Tks,

Sundar,

In fact, I tried it first without default and it did not work.

Chems

Can you post a

show ip route 156.106.131.228

from the router running the PBR?

BVCMSFC01#sh ip route 156.106.131.228
Routing entry for 156.106.128.0/21
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Routing Descriptor Blocks:
  * directly connected, via Vlan9
      Route metric is 0, traffic share count is 1
BVCMSFC01#

Hi,

Can you describe your topology in more detail? Just to avoid hunting a "reporting problem": intermediate routers usually answer with the outgoing interface, which might not be the interface where the packet was received. If, e.g., you have 4 fully meshed routers and are forcing a packet from R1 to R4 to go through R2 and R3, you might end up with a sequence of IP addresses which are on the direct links from R1 to R2 and R3 respectively.

I had this issue once: packets were actually sent along the desired path, but the traceroute looked quite different. Just to be sure this is not the case here.

Regards, Martin

Martin,

We have 6 fully meshed backbone 6509 switches, all with MSFC2; they are connected to 3548XL switches where we have all our users. Each pair of 6509s is handling a subset of user VLANs, with HSRP. Inter-VLAN routing is handled by OSPF.

For this test, I'm using the PBR in only one 6509, in a test VLAN (156.106.151.0) with no HSRP.

Don't know if this is enough for you; otherwise I can describe our topology more.

This morning I tried removing the match command, and it did work:

route-map PBR permit 10
 set ip next-hop 156.106.131.228

But, typically, I don't want that!! I would like to have more flexibility.
