PBR on a vlan interface

miwitte
Level 4

I want to force users on a guest VLAN so their next hop is our BBSM. I am pretty sure it's supposed to go on the guest VLAN interface, but I am getting some errors with policy routing. Or should it go on the Gi uplink to the rest of the network? I have tried using a static route to the 192.168.48.0 network and it does not work with or without it. The debug ip policy shows it not policy routing but forwarding normally, with or without the static route to that network. This is a 4507.

int vlan 848
 description Guest_VLAN
 ip address x.x.48.2 255.255.255.0
 ip helper-address x.x.160.242
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip policy route-map guest
 standby 48 ip x.x.48.1
 standby 48 timers 2 6
 standby 48 priority 255
 standby 48 preempt
 standby 48 authentication ou812u2
end

ip access-list extended BBSM
 permit ip x.x.48.0 0.0.0.255 any

route-map guest permit 10
 match ip address BBSM
 set ip default next-hop 192.168.48.5


tdrais
Level 7

Are you sure you want to use DEFAULT next-hop?

This is generally used to cause packets to policy route when a specific route is not in the routing table.

From your description I think you want to always policy route the traffic and the only time you would not is if the next hop address was unreachable.

Hi,

Tim is correct. When you use the 'set ip default next-hop' command the router would first try to route to the destination using the routing table and if it doesn't find a route then it would use the default next-hop you specified in the route-map.

Since you want all traffic from the guest VLAN to be forwarded to your next-hop then you don't even need an ACL, a configuration like the one below should forward all traffic to the next-hop.

Try it and let us know if it works.

route-map guest permit 10
 set ip next-hop 192.168.48.5

HTH

Sundar

Yeah, I tried "set ip next-hop" also. I know that you cannot use this command if there is no route in the table. The "set ip default next-hop" is for if there is no route in the table. I tried a static route also to the next-hop VLAN. I never tried without an ACL. This does go on the guest VLAN interface, right? Also, since I am using a helper address to our DHCP server which is NOT on the subnet, do I need to exclude this? Thanks for the input. I was getting a little frustrated, but that's what makes it fun!

OK, well, here is the problem. Since the BBSM is not locally connected, you cannot use the next-hop command. Since the "set ip next-hop" command requires the use of a connected network and the route to be in the routing table to forward traffic to, that won't work. The "set ip default next-hop" command doesn't need to be connected or require the next hop to be in the table: "Sets next hop to which to route the packet if there is no explicit route for this destination. Before forwarding the packet to the next hop, the switch looks up the packet's destination address in the unicast routing table. If a match is found, the packet is forwarded by way of the routing table. If no match is found, the packet is forwarded to the specified next hop."

However, since the internet destination address is in the routing table (our default route 0.0.0.0) it uses the routing table and not policy routing. I am in a pickle here. Also, I was going by the documentation here:

"This document provides a sample configuration for policy-based routing (PBR) using the set ip default next-hop and set ip next-hop commands.

The set ip default next-hop command verifies the existence of the destination IP address in the routing table, and:

- if the destination IP address exists, the command does not policy route the packet, but forwards the packet based on the routing table.

- if the destination IP address does not exist, the command policy routes the packet by sending it to the specified next hop.

The set ip next-hop command verifies the existence of the next hop specified, and:

- if the next hop exists in the routing table, then the command policy routes the packet to the next hop.

- if the next hop does not exist in the routing table, the command uses the normal routing table to forward the packet."
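The decision rules quoted above (and Sundar's and Tim's explanation of `set ip next-hop` versus `set ip default next-hop` earlier in the thread) can be modelled to see why the original poster's debug kept showing "forwarding normally". The following Python is an added illustration written for this page; it is not code from the thread or from Cisco. The routing table, the RFC 5737 addresses standing in for the x.x.48.0 and x.x.160.0 networks, and the two flags `connected_only` (the poster reports the 4507 wanting a connected next hop) and `default_is_explicit` (the poster observed the 0.0.0.0 default route counting as a match) are constructed assumptions exposed as parameters rather than claims about any particular platform.

```python
from ipaddress import ip_address, ip_network

# Constructed routing table shaped like the thread's scenario: the guest
# subnet is connected on VLAN 848, a default route points at the campus
# uplink, and the BBSM (192.168.48.5) sits behind a static route.
# 192.0.2.0/24 stands in for the poster's x.x.48.0/24 (assumption).
ROUTING_TABLE = {
    "0.0.0.0/0": "203.0.113.1",        # default route via the uplink
    "192.0.2.0/24": "connected",       # guest VLAN (stand-in for x.x.48.0/24)
    "192.168.48.0/24": "203.0.113.1",  # static route toward the BBSM subnet
}

GUEST_NET = ip_network("192.0.2.0/24")  # what the BBSM ACL permits as source
BBSM_HOP = "192.168.48.5"               # target of set ip [default] next-hop


def lookup(dst, table=ROUTING_TABLE):
    """Longest-prefix match. Returns (network, next_hop) or None."""
    best = None
    addr = ip_address(dst)
    for prefix, hop in table.items():
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best


def hop_in_table(hop, table=ROUTING_TABLE, connected_only=False):
    """Model of 'the next hop exists in the routing table' for set ip next-hop.
    A match only on 0.0.0.0/0 is not counted (assumption); with connected_only
    the hop must be on a connected network, as the poster reports for his 4507."""
    m = lookup(hop, table)
    if m is None or m[0].prefixlen == 0:
        return False
    return m[1] == "connected" if connected_only else True


def forward(src, dst, mode, table=ROUTING_TABLE, *, connected_only=False,
            default_is_explicit=True):
    """Return (decision, next_hop) for one packet entering the guest VLAN.

    mode is 'next-hop' or 'default-next-hop', mirroring the two set commands
    quoted from the Cisco document in the thread.
    """
    def normal():
        m = lookup(dst, table)
        return ("routing-table", None if m is None else m[1])

    # route-map 'guest' matches ACL BBSM: source must be in the guest subnet
    if ip_address(src) not in GUEST_NET:
        return normal()

    if mode == "next-hop":
        # policy route only while the hop is in the table, else fall back silently
        if hop_in_table(BBSM_HOP, table, connected_only):
            return ("policy", BBSM_HOP)
        return normal()

    if mode == "default-next-hop":
        # routing table wins whenever it has an (explicit) route for dst
        m = lookup(dst, table)
        explicit = m is not None and (default_is_explicit or m[0].prefixlen > 0)
        return ("routing-table", m[1]) if explicit else ("policy", BBSM_HOP)

    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    internet = "198.51.100.7"  # constructed off-campus destination
    for mode in ("default-next-hop", "next-hop"):
        print(mode, forward("192.0.2.10", internet, mode))
```

With the default route present, `default-next-hop` sends the guest's internet-bound packet via the routing table, which is exactly the "forwarding normally" the poster saw in `debug ip policy`; dropping the default route (or setting `default_is_explicit=False`) flips it to the BBSM. With `next-hop`, the fallback to the routing table when the hop is not considered present is silent, so a guest VLAN that is supposed to be forced through the BBSM can quietly bypass it; checking the decision with `debug ip policy` as the poster did is the right verification step.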
