07-08-2013 09:47 PM - edited 03-04-2019 08:24 PM
! Last configuration change at 23:48:37 EDT Mon Jul 8 2013 by admin
! NVRAM config last updated at 23:48:38 EDT Mon Jul 8 2013 by admin
!
ip dhcp pool office-pool
import all
network 172.25.11.0 255.255.255.0
default-router 172.25.11.1
dns-server 209.18.47.61 209.18.47.62
lease 0 2
!
!
interface FastEthernet8
description ASA Connection
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
!
!
interface GigabitEthernet0
description Default WLAN
ip address dhcp
ip flow ingress
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
!
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan4
arp timeout 0
!
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport trunk native vlan 4
switchport mode trunk
!
!
!
interface Vlan4
description Default Office VLAN
ip address 172.25.11.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
ip policy route-map RMAP-TO-VPN
!
!
ip local policy route-map RMAP-TO-VPN
!
!
ip nat inside source list ACL-NAT-ROUTING interface GigabitEthernet0 overload
!
ip access-list extended ACL-NAT-ROUTING
deny ip 172.25.11.0 0.0.0.255 172.25.11.0 0.0.0.255
permit ip 172.25.11.0 0.0.0.255 any
ip access-list extended ACL-ROUTE-TO-VPN
permit tcp 172.25.11.0 0.0.0.255 host 173.194.37.40
permit icmp 172.25.11.0 0.0.0.255 host 173.194.37.40
!
!
route-map RMAP-TO-VPN permit 10
match ip address ACL-ROUTE-TO-VPN
set ip next-hop 10.116.40.113
set ip next-hop verify-availability
!
end
Hi,
I'm trying to set up a basic route-map. For testing I just have a couple of test permits in the route map (Google's IP). If the IP matches an address in ACL-ROUTE-TO-VPN, I want it to route through 10.116.40.113 (Fast8). I'm able to ping 10.116.40.113 from a machine attached to the router. When I use "set ip next-hop verify-availability" the ping to 173.194.37.40 succeeds (it falls back to the normal route).
Jul 9 04:25:04.600: IP: s=172.25.11.3 (Vlan4), d=173.194.37.40, len 60, FIB policy match
Jul 9 04:25:04.600: IP: s=172.25.11.3 (Vlan4), d=173.194.37.40, len 60, PBR Counted
Jul 9 04:25:04.600: IP: s=172.25.11.3 (Vlan4), d=173.194.37.40, len 60, FIB policy rejected - normal forwarding
If I turn off verify-availability, I see it trying to route to 10.116.40.113, and then fails.
Jul 9 04:27:15.555: IP: s=172.25.11.3 (Vlan4), d=173.194.37.40, len 60, FIB policy match
Jul 9 04:27:15.555: IP: s=172.25.11.3 (Vlan4), d=173.194.37.40, len 60, PBR Counted
Jul 9 04:27:15.555: IP: s=172.25.11.3 (Vlan4), d=173.194.37.40, g=10.116.40.113, len 60, FIB policy routed
If I shut down int Gig0 and set the default route for all traffic to 10.116.40.113, I'm able to access it via int Fast8. It's only through the route-map that it's failing.
What am I missing?
Thanks!
07-09-2013 02:08 AM
Hi,
The reason why PBR is working after you delete "verify-availability" is:
set ip next-hop verify-availability needs CDP; more information can be found here:
http://www.cisco.com/en/US/docs/ios/iproute_pi/command/reference/iri_pi2.html#wp1012541
Jul 9 04:27:15.555: IP: s=172.25.11.3 (Vlan4), d=173.194.37.40, len 60, FIB policy match
Jul 9 04:27:15.555: IP: s=172.25.11.3 (Vlan4), d=173.194.37.40, len 60, PBR Counted
Jul 9 04:27:15.555: IP: s=172.25.11.3 (Vlan4), d=173.194.37.40, g=10.55.40.50, len 60, FIB policy routed
This should already indicate that the packet is policy routed, per my understanding.
Regards
07-09-2013 03:14 PM
Hi,
I enabled CDP and no luck. Just to clarify, PBR is not working when I delete verify-availability. The routing is going through Gig0 when I enable verify-availability because it rejects the policy... It thinks 10.116.40.113 is unreachable. At this point any traffic it tries to route via PBR appears to be dropped.
This is what I can't figure out. I'm able to ping 10.116.40.113.
C:\>ping 10.116.40.113
Pinging 10.116.40.113 with 32 bytes of data:
Reply from 10.116.40.113: bytes=32 time=82ms TTL=110
Reply from 10.116.40.113: bytes=32 time=79ms TTL=110
Reply from 10.116.40.113: bytes=32 time=81ms TTL=110
Reply from 10.116.40.113: bytes=32 time=84ms TTL=110
07-10-2013 08:58 AM
Hi,
It seems interface FastEthernet8 is connected to an ASA, which disables CDP by default. When you run show cdp neighbors on this router, are you able to see the ASA?
Could you post "show ip route" and "show ip int b"?
07-10-2013 02:57 PM
Hi,
Yes, when I run show cdp neighbors, I'm able to see the router hanging off the Fast8 interface. Here are my routing and interface details below.
Thanks!
router-891#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP....
...removed....
Gateway of last resort is 172.20.1.1 to network 0.0.0.0

S*    0.0.0.0/0 [254/0] via 172.20.1.1
                [254/0] via 10.116.40.113
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.116.40.112/28 is directly connected, FastEthernet8
L        10.116.40.119/32 is directly connected, FastEthernet8
      172.20.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.20.1.0/24 is directly connected, GigabitEthernet0
L        172.20.1.123/32 is directly connected, GigabitEthernet0
      172.25.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.25.11.0/24 is directly connected, Vlan4
L        172.25.11.1/32 is directly connected, Vlan4

router-891#show ip int b
Interface              IP-Address      OK? Method Status                Protocol
Async1                 unassigned      YES NVRAM  down                  down
FastEthernet0          unassigned      YES unset  down                  down
FastEthernet1          unassigned      YES unset  down                  down
FastEthernet2          unassigned      YES unset  down                  down
FastEthernet3          unassigned      YES unset  down                  down
FastEthernet4          unassigned      YES unset  down                  down
FastEthernet5          unassigned      YES unset  down                  down
FastEthernet6          unassigned      YES unset  down                  down
FastEthernet7          unassigned      YES unset  down                  down
FastEthernet8          10.116.40.119   YES DHCP   up                    up
GigabitEthernet0       172.20.1.123    YES DHCP   up                    up
NVI0                   unassigned      YES unset  administratively down down
Vlan1                  unassigned      YES NVRAM  up                    up
Vlan4                  172.25.11.1     YES NVRAM  up                    up
Wlan-GigabitEthernet0  unassigned      YES unset  up                    up
wlan-ap0               172.25.11.1     YES TFTP   up                    up
07-14-2013 01:20 AM
Hi Chris,
Sorry for the late reply.
Today I tested this in the lab, and I can achieve the policy routing; here are the details.
The topology is very simple: R1 acts as your Cisco 891, R2 is the client, and R3 and R4 act as two different next hops. R3 has IP 10.116.40.113 and 173.194.37.40 as a loopback (to simulate Google), and R4 has IP 172.20.1.1.
To start with, I removed "ip local policy route-map RMAP-TO-VPN", as this configuration is only for local traffic; it's not necessary.
S* 0.0.0.0/0 [254/0] via 172.20.1.1
[254/0] via 10.116.40.113
I also noticed you have configured two equal-cost default routes, to 172.20.1.1 and to 10.116.40.113. This actually contradicts the purpose of PBR: we use PBR to select traffic and forward it to the desired next hop, so I used 172.20.1.1 as the only default route.
I copied most of your configuration to R1, and when R2 pings 173.194.37.40, the debug is as follows, which means PBR is working.
*Mar 1 00:30:21.815: IP: s=172.25.11.2 (Vlan4), d=173.194.37.40, g=10.116.40.113, len 100, FIB policy routed
*Mar 1 00:30:22.055: IP: s=172.25.11.2 (Vlan4), d=173.194.37.40, len 100, FIB policy match
The next thing I tested was "set ip next-hop verify-availability".
If I disable CDP on R3, then traffic isn't forwarded to R3; this is in line with the document above.
R3(config-if)#int f0/0
R3(config-if)#no cdp enable
R1#sh cdp n
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
R2.lab.local     Fas 0/1           146        R S I       3640      Fas 0/0
R4.lab.local     Fas 2/0           137        R S I       3640      Fas 0/0
*Mar 1 00:29:30.523: IP: s=172.25.11.2 (Vlan4), d=173.194.37.40, len 100, FIB policy match
*Mar 1 00:29:30.523: IP: s=172.25.11.2 (Vlan4), d=173.194.37.40, len 100, FIB policy rejected - normal forwarding
If I turn it on, traffic is sent to R3 again.
R1#sh cdp n
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
R2.lab.local     Fas 0/1           138        R S I       3640      Fas 0/0
R3.lab.local     Fas 1/0           176        R S I       3640      Fas 0/0
R4.lab.local     Fas 2/0           128        R S I       3640      Fas 0/0
*Mar 1 00:29:57.083: IP: s=172.25.11.2 (Vlan4), d=173.194.37.40, len 100, FIB policy match
*Mar 1 00:29:57.083: IP: s=172.25.11.2 (Vlan4), d=173.194.37.40, g=10.116.40.113, len 100, FIB policy routed
Hope this clears your doubt.
Regards
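The CDP dependence shown in the lab above is the default behaviour of "set ip next-hop verify-availability" when it is given no arguments: the router only treats the next hop as available if it appears in the CDP neighbour table, so an ASA (or any edge device with CDP off) is considered unreachable and the packet falls back to normal forwarding, exactly as the "FIB policy rejected - normal forwarding" debug lines show. The tracked form of the same command uses an IP SLA probe instead, which means CDP can stay disabled on the interface facing the ASA rather than being enabled on an edge link just to satisfy PBR. The configuration below is an added example and not from this thread or from Cisco's documentation; it reuses the thread's interface names, ACL and addresses, assumes IOS 15.x command syntax on the 891, and the NAT part at the end assumes the ASA path also needs the inside hosts translated (an assumption, since the thread does not say what the ASA expects).

```cisco
! Added example (not from the thread): replace the CDP-based availability
! check with an IP SLA tracked object. Names and addresses from the thread;
! IOS 15.x syntax assumed.
!
! 1. Probe the ASA next hop every 10 seconds, sourced from the interface
!    that faces it, so the probe follows the same path the policy uses.
ip sla 1
 icmp-echo 10.116.40.113 source-interface FastEthernet8
 frequency 10
ip sla schedule 1 life forever start-time now
!
! 2. Turn the probe result into a tracked object the route-map can consult.
track 1 ip sla 1 reachability
!
! 3. Remove the CDP-dependent statements and reference the tracked object.
!    "10" is the sequence number of this next hop inside the set clause.
route-map RMAP-TO-VPN permit 10
 match ip address ACL-ROUTE-TO-VPN
 no set ip next-hop 10.116.40.113
 no set ip next-hop verify-availability
 set ip next-hop verify-availability 10.116.40.113 10 track 1
!
! 4. CDP can stay off on the edge interface; the policy no longer needs it.
interface FastEthernet8
 no cdp enable
!
! 5. Assumption: if traffic sent to the ASA must be translated to the
!    FastEthernet8 address, a single "interface GigabitEthernet0 overload"
!    statement is not enough, because it always translates to Gi0's address.
!    Select the NAT pool by egress interface instead.
no ip nat inside source list ACL-NAT-ROUTING interface GigabitEthernet0 overload
ip nat inside source route-map NAT-VIA-GI0 interface GigabitEthernet0 overload
ip nat inside source route-map NAT-VIA-FA8 interface FastEthernet8 overload
route-map NAT-VIA-GI0 permit 10
 match ip address ACL-NAT-ROUTING
 match interface GigabitEthernet0
route-map NAT-VIA-FA8 permit 10
 match ip address ACL-NAT-ROUTING
 match interface FastEthernet8
!
! Verification (exec mode):
!   show track 1                 expect "Reachability is Up"
!   show ip sla statistics 1     success count should increase
!   show route-map RMAP-TO-VPN   policy match counters should increase
!   debug ip policy              expect "g=10.116.40.113 ... FIB policy routed"
```

If the probe fails, "show track 1" reports Down and the route-map skips the next hop, so matched traffic follows the normal routing table (the Gi0 default route) instead of being black-holed. On older IOS releases the SLA and tracking commands use the "ip sla monitor" and "track ... rtr ... reachability" forms, so check the release notes for the exact syntax on the platform in use.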
07-14-2013 10:24 AM
Hi,
Thank you for taking the time to set this up. Would you mind posting the config you have set up on R1 and R3, if you still have it? I wanted to see how you have the IP routing configured.
Cheers,
Chris
07-15-2013 04:33 AM
R1(config-if)#do sh run
Building configuration...
Current configuration : 2288 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip subnet-zero
!
!
ip cef
no ip domain lookup
ip domain name lab.local
no ip dhcp use vrf connected
!
ip dhcp pool office-pool
import all
network 172.25.11.0 255.255.255.0
default-router 172.25.11.1
dns-server 209.18.47.61 209.18.47.62
lease 0 2
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
no crypto isakmp ccm
!
!
!
!
interface FastEthernet0/0
switchport access vlan 4
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet1/0
ip address 10.116.40.119 255.255.255.240
duplex auto
speed auto
!
interface FastEthernet2/0
ip address 172.20.1.123 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Vlan1
no ip address
!
interface Vlan4
description Default Office VLAN
ip address 172.25.11.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
ip policy route-map RMAP-TO-VPN
!
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 172.20.1.1
!
!
ip nat inside source list ACL-NAT-ROUTING interface FastEthernet2/0 overload
!
!
ip access-list extended ACL-NAT-ROUTING
deny ip 172.25.11.0 0.0.0.255 172.25.11.0 0.0.0.255
permit ip 172.25.11.0 0.0.0.255 any
ip access-list extended ACL-ROUTE-TO-VPN
permit tcp 172.25.11.0 0.0.0.255 host 173.194.37.40
permit icmp 172.25.11.0 0.0.0.255 host 173.194.37.40
!
route-map RMAP-TO-VPN permit 10
match ip address ACL-ROUTE-TO-VPN
set ip next-hop 10.116.40.113
set ip next-hop verify-availability
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
R2(config-if)#do sh run
Building configuration...
Current configuration : 740 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip subnet-zero
!
!
ip cef
no ip domain lookup
ip domain name lab.local
no ip dhcp use vrf connected
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
no crypto isakmp ccm
!
!
!
!
interface FastEthernet0/0
ip address dhcp
duplex auto
speed auto
!
no ip http server
no ip http secure-server
ip classless
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
R3#sh run
Building configuration...
Current configuration : 868 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip subnet-zero
!
!
ip cef
no ip domain lookup
ip domain name lab.local
no ip dhcp use vrf connected
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
no crypto isakmp ccm
!
!
!
!
interface Loopback0
ip address 173.194.37.40 255.255.255.255
!
interface FastEthernet0/0
ip address 10.116.40.113 255.255.255.240
duplex auto
speed auto
!
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 10.116.40.119
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
R4(config)#do sh run
Building configuration...
Current configuration : 760 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R4
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip subnet-zero
!
!
ip cef
no ip domain lookup
ip domain name lab.local
no ip dhcp use vrf connected
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
no crypto isakmp ccm
!
!
!
!
interface FastEthernet0/0
ip address 172.20.1.1 255.255.255.0
duplex auto
speed auto
!
no ip http server
no ip http secure-server
ip classless
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end