03-05-2012 08:17 PM - edited 03-07-2019 05:22 AM
Hello,
I'm configuring PBR on a Catalyst 4503, but it doesn't work. Here is the configuration and a basic diagram:
--> Router 3845 (10.4.30.20)
Server(10.4.28.60)--> ASA5520--> Catalyst 4503
--> Router 3945 (10.4.30.21)
Catalyst 4503:
access-list 110 permit ip host 10.4.28.60 10.1.0.0 0.0.255.255
access-list 110 permit ip host 10.4.28.60 10.3.0.0 0.0.255.255
access-list 110 permit ip host 10.4.28.60 10.5.0.0 0.0.255.255
access-list 110 permit ip host 10.4.28.60 10.6.0.0 0.0.255.255
!
route-map Corebank_policy permit 20
match ip address 110
set ip next-hop 10.4.30.20
!
The route-map is applied on interface Vlan10 (used for the connection from the ASA to the Catalyst 4503):
interface Vlan10
ip address 10.4.30.11 255.255.255.248
ip policy route-map Corebank_policy
standby 10 ip 10.4.30.9
standby 10 priority 200
standby 10 preempt
end
Output of show route-map on the 4503:
route-map Corebank_policy, permit, sequence 20
Match clauses:
ip address (access-lists): 110
Set clauses:
ip next-hop 10.4.30.20
Policy routing matches: 30 packets, 1800 bytes
Sometimes, traffic still passes through Router 3945 (10.4.30.21).
If anyone has an idea what it is, please tell me.
Thanks
03-05-2012 11:56 PM
Just to add, is it possible for you to run a debug (debug ip policy)?
As you are running OSPF between the 4500 and the router, and the next hop is not seen as a directly connected network, you may need to change your configs to look something like this:
access-list 110 permit ip host 10.4.28.60 10.1.0.0 0.0.255.255
access-list 110 permit ip host 10.4.28.60 10.3.0.0 0.0.255.255
access-list 110 permit ip host 10.4.28.60 10.5.0.0 0.0.255.255
access-list 110 permit ip host 10.4.28.60 10.6.0.0 0.0.255.255
!
route-map Corebank_policy permit 20
match ip address 110
set ip next-hop recursive 10.4.30.20
!
interface Vlan10
ip address 10.4.30.11 255.255.255.248
ip policy route-map Corebank_policy
standby 10 ip 10.4.30.9
standby 10 priority 200
standby 10 preempt
Please post the results.
03-06-2012 01:21 AM
OK. What I think is the reason you have a /32 route is that your OSPF network type is point-to-multipoint. So even though you have the network as directly connected, it is seeing the interface as a /32 host route, and your debug shows that it is not able to reach the next hop:
26179: 2w2d: IP: Vlan10 to Vlan11 10.4.30.20Policy NextHop Inquiry: Corebank_policy seq: 20, type: INVALID SW_OBJ_TYPE: 0, SW_HANDLE: 0
The moment you make the OSPF network point-to-multipoint, it will inject a /32 host route for the interface. Now, to get around this problem:
1. Change the OSPF network type (I am not sure how feasible it would be in your production).
2. Use an IOS which supports the recursive command.
I will look for command support on this platform; in parallel, could you please let me know if you have had a chance to test it with a connected interface.
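A quick check for the condition diagnosed above, as an added example that is not part of the original thread: given the "sh ip route" output for the PBR next hop and the interface configuration (both posted later in this thread), it decides whether a plain "set ip next-hop" can resolve the hop through a connected subnet, or whether a learned /32 host route shadows it, and flags "ip ospf network point-to-multipoint" on the adjacent interface as the likely source of that /32. The function names are mine, the sample inputs are constructed from the outputs in this thread, and the rule it encodes is the one the thread states (a non-recursive PBR next hop must be directly connected); parsing is limited to the fields those outputs show.

```python
import ipaddress
import re

# Constructed sample input: the "sh ip route 10.4.30.20" output posted in this thread.
SHOW_IP_ROUTE = """\
Routing entry for 10.4.30.20/32
  Known via "ospf 1", distance 110, metric 1, type intra area
  Last update from 10.4.30.20 on Vlan11, 00:06:12 ago
  Routing Descriptor Blocks:
  * 10.4.30.20, from 10.4.30.20, 00:06:12 ago, via Vlan11
      Route metric is 1, traffic share count is 1
"""

# Constructed sample input: the two 4503 SVIs as posted (HSRP lines omitted).
INTERFACE_CONFIG = """\
interface Vlan10
 ip address 10.4.30.11 255.255.255.248
 ip policy route-map Corebank_policy
!
interface Vlan11
 ip address 10.4.30.19 255.255.255.248
 ip ospf network point-to-multipoint
!
"""


def parse_interfaces(config):
    """Map interface name -> {"network": IPv4Network, "ospf_type": str|None}
    from a 'show run' style listing (only the lines this check needs)."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface\s+(\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = {"network": None, "ospf_type": None}
            continue
        if current is None:
            continue
        m = re.match(r"^\s*ip address\s+(\S+)\s+(\S+)", line)
        if m:  # ip_interface accepts the dotted-netmask form IOS prints
            interfaces[current]["network"] = ipaddress.ip_interface(
                f"{m.group(1)}/{m.group(2)}").network
        m = re.match(r"^\s*ip ospf network\s+(\S+)", line)
        if m:
            interfaces[current]["ospf_type"] = m.group(1)
    return interfaces


def parse_route_entry(text):
    """Extract prefix, source protocol and egress interface from
    'show ip route <addr>' output. The last 'via X' is the descriptor
    block's interface ('(connected, via interface)' comes earlier)."""
    prefix = re.search(r"Routing entry for (\S+)", text).group(1)
    proto = re.search(r'Known via "([^"]+)"', text).group(1)
    vias = re.findall(r"\bvia (\w+)", text)
    return {"prefix": ipaddress.ip_network(prefix), "protocol": proto,
            "egress": vias[-1] if vias else None}


def check_pbr_next_hop(next_hop, route_text, interface_config):
    """Decide whether a plain (non-recursive) 'set ip next-hop NEXT_HOP'
    can be honoured: the hop must resolve through a connected subnet.
    Assumption (from this thread): a more specific learned route, such as the
    /32 that OSPF point-to-multipoint injects, shadows the connected subnet."""
    hop = ipaddress.ip_address(next_hop)
    interfaces = parse_interfaces(interface_config)
    route = parse_route_entry(route_text)

    adjacent_on = next((name for name, i in interfaces.items()
                        if i["network"] is not None and hop in i["network"]), None)
    learned = not route["protocol"].startswith("connected")
    host_route = route["prefix"].prefixlen == 32
    p2mp = (adjacent_on is not None
            and interfaces[adjacent_on]["ospf_type"] == "point-to-multipoint")

    if adjacent_on is None:
        verdict = "not connected: use set ip next-hop recursive or an adjacent hop"
    elif not learned:
        verdict = f"ok: next hop resolves through the connected subnet on {adjacent_on}"
    elif host_route:
        verdict = (f"shadowed: next hop is on {adjacent_on}, but the RIB prefers a "
                   f"/32 {route['protocol']} route; plain set ip next-hop will not be honoured")
    else:
        verdict = f"unexpected: {route['protocol']} route covers a connected subnet"

    return {"adjacent_on": adjacent_on, "route_prefix": str(route["prefix"]),
            "route_protocol": route["protocol"], "egress": route["egress"],
            "ospf_p2mp": p2mp, "verdict": verdict}


if __name__ == "__main__":
    result = check_pbr_next_hop("10.4.30.20", SHOW_IP_ROUTE, INTERFACE_CONFIG)
    for key, value in result.items():
        print(f"{key:15} {value}")
    if result["ospf_p2mp"] and result["verdict"].startswith("shadowed"):
        print("likely cause: 'ip ospf network point-to-multipoint' on", result["adjacent_on"],
              "injects the /32 host route; change the network type or use a recursive next hop")
```

Paste the real "sh ip route <next-hop>" and "sh run interface" output in place of the constructed strings; a verdict of "shadowed" together with ospf_p2mp True is exactly the situation in this thread, and "not connected" is the case where only a recursive next hop (or a different, adjacent hop) will work.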
03-05-2012 10:16 PM
Hello,
Your topology seems to be unclear.
--> Router 3845 (10.4.30.20)
Server(10.4.28.60)--> ASA5520--> Catalyst 4503
--> Router 3945 (10.4.30.21)
Could you please provide me a diagrammatic representation of your topology to help further?
Thanks
Vivek
03-05-2012 10:54 PM
Dear Vivek Ganapathi,
Here is the network diagram.
Thanks,
03-05-2012 11:02 PM
Hello,
How are you verifying that sometimes traffic is passing through Router 3945 (10.4.30.21)?
Can we check which traffic it is?
I see very few hits on the PBR; I would like to see the hits on the ACL:
Policy routing matches: 30 packets, 1800 bytes
Is it a testing environment or production? Do you see anything in the logs that PBR is failing?
Is the next hop a connected interface, or do we have to perform a RIB lookup to reach 10.4.30.20 or .21?
Can you paste the output of:
sh ip route 10.4.30.20
sh access-list 110
03-05-2012 11:13 PM
Dear Mukti Chandwani,
It's our production environment. I performed tracert 10.5.1.1 on the server (10.4.28.60) and see traffic pass through Router 3945.
Here is the output of sh ip route 10.4.30.20 and sh access-list 110:
sh ip route 10.4.30.20
Routing entry for 10.4.30.20/32
Known via "ospf 1", distance 110, metric 1, type intra area
Last update from 10.4.30.20 on Vlan11, 00:06:12 ago
Routing Descriptor Blocks:
* 10.4.30.20, from 10.4.30.20, 00:06:12 ago, via Vlan11
Route metric is 1, traffic share count is 1
sh access-lists 110
Extended IP access list 110
10 permit ip host 10.4.28.60 10.1.0.0 0.0.255.255
20 permit ip host 10.4.28.60 10.3.0.0 0.0.255.255
30 permit ip host 10.4.28.60 10.5.0.0 0.0.255.255 (30 matches)
40 permit ip host 10.4.28.60 10.6.0.0 0.0.255.255
Thanks,
03-05-2012 11:19 PM
Hi,
A few things which might not be 100% correct, but I wanted to share them here.
Scenario#1.
How would you expect the PBR to work when the server is in a different VLAN than the VLAN the PBR is applied to (VLAN#10)?
VLAN#10 is 10.4.30.8/29, but the server (10.4.28.60) is in a different VLAN. Should the server traffic come to VLAN#10 and be routed based on PBR? No.
Scenario#2. PBR will work if you meet the following:
If you have users in VLAN#10 and the users are trying to communicate to and from the server.
Along with the first line you should have "access-list 110 permit ip host 10.4.28.60 VLAN#10".
Thanks,
ThiyaguVG.
03-05-2012 11:29 PM
Dear ThiyaguVG,
Thanks for your advice, but I want all important traffic (server 10.4.28.60) to the branches to pass through the leased-line connection (on Router 3845) and all other traffic (other servers) to pass through the MPLS connection (on Router 3945). Vlan#10 doesn't have users; it is used to connect the 4503 to the ASA.
Thanks
03-05-2012 11:55 PM
OK. The reason I was wondering is that, if you notice, the matches in the ACL and the matches in the PBR are exactly the same. That means whatever traffic is matching the ACL is getting PBR.
Please paste a tracert from the server to 10.5.1.1.
I hope there is no NAT for the source/destination addresses when crossing the ASA.
Also, could you please make a slight change in your configuration: instead of
set ip next-hop 10.4.30.20, please change it to set ip next-hop recursive 10.4.30.20.
It's not considering it as a connected route:
Routing entry for 10.4.30.20/32
Known via "ospf 1", distance 110, metric 1, type intra area
03-05-2012 11:41 PM
Hello,
Looks to me like one of your ACL entries is being matched.
30 permit ip host 10.4.28.60 10.5.0.0 0.0.255.255 (30 matches)
Have you tried hitting those other destinations, like 10.1.0.0 etc., as defined in the ACL?
Or do you mean PBR is intermittently not kicking in?
Thanks
Vivek
03-05-2012 11:56 PM
Dear Vivek
Yes, I've tried to tracert other IPs, but it seems that PBR doesn't work. 30 packets is very small because we have many people in the branches using the application on server 10.4.28.60.
Thanks
03-06-2012 12:17 AM
Dear Vivek, Mukti Chandwani,
I added IP address 10.4.28.2 to the access-list, and this is the output of tracert 10.5.1.1:
traceroute 10.5.1.1
Type escape sequence to abort.
Tracing the route to 10.5.1.1
1 10.4.30.11 9 msec 0 msec 0 msec
2 10.4.30.21 8 msec 0 msec 0 msec
3 10.0.253.30 17 msec * 9 msec
The route-map config doesn't have the set ip next-hop recursive command (IOS version: Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500-ENTSERVICESK9-M), Version 15.0(2)SG3, RELEASE SOFTWARE (fc2)):
(config-route-map)#set ip next-hop ?
A.B.C.D IP address of next hop
dynamic application dynamically sets next hop
peer-address Use peer address (for BGP only)
Thanks
03-06-2012 12:35 AM
Thanks for the output.
Can you tell me why you have a /32 host route via OSPF? Please paste the output of:
sh run int vlan 11
I want to see the subnet. The reason it is failing is that by default PBR considers the next hop as directly connected; however, in our case the router has to go through the routing table to reach 10.4.30.20.
This issue is recursive-lookup related. You might need to upgrade the IOS.
http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/12s_pbr.html
If you want to verify that this is the case, you can check by adding a test set ip next-hop with a next hop which is directly connected to the 4500, and that will work.
Regards,
Mukti
03-06-2012 12:45 AM
Thanks Mukti Chandwani,
Here is the output of sh int vlan 11, and of sh int bvi 1 on the router:
interface Vlan11
description ****VLAN connecting to Router 3845****
ip address 10.4.30.19 255.255.255.248
ip ospf network point-to-multipoint
standby 11 ip 10.4.30.17
standby 11 priority 200
standby 11 preempt
end
interface BVI1
description ***Connect to CoreSwitch 4503***
ip address 10.4.30.21 255.255.255.248
ip ospf network point-to-multipoint
ip ospf cost 10
end
Is the "ip ospf network point-to-multipoint" command the problem?
03-06-2012 01:02 AM
Yes, ip ospf network point-to-multipoint advertises a /32. You may need to change them to point-to-point.
Also, why do you require to have a BVI interface between your 4500 & Router?