Routing Question

Darshannaidoo · ‎07-18-2008

I need help on setting up routing for a single subnet.

At the moment all traffic is routed via the etherchannel(po1) to the R2 Router via ospf. What i would like to do is route a single SVI on the 4506 to R1 instead of R2.

Can i apply a route map on the subnet (10.90.18.0) SVI VLAN18 interface and set the next hop via r1 interface(10.90.252.7)

should i apply the policy on the trunk port or on the SVI?

http://i341.photobucket.com/albums/o389/tidenz1/test.gif

Jerry Ye · ‎07-18-2008

Hi,

You should apply the route-map on the SVI, where the packet is enter into the router.

"Policy routing is specified on the interface that receives the packets, not on the interface from which the packets are sent."

http://www.cisco.com/en/US/products/ps6599/products_white_paper09186a00800a4409.shtml#wp14035

HTH,

jerry

Darshannaidoo · ‎08-04-2008

Thanks Jerry,

I have applied the route-map on the 4506 SVI.

route-map Traffic_to_ISP2 permit 10

match ip address 20

set ip next-hop 10.90.252.38

#sh ip access-lists 20

Standard IP access list 20

10 permit 10.90.17.0, wildcard bits 0.0.0.255

interface Vlan17

description Layer3 gateway

ip address 10.90.17.2 255.255.255.0

ip policy route-map Traffic_to_ISP2

#sh ip policy

Interface Route map

Vlan17 Traffic_to_ISP2

#sh route-map

route-map Traffic_to_ISP2, permit, sequence 10

Match clauses:

ip address (access-lists): 20

Set clauses:

ip next-hop 10.90.252.38

Nexthop tracking current: 10.90.252.38

10.90.252.38, fib_nh:18836098,oce:189008EC,status:1

Policy routing matches: 0 packets, 0 bytes

However i am not getting any matches when debugging or any matches on the acl.

A traceroute shows traffic hitting the SVI but the PBR is not working

Protocol [ip]:

Target IP address: 10.64.11.204

Source address: 10.90.17.18

Numeric display [n]:

Timeout in seconds [3]:

Probe count [3]:

Type escape sequence to abort.

Tracing the route to

1 10.90.17.2 0 msec 0 msec 9 msec

2 10.90.252.9 0 msec 0 msec 9 msec

7 10.64.11.204 16 msec 17 msec 25 msec

Any ideas?

Jerry Ye · ‎08-04-2008

Hi,

Just a question, where do you initiate the ping? On the router where PBR is configured on the SVI? If this is the case, you have to use the command "ip local policy route-map map-tag" to test the PBR.

If you are testing from a PC on VLAN 17, the trace route should hit the ACL and use the PBR.

http://www.cisco.com/en/US/docs/ios/iproute/configuration/guide/irp_ip_prot_indep_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1056885

HTH,

jerry

Darshannaidoo · ‎08-04-2008

Good question

Traffic is not orginating on the switch which is a 4506 not a router. I am tracerouting from another switch on vlan17.

I am not getting any matches which would suggest the switch has issues with PBR should i be running a different IOS?

at the moment i am running "cat4000-i5s-mz.122-25.EWA13.bin"

Jerry Ye · ‎08-05-2008

Hi, Can you post the output of the following command:

show ip route 10.90.252.38

I am wondering is the next hop 10.90.252.38 on the routing table of the 4506.

Regards,

jerry

Darshannaidoo · ‎08-05-2008

Yes it is directly connected, it is a ptp connection from the 4506 to the router for ISP2.

#sh ip route 10.90.252.38

Routing entry for 10.90.252.36/30

Known via "connected", distance 0, metric 0 (connected, via interface)

Jerry Ye · ‎08-05-2008

Hi, I don't see any issue with your configuration.

Like I said before, if you are testing the PBR from any device on VLAN17, the route-map and ACL should catch it. However, if the traceroute/ping is initiate from the 4506 sourced from VLAN17, "ip local policy" should be use to perform the test.

Regards,

jerry