2911 PBR issue

a.brazendale
Level 1

Afternoon,

I have been playing around in a lab with PBR and I can't seem to get it to work the way I *think* I have configured it to.

Basic background:

2 routers, 'SITE' and 'CARRIER' (both 2911s).

SITE has two ethernet interfaces, 1.1.1.2 (DATA) and 2.2.2.2 (VOICE). Both these interfaces are P2P to CARRIER (1.1.1.1 & 2.2.2.1 respectively).

There is a switch off of SITE that has two vlans, one with 10.9.167.0/21 (vlan10) and one with 10.9.127.0/24 (vlan20).

There is a web server hanging off of the CARRIER router on the subnet 192.168.0.0/24 with the IP address of 192.168.0.50.

On the client side, I'd like all traffic from the 10.9.167.0/21 subnet to go across the DATA connection and all traffic from 10.9.127.0/24 across the VOICE connection.

Here's what I have so far on SITE:

access list:

ip access-list extended DATA
 permit ip 10.9.160.0 0.0.7.255 any log
 deny   ip any any
!
ip access-list extended VOICE
 permit ip 10.9.127.0 0.0.0.255 any log
 deny   ip any any
!

then the route maps:

route-map PBR_DATA permit 10
 match ip address DATA
 set ip default next-hop 1.1.1.1
!
route-map PBR_VOICE permit 10
 match ip address VOICE
 set ip default next-hop 2.2.2.1
!

and then finally applied to the sub-interfaces:

interface GigabitEthernet0/2.10
 description DATA VLAN
 encapsulation dot1Q 10 native
 ip address 10.9.167.1 255.255.248.0
 ip policy route-map PBR_DATA
!
interface GigabitEthernet0/2.20
 description VOICE VLAN
 encapsulation dot1Q 20
 ip address 10.9.127.1 255.255.255.0
 ip policy route-map PBR_VOICE

When I do a 'show route-map' I don't see any increments in the counters for the PBR_VOICE route map, but I can successfully access the web server off of the CARRIER router from both PCs on the different VLANs. Also, when I do a 'debug ip policy' on the SITE router I get:

Mar 16 16:44:00.447: IP: s=10.9.127.50 (GigabitEthernet0/2.20), d=192.168.0.50, len 60, FIB policy rejected(no match) - normal forwarding
Mar 16 16:44:00.451: IP: s=10.9.127.50 (GigabitEthernet0/2.20), d=192.168.0.50, len 52, FIB policy rejected(no match) - normal forwarding
Mar 16 16:44:00.451: IP: s=10.9.127.50 (GigabitEthernet0/2.20), d=192.168.0.50, len 457, FIB policy rejected(no match) - normal forwarding
Mar 16 16:44:00.451: IP: s=10.9.127.50 (GigabitEthernet0/2.20), d=192.168.0.50, len 52, FIB policy rejected(no match) - normal forwarding

In the routing table I just have a default route to 1.1.1.1

I used the 'default next-hop' command in the route-maps because, according to a Cisco document, if the route is NOT present in the routing table, then it routes to the next hop.

I have tried using the standard 'set ip next-hop' variant and still get the same outcome.

It may be something obvious that I'm missing, but I've been looking at this for so long it's kind of all mush now.

If anyone has any comments, or a better way to do this, then I'm all ears.

Thanks,

Alan

2 Replies

Edison Ortiz
Hall of Fame

Did you check the counters on both ethernet interfaces to see if traffic is passing via the VOICE interface?

Can you use 'ip next-hop' instead?

Did you verify the VOICE interface is up/up?

Keep in mind, you may have to do PBR from the CARRIER router too - if you want the return traffic to use the VOICE interface.

Regards,

Edison

Alan

Like Edison I would like to see what happens if you set ip next-hop instead of default next-hop. I would also like to see what happens if you remove the log parameter from the access lists.

HTH

Rick

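Added example (mine, not from the thread or from Cisco): a small Python audit that reads the SITE configuration posted above and flags the two things the replies point at, a 'log' keyword on a permit entry of an ACL used by a route-map, and a permit entry whose wildcard does not cover the subnet of the interface the policy is applied to. The config text is the poster's own lines, trimmed to the PBR-relevant ones; parse_blocks and audit_pbr are names I chose. With CEF-switched PBR, IOS does not support the 'log' keyword in the matching ACL; such packets are forwarded normally, which is consistent with the 'FIB policy rejected' debug lines above.

```python
import ipaddress
import re
# Constructed sample: the PBR-relevant lines of the SITE configuration from the post above.
SITE_CONFIG = """\
ip access-list extended DATA
 permit ip 10.9.160.0 0.0.7.255 any log
ip access-list extended VOICE
 permit ip 10.9.127.0 0.0.0.255 any log
route-map PBR_DATA permit 10
 match ip address DATA
route-map PBR_VOICE permit 10
 match ip address VOICE
interface GigabitEthernet0/2.10
 ip address 10.9.167.1 255.255.248.0
 ip policy route-map PBR_DATA
interface GigabitEthernet0/2.20
 ip address 10.9.127.1 255.255.255.0
 ip policy route-map PBR_VOICE
"""

def parse_blocks(config):
    """Map each top-level IOS config line to its indented child lines ('!' and blanks dropped)."""
    blocks, key = {}, None
    for line in filter(str.strip, config.splitlines()):
        key = key if line[0] == " " else line.strip()
        blocks.setdefault(key, []).extend([line.strip()] if line[0] == " " else [])
    return blocks

def audit_pbr(config):
    """Return (iface, acl, kind, entry) for each 'ip policy route-map' interface: kind 'log' = permit
    carries 'log' (unsupported by CEF PBR, normal forwarding); 'cover' = permit misses the interface subnet."""
    blocks, findings = parse_blocks(config), []
    acls = {h.split()[-1]: b for h, b in blocks.items() if h.startswith("ip access-list")}
    rmaps = {h.split()[1]: b for h, b in blocks.items() if h.startswith("route-map")}
    for header, body in blocks.items():
        addr = next((l.split() for l in body if l.startswith("ip address ")), None)
        rmap = next((l.split()[-1] for l in body if l.startswith("ip policy route-map ")), None)
        if not (header.startswith("interface") and addr and rmap):
            continue
        iface, subnet = header.split()[1], ipaddress.ip_interface(f"{addr[2]}/{addr[3]}").network
        for acl in [c.split()[-1] for c in rmaps.get(rmap, []) if c.startswith("match ip address ")]:
            for entry in acls.get(acl, []):
                m = re.match(r"permit ip (\S+) (\S+) ", entry)  # deny lines are not checked
                if m and entry.split()[-1] == "log":
                    findings.append((iface, acl, "log", entry))
                if m and m.group(1)[0].isdigit():  # skip 'any' / 'host' sources
                    plen = 32 - int(ipaddress.IPv4Address(m.group(2))).bit_length()  # contiguous wildcard
                    if not subnet.subnet_of(ipaddress.ip_network(f"{m.group(1)}/{plen}", strict=False)):
                        findings.append((iface, acl, "cover", entry))
    return findings
```

Running audit_pbr on the sample reports a 'log' finding for both policy interfaces and no coverage problem, since 10.9.160.0 0.0.7.255 does cover 10.9.167.1/21.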