08-26-2009 01:09 AM - edited 03-04-2019 05:51 AM
Hello, I configured PBR on a 3750 (12.2(37)SE1) to route packets from a specific source (10.44.39.26) using a different GW. This works! What is not working is that since this config is in place, the source 10.44.39.26 is no longer able to telnet to the switch's loopback interface, but ping works. Why?
Since PBR doesn't affect local traffic it shouldn't be the cause !#@:-(
Any idea how to debug it?
!
here the config for PBR ..
!
!
access-list 100 permit ip host 10.44.39.26 any
!
route-map PBR_New_LB permit 10
match ip address 100
set ip next-hop 10.47.99.240
!
!
interface Vlan498
ip policy route-map PBR_New_LB
!
interface Vlan499
ip policy route-map PBR_New_LB
!
08-26-2009 01:13 AM
Use "ip local policy" to PBR packets sourced by the router.
08-26-2009 01:25 AM
Paolo,
I think that the issue the OP describes is somewhat different here than just PBRing the locally originated packets.
Helenio, you are saying that the machine 10.44.39.26 is not able to telnet into the 3750 anymore. That could be caused by the fact that, no matter what the destination is, you are redirecting that machine to a different next hop. Is it possible to change your ACL 100 so that it first denies the packets going from 10.44.39.26 to the Loopback IP of your switch (so they will be routed according to the usual routing table) and only then permits any other destination?
Please give it a try and let me know if it worked.
Best regards,
Peter
08-26-2009 01:43 AM
Do you mean to add a PBR for this particular traffic? I tried to apply ip local policy route-map PBR_New_LB but it didn't work.
Anyway, my opinion is that local traffic doesn't have to be policed because it has to come back via the normal route. Why does ping work?
08-26-2009 01:49 AM
Hello Helenio,
No, remove the "ip local policy" from your configuration. I did not have that in mind.
I was thinking about making an exception to your PBR so that packets going to your loopback IP are not policy routed. Assuming that your loopback address is, say, 192.0.2.1, then the ACL 100 should say:
access-list 100 deny ip host 10.44.39.26 host 192.0.2.1
access-list 100 permit ip host 10.44.39.26 any
I am not sure why the ping works right now. You are right about the fact that local traffic - that is the traffic originated by the router itself - is not subject to PBR on interfaces. But my concern here is that you effectively divert all packets from the IP 10.44.39.26 to a different gateway even if they should be received locally.
Can you give this a try?
Best regards,
Peter
08-26-2009 01:54 AM
Yes, I tried, but it is not working. I think that deny is not allowed in PBR for the 3750 (3750 config guide); only permit statements can be issued..
08-26-2009 01:58 AM
Hello Helenio,
Does that limitation about "deny" apply only to ACLs or also to route-maps? If it does not apply to route-maps, can you try this reformulation?
access-list 100 permit ip host 10.44.39.26 host 192.0.2.1
access-list 101 permit ip host 10.44.39.26 any
route-map PBR_New_LB deny 10
match ip address 100
route-map PBR_New_LB permit 20
match ip address 101
set ip next-hop 10.47.99.240
Best regards,
Peter
08-26-2009 02:03 AM
It seems that deny is also not allowed on route-maps .. note from the 3750 config guide ---
Note: The route-map deny statement is not supported in PBR route maps to be applied to an interface.
....
08-26-2009 02:00 AM
I did another test and I added a route-map for this traffic with a next hop that is not available (this means that it will take the normal routing table) and now it is working :-! ..
here the config:
access-list 101 permit ip host 10.44.39.26 host 10.47.3.100
!
route-map PBR_New_LB permit 9
match ip address 101
set ip next-hop 10.47.99.238
!
!
access-list 100 permit ip host 10.44.39.26 any
access-list 100 permit ip host 10.44.38.72 any
!
route-map PBR_New_LB permit 10
match ip address 100
set ip next-hop 10.47.99.240
!
!
interface Vlan498
ip policy route-map PBR_New_LB
!
interface Vlan499
ip policy route-map PBR_New_LB
!
..
Now it is working but I don't like it .. why, in the previous config, wasn't the routing table used for the traffic not matching the PBR?
08-26-2009 02:15 AM
Helenio,
I have had a look in the 3750 documentation and I stand corrected - the PBR on 3750 does not support the "route-map deny" clauses. However, it should support deny entries in ACLs, but according to the documentation, if a packet is matched by a "deny" ACL entry, it will go to the CPU, which may cause high utilization. So we should avoid using both deny ACEs and deny route-map blocks.
The configuration guide to 3750 is quite clear here:
Do not match ACLs that permit packets destined for a local address. PBR would forward these packets, which could cause ping or Telnet failure or route protocol flapping.
I suggest reformulating your configuration once more as follows:
access-list 101 permit ip host 10.44.39.26 host 10.47.3.100
access-list 100 permit ip host 10.44.39.26 any
access-list 100 permit ip host 10.44.38.72 any
!
route-map PBR_New_LB permit 9
match ip address 101
set ip default next-hop
!
route-map PBR_New_LB permit 10
match ip address 100
set ip next-hop 10.47.99.240
This way, your PC will be routed according to the routing table whenever it sends a packet to the loopback address of the switch. Alternatively, you could try modifying block 9 of your route-map to omit the "set" command completely. If no "set" is present, the packet should again be routed according to the routing table.
Can you please give this one more try?
Best regards,
Peter
08-26-2009 04:05 AM
Yea ... I omitted the set command and it is working (you can't set ip next-hop without arguments). So now I see the initial wrong assumption: "ip local policy" is only for traffic generated by the switch and not received, that's why I wasn't able to telnet to it. (It is still strange why the ping was working .. anyway, now it's ok for me. Thanks ...
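The route-map evaluation the thread converges on, as an added illustration (not Cisco code and not anything posted in the thread): sequences are tried in order, the first ACL match wins, and a matching sequence with no "set" leaves the packet to the normal routing table. The loopback address 10.47.3.100 and the ACL contents are taken from Helenio's final config; the "RIB" return value and the helper names are this example's own.

```python
"""Tiny model of IOS PBR route-map evaluation (added illustration, not Cisco code)."""

LOOPBACK = "10.47.3.100"      # switch loopback, as in the thread
LB_NEXT_HOP = "10.47.99.240"  # next hop of the load-balancer path

# ACLs as ordered (source, destination) host/"any" entries; every entry is "permit",
# since deny ACEs on the 3750 punt matched packets to the CPU.
ACLS = {
    100: [("10.44.39.26", "any"), ("10.44.38.72", "any")],
    101: [("10.44.39.26", LOOPBACK)],
}

def acl_matches(acl_id, src, dst):
    """True if the packet hits a permit entry of the ACL."""
    for ace_src, ace_dst in ACLS[acl_id]:
        if ace_src in ("any", src) and ace_dst in ("any", dst):
            return True
    return False

# route-map as ordered (sequence, acl, next_hop); next_hop None = no "set" clause
ORIGINAL_MAP = [(10, 100, LB_NEXT_HOP)]                # config from the first post
FIXED_MAP = [(9, 101, None), (10, 100, LB_NEXT_HOP)]   # accepted fix: seq 9 has no "set"

def policy_route(route_map, src, dst):
    """Next hop chosen by PBR, or "RIB" when the routing table decides."""
    for _seq, acl_id, next_hop in route_map:
        if acl_matches(acl_id, src, dst):
            return next_hop if next_hop else "RIB"
    return "RIB"

def diverted_local_sources(route_map, local_addrs):
    """Sources whose packets to a switch-local address would still be policy
    routed: the situation the 3750 config guide warns breaks ping/Telnet."""
    hits = set()
    for _seq, acl_id, _nh in route_map:
        for ace_src, _ace_dst in ACLS[acl_id]:
            if ace_src == "any":
                continue
            for local in local_addrs:
                if policy_route(route_map, ace_src, local) != "RIB":
                    hits.add(ace_src)
    return sorted(hits)

if __name__ == "__main__":
    print(policy_route(ORIGINAL_MAP, "10.44.39.26", LOOPBACK))  # diverted, telnet breaks
    print(policy_route(FIXED_MAP, "10.44.39.26", LOOPBACK))     # RIB: handled locally
    print(diverted_local_sources(FIXED_MAP, [LOOPBACK]))        # 10.44.38.72 still diverted
```

Note that the second host in ACL 100 (10.44.38.72) has no exemption in sequence 9, so its packets to the loopback are still diverted; the check function flags exactly that.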
08-26-2009 04:13 AM
Helenio,
Your switch does not accept the "set ip default next-hop" without an IP? I just want to make sure because some routers accept it.
You are correct, the "ip local policy" is only for traffic generated by your switch and sent out. It is not for received traffic. For traffic coming into your switch, normal PBR route-maps on the incoming interfaces apply.
The ping was working probably because it was rerouted back after you sent it to a different gateway (a nice detour :). The telnet traffic was perhaps filtered somewhere on that detour.
Best regards,
Peter
08-26-2009 04:19 AM
Yes the switch does not accept the "set ip default next-hop" without an IP ...
08-26-2009 04:21 AM
Helenio,
Thank you for the confirmation. I'm glad you got it running.
Peter