Policy Based Routing Cat 6503

gsidhu
Level 3

Hi,

I have configured a Catalyst 6503 switch with PBR based on the following requirements:

If the source address is 10.91.x.x and the destination address is 10.152.x.x or 10.153.x.x, route the packet to 10.91.208.5 (i.e. make 10.91.208.5 the next-hop address).

If the source is any other address (non 10.91.x.x), route the packet to 10.153.47.245.

The 6503 is a core distribution switch with all the traffic coming in from Catalyst 3750 access switches connected to the 6503 over uplink connections. I have attached the main parts of the configuration. Hence I have applied the policy to the uplink ports. I think the problem may be with the static routes.

Please could somebody have a look through the configuration and tell me why it is not working.

Thanks


6 Replies

Jon Marshall
Hall of Fame
(Accepted Solution)

gsidhu wrote:

Hi,

I have configured a Catalyst 6503 switch with PBR based on the following requirements:

If the source address is 10.91.x.x and the destination address is 10.152.x.x or 10.153.x.x, route the packet to 10.91.208.5 (i.e. make 10.91.208.5 the next-hop address).

If the source is any other address (non 10.91.x.x), route the packet to 10.153.47.245.

The 6503 is a core distribution switch with all the traffic coming in from Catalyst 3750 access switches connected to the 6503 over uplink connections. I have attached the main parts of the configuration. Hence I have applied the policy to the uplink ports. I think the problem may be with the static routes.

Please could somebody have a look through the configuration and tell me why it is not working.

Thanks

What exactly is not working?

Also, when you say this:

If the source is any other address (non 10.91.x.x) route the packet to 10.153.47.245

do you mean any other source with the destination as 10.152.x.x or 10.153.x.x? If you mean any source to any destination: if the destination is not 10.152.x.x or 10.153.x.x then it will use the default route on your 6500, which is 10.91.208.5.

Jon
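The policy as described in the original post, together with the static routes that the later replies show on the 6503, written out as an added example configuration. This is not the configuration the poster attached (which is not reproduced in the thread); the ACL and route-map names are assumed, while the addresses, masks and the gi 2/5 uplink are those given in the thread. Because the default route already points at 10.91.208.5, the route-map changes forwarding only for 10.91.x.x sources going to 10.152.x.x or 10.153.x.x, which the two static routes would otherwise send to 10.153.47.245; every other packet follows the routing table exactly as Jon describes.

```cisco
! Match only the traffic the policy is meant to redirect:
! source 10.91.0.0/16 to destination 10.152.0.0/16 or 10.153.0.0/16.
! Anything not permitted here is NOT policy-routed and falls through
! to the normal routing table. (ACL name is assumed.)
ip access-list extended PBR-10-91-TO-REMOTE
 permit ip 10.91.0.0 0.0.255.255 10.152.0.0 0.0.255.255
 permit ip 10.91.0.0 0.0.255.255 10.153.0.0 0.0.255.255
!
! Matching packets get 10.91.208.5 as their next hop. There is no
! second sequence with an empty match: unmatched packets are routed
! normally, which is what the "any other source" requirement needs.
! (Route-map name is assumed.)
route-map PBR-CORE permit 10
 match ip address PBR-10-91-TO-REMOTE
 set ip next-hop 10.91.208.5
!
! Routing table used for everything the route-map does not catch:
! non-10.91.x.x sources reach 10.152/16 and 10.153/16 via 10.153.47.245,
! all remaining destinations take the default route via 10.91.208.5.
ip route 10.152.0.0 255.255.0.0 10.153.47.245
ip route 10.153.0.0 255.255.0.0 10.153.47.245
ip route 0.0.0.0 0.0.0.0 10.91.208.5
!
! The policy is evaluated on ingress, so it goes on the uplink that the
! 3750 access switch connects to (gi 2/5 in the thread).
interface GigabitEthernet2/5
 ip policy route-map PBR-CORE
```

To check that the policy is actually being hit, `show route-map PBR-CORE` on the 6503 reports a policy-routing match counter for sequence 10, and an extended ping or traceroute from the 3750 with a 10.91.x.x loopback as the source (`ping 10.152.19.8 source 10.91.215.129`, `traceroute 10.152.19.8 source 10.91.215.129`) shows whether the packet leaves towards 10.91.208.5. One caveat when reading `debug ip policy` on a Catalyst 6500: with a PFC, matching packets are policy-routed in hardware and the debug only reports packets that are switched in software, so an empty debug does not by itself mean that nothing matched. The thread's own outcome is a reminder that a forwarding test needs the return path as well: a ping that dies after the 6503 can be a routing or filtering problem at the far end rather than in the route-map.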

gsidhu
Level 3

Thank you for your quick reply

Yes, I mean any other source with destination as 10.152.x.x or 10.153.x.x should be routed via the static route.

I have set up loopback addresses on a Catalyst 3750 switch which is connected to port 2/5 on the 6503 (the loopback addresses are for testing PBR):

int loopback 512
 ip address 10.91.215.129 255.255.255.128
int loopback 522
 ip address 10.153.45.129 255.255.255.128

When I do an extended ping to 10.152.19.8 using 10.153.45.129 as the source address I get a reply, which is what I expect as there is a static route for the 10.152.0.0 network via 10.153.47.245.

When I do an extended ping to 10.152.19.8 using 10.91.215.129 as the source address I don't get a reply.

I have 'debug ip policy' running on the 6503 and nothing shows up in the logs.

gsidhu wrote:

Thank you for your quick reply

Yes, I mean any other source with destination as 10.152.x.x or 10.153.x.x should be routed via the static route.

I have set up loopback addresses on a Catalyst 3750 switch which is connected to port 2/5 on the 6503 (the loopback addresses are for testing PBR):

int loopback 512
 ip address 10.91.215.129 255.255.255.128
int loopback 522
 ip address 10.153.45.129 255.255.255.128

When I do an extended ping to 10.152.19.8 using 10.153.45.129 as the source address I get a reply, which is what I expect as there is a static route for the 10.152.0.0 network via 10.153.47.245.

When I do an extended ping to 10.152.19.8 using 10.91.215.129 as the source address I don't get a reply.

I have 'debug ip policy' running on the 6503 and nothing shows up in the logs.

Okay, so what device is 10.91.208.5? Because that is where you should be looking. Assuming the PBR is working on the 6500, the packet will be sent to 10.91.208.5.

Could you try using a traceroute from the 3750 to see how far it gets?

Jon

Jon,

During the day a user connected to the switch with a 10.91.x.x IP address was able to get to all servers, internet, etc. (via the default route through 10.91.208.5). The user was unable to get to 10.152.x.x addresses and 10.153.x.x addresses. I'm wondering if the issue is with the firewall rules at the remote site?

The user was only able to get to the 10.152.x.x and 10.153.x.x networks when he changed his IP address to a 10.153.45.x address.

When I traceroute from the 3750 switch (hence my source IP address is 10.91.209.110), the packet goes as far as 10.91.208.109, which is the gi 2/5 interface of the 6503, then it times out.

I'm going to remove the 10.152.x.x and 10.153.x.x static routes so that all traffic gets routed via 10.91.208.5.

Hi Jon,

I removed

ip route 10.152.0.0 255.255.0.0 10.153.47.245
ip route 10.153.0.0 255.255.0.0 10.153.47.245

leaving one static (default) route:

ip route 0.0.0.0 0.0.0.0 10.91.208.5

I also removed the policy from gi 2/5 on the 6503.

Extended ping from both loopback interfaces to 10.152.19.8 (which is an address on the remote site) failed.

It looks like the packets get to the remote site but on the return path they get dropped.

gsidhu wrote:

Hi Jon,

I removed

ip route 10.152.0.0 255.255.0.0 10.153.47.245
ip route 10.153.0.0 255.255.0.0 10.153.47.245

leaving one static (default) route:

ip route 0.0.0.0 0.0.0.0 10.91.208.5

I also removed the policy from gi 2/5 on the 6503.

Extended ping from both loopback interfaces to 10.152.19.8 (which is an address on the remote site) failed.

It looks like the packets get to the remote site but on the return path they get dropped.

Thanks for letting me know. It's not an issue with your PBR config then, but a routing issue further down the line.

Jon
