
New Member

Policy Based Routing problem over dual frame-relay circuits

I have a site that has two frame-relay DS1's built as point-point circuits. Both provide Internet access. I want to use PBR to send some user traffic over one T1 and some traffic over the other. I believe I've built the PBR correctly but it doesn't appear to be working. When I query the route-map I see policy routing matches. Both the packets and bytes counters are incrementing. However I am unable to resolve DNS or surf. When I put a default static route pointing out one of the interfaces I am able to surf. I have included a config. Any help would be appreciated.

17 REPLIES
Blue

Re: Policy Based Routing problem over dual frame-relay circuits

Hi:

The access lists on both serial interfaces -- ACL 101 and 102 -- are denying all traffic coming in from the firewall, except icmp.

HTH

Victor

New Member

Re: Policy Based Routing problem over dual frame-relay circuits

This config was generated by the SDM software and it currently works using a default static route with those ACL's in place. I believe that it allows return traffic that it matches to an outbound connection. It is only denying unsolicited inbound traffic.

Blue

Re: Policy Based Routing problem over dual frame-relay circuits

Cerp:

Not to be repetitive, but this is your interface configuration:

interface Serial0/3/0:0.1 point-to-point
 description FW_OUTSIDE#1
 ip address 211.111.85.82 255.255.255.252
 ip access-group 101 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 frame-relay interface-dlci 500 IETF

And here is the access list...

access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny ip 211.111.85.84 0.0.0.3 any
access-list 101 deny ip 10.100.2.0 0.0.0.31 any
access-list 101 permit icmp any host 211.111.85.82 echo-reply
access-list 101 permit icmp any host 211.111.85.82 time-exceeded
access-list 101 permit icmp any host 211.111.85.82 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log

This access list denies everything but ICMP traffic coming in from the firewall. What am I missing?

Which interface did you point that static route to? ip route 0.0.0.0 0.0.0.0 ?.?.?.?

Victor


New Member

Re: Policy Based Routing problem over dual frame-relay circuits

The default route points to s0/3/0:0.1. I am currently surfing over that link right now.

Blue

Re: Policy Based Routing problem over dual frame-relay circuits

Oh, wait a minute... I'm sorry! I just noticed the ip inspect commands in your configuration...

You're running an IOS with a firewall feature set, which means that it is stateful. So, all your internally-generated traffic is automatically allowed back in....

That explains the access list question, but that leaves your initial problem still unresolved....

Super Bronze

Re: Policy Based Routing problem over dual frame-relay circuits

Within route-map path-select, try setting "set default interface Serial0/3/0:0.1" and "set default interface Serial0/3/1:0.1" to "set ip next-hop x.x.x.x" where x.x.x.x is the appropriate external next hop address.

New Member

Re: Policy Based Routing problem over dual frame-relay circuits

I changed the "set default interface" statement to a "set ip next-hop" statement; still no change. I see the route-map matching packets, but am unable to route. As soon as I put in a static route pointing to either serial link, routing starts working.

Super Bronze

Re: Policy Based Routing problem over dual frame-relay circuits

I had suspected PBR with "interface" wasn't NATing. Hopefully the "next-hop" would otherwise NAT. At this point, would need to activate debug and see what's going on.

PS:

What next hop addresses did you use?

Re: Policy Based Routing problem over dual frame-relay circuits

Hi,

The (set default interface) has a different concept than (set ip next-hop).

The first would perform PBR if it has an exact match in the routing table, and would therefore need an (extended access-list).

Therefore, the set ip next-hop would resolve your issue, and you don't need a default route for this.

Make sure the next hop is reachable.

HTH

Mohamed

New Member

Re: Policy Based Routing problem over dual frame-relay circuits

Ok, I've got it working. I changed my ACL's to extended ACL's (no change), set the route-map to set ip next-hop (no change) and then I put a default static route pointing to each of my T1's. The route-map would then send the packets out the correct interface. Does the router have to do a route lookup even if you have a route map pointing to the next hop address?

Hall of Fame Super Bronze

Re: Policy Based Routing problem over dual frame-relay circuits

Does the router have to do a route lookup even if you have a route map pointing to the next hop address?

It depends on the set statement within the route-map.

If you use set ip next-hop address, the router will use PBR first and if it fails, it will use the routing table.

If you use set ip default next-hop address, the router will use the routing table first and then the next-hop specified in the route-map.

Please see:

http://www.cisco.com/en/US/docs/ios/12_4/ip_route/configuration/guide/piconfig.html#wp1001398

for further understanding of PBR features.

HTH,

__

Edison.
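To make the distinction Edison describes concrete, here is an added IOS configuration example (not the poster's config and not from the linked guide) that puts the thread's fix together: extended ACLs, the route-map path-select using set ip next-hop on Serial0/3/0:0.1 and Serial0/3/1:0.1, the policy applied on the inside interface, and the default routes the router itself still needs. The inside LAN 10.100.2.0/27, the inside interface FastEthernet0/0 and the far-end next hops (shown as placeholders) are assumptions; the thread does not give them.

```cisco
! Added example, not the original poster's configuration.
! Assumptions: inside LAN 10.100.2.0/27 on FastEthernet0/0 (hypothetical);
! <NEXT_HOP_T1_1> and <NEXT_HOP_T1_2> are the far-end addresses on
! Serial0/3/0:0.1 and Serial0/3/1:0.1 (placeholders, not given in the thread).
!
! Extended ACLs choose the traffic for each path: the lower half of the
! LAN takes T1 #1, the upper half takes T1 #2.
ip access-list extended PBR_T1_1
 permit ip 10.100.2.0 0.0.0.15 any
ip access-list extended PBR_T1_2
 permit ip 10.100.2.16 0.0.0.15 any
!
! set ip next-hop: PBR is consulted first, the routing table only if the
! next hop is unreachable. set ip default next-hop would reverse that order
! (routing table first, PBR afterwards), as in Edison's reply.
route-map path-select permit 10
 match ip address PBR_T1_1
 set ip next-hop <NEXT_HOP_T1_1>
route-map path-select permit 20
 match ip address PBR_T1_2
 set ip next-hop <NEXT_HOP_T1_2>
!
! The policy only acts on transit packets arriving on the inside interface.
! Packets the router originates (its own DNS lookups, for example) follow the
! routing table unless "ip local policy route-map" is configured, which is why
! the thread still needed default routes alongside the route-map.
interface FastEthernet0/0
 ip policy route-map path-select
!
ip route 0.0.0.0 0.0.0.0 <NEXT_HOP_T1_1>
ip route 0.0.0.0 0.0.0.0 <NEXT_HOP_T1_2>
!
! Verification (exec mode): each clause's packet counter should increment,
! and the policy should be listed against the inside interface.
! show route-map path-select
! show ip policy
```

Check reachability of both next hops (as Mohamed notes) before trusting the counters: a route-map clause matches whether or not the next hop it sets can actually be reached.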

New Member

Re: Policy Based Routing problem over dual frame-relay circuits

Ok, but if I don't have any static routes configured I am unable to route. I could ping the next-hop IP. With the static routes configured the route-map (set ip next-hop address) is sending my user traffic out the correct interfaces. No matter what method I used I would always show my ACL's matching interesting traffic and the route-map matching packets. Very odd behaviour!

Hall of Fame Super Bronze

Re: Policy Based Routing problem over dual frame-relay circuits

Packets generated by the router are not normally policy routed unless you configure a local PBR.

http://www.cisco.com/en/US/docs/ios/12_4/ip_route/configuration/guide/piconfig.html#wp1001559

That's the reason that a lack of 'static route' produces the result you are seeing.

HTH,

__

Edison.

Super Bronze

Re: Policy Based Routing problem over dual frame-relay circuits

It might help if you clarified what next hop address you're using with PBR and the specific statics which fixed the problem.

Since your original default route was using an interface, not a next hop, perhaps PBR doesn't "know" where the next hop is without a connected route or a static. I.e. your NAT pool is using 60.x.x.x but your physical links are 211.x.x.x. Or perhaps the issue is that, without the statics, NAT doesn't see an inside to outside need for address translation.

Re: Policy Based Routing problem over dual frame-relay circuits

Hi,

With PBR, a routing lookup is not performed, because you are forcing the router to match specific criteria.

The router would consult its arp table for the next hop configured in a route-map.

HTH

Mohamed

Re: Policy Based Routing problem over dual frame-relay circuits

Edison,

We were talking about (set ip next-hop); if you refer to my previous post, you will see that I have explained what you typed already.

HTH

Mohamed

Blue

Re: Policy Based Routing problem over dual frame-relay circuits

Edison, MO:

Here is what I was thinking about this:

His PBR seems to be failing, which is why he can only route traffic if he has a static default configured.

I say this because we are dealing with 2 NAT interfaces, inside and outside. For both interfaces, the order of operations is such that policy routing comes first, then normal routing.

So, his PBR must be failing, otherwise it would not have to resort to a route table lookup. That's what I couldn't figure out: what is wrong with his route map config? He says he is using the set ip next hop address command but it didn't work...

Tennis anyone? :-)

Victor
