Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

PBR doesn't work

Hi all,
I configured PBR at C4507R-E.  When user goes to internet, it match with access-list 181, and traffic should be go to "set ip next hop". But traffic doesn't go to set ip next hop, it send to default route. I configured access-list, route map and apply route map at intervace vlan. From show route-map, I can see that policy routing matches the packets.

Please see attached for show int vlan, sh access-list, sh route-map route-map configuration and debug ip packet 181.

Any help?

Thanks..

12 REPLIES
New Member

Re: PBR doesn't work

Hi,

I am not getting why u mention the line   10 deny ip any 10.0.0.0 0.0.0.255.

And you have set your next hop to the same range.

If i am not wrong this ACL is blocking the packet before reaching to the Next hop..

Kindly let me know if i m  wrong..

New Member

Re: PBR doesn't work

It's used for deny network 10.0.0.x/24. My next hop address is 10.137.221.1 (network 10.137.221.0/24).

From sh access-lists, it doesn't show that line "10 deny ip any 10.0.0.0 0.0.0.255" match with any packet

Hall of Fame Super Blue

Re: PBR doesn't work

Your debug does not show any packets being sent from a 10.137.221.x client to the internet (as far as i can see) so it's not possible to say whether it is working or not.

Also you have the next-hop in your PBR reachable back out of the same interface that the PBR is applied to. This is unusual but should work anyway, at least it does on a router with 12.4.

Quickest test is to do a traceroute from a 10.137.221.x client to an internet address and see what the next-hop is from the 4500. Have you done this ? If not could you and see what it says.

Jon

New Member

Re: PBR doesn't work

Here is the traceroute result:

C:\Documents and Settings\9368>tracert 209.85.175.106

Tracing route to 209.85.175.106 over a maximum of 30 hops

  1    38 ms    19 ms    24 ms  10.137.221.9

  2    35 ms    22 ms    30 ms  167.96.140.1

  3     *        *        *     Request timed out.

  4     *        *        *     Request timed out.

  5  ^C

C:\Documents and Settings\9368>

167.96.140.1 is default route for 10.137.221.9. Packet goes to default route, should be goes to ip next hop (10.137.221.1).

Thanks..

Hall of Fame Super Blue

Re: PBR doesn't work

What is the source IP you are tracerouting from ?

Jon

New Member

Re: PBR doesn't work

You can't use Deny statements in PBR. Either it policy routes or it doesn't.

Matches the ACL or doesn't

Hall of Fame Super Blue

Re: PBR doesn't work

letsgomets wrote:

You can't use Deny statements in PBR. Either it policy routes or it doesn't.

Matches the ACL or doesn't

Just to clarify, you can indeed use deny statements in PBR and in fact that is exactly what you need to do in the above situation. Because the internet can be any address you need to exclude the IP addresses you don't want to PBR ie. the other internal networks. So the above acl has all the denies first, which means don't PBR and then the permit ip any any at the end for the internet traffic.

If you only used permit ip any any that would also PBR internal networks which the OP doesn't want by the looks of it.

Jon

New Member

Re: PBR doesn't work

The source IP is :10.137.221.5

Hall of Fame Super Blue

Re: PBR doesn't work

Well, there doesn't seem to be any issue with your config.

Is 10.137.221.1 up and reachable from the 4500 ?

Couple of things -

1) can you do a debug as before when you try the traceroute

2) if possible could you simply replace acl 181 with

access-list 101 permit ip any any

and then see if all traffic is being policy routed to 10.137.221. I appreciate this may not be possible.

Nothing else springs to mind unless -

1) it is a bug in the IOS

2) it is because you are sending it back out the same interface. I know this works fine on 12.4 but maybe not on a catalyst switch although i think that unlikely.

Jon

New Member

Re: PBR doesn't work

Yes, 10.137.221.1 up and reachable from the 4500.

For debug results, I will send it later.

My IOS version is (cat4500e-ENTSERVICESK9-M), Version 12.2(40)SG, RELEASE SOFTWARE (fc2).

"it is because you are sending it back out the same interface."

Please see my topology (attached)

New Member

Re: PBR doesn't work

1) For debug result ( debug ip packet 181 - result of traceroute ACL 181) please see attached

2. "access-list 101 permit ip any any"  brought some congestion on the core. So I didn't captured.

How about topology, is possible PBR configured with that topology?

Thanks...

Hall of Fame Super Gold

Re: PBR doesn't work

Can you try

set ip default next-hop 10.137.221.1

703
Views
0
Helpful
12
Replies
CreatePlease login to create content