Pbr on 2811 not working.... access-list issue

Unanswered Question
May 2nd, 2012

Thought this would be pretty simple but am failing here with the basics.  Trying to policy route internet traffic from a particular host (10.3.201.1) via a dedicated internet link rather than via the corporate wan.  The access-list I am using for the route map just doesn't get any matches.  Other access-lists I have placed on the 2811 do not accumulate matches either so I am guessing this is the cause.  A show ip int g0/1.3 tells me pbr is enabled on the interface using my route-map.  Any clues most welcome.

router#sh access-l

Extended IP access list 151

    10 deny ip host 10.3.201.1 172.16.1.0 0.0.0.255

    20 deny ip host 10.3.201.1 10.0.0.0 0.255.255.255

    30 permit ip host 10.3.201.1 any

NO MATCHES!!!!

Some snippets from the config bewlow:

interface GigabitEthernet0/1.3
description **** Services vLAN ****
encapsulation dot1Q 4
ip address 10.3.201.254 255.255.255.0
no ip unreachables
no ip proxy-arp
ip flow ingress
ip virtual-reassembly in
ip tcp adjust-mss 1452
ip policy route-map reroute-dc-internet-traffic

access-list 151 deny   ip host 10.3.201.1 172.16.1.0 0.0.0.255

access-list 151 deny   ip host 10.3.201.1 10.0.0.0 0.255.255.255

access-list 151 permit ip host 10.3.201.1 any

route-map reroute-dc-internet-traffic permit 10

match ip address 151

set ip next-hop 10.6.201.253route-map reroute-dc-internet-traffic permit 10

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 5 (2 ratings)
andymanc120 Wed, 05/02/2012 - 23:24

What is the output from show route-map reroute-dc-internet-traffic?

If you traceroute to an internet host, what path does it show? Can you get out? You are testing from the 10.3.201.1 device, correct? You can check which way you are going out by using a website like ipchicken.com.

Here is a good video on the subject:

http://www.youtube.com/watch?v=XYhsUfQDqt8

Good luck!

Andy

DjDamo Wed, 05/02/2012 - 23:34

Andy....

show routemap output:

route-map reroute-dc-internet-traffic, permit, sequence 10

  Match clauses:

    ip address (access-lists): 151

  Set clauses:

    ip next-hop 10.6.201.253

  Policy routing matches: 0 packets, 0 bytes

Trace from the 10.3.201.1 host, shows the PBR not being applied:

Tracing route to 8.8.8.8 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  10.3.201.254
  2    <1 ms     1 ms    <1 ms  172.25.88.98
  3   136 ms     7 ms    <1 ms  172.25.88.113
  4     1 ms     1 ms     1 ms  172.25.88.114
  5     2 ms     2 ms     2 ms  172.16.1.253
  6     3 ms    22 ms     3 ms  165.228.176.57
  7     3 ms     4 ms     2 ms  203.50.51.129
  8    19 ms    24 ms    23 ms  203.50.11.70
  9    17 ms    21 ms    25 ms  203.50.6.154
10    14 ms    14 ms    14 ms  74.125.50.1
11    17 ms    17 ms    16 ms  66.249.95.226
12    17 ms    17 ms    16 ms  66.249.95.235
13    17 ms    17 ms    17 ms  72.14.237.21
14    14 ms    14 ms    14 ms  8.8.8.8

Trace complete.

so gets back to my ACLs not being applied??

I will go take a look at the video.

andymanc120 Wed, 05/02/2012 - 23:49

My next suggestion would be to make the access-list 151 permit ip host 10.3.201.1 any and get rid of the deny lines, just to see if that helps.

If it doesn't help, my guess would be because it's a sub interface. Maybe try applying it to the base interface and not the sub interface? So just gig0/1? Maybe it's not catching it because of that...

I'm curious to know the answer, if it wasn't so late I'd fire up a router here at home to try it myself!

Andy

DjDamo Wed, 05/02/2012 - 23:57

Yeah this should be so simple it's really winding me up! I think I might be up late as well.....  Have just started tinkering more with the ACls.  This one for example isn't applied to anything but I shoulod still see matches right?  I have a persistent ping happening to 8.8.8.8 from the 10.3.201.1 host.  Still no matches.  It seems that no acl on this router gets a match!

cisco1921_FV#sh access-l 152

Extended IP access list 152

    10 permit icmp host 10.3.201.1 host 8.8.8.8

John Blakley Thu, 05/03/2012 - 03:48

Damian,

I'm going to go out on a limb here, but is the host that you're pinging from addressed as 10.3.201.1 on the WAN side? If not, you'll need to source your ping in order for your PBR to work. For example:

WAN side:

192.168.3.1/24

LAN side:

10.3.201.1

If you're pinging from the above with just standard pings, the wan address will be used as the source and will never match your policy. If that's the case, try "ping 8.8.8.8 source 10.3.201.1"

HTH,

John

DjDamo Thu, 05/03/2012 - 04:48

John..... the ping is coming from the 10.3.201.1 host.  It is on the LAN side.  The g0/1 interface has 6 sub interfaces servicing the 6 vlans on this site.  The next hop for the route map is on one of the vlans.  Other traffic exits via g0/0 into the corp wan.

I have created a few other test Acls and none of them get matches regardless of the host, vlan or traffic type.  Confused!

Cheers

Damien.

John Blakley Thu, 05/03/2012 - 07:09

I labbed this up and it works fine. Have you checked the IOS version to see if there are any bugs related?

DjDamo Wed, 05/09/2012 - 07:06

John.... Cheers.

Couldn't find any bug info but just upgraded from c1900-universalk9-mz.SPA.152-2.T to c1900-universalk9-mz.SPA.152-3.T (it was a 1921 BTW!) and everything dropped into place.  The image i replaced is still available for download!

Many thanks.

Damien.

Actions

Login or Register to take actions

This Discussion

Posted May 2, 2012 at 8:33 PM
Stats:
Replies:12 Avg. Rating:5
Views:1258 Votes:0
Shares:0
Tags: pbr, access-list, 2811
+

Related Content

Discussions Leaderboard

Rank Username Points
1 15,007
2 8,150
3 7,725
4 7,083
5 6,742
Rank Username Points
165
82
69
65
55