Route-map in PBR not working

Unanswered Question
Apr 9th, 2010

I am trying to route all internet traffic from a PC to an alternative firewall, but the policy does not appear to be working.


The PC sits in VLAN 100 and has an IP address of 1.1.1.1.

Both internet firewalls sit in VLAN 200, the primary is 2.2.2.1 and the secondary is 2.2.2.2.


The GLR on the switch points to 2.2.2.1, but all internet traffic from the PC (traffic entering VLAN 100) should be sent to the secondary device (2.2.2.2).


I have created an access list to define the traffic, created the route map and applied it:


access-list 30 permit 1.1.1.1

route-map REROUTE permit 10
 match ip address 30
 set ip next-hop 2.2.2.2

interface vlan 1000
 ip policy route-map REROUTE



What am I missing?

Federico Coto F... Fri, 04/09/2010 - 12:59

Hi,


Is the machine being routed to 2.2.2.1?


Was it a typo that you entered the policy route-map on interface vlan 1000?


Can you get to 2.2.2.2 from VLAN 100? Does the firewall on 2.2.2.2 have a route knowing how to return your traffic?


Federico.

networker99 Fri, 04/09/2010 - 13:07

1. The machine is being routed to the GLR (2.2.2.1), but the route-map should redirect to 2.2.2.2.

2. Yes, 1000 was a typo.

3. Yes, traffic can route between VLANs.

Federico Coto F... Fri, 04/09/2010 - 13:14

When you have the configuration in place for the route-map and you send traffic from 1.1.1.1 to the secondary firewall, you said it is being routed to the primary firewall. The route-map is not taking effect.


Are there no access-lists denying the communication between the PC and the secondary firewall?


Federico.

networker99 Fri, 04/09/2010 - 13:21

There are no access-lists denying access. The traffic is being sent to the GLR with all the other traffic instead of being re-routed.

Federico Coto F... Fri, 04/09/2010 - 13:35

Just for testing purposes, if you create a static route to the second firewall does it work?

For example:

ip route network_behind_second_firewall mask 2.2.2.2


This will route all traffic to 2.2.2.2 (not only from 1.1.1.1); that is why I say it is a test, just to see if the problem is only the route-map.


If it works, does the route-map show as active?

sh route-map all


Federico.
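A complete version of the setup from the original question, together with the verification Federico asks for above, as an added example that is not the poster's or Federico's configuration: it applies the policy on VLAN 100, uses an extended ACL so the PC's local traffic is not policy-routed, and tracks the secondary firewall so traffic falls back to the normal route when 2.2.2.2 is unreachable. The /24 masks on both VLANs, the Vlan200 probe source and IP SLA/object-tracking support are assumptions, since the thread does not state them.

```cisco
! Added example (editor's, not the poster's or Federico's config).
! Assumptions: VLAN 100 = 1.1.1.0/24, VLAN 200 = 2.2.2.0/24 (masks are not
! given in the thread); IOS with IP SLA and object tracking support.
!
! Match only traffic that should leave via the secondary firewall: the PC's
! traffic to the local VLANs is denied here (left to normal routing),
! everything else sourced from 1.1.1.1 is policy-routed.
ip access-list extended PBR-TO-SECONDARY-FW
 deny   ip host 1.1.1.1 1.1.1.0 0.0.0.255
 deny   ip host 1.1.1.1 2.2.2.0 0.0.0.255
 permit ip host 1.1.1.1 any
!
! Probe the secondary firewall so PBR falls back to the normal route via
! 2.2.2.1 instead of blackholing the PC when 2.2.2.2 is down.
ip sla 1
 icmp-echo 2.2.2.2 source-interface Vlan200
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
route-map REROUTE permit 10
 match ip address PBR-TO-SECONDARY-FW
 set ip next-hop verify-availability 2.2.2.2 10 track 1
!
! Apply the policy on the interface where the PC's traffic ENTERS the
! switch: the SVI of VLAN 100, not VLAN 1000 and not the firewall VLAN.
interface Vlan100
 ip policy route-map REROUTE
!
! Verification (exec mode): each should show the policy applied and firing.
! show ip policy                         - Vlan100 listed with route-map REROUTE
! show route-map REROUTE                 - "Policy routing matches" counter grows
! show ip interface Vlan100 | include Policy
! show ip access-lists PBR-TO-SECONDARY-FW   - hit count on the permit line grows
! show track 1                           - Reachability is Up
```

If the match counter in show route-map stays at zero while the PC is sending traffic, confirm that ip routing is enabled on the switch and, on Catalyst platforms that allocate TCAM with SDM templates, that the active template reserves resources for PBR (show sdm prefer).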
