Community Member

Policy Based Routing

Hello Friends,

First let me explain my topology: 5 VPCs connect to a switch, the switch connects to a LAN router, and the router is connected to an ISP router. On the ISP router there are 4 loopback addresses and two connected Ethernet interfaces, using EIGRP.

I'm doing PBR based on source. I have created two access-lists, numbered 10 and 30:

R1(config)#access-list 10 permit host 10.1.1.2
R1(config)#access-list 10 permit host 10.1.1.3
R1(config)#access-list 30 permit host 10.1.1.4
R1(config)#access-list 30 permit host 10.1.1.5
R1(config)#exit

Below is my route-map configs:

R1#sh route-map
route-map AJAZ, permit, sequence 10
  Match clauses:
    ip address (access-lists): 10
  Set clauses:
    ip next-hop 1.1.1.2
  Policy routing matches: 15 packets, 1470 bytes


route-map AJAZ, permit, sequence 20
  Match clauses:
    ip address (access-lists): 30
  Set clauses:
    interface Ethernet1/0
  Policy routing matches: 5 packets, 490 bytes


route-map AJAZ, permit, sequence 30
  Match clauses:
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes

I have applied the policy on the LAN interface f0/0:

R1#sh running-config interface f0/0
Building configuration...

Current configuration : 115 bytes
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.0.0.0
 ip policy route-map AJAZ
 duplex auto
 speed auto
end

I turned on debug ip policy.

When I try to ping from VPC 10.1.1.2 and 10.1.1.3 to loopback 12.0.0.1, it works fine according to the policy-based routing. Below is the output.

R1#
*Mar  1 01:30:05.371: IP: s=10.1.1.2 (FastEthernet0/0), d=12.0.0.1, len 84, FIB policy match
*Mar  1 01:30:05.371: IP: s=10.1.1.2 (FastEthernet0/0), d=12.0.0.1, g=1.1.1.2, len 84, FIB policy routed

R1#
*Mar  1 01:30:53.915: IP: s=10.1.1.3 (FastEthernet0/0), d=12.0.0.1, len 84, FIB policy match
*Mar  1 01:30:53.915: IP: s=10.1.1.3 (FastEthernet0/0), d=12.0.0.1, g=1.1.1.2, len 84, FIB policy routed

Now here comes the real problem: when I ping from the other hosts (i.e. 10.1.1.4 and 10.1.1.5), my packet is getting dropped for 10.1.1.4 but the policy is working fine. Here is the output.

PC4> ping 12.0.0.1 --> from 10.1.1.4
12.0.0.1 icmp_seq=1 timeout
12.0.0.1 icmp_seq=2 timeout
12.0.0.1 icmp_seq=3 timeout

*Mar  1 01:32:44.107: IP: s=10.1.1.5 (FastEthernet0/0), d=12.0.0.1, len 84, FIB policy match
*Mar  1 01:32:44.107: IP: s=10.1.1.5 (FastEthernet0/0), d=12.0.0.1, len 84, policy match
*Mar  1 01:32:44.111: IP: route map AJAZ, item 20, permit

PC5> ping 12.0.0.1  --> from 10.1.1.5 ( It's pinging fine but the policy is getting rejected )
84 bytes from 12.0.0.1 icmp_seq=1 ttl=254 time=21.002 ms
84 bytes from 12.0.0.1 icmp_seq=2 ttl=254 time=21.002 ms

*Mar  1 01:33:41.215: IP: s=10.1.1.6 (FastEthernet0/0), d=12.0.0.1, len 84, FIB policy match
*Mar  1 01:33:41.219: IP: s=10.1.1.6 (FastEthernet0/0), d=12.0.0.1, len 84, FIB policy rejected - normal forwarding

Can someone please help me with this? Did I misconfigure anything in the route-filtering method (ACL or route-map)? Do I need to use any extra statement in the ACL or route-map?

I have attached my topology. Please have a look for better understanding.

Thanks,

Ajaz Ahmed

5 REPLIES
VIP Gold

Sorry, but what equipment (model/firmware version) are you speaking of?

Community Member

Oh! I'm sorry, I forgot to mention that. It's Cisco 3600 Software (C3640-JK9O3S-M), Version 12.4(16a).

VIP Gold

OK. You had been off-topic in Additional Communities. I moved your question to a better place.

Community Member

Thank You.

Community Member

Finally I got the solution for my problem.

set interface

Sets output interface for the packet. This action specifies that the packet is forwarded out of the local interface. The interface must be a Layer 3 interface (no switchports), and the destination address in the packet must lie within the IP network assigned to that interface. If the destination address for the packet does not lie within that network, the packet is dropped.

I was trying to reach a different network rather than the network assigned to the interface. I used a next-hop address instead and it worked fine.
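As an added illustration (not code from the thread or from Cisco), the following Python model walks a packet through route-map AJAZ the way the explanation above describes: a set ip next-hop entry forwards regardless of destination, a set interface entry only forwards when the destination lies in that interface's connected network and otherwise drops, and an entry with no set clause falls back to normal forwarding. The connected network on Ethernet1/0 and the next-hop 2.2.2.2 used in the fixed map are assumptions; the post does not give them.

```python
from ipaddress import ip_address, ip_network

# Standard ACLs from the post (they match on source only).
ACLS = {10: {"10.1.1.2", "10.1.1.3"}, 30: {"10.1.1.4", "10.1.1.5"}}

# Assumed connected network on Ethernet1/0 (not given in the post).
CONNECTED = {"Ethernet1/0": ip_network("192.168.10.0/24")}

# route-map AJAZ as shown in the post: seq 30 has neither match nor set.
ROUTE_MAP = [
    {"seq": 10, "acl": 10, "set": ("next-hop", "1.1.1.2")},
    {"seq": 20, "acl": 30, "set": ("interface", "Ethernet1/0")},
    {"seq": 30, "acl": None, "set": None},
]

# The fix the poster applied: seq 20 uses a next-hop instead (2.2.2.2 is an
# assumed address for the router reachable via Ethernet1/0).
FIXED_ROUTE_MAP = [dict(e) for e in ROUTE_MAP]
FIXED_ROUTE_MAP[1]["set"] = ("next-hop", "2.2.2.2")


def policy_route(src, dst, route_map=ROUTE_MAP):
    """Return (verdict, detail) for a packet from src to dst under PBR."""
    for entry in route_map:
        # An entry with no match clause matches every packet.
        if entry["acl"] is not None and src not in ACLS[entry["acl"]]:
            continue
        if entry["set"] is None:
            # permit entry with nothing to set: the debug shows this as
            # "FIB policy rejected - normal forwarding".
            return ("normal forwarding", f"seq {entry['seq']} has no set clause")
        kind, value = entry["set"]
        if kind == "next-hop":
            # Forwarded to the next hop regardless of the destination.
            return ("policy routed", f"g={value}")
        # set interface: only valid when dst is on that interface's network.
        if ip_address(dst) in CONNECTED[value]:
            return ("policy routed", f"out {value}")
        return ("dropped", f"{dst} is not in {CONNECTED[value]} on {value}")
    return ("normal forwarding", "no entry matched")


if __name__ == "__main__":
    for src, rm in (("10.1.1.2", ROUTE_MAP), ("10.1.1.4", ROUTE_MAP),
                    ("10.1.1.4", FIXED_ROUTE_MAP), ("10.1.1.6", ROUTE_MAP)):
        print(src, "-> 12.0.0.1:", *policy_route(src, "12.0.0.1", rm))
```

Running it reproduces the three outcomes seen in the debug: 10.1.1.2 is policy routed to 1.1.1.2, 10.1.1.4 is dropped under the original map but policy routed under the fixed one, and 10.1.1.6 falls through to normal forwarding.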
