PBR - Direct to interface

I have set up PBR to direct traffic to a particular interface, but it's not working.

I have the following config:

interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ES_LAN$
ip address 172.24.201.190 255.255.0.0
ip nat inside
ip virtual-reassembly
ip policy route-map DLM_SUBNET_TRAFFIC
duplex auto
speed auto
!
!
interface GigabitEthernet0/1
ip address 172.25.0.100 255.255.0.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface GigabitEthernet0/2
ip address dhcp
ip nat outside
ip virtual-reassembly
ip tcp adjust-mss 1412
duplex auto
speed auto
!
!
interface FastEthernet0/0/0
description $ES_WAN$
no ip address
shutdown
duplex auto
speed auto
!
!
ip forward-protocol nd
....

access-list 110 permit ip 172.24.110.0 0.0.0.255 any
access-list 120 permit ip 172.24.120.0 0.0.0.255 any
!
!
!
!
route-map DLM_SUBNET permit 10
set ip next-hop 198.0.0.0
!
route-map DLM_SUBNET_TRAFFIC permit 10
match ip address 110
set interface GigabitEthernet0/2
!
route-map DLM_SUBNET_TRAFFIC permit 20
match ip address 120
set interface FastEthernet0/0/0
!

Should I not use the SET INTERFACE on the route-map?  How can I direct traffic to an interface that gets a dhcp address from the DSL modem?

Thanks.

DialerString_2 Mon, 04/12/2010 - 12:26

Hello,

Sequence 20 is pointed to an interface that's shut ('f0/0/0'); you'll need to change it. You can use the set interface command to send traffic on a DHCP-enabled interface. Verify the NATting is correct. Also, where is your NAT statement in the config?

Hi,

For my tests I wanted to make sure traffic was going out correctly. I have a laptop using the router as a gateway and the IP set to 172.24.110.10. If I change the IP of the laptop to 172.24.120.10, I would expect the web to not display.

If the other interface is not up, will that affect the traffic going out the interface GigabitEthernet0/2? On the router I can ping 4.2.2.2 no problem.

If I change the laptop to use a 172.24.201.xx IP I get a webpage. As soon as I give it a 172.24.110.xx IP it stops working.

Thanks.

Sorry, my original config had a set interface going to GigabitEthernet0/2. I changed it to ip 198.0.0.0 for a test.

When I change it to interface I get:

wfsrtr1(config-route-map)#no set ip next-hop 192.0.0.0
wfsrtr1(config-route-map)#set interface gig0/2
%Warning:Use P2P interface for routemap set
               interface clause

The new setting looks like this:

route-map DLM_SUBNET_TRAFFIC permit 10
match ip address 110
set interface GigabitEthernet0/2
!
route-map DLM_SUBNET_TRAFFIC permit 20
match ip address 120
set interface FastEthernet0/0/0

DialerString_2 Mon, 04/12/2010 - 12:40

Hello,

Change your route-map 20 to 'set interface Null 0'; this will black hole the traffic also. The interface being down will not affect the other traffic.

"If I change the laptop to use a 172.24.201.xx IP I get a webpage. As soon as I give it a 172.24.110.xx IP it stops working." Where is your NAT statement? I don't see it in the config.

Can you paste your NAT statement also? Also, what subnet are you setting on the laptop? If you're running Windows, open a command prompt and do a 'route print'. Verify the routing on the laptop.

DialerString_2 Mon, 04/12/2010 - 12:47

wfsrtr1(config-route-map)#no set ip next-hop 192.0.0.0
wfsrtr1(config-route-map)#set interface gig0/2
%Warning:Use P2P interface for routemap set
               interface clause

Try 'set default interface g0/2' or 'set ip next-hop x.x.x.x'. This would be the LAN side of your internet.

Thanks.

My laptop is set to use gateway 172.24.201.190 (the router).

The IP is 172.24.201.110.10 /255.255.255.0

My router config is as follows:

!
! Last configuration change at 19:41:39 UTC Mon Apr 12 2010 by admin
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname wfsrtr1
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
!
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
no ip domain lookup
ip domain name w3k.wfsltd.com
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-1058945512
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1058945512
revocation-check none
rsakeypair TP-self-signed-1058945512
!
!
crypto pki certificate chain TP-self-signed-1058945512
certificate self-signed 01


quit
license udi pid CISCO2921/K9 sn FTX1350AHE7
!
!
username admin privilege 15 secret 5 $1$O6Kf$I6p/t1uGFxFANC9y7YfiU/
!
redundancy
!
!
!
!
!
!
!
!
!
interface Loopback0
no ip address
!
!
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ES_LAN$
ip address 172.24.201.190 255.255.0.0
ip nat inside
ip virtual-reassembly
ip policy route-map DLM_SUBNET_TRAFFIC
duplex auto
speed auto
!
!
interface GigabitEthernet0/1
ip address 172.25.0.100 255.255.0.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface GigabitEthernet0/2
ip address dhcp
ip nat outside
ip virtual-reassembly
ip tcp adjust-mss 1412
duplex auto
speed auto
!
!
interface FastEthernet0/0/0
description $ES_WAN$
no ip address
shutdown
duplex auto
speed auto
!
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 100 interface GigabitEthernet0/2 overload
!
access-list 23 permit 172.24.0.0 0.0.255.255
access-list 100 permit ip 172.24.0.0 0.0.255.255 any
access-list 110 permit ip 172.24.110.0 0.0.0.255 any
access-list 120 permit ip 172.24.120.0 0.0.0.255 any
!
!
!
!
route-map DLM_SUBNET_TRAFFIC permit 10
match ip address 110
set interface GigabitEthernet0/2
!
route-map DLM_SUBNET_TRAFFIC permit 20
match ip address 120
set interface FastEthernet0/0/0
set interface Null 0
!
!
!
control-plane
!
!
banner exec
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username privilege 15 secret 0
Replace and with the username and password you want to
use.
-----------------------------------------------------------------------
banner login
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.
YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE PUBLICLY-KNOWN
CREDENTIALS
Here are the Cisco IOS commands.
username privilege 15 secret 0
no username cisco
Replace and with the username and password you want
to use.
IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE
TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
!
line con 0
login local
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
end

Jon Marshall Mon, 04/12/2010 - 12:50

The problem you have is that "set interface .." expects a P2P link and ethernet isn't a P2P link.

Try this instead under your route-map config -

set ip next-hop dynamic dhcp

Jon
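As an added illustration (not posted by anyone in this thread), here is the route-map combining the two suggestions above: the DHCP-learned gateway on g0/2 as the next hop for sequence 10, and Null0 as the fallback in both sequences so matched traffic never falls through to the routing table's default route. The show commands listed in the comments are standard IOS verification commands; nothing here beyond the names already in the thread's config is assumed.

```cisco
! Applied inbound on the LAN side with "ip policy route-map DLM_SUBNET_TRAFFIC" (g0/0).
! PBR evaluates "set ip next-hop" before "set interface", so the Null0 clause is only
! used when the DHCP-learned next hop is unusable; without it the packets would be
! forwarded normally, i.e. via whatever default route exists (the T1 once it is installed).
route-map DLM_SUBNET_TRAFFIC permit 10
 match ip address 110
 set ip next-hop dynamic dhcp
 set interface Null0
!
! 172.24.120.0/24 is black-holed until FastEthernet0/0/0 is brought up and addressed.
route-map DLM_SUBNET_TRAFFIC permit 20
 match ip address 120
 set interface Null0
!
! Verification from enable mode:
!   show dhcp lease                      - confirms the default router learned on g0/2
!   show ip policy                       - confirms the route-map is bound to g0/0
!   show route-map DLM_SUBNET_TRAFFIC    - per-sequence match counters; send test
!                                          traffic from 172.24.110.x and 172.24.120.x
!                                          and check which sequence increments
```

Because access-list 110 and 120 match the source only, reply traffic is unaffected; the counters in show route-map are the quickest way to confirm the laptop's packets are reaching the intended sequence rather than a NAT problem.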

Let me just say once again, I appreciate all the help from all of you. You are awesome.

I'm pretty green and I'm struggling through it, so your help is very appreciated.

To summarize what worked:

- Added the set interface Null 0 to both interfaces so traffic won't hit what will be the default route (T1). Currently it's the DSL.

- Changed the next hop on the g0/2 interface. The IP will change, but the gateway on the modem will not.

Here is a complete config.

!
! Last configuration change at 20:36:56 UTC Mon Apr 12 2010 by admin
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname wfsrtr1
!
boot-start-marker
boot-end-marker
!
logging buffered 10000
!
no aaa new-model
!
!
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
no ip domain lookup
ip domain name w3k.wfsltd.com
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-1058945512
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1058945512
revocation-check none
rsakeypair TP-self-signed-1058945512
!
!
crypto pki certificate chain TP-self-signed-1058945512
certificate self-signed 01


quit
license udi pid CISCO2921/K9 sn FTX1350AHE7
!
!
username admin privilege 15 secret 5 $1$O6Kf$I6p/t1uGFxFANC9y7YfiU/
!
redundancy
!
!
!
!
!
!
!
!
!
interface Loopback0
no ip address
!
!
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ES_LAN$
ip address 172.24.201.190 255.255.0.0
ip nat inside
ip virtual-reassembly
ip policy route-map DLM_SUBNET_TRAFFIC
duplex auto
speed auto
!
!
interface GigabitEthernet0/1
ip address 172.25.0.100 255.255.0.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface GigabitEthernet0/2
ip address dhcp
ip nat outside
ip virtual-reassembly
ip tcp adjust-mss 1412
duplex auto
speed auto
!
!
interface FastEthernet0/0/0
description $ES_WAN$
no ip address
shutdown
duplex auto
speed auto
!
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 100 interface GigabitEthernet0/2 overload
!
access-list 23 permit 172.24.0.0 0.0.255.255
access-list 100 permit ip 172.24.0.0 0.0.255.255 any
access-list 110 permit ip 172.24.110.0 0.0.0.255 any
access-list 120 permit ip 172.24.120.0 0.0.0.255 any
!
!
!
!
route-map DLM_SUBNET_TRAFFIC permit 10
match ip address 110
set ip next-hop 192.168.254.254
set interface Null0
!
route-map DLM_SUBNET_TRAFFIC permit 20
match ip address 120
set interface FastEthernet0/0/0 Null0
!
!
!
control-plane
!
!
banner exec
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username privilege 15 secret 0
Replace and with the username and password you want to
use.
-----------------------------------------------------------------------
banner login
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.
YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE PUBLICLY-KNOWN
CREDENTIALS
Here are the Cisco IOS commands.
username privilege 15 secret 0
no username cisco
Replace and with the username and password you want
to use.
IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE
TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
!
line con 0
login local
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
end
