Cisco Support Community
New Member

Policy Based Routing

I have attached a diagram.  I want to route traffic from a certain host to a host using policy based routing.  Basically, traffic from host 10.87.6.151 should route through next-hop 10.87.6.3.  Traffic from host 10.87.1.151 should route through next-hop 10.87.1.3.  Here is the config I have on the Core switch 10.87.6.1:

route-map Plymouth permit 10
 match ip address 112
 set ip next-hop 10.87.6.3
!
access-list 112 permit ip host 10.87.6.151 host 10.87.1.151
!
interface vlan 10
 ip policy route-map Plymouth

 

Policy for Core Switch 10.87.1.1:

 

route-map Lebanon permit 10
 match ip address 112
 set ip next-hop 10.87.1.3
!
access-list 112 permit ip host 10.87.1.151 host 10.87.6.151
!
interface vlan 10
 ip policy route-map Lebanon

 

I want to know if this is possible.  My headquarters is in Site B; when I apply this to both sites, I lose connection to Site A.

11 REPLIES
Silver


You can only have one PBR per interface, you can't have two :)
Just simply combine your route-map statements with an additional IP SLA. Why? I am assuming you have redundant routes for your traffic, just in case their main tunnel goes down, they will fail over :))


I am assuming that 10.87.6.3 is in tun0 and 10.87.1.3 is in tun1:

conf t
!
ip sla 1
 icmp-echo 10.87.6.3 source-interface tun0
 timeout 1500
 frequency 5
ip sla 1 schedule life forever start-time now
!
ip sla 2
 icmp-echo 10.87.1.3 source-interface tun1
 timeout 1500
 frequency 5
ip sla 2 schedule life forever start-time now
!
track 1 rtr 1 reachability
track 2 rtr 2 reachability
!
access-list 112 permit ip host 10.87.6.151 host 10.87.1.151
access-list 113 permit ip host 10.87.1.151 host 10.87.6.151
!
route-map POLICY_1 permit 10
 match ip address 112
 set ip next-hop verify-availability 10.87.6.3 track 1
!
route-map POLICY_1 permit 11
 match ip address 113
 set ip next-hop verify-availability 10.87.1.3 track 2
!
interface vlan 10
 ip policy route-map POLICY_1

 

Considering you have PBR, I would assume you have redundant paths to these destination networks. Anyway, here is how it works:

1. In case any of the links to the desired destination goes down, PBR will not become a hindrance that stops traffic from being forwarded, even if the PBR statement exists.

2. If the next-hop is not verified, then it makes the packets "skip" the route-map statement, and as we know, if nothing matches, then it forwards traffic normally using the routing table :)
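The two rules above (first matching route-map sequence wins; a tracked next-hop that is down makes the packet fall back to the routing table) and the "one ip policy route-map per interface" point are easy to get wrong when reading a config. The following Python model, added here as an illustration and not Cisco code or anything from the thread, replays the combined POLICY_1 configuration for the Site A core (10.87.6.1). Hosts, ACL numbers and next-hops are the ones from the thread; the routing table (with a constructed WAN gateway 10.87.6.254), the track states and the `Router`/`Acl`/`Sequence` classes are assumptions made for the example.

```python
"""Toy model of IOS policy-based routing with verify-availability tracking.

Added example, not Cisco code. It models the behaviour the reply describes:
a route-map is an ordered list of sequences, the first sequence whose ACL
matches wins, and if that sequence's next-hop is tracked and the track object
is down the set clause is skipped and the packet is routed by the routing
table. Routing table and track states are constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


def _in_net(net: str, addr: str) -> bool:
    """'host 10.87.6.151' in an ACL is written as '10.87.6.151/32' here."""
    return ip_address(addr) in ip_network(net, strict=False)


@dataclass
class Acl:
    """Extended ACL reduced to permit entries of (source net, destination net)."""
    permits: list[tuple[str, str]]

    def matches(self, src: str, dst: str) -> bool:
        return any(_in_net(s, src) and _in_net(d, dst) for s, d in self.permits)


@dataclass
class Sequence:
    """One 'route-map NAME permit SEQ' entry with a single 'set ip next-hop'."""
    acl: str
    next_hop: str
    track: int | None = None  # set when 'verify-availability ... track N' is used


@dataclass
class Router:
    acls: dict[str, Acl]
    route_maps: dict[str, list[Sequence]]
    tracks: dict[int, bool]          # track object id -> reachable (constructed)
    rib: dict[str, str]              # prefix -> next hop (constructed)
    policy: dict[str, str] = field(default_factory=dict)  # interface -> route-map

    def apply_policy(self, interface: str, route_map: str) -> str | None:
        """Model of 'ip policy route-map': one per interface, a new one replaces the old."""
        previous = self.policy.get(interface)
        self.policy[interface] = route_map
        return previous

    def rib_lookup(self, dst: str) -> str | None:
        """Longest-prefix match over the constructed routing table."""
        best: tuple[int, str] | None = None
        for prefix, nh in self.rib.items():
            net = ip_network(prefix)
            if ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, nh)
        return best[1] if best else None

    def forward(self, ingress: str, src: str, dst: str) -> tuple[str | None, str]:
        """Return (next hop, reason) for a packet entering on `ingress`."""
        name = self.policy.get(ingress)
        if name is not None:
            for seq in self.route_maps[name]:
                if not self.acls[seq.acl].matches(src, dst):
                    continue  # try the next sequence; first match wins
                if seq.track is None or self.tracks.get(seq.track, False):
                    return seq.next_hop, f"pbr:{name}:{seq.acl}"
                # verify-availability failed: the set clause is skipped and the
                # packet is forwarded by the routing table, as the reply describes
                return self.rib_lookup(dst), f"pbr-next-hop-down:{name}:{seq.acl}"
        return self.rib_lookup(dst), "rib"


def site_a_core(track1_up: bool = True, track2_up: bool = True) -> Router:
    """Core switch 10.87.6.1 configured like the combined POLICY_1 above.

    The routing table (10.87.6.254 is a constructed normal WAN gateway) and the
    track states are assumptions; hosts and next-hops are from the thread.
    """
    r = Router(
        acls={
            "112": Acl([("10.87.6.151/32", "10.87.1.151/32")]),
            "113": Acl([("10.87.1.151/32", "10.87.6.151/32")]),
        },
        route_maps={"POLICY_1": [Sequence("112", "10.87.6.3", track=1),
                                 Sequence("113", "10.87.1.3", track=2)]},
        tracks={1: track1_up, 2: track2_up},
        rib={"10.87.6.0/24": "connected", "10.87.1.0/24": "10.87.6.254",
             "0.0.0.0/0": "10.87.6.254"},
    )
    r.apply_policy("vlan 10", "POLICY_1")
    return r


if __name__ == "__main__":
    up = site_a_core()
    print(up.forward("vlan 10", "10.87.6.151", "10.87.1.151"))   # policy-routed via 10.87.6.3
    print(up.forward("vlan 10", "10.87.6.50", "10.87.1.151"))    # no ACL match: routing table
    down = site_a_core(track1_up=False)
    print(down.forward("vlan 10", "10.87.6.151", "10.87.1.151")) # next-hop down: routing table
    print(up.apply_policy("vlan 10", "OTHER"))                   # replaces POLICY_1
```

Running the script shows the three cases side by side: the 151 host pair is policy-routed to 10.87.6.3 while track 1 is up, any other source on VLAN 10 is routed by the table, and the same 151 traffic falls back to the table as soon as the tracked next-hop goes down. Without `track` on the sequence (the original poster's configuration) the model would keep returning 10.87.6.3 regardless of reachability, which is the "forward to a dead next-hop" behaviour discussed later in the thread.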


 

 

New Member


I was told that I had to apply the policy to different interfaces, meaning it can't be applied to interface vlan 10 on both sides (exit out of a different interface).  So without the SLA in place, what would happen to the traffic if the next hop is down?

Silver


Without the SLA the router will still forward traffic to the next-hop even if it's not alive :)



Don't forget to rate or mark as correct helpful answers :)

Silver

Well that choice depends on

------------

 

Don't forget to rate or mark as correct helpful answers :)

New Member


I was under the assumption that the PBR had to be placed on both sides in order to work correctly.  You are correct traffic is between 2 servers at each site.

Silver


Oops, correction on that: we need to apply PBR to both ends of the devices. You are correct.

New Member


Ok, good to know.  lsgabrillo, can I apply the policy map to VLAN 10 on both Site A and Site B?  When I applied it last week, I lost connection to the Site A core switch.

Hall of Fame Super Gold


You should be able to apply Policy Based Routing to VLAN 10 on both sites. If you applied PBR on both sites and lost connection to one then there was some error in how you set it up. We do not have enough information here to know what the cause was. If you supply more detail about what you configured perhaps we might be able to find the issue.

 

HTH

 

Rick

Silver


Yep, just as Burts said.

And also, though the configuration "pattern" (a.k.a. commands/syntax used) is the same, the configuration itself is different between Site A and Site B.

You can't simply copy the config above and paste it on both sites.

New Member


Ok, call me crazy; I applied this policy first to both sides and traffic was routing properly between 10.87.6.101 and 10.87.1.101:

*****Lebanon Site B*****
route-map OHIO permit 20
 match ip address 111
 set ip next-hop 10.87.1.3
access-list 111 permit ip host 10.87.1.101 host 10.87.6.101
interface vlan10
 ip policy route-map OHIO


!****Plymouth Site A****
route-map PLYMOUTH permit 10
 match ip address 111
 set ip next-hop 10.87.6.3
access-list 111 permit ip host 10.87.6.101 host 10.87.1.101

 

Now when I apply this policy below, I lose connection to my Core switch (10.87.1.1) and access to the Core switch (10.87.6.1).


****testing Lebanon Site B****
route-map OHIO permit 30
 match ip address 112
 set ip next-hop 10.87.1.3
access-list 112 permit ip host 10.87.1.151 host 10.87.6.151

interface vlan10
 ip policy route-map PLYMOUTH
!
***testing Plymouth Site A***
route-map PLYMOUTH permit 20
 match ip address 112
 set ip next-hop 10.87.6.3
access-list 112 permit ip host 10.87.6.151 host 10.87.1.151

Hall of Fame Super Gold


Thanks for the additional information. There are several things that I do not understand and I hope that you can clarify.

- looking at the diagram that was with the original post 10.87.1.3 and 10.87.6.3 appear to be the addresses of the MPLS routers that connect the sites. If you are using these as the set next hop then it implies that this is not the normal path for traffic between the sites. So can you clarify what the normal path between the sites is? I am wondering if the normal path does work but that there is something broken with the MPLS?

- Did the Policy Routing for hosts 10.87.1.101 and 10.87.6.101 really work? Were those hosts able to successfully communicate with each other?

- It appears that the difference between the Policy Routing that did not cause a problem and the Policy Routing that did cause a problem was that one dealt with hosts 101 and the other dealt with hosts 151. So what are hosts 151? And is there something that if they do not communicate would impact access to core switches?

 

HTH

 

Rick
