08-13-2010 07:38 AM - edited 03-06-2019 12:28 PM
Hope someone can shed some light here please.
Trying to setup PBR for traffic from one server to another to go over a direct link between site A and B.
But it looks like PBR is not going over the P2P but over the VPN tunnel.
Is there any way I can check active connections maybe?
Is the config incorrect?
Config as follow :
Site A
Site B
Riverbeds DG pointing to Switch (Site A and B)
Connected via a VPN tunnel on Cisco ASA 5510.
Also have a P2P connection between the 2 sites connected on a 3560 8-port PoE with ver 12.2(53) ipservices image loaded.
ip routing (enable on both switches)
Switch (Site A)
Interface Fa0/1
description (Connected ASA 5510)
speed 100
duplex full
Interface Fa0/8
description (direct connection to site B)
no switchport
ip address 10.0.0.1 255.255.255.252
speed 100
duplex full
Interface Gi0/1
description (Connected to riverbed)
Interface Vlan1
ip address 192.168.100.1 255.255.255.0
ip route-cache policy
ip policy route-map P2P
ip local policy route-map P2P
ip default-gateway 192.168.100.254 (ASA inside)
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.254
ip access-list extended P2P-ACL
permit ip host 192.168.0.25 host 192.168.1.12
ip sla enable reaction-alerts (not sure where from?)
route-map P2P permit 10
match ip address P2P-ACL
set ip next-hop 10.0.0.2 10.0.0.1
08-16-2010 09:07 AM
Cillie,
Thanks for the additional information.
I see some problems in the current configuration. What I will post now is a complete sequence of commands you can directly paste into the respective switch configuration to get them into the form I would configure them. Understandably, back up your configuration before making these changes.
Switch at the Site A:
no ip local policy route-map P2P
no ip default-gateway 192.168.0.254
ip route 0.0.0.0 0.0.0.0 192.168.0.254
ip access-list extended P2P
no permit ip host 192.168.0.25 11.0.0.1 0.0.0.252
permit ip host 192.168.0.25 11.0.0.0 0.0.0.255
interface Vlan1
no ip policy route-map VPN
ip policy route-map P2P
interface Vlan101
no ip policy route-map P2P
Switch at the Site B:
no ip local policy route-map P2P
no ip default-gateway 192.168.1.254
ip route 0.0.0.0 0.0.0.0 192.168.1.254
interface Vlan100
no ip policy route-map P2P
Please make the indicated changes to the switch configuration and test the results. If that does not work, please post again the resulting configurations of both switches on Site A and B, and also include the output of the command show route-map
Best regards,
Peter
08-16-2010 09:35 AM
Hello Cillie,
Yes, you can try to remove that default route and let's see what happens. Just pay attention to be in a network that is known to that switch, otherwise you could lock yourself out.
Best regards,
Peter
08-13-2010 09:29 AM
Hello,
1) Do you have sdm prefer routing configured on both your Cat3560 switches? If not or if you are not sure if you have configured this then enter this command in the global configuration mode, save the configuration and reload the switch. For PBR to work, the TCAM (the switching hardware) must be partitioned in such a way that there is a space allocated for PBR entries. If you have the default SDM setting which is the "default" (use the show sdm prefer command to see the current SDM template) then there is no space for PBR entries in the TCAM which may be the cause why your PBR is not working.
2) If the ip routing command is entered then the ip default-gateway command is superfluous in your configuration and can be removed.
3) The set ip next-hop in your route-map contains two IP addresses, one of them being your own IP address, I believe. That is incorrect in itself - you cannot forward a packet back to yourself. The set ip next-hop command should, in your case, contain a single IP address 10.0.0.2.
4) When you enter the show route-map command does it display any non-zero counter in the line "Policy routing matches"?
Best regards,
Peter
08-16-2010 01:21 AM
1) The current template is "desktop routing" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.
number of unicast mac addresses: 3K
number of IPv4 IGMP groups + multicast routes: 1K
number of IPv4 unicast routes: 11K
number of directly-connected IPv4 hosts: 3K
number of indirect IPv4 routes: 8K
number of IPv4 policy based routing aces: 0.5K
number of IPv4/MAC qos aces: 0.5K
number of IPv4/MAC security aces: 1K
2)removed the ip default-gateway now.
3)removed the local ip out of the set-ip next hop.
4) not sure what you mean by non-zeros?
route-map P2P-LONDON, permit, sequence 10
Match clauses:
ip address (access-lists): P2P-ACL
Set clauses:
ip next-hop 11.0.0.2
Policy routing matches: 1488 packets, 155712 bytes
08-16-2010 01:26 AM
How I know it's not working.
On the terminal monitor it's displaying a message:
redirect sent to 192.168.100.25 for dest (external ip of SiteB), use gw 192.168.100.254
08-16-2010 01:45 AM
Hello Cillie,
According to your first post, your P2P-ACL used in the route-map is as follows:
ip access-list extended P2P-ACL
permit ip host 192.168.0.25 host 192.168.1.12
Note that you have just now indicated a different IP address: 192.168.100.25, and you have hidden the external IP address of the site B - is it 192.168.1.12 or a different address? In any case, it seems as if the IP addresses in the ACL did not align with your real traffic you want to perform policy routing upon.
Can you please double check the addressing used in your network and perhaps correct the information you have posted here? It is difficult to help you if the information posted here is not accurate.
Best regards,
Peter
08-16-2010 01:58 AM
Hi Peter
Just checked. The IP address ranges are the same.
I was probably just thinking of another range.
The external IP address I hid is a different IP address: the external Internet address of Site B.
08-16-2010 02:12 AM
Cillie,
Okay but shouldn't the P2P-ACL in this case contain the correct external IP address of the site B?
Is the debugging message about the "redirect" relevant to our case? Is it not just a different message, unrelated to the PBR? In any case, the output of the show route-map indicates that there are packets being policy routed - there are counters containing both the number of packets and the amount of data, and both are greater than zero (and hopefully increasing).
To verify that the PBR is working, use the traceroute from the source IP address towards the destination. Using debugging on the switch may produce several messages unrelated to the issue we are trying to solve here.
Best regards,
Peter
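The two checks Peter asks for in his 08-13-2010 09:29 AM reply and reads back here (does the SDM template reserve any TCAM space for PBR, and is the "Policy routing matches" counter non-zero and still climbing) can be scripted against saved CLI output. The following is an added example written for this page, not code from the thread or from Cisco; the sample outputs are constructed to mirror the ones posted above, and the counter values in the second sample are made up to show a moving counter.

```python
import re

# Constructed sample outputs, modelled on the 'show sdm prefer' and
# 'show route-map' output posted in this thread (not copied from a device;
# real IOS spacing may differ, so the regexes are whitespace-tolerant).
SDM_ROUTING = """\
The current template is "desktop routing" template.
  number of IPv4 unicast routes:                    11K
  number of IPv4 policy based routing aces:         0.5K
  number of IPv4/MAC security aces:                 1K
"""

# Constructed: what the thread says the "default" template looks like,
# i.e. no TCAM entries reserved for PBR at all.
SDM_DEFAULT = """\
The current template is "desktop default" template.
  number of IPv4 unicast routes:                    8K
  number of IPv4 policy based routing aces:         0
  number of IPv4/MAC security aces:                 1K
"""

ROUTE_MAP_BEFORE = """\
route-map P2P-LONDON, permit, sequence 10
  Match clauses:
    ip address (access-lists): P2P-ACL
  Set clauses:
    ip next-hop 11.0.0.2
  Policy routing matches: 1488 packets, 155712 bytes
"""

# Constructed second sample, as if taken a few seconds later.
ROUTE_MAP_AFTER = ROUTE_MAP_BEFORE.replace("1488 packets, 155712 bytes",
                                           "1502 packets, 157072 bytes")

_SIZE = {"": 1, "K": 1024, "M": 1024 * 1024}


def pbr_tcam_aces(show_sdm_prefer: str) -> int:
    """Number of TCAM entries the active SDM template reserves for PBR.
    0 means the template cannot hold PBR entries at all."""
    m = re.search(r"policy based routing aces:\s*([\d.]+)\s*([KM]?)",
                  show_sdm_prefer, re.IGNORECASE)
    if not m:
        raise ValueError("no PBR ACE line in 'show sdm prefer' output")
    return int(float(m.group(1)) * _SIZE[m.group(2).upper()])


def route_map_matches(show_route_map: str) -> dict:
    """Map (route-map name, sequence) -> packets counted under
    'Policy routing matches'. Sequences with no counter line map to 0."""
    counters, current = {}, None
    for line in show_route_map.splitlines():
        head = re.match(r"\s*route-map (\S+), (?:permit|deny), sequence (\d+)", line)
        if head:
            current = (head.group(1), int(head.group(2)))
            counters[current] = 0
            continue
        hit = re.search(r"Policy routing matches:\s*(\d+) packets", line)
        if hit and current is not None:
            counters[current] = int(hit.group(1))
    return counters


def pbr_findings(show_sdm_prefer: str, route_map_t0: str, route_map_t1: str) -> list:
    """Apply the checks from the thread: PBR TCAM space, then whether each
    sequence's counter is non-zero and still increasing between two samples
    taken while the interesting traffic is running."""
    findings = []
    if pbr_tcam_aces(show_sdm_prefer) == 0:
        findings.append("SDM template reserves no PBR TCAM entries: "
                        "configure 'sdm prefer routing', save and reload")
    before = route_map_matches(route_map_t0)
    after = route_map_matches(route_map_t1)
    for name, seq in sorted(after):
        b, a = before.get((name, seq), 0), after[(name, seq)]
        if a == 0:
            findings.append(f"{name} seq {seq}: never matched, traffic does not hit the ACL")
        elif a == b:
            findings.append(f"{name} seq {seq}: counter static at {a}, traffic stopped matching")
        else:
            findings.append(f"{name} seq {seq}: ok, matched {a - b} more packets")
    return findings


if __name__ == "__main__":
    for line in pbr_findings(SDM_ROUTING, ROUTE_MAP_BEFORE, ROUTE_MAP_AFTER):
        print(line)
```

Take the two route-map samples a few seconds apart while the server-to-server transfer (not just a ping) is running; a counter that only moves when you ping is the symptom of a match clause that the real application traffic does not hit.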
08-16-2010 02:23 AM
Every time I make a connection between the 2 servers that are in the access list, the above redirect comes up.
Looks like only icmp traffic is going over the P2P.
Here is a tracert from the win 2008 server :
Tracing route to machinename [192.168.1.12]
over a maximum of 30 hops:
1 4 ms 1 ms 1 ms 192.168.0.240
2 * * * Request timed out.
3 70 ms 70 ms 70 ms machinename [192.168.1.12]
08-16-2010 02:36 AM
Cillie,
Is it by any means possible that the Win2008 server is using a different address for either the source or destination IP address than the addresses indicated in the P2P-ACL when you make a connection from one to another?
Obviously, the Win2008 server is using the Cat3560 as its default gateway. The reason that the Cat3560 sends a redirect to the Win2008 server is that it needs to send the packet out the same IP interface through which the packet came in. That in turn means that the PBR was not applied to the packet. The only reason I can see right now is that the traffic does not match the P2P-ACL.
Best regards,
Peter
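Peter's point in the 08-16-2010 01:45 AM and 02:36 AM replies is that the redirect means the packet never matched P2P-ACL. An offline way to confirm that is to evaluate the ACL the same way IOS does, with wildcard masks, against the real source and destination addresses. This is an added example written for this page, not code from the thread or from Cisco; the ACL texts are the one from the original post and the one the accepted answer tells the poster to configure, and the addresses tested are the ones that appear in the thread.

```python
import ipaddress

# The ACL from the original post in this thread.
ORIGINAL_ACL = """\
ip access-list extended P2P-ACL
 permit ip host 192.168.0.25 host 192.168.1.12
"""

# The ACL in the form the accepted answer tells the poster to configure.
REVISED_ACL = """\
ip access-list extended P2P
 permit ip host 192.168.0.25 11.0.0.0 0.0.0.255
"""

ALL_ONES = 0xFFFFFFFF


def _addr(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _parse_target(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tokens[i].
    Returns (address, wildcard, next index). Wildcard bits set to 1 are
    'don't care', as in IOS."""
    if tokens[i] == "any":
        return 0, ALL_ONES, i + 1
    if tokens[i] == "host":
        return _addr(tokens[i + 1]), 0, i + 2
    return _addr(tokens[i]), _addr(tokens[i + 1]), i + 2


def parse_extended_acl(text: str):
    """Parse the 'permit|deny <proto> <src> <dst>' lines of a named extended
    ACL into tuples; the 'ip access-list' header and blank lines are skipped.
    Port qualifiers are not handled (the ACLs in this thread have none)."""
    entries = []
    for raw in text.splitlines():
        tok = raw.split()
        if len(tok) < 4 or tok[0] not in ("permit", "deny"):
            continue
        src, swild, i = _parse_target(tok, 2)
        dst, dwild, _ = _parse_target(tok, i)
        entries.append((tok[0], tok[1], src, swild, dst, dwild))
    return entries


def _matches(addr: int, spec: int, wild: int) -> bool:
    care = ~wild & ALL_ONES
    return (addr & care) == (spec & care)


def acl_action(acl_text: str, src: str, dst: str, proto: str = "ip") -> str:
    """First-match evaluation; 'implicit-deny' when no line matches."""
    s, d = _addr(src), _addr(dst)
    for action, p, sa, sw, da, dw in parse_extended_acl(acl_text):
        if p not in ("ip", proto):
            continue
        if _matches(s, sa, sw) and _matches(d, da, dw):
            return action
    return "implicit-deny"


def would_be_policy_routed(acl_text: str, src: str, dst: str, proto: str = "ip") -> bool:
    """A route-map 'match ip address' clause policy-routes only packets the
    ACL permits; denied or unmatched packets follow the routing table
    (which in this thread means the ASA default gateway and a redirect)."""
    return acl_action(acl_text, src, dst, proto) == "permit"


def wildcard_span(wildcard: str) -> int:
    """How many addresses an address/wildcard pair covers: 2 ** (number of
    1 bits). A non-contiguous mask such as 0.0.0.252 covers 64 scattered
    addresses rather than a /30, which is why the accepted answer swaps it
    for 0.0.0.255."""
    return 1 << bin(_addr(wildcard)).count("1")


if __name__ == "__main__":
    for src in ("192.168.0.25", "192.168.100.25"):
        print(src, "->", "192.168.1.12",
              "policy routed" if would_be_policy_routed(ORIGINAL_ACL, src, "192.168.1.12")
              else "NOT policy routed (falls back to the routing table)")
```

Note that the reverse pair (Site B server to Site A server) falls through to the implicit deny of this ACL, so the switch at Site B needs its own ACL and route-map for the return traffic; the route-map only ever acts on packets entering the interface it is applied to.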
08-16-2010 02:59 AM
Getting the same feeling.
But what else must be in the access-list.
Just disabled IPv6, but still not working I think.
08-16-2010 03:09 AM
Cillie,
Are you able to install the Wireshark software on at least one of those Win2008 servers and have a close look on the packets leaving one Win2008 server and heading towards the other? The Wireshark - I'm sure you know it - is a packet sniffer. Give it a try!
Also, is it absolutely certain that there is no device that could be overwriting IP addresses, placed between your Win2008 server and the 3560?
Best regards,
Peter
08-16-2010 03:51 AM
How do you route traffic from one subnet 192.168.0.0/24 to subnet 192.168.1.0/24 over 2 Cisco 3560s that are connected with a network cable on port Fa0/8?
08-16-2010 04:34 AM
Cillie,
I am sorry but I do not understand this question.
In case you are replying to my question about "devices between the Win2008 server and the 3560 switch", I had a different issue on my mind: is it possible that some device between the Win2008 server and the first 3560 is translating the IP addresses in such a way that they fail to match the P2P-ACL?
Please take into account that my knowledge of your network is limited, and is based only on the information you have provided yourself. I had to guess and assume some details.
Best regards,
Peter
08-16-2010 05:57 AM
Hi Peter
I know the information is limited. Sorry.
How it is supposed to work is that there is a direct line from Site A to Site B.
This is connected on port Fa0/8 on both the switches. (So you could say this is connected as direct Cat 5 cable.)
Site A is subnet 192.168.0.0/24
Site B is subnet 192.168.1.0/24
What I want to accomplish is to send some traffic over the VPN but through the dedicated P2P network.
08-16-2010 06:14 AM
Cillie,
I have just noticed: in one of the previous outputs, your route-map contained a different next hop than the one in your first post. It seems that currently, your route-map uses the command set ip next-hop 11.0.0.2. Is that so? Shouldn't it be 10.0.0.2?
I understand what you want to achieve, and I believe we are very close to solving this. Just please bear with me a little more.
Best regards,
Peter