PBR on L3 switches

expertirs · ‎03-28-2012

Hi!

I'm doing a little lab with 2 Cisco 6500 chassis and 2 WSC3750.

I'd like to use PBR on SVIs so I created an access-list, a route-map and applied a policy on my SVI.

Here is the configuration :

ip access-list extended PROV_FW1

permit ip 192.168.34.0 0.0.0.255 any log

permit ip 192.168.35.0 0.0.0.255 any log

permit ip 192.168.42.0 0.0.0.255 any log

ip access-list extended VERS_FW1

permit ip any 192.168.34.0 0.0.0.255 log

permit ip any 192.168.35.0 0.0.0.255 log

permit ip any 192.168.42.0 0.0.0.255 log

route-map VERS_FW permit 10

match ip address PROV_FW1 VERS_FW1

set ip next-hop 192.168.32.254

interface Vlan36

description interco_SW_entree

ip address 192.168.36.4 255.255.255.0

ip policy route-map VERS_FW

But, with this configuration, nothing happens. When I do a "debug ip policy" here is nothing.

I found a dirty workaround : apply an access-group on the SVI.

ip access-list extended test_any

permit ip any any log

permit icmp any any log

interface Vlan36

description interco_SW_entree

ip address 192.168.36.4 255.255.255.0

ip policy route-map VERS_FW

With this configuration, the policy works fine and I see the debug correctly. I have the same behaviour on all the devices....

Someone already saw this kind of issue? Is there something with CEF?

Thanks

Richard Burts · ‎03-28-2012

Perhaps some additional information about the topology of your network would help us to figure out what is going on. Your access list is permitting traffic from 192.168.34.0, 192.168.35.0, and 192.168.42.0. Where are these subnets?

If those subnets are located behind VLAN 36 then your configuration of PBR seems ok. But if they are on some other SVIs then this is the main problem. The route map for PBR is configured on the interface where the traffic arrives on the layer 3 switch/router.

HTH

Rick

HTH

Rick

Kyle McKay · ‎03-28-2012

Rick has hit the nail on the head of the problem. Your PBR is applied is applied to VLAN 36 which is utilized only when trafic arives on the SVI. This, combined with the ACL you've created, results in no match because there are no packets entering VLAN 36 with any of those source addresses. (At least according to the information you've provided)

expertirs · ‎03-29-2012

Hi,

Thanks for your reply.

Here is a scheme to better understand the configuration.

Richard Burts · ‎03-29-2012

Thank you for the drawing. It does provide some helpful information and does raise a few questions.

It does show that from the perspective of the 3750 that the 192.168.34 and the 192.168.42 networks might be behind the VLAN 36 interface. But it also shows that those networks might be behind the VLAN 37 interface. So it might also be necessary to configure PBR on the VLAN 37 interface.

And we do not know from the drawing what the 6500 switches are doing with the traffic. Perhaps you can clarify that.

And PBR usually is sending the traffic on a path different from normal routing. But we do not know what is normal routing in this network. Perhaps you can clarify these points?

HTH

Rick

HTH

Rick

expertirs · ‎04-03-2012

Hi Richard,

I drawed the trafic flow on the scheme.

To give you the path:

=> The client is on vlan34

=> It goes on vlan36 on the 6500 thanks to PBR (similar to which on the drawing)

=> Goes on vlan32 on the 3750 with the configuration on the drawing

=> Goes on the firewall

=> Goes out to the firewall on vlan33

=> Goes on vlan37

=> Goes on vlan 42

I know the design is weird but I haven't choose it