I have a site that has two frame-relay DS1's built as point-to-point circuits. Both provide Internet access. I want to use PBR to send some user traffic over one T1 and some traffic over the other. I believe I've built the PBR correctly but it doesn't appear to be working. When I query the route-map I see policy routing matches. Both the packets and bytes counters are incrementing. However I am unable to resolve DNS or surf. When I put a default static route pointing out one of the interfaces I am able to surf. I have included a config. Any help would be appreciated.
The access lists on both serial interfaces -- ACL 101 and 102 -- are denying all traffic coming in from the firewall, except icmp.
This config was generated by the SDM software and it currently works using a default static route with those ACL's in place. I believe that it allows return traffic that it matches to an outbound connection. It is only denying unsolicited inbound traffic.
Not to be repetitive, but this is your interface configuration:
interface Serial0/3/0:0.1 point-to-point
ip address 188.8.131.52 255.255.255.252
ip access-group 101 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
frame-relay interface-dlci 500 IETF
And here is the access list...
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny ip 184.108.40.206 0.0.0.3 any
access-list 101 deny ip 10.100.2.0 0.0.0.31 any
access-list 101 permit icmp any host 220.127.116.11 echo-reply
access-list 101 permit icmp any host 18.104.22.168 time-exceeded
access-list 101 permit icmp any host 22.214.171.124 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
This access list denies everything but ICMP traffic coming in from the firewall. What am I missing?
Which interface did you point that static route to? ip route 0.0.0.0 0.0.0.0 ?.?.?.?
Oh, wait a minute... I'm sorry! I just noticed the ip inspect commands in your configuration...
You're running an IOS with a firewall feature set, which means that it is stateful. So, all your internally-generated traffic is automatically allowed back in....
That explains the access list question, but that leaves your initial problem still unresolved....
Within route-map path-select, try setting "set default interface Serial0/3/0:0.1" and "set default interface Serial0/3/1:0.1" to "set ip next-hop x.x.x.x" where x.x.x.x is the appropriate external next hop address.
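The two mechanisms this reply touches on, the inbound ACL and the stateful "ip inspect" behaviour, are easy to confuse, so here is an added illustration (written for this thread, not the poster's configuration and not Cisco code). It transcribes ACL 101 exactly as quoted above, evaluates it with IOS first-match and wildcard-mask semantics, and adds a simplified CBAC session table that admits return traffic for inside-originated TCP/UDP sessions before the ACL is consulted. The sample packets use constructed TEST-NET addresses, and the session model is a simplification (no timeouts, no TCP state tracking).

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0          # unused for icmp
    dport: int = 0
    icmp_type: str = ""     # "echo-reply", "time-exceeded", "unreachable", ...


def in_wildcard(ip, base, wildcard):
    """IOS wildcard-mask test: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (ip, base, wildcard))
    return (a & ~w) == (b & ~w)


def host(ip):
    return (ip, "0.0.0.0")


ANY = ("0.0.0.0", "255.255.255.255")

# ACL 101 transcribed from the thread as (action, protocol, source, destination, icmp type),
# with "any" and "host" expanded to (address, wildcard) pairs.
ACL_101 = [
    ("deny",   "ip",   ("184.108.40.206", "0.0.0.3"),   ANY,                    None),
    ("deny",   "ip",   ("10.100.2.0", "0.0.0.31"),      ANY,                    None),
    ("permit", "icmp", ANY,                             host("220.127.116.11"), "echo-reply"),
    ("permit", "icmp", ANY,                             host("18.104.22.168"),  "time-exceeded"),
    ("permit", "icmp", ANY,                             host("22.214.171.124"), "unreachable"),
    ("deny",   "ip",   ("10.0.0.0", "0.255.255.255"),   ANY,                    None),
    ("deny",   "ip",   ("172.16.0.0", "0.15.255.255"),  ANY,                    None),
    ("deny",   "ip",   ("192.168.0.0", "0.0.255.255"),  ANY,                    None),
    ("deny",   "ip",   ("127.0.0.0", "0.255.255.255"),  ANY,                    None),
    ("deny",   "ip",   host("255.255.255.255"),         ANY,                    None),
    ("deny",   "ip",   host("0.0.0.0"),                 ANY,                    None),
    ("deny",   "ip",   ANY,                             ANY,                    None),  # deny ip any any log
]


def acl_lookup(acl, pkt):
    """First matching entry wins; a packet matching no entry hits the implicit deny."""
    for n, (action, proto, src, dst, icmp_type) in enumerate(acl, 1):
        if proto != "ip" and proto != pkt.proto:
            continue
        if icmp_type is not None and pkt.icmp_type != icmp_type:
            continue
        if in_wildcard(pkt.src, *src) and in_wildcard(pkt.dst, *dst):
            return (action, f"acl:{n}")
    return ("deny", "implicit-deny")


class InspectedInterface:
    """Outside interface with 'ip access-group 101 in' and CBAC ('ip inspect') on traffic
    leaving it: each inside-originated TCP/UDP session is recorded and its return
    packets are admitted before the inbound ACL is consulted (simplified model)."""

    def __init__(self, acl):
        self.acl = acl
        self.sessions = set()

    def send_outbound(self, pkt):
        # addresses are those seen on the outside interface, i.e. after NAT
        if pkt.proto in ("tcp", "udp"):
            self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def receive_inbound(self, pkt):
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.sessions:
            return ("permit", "inspect-session")
        return acl_lookup(self.acl, pkt)


def demo():
    """Constructed packets (TEST-NET addresses) against the quoted ACL."""
    wan = InspectedInterface(ACL_101)
    # a DNS query leaves through the WAN interface, so its reply is expected back
    wan.send_outbound(Packet("udp", "188.8.131.52", "203.0.113.53", 53000, 53))
    return {
        "unsolicited tcp":       wan.receive_inbound(Packet("tcp", "203.0.113.10", "188.8.131.52", 40000, 80)),
        "echo-reply":            wan.receive_inbound(Packet("icmp", "203.0.113.10", "220.127.116.11", icmp_type="echo-reply")),
        "spoofed rfc1918":       wan.receive_inbound(Packet("tcp", "10.5.5.5", "188.8.131.52", 40000, 80)),
        "dns reply":             wan.receive_inbound(Packet("udp", "203.0.113.53", "188.8.131.52", 53, 53000)),
        "dns reply, other port": wan.receive_inbound(Packet("udp", "203.0.113.53", "188.8.131.52", 53, 53001)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24} -> {result}")
```

Run it and the unsolicited TCP connection and the reply arriving on a port nobody asked from both land on the final "deny ip any any log" line, the echo-reply is permitted by the explicit ICMP entry, the spoofed 10.x source is dropped by the anti-spoofing entry, and only the DNS reply that matches a recorded outbound session gets through ahead of the ACL. That is the behaviour the poster describes: the ACL alone would block the return traffic, the inspection is what lets the internal hosts surf.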
I changed the "set default interface" statement to a "set ip next-hop" statement; still no change. I see the route-map matching packets, but am unable to route. As soon as I put in a static route pointing to either serial link, routing starts working.
I had suspected PBR with "interface" wasn't NATing. Hopefully the "next-hop" would otherwise NAT. At this point, would need to activate debug and see what's going on.
What next hop addresses did you use?
The (set default interface) has a different concept than (set ip next-hop).
The first would perform PBR if it has an exact match in the routing table, and would therefore need an (extended access-list).
Therefore, the set ip next-hop would resolve your issue, and you don't need a default route for this.
Make sure the next hop is reachable.
Ok, I've got it working. I changed my ACL's to extended ACL's (no change), set the route-map to set ip next-hop (no change) and then I put a default static route pointing to each of my T1's. The route-map would then send the packets out the correct interface. Does the router have to do a route lookup even if you have a route map pointing to the next hop address?
Does the router have to do a route lookup even if you have a route map pointing to the next hop address?
It depends on the set statement within the route-map.
If you use set ip next-hop address, the router will use PBR first and if it fails, it will use the routing table.
If you use set ip default next-hop address, the router will use the routing table first and then the next-hop specified in the route-map.
For further understanding of PBR features.
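An added model (written for this thread, not Cisco's implementation or anyone's posted configuration) of the order of operations this reply describes, plus the later point that router-generated packets are not policy routed unless a local policy is configured. It uses a constructed topology: the 10.100.2.0/27 LAN from ACL 101 as the inside network, two serial links with TEST-NET addresses (198.51.100.0/30 and 203.0.113.0/30, far end .2 on each), a constructed Internet host 192.0.2.53, and a route-map whose "match ip address" is reduced to a source prefix. The interface names are taken from the thread; everything else is assumed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Route:
    net: ipaddress.IPv4Network
    next_hop: Optional[str]     # None for a connected route
    iface: Optional[str]


@dataclass
class Sequence:
    """One route-map sequence; 'match ip address <acl>' is reduced to a source prefix."""
    match_src: ipaddress.IPv4Network
    kind: str                   # "next-hop" or "default next-hop"
    next_hops: list


class Router:
    def __init__(self):
        self.connected = []         # (network, interface)
        self.routes = []            # connected + static routes
        self.route_map = []         # applied with 'ip policy route-map' on the inside interface
        self.local_policy = False   # 'ip local policy route-map' for router-generated traffic

    def add_connected(self, prefix, iface):
        net = ipaddress.ip_network(prefix, strict=False)
        self.connected.append((net, iface))
        self.routes.append(Route(net, None, iface))

    def add_static(self, prefix, next_hop):
        self.routes.append(Route(ipaddress.ip_network(prefix), next_hop, self.adjacency(next_hop)))

    def adjacency(self, next_hop):
        """A next hop is usable only if it lies on a connected subnet (ARP or p2p adjacency)."""
        ip = ipaddress.ip_address(next_hop)
        for net, iface in self.connected:
            if ip in net:
                return iface
        return None

    def rib_lookup(self, dst):
        """Longest-prefix match over the routing table."""
        ip = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if ip in r.net]
        return max(matches, key=lambda r: r.net.prefixlen) if matches else None

    def forward(self, src, dst, locally_generated=False):
        # router-generated packets skip PBR unless a local policy is configured
        if not locally_generated or self.local_policy:
            for seq in self.route_map:
                if ipaddress.ip_address(src) not in seq.match_src:
                    continue
                if seq.kind == "default next-hop":
                    r = self.rib_lookup(dst)
                    if r is not None and r.net.prefixlen > 0:   # explicit route wins; 0.0.0.0/0 does not count
                        return ("rib", r.next_hop, r.iface)
                for nh in seq.next_hops:                         # "next-hop": the policy is tried first
                    iface = self.adjacency(nh)
                    if iface is not None:
                        return ("pbr", nh, iface)
                break                                            # set failed: fall back to normal routing
        r = self.rib_lookup(dst)
        if r is None:
            return ("drop", None, None)
        return ("rib", r.next_hop, r.iface)


def build(kind, next_hop="198.51.100.2", default_route=False, local_policy=False):
    """Constructed topology: inside LAN from ACL 101, two serial links with TEST-NET addresses."""
    r = Router()
    r.add_connected("10.100.2.1/27", "FastEthernet0/0")      # inside LAN (router address constructed)
    r.add_connected("198.51.100.1/30", "Serial0/3/0:0.1")    # constructed T1 #1, far end .2
    r.add_connected("203.0.113.1/30", "Serial0/3/1:0.1")     # constructed T1 #2, far end .2
    if default_route:
        r.add_static("0.0.0.0/0", "203.0.113.2")             # a static default via T1 #2
    r.local_policy = local_policy
    r.route_map = [Sequence(ipaddress.ip_network("10.100.2.0/27"), kind, [next_hop])]
    return r


USER, INTERNET = "10.100.2.10", "192.0.2.53"                 # constructed inside host and Internet host


def scenarios():
    explicit = build("default next-hop", default_route=True)
    explicit.add_static("192.0.2.0/24", "203.0.113.2")       # an explicit (non-default) route
    return {
        "next-hop, no default route":           build("next-hop").forward(USER, INTERNET),
        "next-hop unreachable, default route":  build("next-hop", next_hop="192.0.2.254", default_route=True).forward(USER, INTERNET),
        "default next-hop, only default route": build("default next-hop", default_route=True).forward(USER, INTERNET),
        "default next-hop, explicit route":     explicit.forward(USER, INTERNET),
        "router-generated, no local policy":    build("next-hop").forward("10.100.2.1", INTERNET, locally_generated=True),
        "router-generated, local policy":       build("next-hop", local_policy=True).forward("10.100.2.1", INTERNET, locally_generated=True),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:38} -> {result}")
```

The scenarios show the distinction in the reply: with "set ip next-hop" the policy wins whenever the next hop is on a connected subnet, even with no default route, and falls back to the routing table only when the next hop is unreachable; with "set ip default next-hop" an explicit route is preferred but a bare default route is not counted, so the policy next hop is used. A ping sourced by the router itself is not policy routed and is dropped without a default route, which is the point made later in the thread about local policy. The model deliberately stops at forwarding decisions; it says nothing about NAT, which several replies raise as the other variable in the poster's setup.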
Ok, but if I don't have any static routes configured I am unable to route. I could ping the next-hop IP. With the static routes configured the route-map (set ip next-hop address) is sending my user traffic out the correct interfaces. No matter what method I used I would always show my ACL's matching interesting traffic and the route-map matching packets. Very odd behaviour!
Packets generated by the router are not normally policy routed unless you configure a local PBR.
That's the reason that a lack of 'static route' produces the result you are seeing.
It might help if you clarified what next hop address you're using with PBR and the specific statics which fixed the problem.
Since your original default route was using an interface, not a next hop, perhaps PBR doesn't "know" where the next hop is without a connected route or a static. I.e. your NAT pool is using 60.x.x.x but your physical links are 211.x.x.x. Or perhaps the issue is, without the statics, NAT doesn't see an inside to outside need for address translation.
With PBR, a routing lookup is not performed, because you are forcing the router to match specific criteria.
The router would consult its arp table for the next hop configured in a route-map.
We were talking about (set ip next-hop); if you refer to my previous post, you will see that I have already explained what you typed.
Here is what I was thinking about this:
His PBR seems to be failing, which is why he can only route traffic if he has a static default configured.
I say this because we are dealing with 2 NAT interfaces, inside and outside. For both interfaces, the order of operations is such that policy routing comes first, then normal routing.
So, his PBR must be failing, otherwise it would not have to resort to a route table lookup. That's what I couldn't figure out: what is wrong with his route map config? He says he is using the set ip next hop address command but it didn't work...
Tennis anyone? :-)