06-27-2007 05:50 AM - edited 03-05-2019 04:59 PM
I'm trying to use PBR on a Catalyst 6509 with MSFC2, with IOS Version 12.1(19)E.
I have defined the following PBR:
route-map PBR permit 0
match ip address 102
set ip default next-hop 156.106.131.228
The ACL 102 is as follows:
permit ip 156.106.151.0 0.0.0.255 any log
Which simply states to route all the source traffic to the next-hop IP instead of the normal gateway.
On the interface, I have defined:
interface Vlan114
ip address 156.106.151.1 255.255.255.0
ip ospf authentication-key 7
ip policy route-map PBR
The next hop 156.106.131.228 is directly attached to the router via a Vlan.
When trying to monitor it, I see
"policy rejected, normal forwarding"
Any ideas?
Tks,
06-27-2007 05:58 AM
Hi
I think for this to work you need to have the default next hop in the same subnet as the VLAN interface. Can you try this and check.
Thanks
Mahmood
06-27-2007 06:21 AM
Sorry, don't see it?
The default route for my vlan114 is 156.106.151.1, which is directly attached to the MSFC; I want it instead to be routed to a different VLAN (156.106.131.228). So I don't want my next hop to be in the same VLAN.
I'm trying to follow exactly the same example as in the reference:
http://www.cisco.com/en/US/tech/tk364/technologies_configuration_example09186a00802135d3.shtml#diag
Tks,
06-27-2007 06:32 AM
From the route-map:
Remove this:
set ip default next-hop 156.106.131.228
Add this:
set ip next-hop 156.106.131.228
The default keyword in the next-hop will only be used when the router doesn't have a route to that destination. I assume you probably do have a route to that destination and that's the reason why the policy is being rejected.
HTH
Sundar
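To make the difference between `set ip next-hop` and `set ip default next-hop` concrete, here is an added Python model of the route-map decision (example code written for this thread, not Cisco's or any poster's). It assumes a constructed routing table: the two connected routes shown later in the thread, plus an assumed /24 towards con1 and an assumed default route; the "explicit route" rule follows the documented IOS semantics, where the 0.0.0.0/0 default route does not count as an explicit route.

```python
import ipaddress

# Constructed routing table modelled on the "sh ip route" output in the thread,
# plus an assumed default route and an assumed /24 for the pathping target (con1).
ROUTES = [
    ipaddress.ip_network("156.106.151.0/24"),   # connected, Vlan114
    ipaddress.ip_network("156.106.128.0/21"),   # connected, Vlan9 (holds 156.106.131.228)
    ipaddress.ip_network("156.106.97.0/24"),    # assumed learned route towards con1
    ipaddress.ip_network("0.0.0.0/0"),          # assumed default route
]

def acl_matches(entries, src):
    """Standard-ACL semantics: (address, wildcard) pairs; a wildcard bit of 1 means
    'don't care'. A bare host entry such as 'permit 156.106.151.1' is wildcard 0.0.0.0."""
    s = int(ipaddress.ip_address(src))
    for addr, wildcard in entries:
        care = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
        if (s & care) == (int(ipaddress.ip_address(addr)) & care):
            return True
    return False

def longest_match(dst, routes):
    """Return the most specific route covering dst, or None."""
    d = ipaddress.ip_address(dst)
    covering = [r for r in routes if d in r]
    return max(covering, key=lambda r: r.prefixlen) if covering else None

def pbr_decision(src, dst, acl, next_hop, use_default, routes=ROUTES):
    """Model one route-map 'permit' entry: 'match ip address <acl>' followed by either
    'set ip next-hop' (use_default=False) or 'set ip default next-hop' (use_default=True).
    Returns (verdict, detail) where verdict is 'policy routed' or 'normal forwarding'."""
    if not acl_matches(acl, src):
        return ("normal forwarding", "no ACL match")
    route = longest_match(dst, routes)
    # 'default next-hop' is consulted only when the table has no explicit route to dst;
    # the 0.0.0.0/0 default route does not count as explicit (IOS semantics).
    if use_default and route is not None and route.prefixlen > 0:
        return ("normal forwarding", f"explicit route {route} wins over default next-hop")
    return ("policy routed", next_hop)

if __name__ == "__main__":
    subnet_acl = [("156.106.151.0", "0.0.0.255")]   # the thread's ACL 9 / ACL 102 source match
    for use_default in (True, False):
        print("default next-hop" if use_default else "next-hop",
              pbr_decision("156.106.151.115", "156.106.97.20", subnet_acl,
                           "156.106.131.228", use_default))
```

With the assumed route to con1 present, the `default next-hop` form yields "normal forwarding" for the pathping test while the plain `next-hop` form policy-routes via 156.106.131.228; a destination covered only by the default route is policy-routed in both forms.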
06-27-2007 06:57 AM
access-list 1 permit 156.106.151.X 0.0.0.255 log (per host)
or
access-list 1 permit 10.168.100.0 0.0.0.255 log (per subnet)
Route map:
route-map PRB permit 10
match ip address 1
set ip next-hop 156.106.131.228
interface vlan 114
ip policy route-map PRB
To test, I would try with a single host from vlan 114: do a tracert to something outside your network
from the PC and see if it takes 156.106.131.228 as the next hop.
Also do show access-list # on the MSFC to see any hits on that ACL.
Could you also post show ip route from the MSFC? We would like to see what your default route is.
Jorge
06-27-2007 07:42 AM
Jorge,
I already tried the standard ACL, with the same result as well.
Here are the changes I've made:
route-map PBR permit 10
match ip address 9
set ip next-hop 156.106.131.228
where:
access-list 9 permit 156.106.151.0 0.0.0.255 log
interface vlan 114
ip address 156.106.151.1 255.255.255.0
ip ospf authentication-key 7
ip ospf cost 4
ip policy route-map PBR
------
Then, I'm trying a pathping from a host in this subnet
C:\>pathping con1
Tracing route to con1 [156.106.97.20]
over a maximum of 30 hops:
0 CND43663 [156.106.151.115]
1 156.106.151.1
2 md-int-ext-b [156.106.129.129]
3 156.106.58.168
4 con1 [156.106.97.20]
My PC has the following IP
C:\>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
IP Address. . . . . . . . . . . . : 156.106.151.115
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 156.106.151.1
---------------
I'm also posting the show ip route 156.106.151.0
BVCMSFC01#sh ip route 156.106.151.0
Routing entry for 156.106.151.0/24
Known via "connected", distance 0, metric 0 (connected, via interface)
Routing Descriptor Blocks:
* directly connected, via Vlan114
Route metric is 0, traffic share count is 1
06-27-2007 09:23 AM
It is odd, it should have worked.
Try this, keeping the same standard ACL and we'll include your vlan114 interface IP, also without the inverse mask:
access-list 9 permit 156.106.151.1
access-list 9 permit 156.106.151.115
Try tracert from your PC now.
06-28-2007 04:28 AM
Seems to work:
In the debug I can see the following:
BVCMSFC01#
Jun 28 14:22:07 CET: datagramsize=263, IP 45070: s=156.106.151.115 (Vlan114), d=156.106.151.255, totlen 249, fragment 0, fo 0, policy match
Jun 28 14:22:07 CET: IP: route map PBR, item 10, permit
Jun 28 14:22:07 CET: datagramsize=263, IP 45070: s=156.106.151.115 (Vlan114), d=156.106.151.255 (Vlan9), totlen 249, fragment 0, fo 0, policy routed
Jun 28 14:22:07 CET: IP: Vlan114 to Vlan9 156.106.131.228
Jun 28 14:22:39 CET: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 156.106.187.102(1754) -> 0.0.0.0(23), 1 packet
Jun 28 14:23:39 CET: %SEC-6-IPACCESSLOGP: list 2106 denied udp 156.106.209.15(0) (Vlan106 0010.8377.df87) -> 224.0.1.60(0), 1 packet
Jun 28 14:25:38 CET: datagramsize=92, IP 46160: s=156.106.151.115 (Vlan114), d=156.106.151.255, totlen 78, fragment 0, fo 0, policy match
Jun 28 14:25:38 CET: IP: route map PBR, item 10, permit
Jun 28 14:25:38 CET: datagramsize=92, IP 46160: s=156.106.151.115 (Vlan114), d=156.106.151.255 (Vlan9), totlen 78, fragment 0, fo 0, policy routed
Jun 28 14:25:38 CET: IP: Vlan114 to Vlan9 156.106.131.228
Jun 28 14:25:38 CET: datagramsize=92, IP 46176: s=156.106.151.115 (Vlan114), d=156.106.151.255, totlen 78, fragment 0, fo 0, policy match
Jun 28 14:25:38 CET: IP: route map PBR, item 10, permit
Jun 28 14:25:38 CET: datagramsize=92, IP 46176: s=156.106.151.115 (Vlan114), d=156.106.151.255 (Vlan9), totlen 78, fragment 0, fo 0, policy routed
Jun 28 14:25:38 CET: IP: Vlan114 to Vlan9 156.106.131.228
--------------------------------
But in this case, what conclusion do you draw?
Tks,
06-27-2007 07:23 AM
Sundar,
In fact, I tried it first without default and it did not work.
Chems
06-27-2007 07:59 AM
Can you post a
show ip route 156.106.131.228
from the router running the PBR?
06-27-2007 08:16 AM
BVCMSFC01#sh ip route 156.106.131.228
Routing entry for 156.106.128.0/21
Known via "connected", distance 0, metric 0 (connected, via interface)
Routing Descriptor Blocks:
* directly connected, via Vlan9
Route metric is 0, traffic share count is 1
BVCMSFC01#
06-27-2007 09:43 AM
Hi,
Can you describe your topology in more detail? Just to avoid hunting a "reporting problem". Intermediate routers usually answer with the outgoing interface, which might not be the interface where the packet was received. If, e.g., you have 4 fully meshed routers and are forcing a packet from R1 to R4 to go through R2 and R3, you might end up with a sequence of IP addresses which are on the direct links from R1 to R2 and R3 respectively.
I had this issue once, where packets were actually sent along the desired path, but the traceroute looked quite different. Just to be sure this is not the case here.
Regards, Martin
06-27-2007 11:49 PM
Martin,
We have 6 fully meshed backbone 6509 switches, all with MSFC2; they are connected to 3548XL switches where we have all our users. Each couple of 6509s is handling a subset of user VLANs, with HSRP. Inter-VLAN routing is handled by OSPF.
For this test, I'm using the PBR in only one 6509, in a test VLAN (156.106.151.0) with no HSRP.
Don't know if this is enough for you; otherwise I can describe our topology in more detail.
This morning I tried removing the match command, and it did work:
route-map PBR permit 10
set ip next-hop 156.106.131.228
But, typically, I don't want that!! I would like to have more flexibility.