Route-map in PBR not working

Unanswered Question
Apr 9th, 2010

I am trying to route all traffic from a PC to an alternative firewall for all internet traffic, but the policy does not appear to be working.

The PC sits in VLAN 100 and has an IP address of 1.1.1.1

Both internet firewalls sit in VLAN 200, the primary is 2.2.2.1 and the secondary is 2.2.2.2.

The GLR on the switch points to 2.2.2.1, but all internet traffic from the PC (traffic entering VLAN 100) should be sent to the secondary device (2.2.2.2).

I have created an access list to define the traffic, created the route map and applied it:

access-list 30 permit 1.1.1.1

route-map REROUTE permit 10
 match ip address 30
 set ip next-hop 2.2.2.2

interface vlan 1000
 ip policy route-map REROUTE

What am I missing???

Federico Coto F... Fri, 04/09/2010 - 12:59

Hi,

Is the machine being routed to 2.2.2.1?

Was it a typo that you entered the policy route-map on interface vlan 1000?

Can you get to 2.2.2.2 from VLAN 100? Does the firewall on 2.2.2.2 have a route knowing how to return your traffic?

Federico.

networker99 Fri, 04/09/2010 - 13:07

1. The machine is being routed to the GLR (2.2.2.1) but the route-map should redirect to 2.2.2.2

2. Yes, 1000 was a typo

3. Yes, traffic can route between VLANs

Federico Coto F... Fri, 04/09/2010 - 13:14

When you have the configuration in place for the route-map and you send traffic from 1.1.1.1 to the secondary firewall, you said it is being routed to the primary firewall. The route-map is not taking effect.

There are no access-lists denying the communication between the PC and the secondary firewall?

Federico.

networker99 Fri, 04/09/2010 - 13:21

There are no access-lists denying access. The traffic is being sent to the GLR with all the other traffic instead of being re-routed.

Federico Coto F... Fri, 04/09/2010 - 13:35

Just for testing purposes, if you create a static route to the second firewall does it work?

For example,

ip route network_behind_second_firewall mask 2.2.2.2

This will route all traffic to 2.2.2.2 (not only from 1.1.1.1); that's why I say it is a test, just to see if the problem is only the route-map.

If it works,

does the route-map show as active?

sh route-map all

Federico.
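The symptom in this thread (traffic from 1.1.1.1 still following the gateway of last resort) is what you see when the policy is attached to an SVI other than the one the PC's packets enter. As an added illustration, not from the original thread, here is a small Python model of how IOS evaluates a policy route-map: the standard ACL matches the packet's source, clauses are tried top-down with an implicit deny, and the policy is consulted only on the ingress interface. The topology values are the ones quoted in the thread; the `policies` mapping is a constructed stand-in for `ip policy route-map` on each SVI.

```python
import ipaddress

# Constructed from the thread: PC 1.1.1.1 in VLAN 100, firewalls in VLAN 200,
# gateway of last resort 2.2.2.1, policy meant to send 1.1.1.1 to 2.2.2.2.
GATEWAY_OF_LAST_RESORT = "2.2.2.1"

# access-list 30 permit 1.1.1.1  (standard ACL: matches the source address only)
ACLS = {30: [("permit", ipaddress.ip_network("1.1.1.1/32"))]}

# route-map REROUTE permit 10 / match ip address 30 / set ip next-hop 2.2.2.2
ROUTE_MAPS = {"REROUTE": [("permit", 30, "2.2.2.2")]}


def acl_permits(acl_id, src):
    """Evaluate a standard ACL top-down; unmatched traffic hits the implicit deny."""
    for action, net in ACLS[acl_id]:
        if ipaddress.ip_address(src) in net:
            return action == "permit"
    return False


def pbr_next_hop(route_map, src):
    """Return the next hop set by the first matching permit clause, else None
    (a deny clause or no match hands the packet back to normal routing)."""
    for action, acl_id, next_hop in ROUTE_MAPS[route_map]:
        if acl_permits(acl_id, src):
            return next_hop if action == "permit" else None
    return None


def forward(ingress_vlan, src, policies):
    """policies maps an SVI name such as 'vlan 100' to the route-map applied on it.
    PBR is evaluated only on the interface the packet enters; anything the policy
    does not redirect falls through to the routing table (here: the GLR)."""
    route_map = policies.get(f"vlan {ingress_vlan}")
    if route_map:
        hop = pbr_next_hop(route_map, src)
        if hop:
            return hop
    return GATEWAY_OF_LAST_RESORT


def thread_config():
    # Policy applied to vlan 1000: packets entering VLAN 100 never see it.
    return forward(100, "1.1.1.1", {"vlan 1000": "REROUTE"})


def corrected_config():
    # Policy applied to vlan 100, the SVI the PC's traffic actually enters.
    return forward(100, "1.1.1.1", {"vlan 100": "REROUTE"})
```

Other hosts in VLAN 100 are not in ACL 30, so even with the corrected placement they keep using the gateway of last resort, which is the behaviour the original poster wanted.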
