03-30-2012 12:37 AM - edited 03-01-2019 02:33 PM
Hi
I have some problems getting PBR working on a 7600 with 12.2.33SRD4 and I also tried with 15.0.1.s5.
I have used the following configuration for pbr:
ip access-list standard CGN-CPE-ADDR
 permit 10.52.0.0 0.1.255.255
 deny any
!
interface Te3/1.2100
 description *** CGN router Inside ***
 encapsulation dot1q 2100
 ip address x.x.x.x 255.255.255.254
 ip ospf message-digest-key 10 md5 7 1310191B181517
 ip ospf network point-to-point
!
interface Te3/1.2200
 description *** CGN router Outside ***
 encapsulation dot1q 2200
 ip address y.y.y.y 255.255.255.254
!
route-map CGN-MATCH permit
 match ip address CGN-CPE-ADDR
 set ip next-hop z.z.z.z
!
interface Port-channel 11
 ip policy route-map CGN-MATCH
The problem is that I don't get any hits on the ACL.
Any idea?
/claus
04-12-2012 06:24 AM
Hi Claus,
This is quite normal and expected. No need to worry about it.
The ACL will show hits only for software-switched traffic (through the CPU), while for hw-switched traffic there are no hits in the ACEs. On the contrary, you should be worried if you saw increasing hits, as that would mean that your router is doing process switching for the PBR, and for sure you don't want that.
To see PBR-related statistics you need to use another command, fetching the info from TCAM directly, which is
show tcam interface po11 acl in ip
You would see an output very similar to your ACL linked to the route-map with hit counters too.
Something like this:
* Global Defaults shared
Entries from Bank 0
Entries from Bank 1
permit ip any 224.0.0.0 15.255.255.255
policy-route tcp 10.149.254.96 0.0.0.7
policy-route tcp 10.149.254.96 0.0.0.7
policy-route ip 10.149.254.96 0.0.0.7 any (45173 matches)
permit ip any any (21248 matches)
regards,
Riccardo
04-12-2012 06:32 AM
Don't see any hits
I have moved all config to a test environment, so PBR is not on po11 but on te6/3.101 for testing.
prove-core-a-pe-01#show tcam interface te6/3.101 acl in ip
* Global Defaults not shared
Entries from Bank 0
Entries from Bank 1
permit ip any 224.0.0.0 15.255.255.255
policy-route ip 10.52.0.0 0.1.255.255 any
permit ip any any
prove-core-a-pe-01#
/claus
04-12-2012 07:07 AM
Hi Claus,
does your module on slot 3 (the one where the PBR is actually attached to) have a DFC?
I might think so; in this case you need to check the stats on that module.
show tcam interface te6/3.101 acl in ip module 3
Riccardo
04-12-2012 07:10 AM
Yes (it is actually module 6)
/claus
prove-core-a-pe-01#sh module
Mod Ports Card Type Model Serial No.
--- ----- -------------------------------------- ------------------ -----------
5 2 Supervisor Engine 720 (Active) WS-SUP720-3BXL xxxxx
6 4 CEF720 4 port 10-Gigabit Ethernet WS-X6704-10GE xxxxx
Mod MAC addresses Hw Fw Sw Status
--- ---------------------------------- ------ ------------ ------------ -------
5 0013.7f0a.5808 to 0013.7f0a.580b 4.3 8.1(3) 15.0(1)S5 Ok
6 0019.30fe.a148 to 0019.30fe.a14b 2.6 12.2(14r)S5 15.0(1)S5 Ok
Mod Sub-Module Model Serial Hw Status
---- --------------------------- ------------------ ----------- ------- -------
5 Policy Feature Card 3 WS-F6K-PFC3BXL xxxxxxxx 1.6 Ok
5 MSFC3 Daughterboard WS-SUP720 xxxxxxxx 2.3 Ok
6 Distributed Forwarding Card WS-F6700-DFC3BXL xxxxx 5.3 Ok
Mod Online Diag Status
---- -------------------
5 Pass
6 Pass
prove-core-a-pe-01#
04-12-2012 07:22 AM
Hi Claus, I clearly made a typo.
The command to check is
show tcam interface te6/3.101 acl in ip module 6
do you get stats?
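The two checks Riccardo describes above (reading the hit counters on the policy-route ACEs in the TCAM view, and querying a DFC-equipped line card with the module keyword) as an added Python example; this is not code from the thread, the sample outputs are constructed after the ones posted here, and the function names are my own.

```python
import re

# Constructed sample of "show tcam interface <if> acl in ip" output, modelled on
# the output pasted in this thread (counter values are made up).
SAMPLE_TCAM = """\
* Global Defaults shared
Entries from Bank 0
Entries from Bank 1
permit ip any 224.0.0.0 15.255.255.255
policy-route ip 10.52.0.0 0.1.255.255 any (45173 matches)
permit ip any any (21248 matches)
"""

# Constructed excerpt of "show module", modelled on the one posted above.
SAMPLE_MODULE = """\
Mod Sub-Module Model Serial Hw Status
---- --------------------------- ------------------ ----------- ------- -------
5 Policy Feature Card 3 WS-F6K-PFC3BXL xxxxxxxx 1.6 Ok
5 MSFC3 Daughterboard WS-SUP720 xxxxxxxx 2.3 Ok
6 Distributed Forwarding Card WS-F6700-DFC3BXL xxxxx 5.3 Ok
"""

# One ACE line: action, the rule text, and an optional "(N matches)" hit counter.
ACE_RE = re.compile(r"^(permit|deny|policy-route)\s+(.*?)(?:\s+\((\d+) matches\))?$")


def parse_tcam(text):
    """Return [(action, rule, matches)] for every ACE line; matches is 0 when no counter is printed."""
    entries = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2), int(m.group(3) or 0)))
    return entries


def pbr_hits(text):
    """Hardware hit count on the policy-route ACEs, i.e. the PBR part of the TCAM view.
    Zero on the supervisor view is not conclusive when the ingress card has a DFC."""
    return sum(n for action, _rule, n in parse_tcam(text) if action == "policy-route")


def dfc_modules(show_module_text):
    """Slot numbers whose sub-module line names a Distributed Forwarding Card."""
    return sorted({int(line.split()[0]) for line in show_module_text.splitlines()
                   if "Distributed Forwarding Card" in line})


def tcam_commands(interface, show_module_text):
    """Commands to collect: the supervisor/PFC view plus one per DFC-equipped line card."""
    base = f"show tcam interface {interface} acl in ip"
    return [base] + [f"{base} module {m}" for m in dfc_modules(show_module_text)]
```

Feed the real outputs of both show commands into `parse_tcam` and `dfc_modules` to get the same answer Riccardo arrives at in the thread: which module to query, and whether the policy-route entry is actually being hit in hardware.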
04-12-2012 07:25 AM
I saw the typo, and ran the command for the correct interface.
/claus
04-12-2012 07:26 AM
I suppose you get increasing hits now, correct?
04-12-2012 07:40 AM
Unfortunately not.
The network is a small SP running an MPLS core. The link where I try to do PBR is NOT part of the MPLS cloud, but the next hop I'm trying to set is.
/claus
04-12-2012 07:45 AM
So the traffic which is supposed to be policy routed will be MPLS labelled after the lookup?
If this is the case the PBR will not work. PBR is just for IP routing, not for MPLS routing.
04-12-2012 08:02 AM
What if traffic comes in on a labeled link, but will be forwarded on a non-MPLS link?
When it comes to the node there is no label, because penultimate hop popping has kicked in, or am I totally off here?
I made a small drawing as an example, hope it makes sense :-)
/claus
04-12-2012 08:15 AM
It depends on the type of MPLS you are talking about.
Considering that you mentioned the PE role, you might be talking of MPLS VPN and not just an MPLS-enabled core network.
If it is MPLS VPN, the traffic coming from the core, even after the PHP behavior, will have an MPLS label (VPN label).
If this is true the PBR will not work, as you cannot have an input IP ACL matching against MPLS traffic.
Is yours an MPLS VPN setup (i.e.: the source is behind some vrf)?
04-12-2012 08:24 AM
The source is in the global routing table, so no MPLS VPN.
So from that point of view, just plain MPLS :-)
/claus
04-12-2012 08:27 AM
It should work then.
04-12-2012 09:30 AM
If it does not, let me know, as I might have a look at it.