PBR 3560 12.2(53) ipservice

CT_Dude
Level 1

Hope someone can spread some light here please..

Trying to setup PBR for traffic from one server to another to go over a direct link between site A and B.

But it looks like PBR is not going over the P2P but over the VPN tunnel.

Is there any way I can check active connections maybe?

Is the config incorrect?

Config as follows:

Site A

Site B

Riverbeds DG pointing to Switch (Site A and B)

Connected via a VPN tunnel on Cisco ASA 5510.

Also have a P2P connection between 2 sites connected on a 3560 8 Port Poe with ver 12.2(53) ipservice image loaded.

ip routing (enable on both switches)

Switch (Site A)

Interface Fa0/1

description (Connected ASA 5510)

speed 100

duplex full

Interface Fa0/8

description (direct connection to site B)

no switchport

ip address 10.0.0.1 255.255.255.252

speed 100

duplex full

Interface Gi0/1

description (Connected to riverbed)

Interface Vlan1

ip address 192.168.100.1 255.255.255.0

ip route-cache policy

ip policy route-map P2P

ip local policy route-map P2P

ip default-gateway 192.168.100.254 (ASA inside)

ip classless

ip route 0.0.0.0 0.0.0.0 192.168.0.254

ip access-list extended P2P-ACL

permit ip host 192.168.0.25 host 192.168.1.12

ip sla enable reaction-alerts (not sure where from?)

route-map P2P permit 10

match ip address P2P-ACL

set ip next-hop 10.0.0.2 10.0.0.1

2 Accepted Solutions

Cillie,

Thanks for the additional information.

I see some problems in the current configuration. What I will post now is a complete sequence of commands you can directly paste into the respective switch configuration to get them into the form I would configure them. Understandably, back up your configuration before making these changes.

Switch at the Site A:

no ip local policy route-map P2P

no ip default-gateway 192.168.0.254

ip route 0.0.0.0 0.0.0.0 192.168.0.254

ip access-list extended P2P

no permit ip host 192.168.0.25 11.0.0.1 0.0.0.252

permit ip host 192.168.0.25 11.0.0.0 0.0.0.255

interface Vlan1

no ip policy route-map VPN

ip policy route-map P2P

interface Vlan101

no ip policy route-map P2P

Switch at the Site B:

no ip local policy route-map P2P

no ip default-gateway 192.168.1.254

ip route 0.0.0.0 0.0.0.0 192.168.1.254

interface Vlan100

no ip policy route-map P2P

Please make the indicated changes to the switch configuration and test the results. If that does not work, please post again the resulting configurations of both switches on Site A and B, and also include the output of the command show route-map

Best regards,

Peter


Hello Cillie,

Yes, you can try to remove that default route and let's see what happens. Just pay attention to be in a network that is known to that switch, otherwise you could lock yourself out.

Best regards,

Peter


32 Replies

Peter Paluch
Cisco Employee

Hello,

1) Do you have sdm prefer routing configured on both your Cat3560 switches? If not or if you are not sure if you have configured this then enter this command in the global configuration mode, save the configuration and reload the switch. For PBR to work, the TCAM (the switching hardware) must be partitioned in such a way that there is a space allocated for PBR entries. If you have the default SDM setting which is the "default" (use the show sdm prefer command to see the current SDM template) then there is no space for PBR entries in the TCAM which may be the cause why your PBR is not working.

2) If the ip routing command is entered then the ip default-gateway command is superfluous in your configuration and can be removed.

3) The set ip next-hop in your route-map contains two IP addresses, one of them being your own IP address, I believe. That is incorrect in itself - you cannot forward a packet back to yourself. The set ip next-hop command should, in your case, contain a single IP address 10.0.0.2.

4) When you enter the show route-map command does it display any non-zero counter in the line "Policy routing matches"?

Best regards,

Peter

1) The current template is "desktop routing" template.

    The selected template optimizes the resources in
    the switch to support this level of features for
    8 routed interfaces and 1024 VLANs.

    number of unicast mac addresses:                  3K
    number of IPv4 IGMP groups + multicast routes:    1K
    number of IPv4 unicast routes:                    11K
      number of directly-connected IPv4 hosts:        3K
      number of indirect IPv4 routes:                 8K
    number of IPv4 policy based routing aces:         0.5K
    number of IPv4/MAC qos aces:                      0.5K
    number of IPv4/MAC security aces:                 1K

2) Removed the ip default-gateway now.

3) Removed the local IP out of the set ip next-hop.

4) Not sure what you mean by non-zeros?

route-map P2P-LONDON, permit, sequence 10
  Match clauses:
    ip address (access-lists): P2P-ACL
  Set clauses:
    ip next-hop 11.0.0.2
  Policy routing matches: 1488 packets, 155712 bytes

CT_Dude
Level 1

How I know it's not working:

On the terminal monitor it's displaying a message:

redirect sent to 192.168.100.25 for dest (external ip of SiteB), use gw 192.168.100.254

Hello Cillie,

According to your first post, your P2P-ACL used in the route-map is as follows:

ip access-list extended P2P-ACL

permit ip host 192.168.0.25 host 192.168.1.12

Note that you have just now indicated a different IP address: 192.168.100.25, and you have hidden the external IP address of the site B - is it 192.168.1.12 or a different address? In any case, it seems as if the IP addresses in the ACL did not align with your real traffic you want to perform policy routing upon.

Can you please double check the addressing used in your network and perhaps correct the information you have posted here? It is difficult to help you if the information posted here is not accurate.

Best regards,

Peter

Hi Peter

Just checked. The IP address ranges are the same.

I was probably just thinking of another range.

The external IP address I hid is a different IP address: the external Internet address of Site B.

Cillie,

Okay but shouldn't the P2P-ACL in this case contain the correct external IP address of the site B?

Is the debugging message about the "redirect" relevant to our case? Is it not just a different message, unrelated to the PBR? In any case, the output of the show route-map indicates that there are packets being policy routed - there are counters containing both the number of packets and the amount of data, and both are greater than zero (and hopefully increasing).

To verify that the PBR is working, use the traceroute from the source IP address towards the destination. Using debugging on the switch may produce several messages unrelated to the issue we are trying to solve here.

Best regards,

Peter

Every time I make a connection between the 2 servers that are in the access list, the above redirect comes up.

Looks like only icmp traffic is going over the P2P.

Here is a tracert from the win 2008 server :

Tracing route to machinename [192.168.1.12]
over a maximum of 30 hops:

  1     4 ms     1 ms     1 ms  192.168.0.240
  2     *        *        *     Request timed out.
  3    70 ms    70 ms    70 ms machinename [192.168.1.12]

Cillie,

Is it by any means possible that the Win2008 server is using a different address for either the source or destination IP address than the addresses indicated in the P2P-ACL when you make a connection from one to another?

Obviously, the Win2008 server is using the Cat3560 as its default gateway. The reason that the Cat3560 sends a redirect to the Win2008 server is that it needs to send the packet out the same IP interface through which the packet came in. That in turn means that the PBR was not applied to the packet. The only reason I can see right now is that the traffic does not match the P2P-ACL.

Best regards,

Peter
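As an added illustration (not part of the thread and not Cisco code), here is a small Python model of the decision Peter describes above: whether a packet matches the route-map's ACL, which hop "set ip next-hop" yields, and when the switch instead routes normally out the ingress interface and emits the "redirect sent ... use gw" message. The topology, addresses and routes are constructed to resemble Site A, and skipping the switch's own address as a candidate next hop is a modelling simplification.

```python
import ipaddress

# Constructed Site A topology: Vlan1 faces the servers and the ASA inside
# address, Fa0/8 is the P2P link.  All values are illustrative.
OWN_ADDRS = {"192.168.0.1", "10.0.0.1"}
ROUTES = [("0.0.0.0/0", "192.168.0.254", "Vlan1"),   # default via ASA inside
          ("192.168.0.0/24", None, "Vlan1"),          # connected server VLAN
          ("10.0.0.0/30", None, "Fa0/8")]             # connected P2P link
P2P_ACL = [("permit", "host 192.168.0.25", "host 192.168.1.12")]

def _match(spec, ip):
    """Match one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    parts = spec.split()
    if parts[0] == "any":
        return True
    if parts[0] == "host":
        return ipaddress.ip_address(ip) == ipaddress.ip_address(parts[1])
    base, wild = (int(ipaddress.ip_address(p)) for p in parts)
    # Wildcard bit 1 = don't care, 0 = must match (the inverse of a netmask).
    return ((int(ipaddress.ip_address(ip)) ^ base) & ~wild) == 0

def acl_permits(acl, src, dst):
    """First matching ACE decides; unmatched traffic hits the implicit deny."""
    for action, s, d in acl:
        if _match(s, src) and _match(d, dst):
            return action == "permit"
    return False

def pbr_next_hop(acl, next_hops, src, dst):
    """'set ip next-hop A [B ...]': first candidate that is not one of the
    switch's own addresses (simplification: IOS picks the first usable hop)."""
    if not acl_permits(acl, src, dst):
        return None
    return next((h for h in next_hops if h not in OWN_ADDRS), None)

def lookup(routes, ip):
    """Longest-prefix match; returns (prefix, gateway, interface) or None."""
    addr = ipaddress.ip_address(ip)
    hits = [r for r in routes if addr in ipaddress.ip_network(r[0])]
    return max(hits, key=lambda r: ipaddress.ip_network(r[0]).prefixlen, default=None)

def forward(acl, next_hops, src, dst, ingress_if, routes=ROUTES):
    """Return (egress_if, next_hop, redirect_sent) for one packet."""
    hop = pbr_next_hop(acl, next_hops, src, dst)
    if hop is not None:                        # policy routed towards the hop
        return lookup(routes, hop)[2], hop, False
    prefix, gw, egress = lookup(routes, dst)   # normal routing table lookup
    # Leaving through the ingress interface makes IOS send an ICMP redirect
    # telling the host to use that gateway directly: the message in the thread.
    return egress, gw, egress == ingress_if
```

A packet that matches the ACL leaves Fa0/8 towards 10.0.0.2; a packet from 192.168.100.25, which the ACL does not name, falls through to the default route on Vlan1 and triggers the redirect.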

Getting the same feeling.

But what else must be in the access-list.

Just disabled IPv6, but still not working I think.

Cillie,

Are you able to install the Wireshark software on at least one of those Win2008 servers and have a close look on the packets leaving one Win2008 server and heading towards the other? The Wireshark - I'm sure you know it - is a packet sniffer. Give it a try!

Also, is it absolutely certain that there is no device that could be overwriting IP addresses, placed between your Win2008 server and the 3560?

Best regards,

Peter

How do you route traffic from one subnet 192.168.0.0/24 to subnet 192.168.1.0/24 over 2 Cisco 3560's that are connected with a network cable on port Fa0/8?

Cillie,

I am sorry but I do not understand this question.

In case you are replying to my question about "devices between the Win2008 server and the 3560 switch", I had a different issue on my mind: is it possible that some device between the Win2008 server and the first 3560 is translating the IP addresses in such a way that they fail to match the P2P-ACL?

Please take into account that my knowledge of your network is limited, and is based only on the information you have provided yourself. I had to guess and assume some details.

Best regards,

Peter

Hi Peter

I know the information is limited. Sorry.

How it is supposed to work is that there is a direct line from Site A to Site B.

This is connected on port Fa0/8 on both the switches. (So you could say this is connected as direct Cat 5 cable.)

Site A is subnet 192.168.0.0/24

Site B is subnet 192.168.1.0/24

What I want to accomplish is to send some traffic over the VPN but through the dedicated P2P network.

Cillie,

I have just noticed: in one of the previous outputs, your route-map contained a different next hop than the one in your first post. It seems that currently, your route-map uses the command set ip next-hop 11.0.0.2. Is that so? Shouldn't it be 10.0.0.2?

I understand what you want to achieve, and I believe we are very close to solving this. Just please bear with me a little more.

Best regards,

Peter
