PBR on source address telnet doesn't work

helenio (Level 1)

Hello, I configured PBR on a 3750 (12.2(37)SE1) to route packets from a specific source (10.44.39.26) via a different GW. This works! What is not working: since this config has been in place, the source 10.44.39.26 is no longer able to telnet to the switch's loopback interface, but ping works. Why?

Since PBR doesn't affect local traffic, it shouldn't be the cause! #@:-(

Any idea how to debug it?

Here is the config for PBR:

!
access-list 100 permit ip host 10.44.39.26 any
!
route-map PBR_New_LB permit 10
 match ip address 100
 set ip next-hop 10.47.99.240
!
interface Vlan498
 ip policy route-map PBR_New_LB
!
interface Vlan499
 ip policy route-map PBR_New_LB
!


14 Replies

paolo bevilacqua (Hall of Fame)

Use "ip local policy" to PBR packets sourced by the router.

Paolo,

I think that the issue the OP describes is somewhat different here than just PBRing the locally originated packets.

Helenio, you are saying that the machine 10.44.39.26 is not able to telnet into the 3750 anymore. That could be caused by the fact that no matter what is the destination, you are redirecting that machine to a different next hop. Is it possible to change your ACL 100 so that it first denies the packets going from 10.44.39.26 to the Loopback IP of your switch (so they will be routed according to the usual routing table) and only then permit any other destination?

Please give it a try and let me know if it worked.

Best regards,

Peter

Do you mean to add a PBR for this particular traffic? I tried to apply ip local policy route-map PBR_New_LB, but it didn't work.

Anyway, my opinion is that local traffic doesn't have to be policed, because it has to come back via the normal route. Why does ping work?

Hello Helenio,

No, remove the "ip local policy" from your configuration. I did not have that in mind.

I was thinking about making an exception to your PBR so that packets going to your loopback IP are not policy routed. Assuming that your loopback address is, say, 192.0.2.1, then the ACL 100 should say:

access-list 100 deny ip host 10.44.39.26 host 192.0.2.1
access-list 100 permit ip host 10.44.39.26 any

I am not sure why the ping works right now. You are right about the fact that local traffic - that is the traffic originated by the router itself - is not subject to PBR on interfaces. But my concern here is that you effectively divert all packets from the IP 10.44.39.26 to a different gateway even if they should be received locally.

Can you give this a try?

Best regards,

Peter

Yes, I tried, but it is not working. I think that deny is not allowed in PBR on the 3750 (3750 config guide); only permit statements can be issued.

Hello Helenio,

Does that limitation about "deny" go only for ACLs or also for route-maps? If it does not apply to route-map, can you try this reformulation?

access-list 100 permit ip host 10.44.39.26 host 192.0.2.1
access-list 101 permit ip host 10.44.39.26 any
!
route-map PBR_New_LB deny 10
 match ip address 100
route-map PBR_New_LB permit 20
 match ip address 101
 set ip next-hop 10.47.99.240

Best regards,

Peter

It seems that deny is also not allowed in a route-map. Note from the 3750 config guide:

"Note: The route-map deny statement is not supported in PBR route maps to be applied to an interface."

....

I did another test and added a route-map entry for this traffic with a next hop that is not available (this means it will take the normal routing table), and now it is working :-! ..

Here is the config:

access-list 101 permit ip host 10.44.39.26 host 10.47.3.100
!
route-map PBR_New_LB permit 9
 match ip address 101
 set ip next-hop 10.47.99.238
!
access-list 100 permit ip host 10.44.39.26 any
access-list 100 permit ip host 10.44.38.72 any
!
route-map PBR_New_LB permit 10
 match ip address 100
 set ip next-hop 10.47.99.240
!
interface Vlan498
 ip policy route-map PBR_New_LB
!
interface Vlan499
 ip policy route-map PBR_New_LB
!

..

Now it is working, but I don't like it. Why, in the previous config, wasn't the routing table used for the non-PBR-matching traffic?


Helenio,

I have had a look in the 3750 documentation and I stand corrected: PBR on the 3750 does not support "route-map deny" clauses. It should, however, support deny entries in ACLs, although according to the documentation, if a packet is matched by a "deny" ACL entry, it will go to the CPU, which may cause high utilization. So we should avoid using both deny ACEs and deny route-map blocks.

The configuration guide to 3750 is quite clear here:

Do not match ACLs that permit packets destined for a local address. PBR would forward these packets, which could cause ping or Telnet failure or route protocol flapping.

I suggest reformulating your configuration once more as follows:

access-list 101 permit ip host 10.44.39.26 host 10.47.3.100
access-list 100 permit ip host 10.44.39.26 any
access-list 100 permit ip host 10.44.38.72 any
!
route-map PBR_New_LB permit 9
 match ip address 101
 set ip default next-hop
!
route-map PBR_New_LB permit 10
 match ip address 100
 set ip next-hop 10.47.99.240

This way, your PC will be routed according to the routing table whenever it sends a packet to the loopback address of the switch. Alternatively, you could try modifying block 9 of your route-map to omit the "set" command completely. If no "set" is present, the packet should again be routed according to the routing table.

Can you please give this one more try?

Best regards,

Peter

Yes... I omitted the set command and it is working (you can't set ip next-hop without arguments). So now I see the initial wrong assumption: "ip local policy" is only for traffic generated by the switch and not for received traffic, and that's why I wasn't able to telnet to it. (It is still strange why the ping was working.) Anyway, now it's OK for me. Thanks...

Helenio,

Your switch does not accept the "set ip default next-hop" without an IP? I just want to make sure because some routers accept it.

You are correct, the "ip local policy" is only for traffic generated by your switch and sent out. It is not for received traffic. For traffic coming into your switch, normal PBR route-maps on the incoming interfaces apply.

The ping was working probably because it was rerouted back after you sent it to a different gateway (a nice detour :). The telnet traffic was perhaps filtered somewhere on that detour.

Best regards,

Peter

Yes, the switch does not accept "set ip default next-hop" without an IP...

Helenio,

Thank you for the confirmation. I'm glad you got it running.

Peter
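Added example, not code from the thread or from Cisco: a small Python model of how a PBR route-map is evaluated, run over the thread's first (broken) and final (working) configurations. It assumes that 10.47.3.100 is the switch loopback (the thread implies this but never states it), uses 10.44.39.1 as a stand-in address for the Vlan498 SVI, and models only the "host"/"any" ACE forms and the "match ip address" / "set ip next-hop" clauses used above; the 3750 limits discussed in the thread (no route-map deny, deny ACEs punted to the CPU) are reported as warnings rather than emulated. The function hijacked_local_destinations is the check the 3750 configuration guide's warning calls for: for a given source, which of the switch's own addresses would a packet be policy-routed away from instead of being delivered locally.

```python
"""Model of IOS PBR route-map evaluation for the configs in this thread (added
example). Assumed, not from the thread: 10.47.3.100 is the switch loopback,
10.44.39.1 stands in for the Vlan498 SVI; only 'host'/'any' ACEs and the
match/set clauses used in the thread are modelled; 3750 limits are warnings."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Ace:
    action: str  # "permit" or "deny"
    src: str     # a host address or "any"
    dst: str


@dataclass
class Seq:
    action: str  # route-map permit/deny
    seq: int
    acl: Optional[str] = None
    next_hop: Optional[str] = None


def _addr(tokens):
    """Consume 'any' or 'host X' from the front of a token list."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    raise ValueError(f"unsupported address form: {tokens}")


def parse(config):
    """Parse the IOS subset used in the thread into {acl: [Ace]} and {name: [Seq]}."""
    acls, rmaps, cur = {}, {}, None
    for raw in config.splitlines():
        t = raw.split()
        if not t or t[0].startswith("!"):
            continue
        if t[0] == "access-list":        # access-list N permit|deny ip <src> <dst>
            src, rest = _addr(t[4:])
            dst, _ = _addr(rest)
            acls.setdefault(t[1], []).append(Ace(t[2], src, dst))
            cur = None
        elif t[0] == "route-map":        # route-map NAME permit|deny SEQ
            cur = Seq(t[2], int(t[3]))
            rmaps.setdefault(t[1], []).append(cur)
        elif t[:3] == ["match", "ip", "address"] and cur:
            cur.acl = t[3]
        elif t[:3] == ["set", "ip", "next-hop"] and cur:
            cur.next_hop = t[3]
    for seqs in rmaps.values():
        seqs.sort(key=lambda s: s.seq)
    return acls, rmaps


def acl_result(acl, src, dst):
    """First matching ACE wins: 'permit', 'deny', or None (implicit deny)."""
    for ace in acl:
        if ace.src in ("any", src) and ace.dst in ("any", dst):
            return ace.action
    return None


def policy_route(acls, rmap, src, dst):
    """Return (decision, warnings); decision is 'next-hop X' or 'normal' (routing
    table). First sequence whose ACL permits decides; permit with no 'set' -> normal."""
    warnings = []
    for s in rmap:
        if s.action == "deny":
            warnings.append(f"seq {s.seq}: route-map deny is not supported for 3750 PBR")
        res = acl_result(acls.get(s.acl, []), src, dst) if s.acl else "permit"
        if res == "deny":
            warnings.append(f"seq {s.seq}: deny ACE in ACL {s.acl} matched; 3750 punts to CPU")
        if res != "permit":
            continue
        if s.action == "deny" or s.next_hop is None:
            return "normal", warnings
        return f"next-hop {s.next_hop}", warnings
    return "normal", warnings


def hijacked_local_destinations(config, rmap_name, src, local_addrs):
    """Which of the switch's own addresses would `src` be policy-routed away from?"""
    acls, rmaps = parse(config)
    return sorted(a for a in local_addrs
                  if policy_route(acls, rmaps[rmap_name], src, a)[0] != "normal")


# Constructed inputs: the thread's first (broken) and final (working) configs.
ORIGINAL = """
access-list 100 permit ip host 10.44.39.26 any
route-map PBR_New_LB permit 10
 match ip address 100
 set ip next-hop 10.47.99.240
"""
FIXED = """
access-list 101 permit ip host 10.44.39.26 host 10.47.3.100
access-list 100 permit ip host 10.44.39.26 any
access-list 100 permit ip host 10.44.38.72 any
route-map PBR_New_LB permit 9
 match ip address 101
route-map PBR_New_LB permit 10
 match ip address 100
 set ip next-hop 10.47.99.240
"""
PC, LOOPBACK, SVI = "10.44.39.26", "10.47.3.100", "10.44.39.1"  # SVI is assumed
```

Run against the original config, the check reports both local addresses as hijacked for 10.44.39.26, which is the telnet failure in the first post. Against the final config only the loopback is exempted: a telnet from 10.44.39.26 to the Vlan498 SVI address would still be sent to 10.47.99.240, and 10.44.38.72 (added in ACL 100 later in the thread) has no exception at all, so the same symptom would reappear for that host. Peter's deny-ACE variant evaluates to normal routing in this model but with a CPU-punt warning, which is why the thread settled on the empty "permit 9" sequence instead.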
