
PBR problem

Problem with policy-based routing, urgent please!
Dear Experts

I need your advice and expertise on the following issue. As shown in the figure:
- The network addresses 10.232.100.0/22 and 10.232.104.0/22 are configured as primary and secondary addresses on the LAN network of the BAZ router.
- On the other hand, the networks 10.232.0.0/22 and 10.232.4.0/22 have been configured as primary and secondary networks on the TAS router.
- I have configured an extended access list to allow only the primary network addresses 10.232.0.0/22 and 10.232.100.0/22 to see each other, and to deny them from accessing the secondary address networks 10.232.4.0/22 and 10.232.104.0/22, and vice versa, as per below:

On BAZ router:
-=-=-=-=-=
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
 ip address 10.232.104.1 255.255.252.0 secondary
 ip address 10.232.100.1 255.255.252.0
 ip access-group block_lan in
 duplex auto
 speed auto


ip access-list extended block_lan
 deny   ip 10.232.104.0 0.0.3.255 10.232.100.0 0.0.3.255
 deny   ip 10.232.100.0 0.0.3.255 10.232.104.0 0.0.3.255
 permit ip any any


interface Serial0/3/0:0
 ip address 10.254.1.130 255.255.255.252
 ip access-group block out
 encapsulation ppp


ip classless
ip route 0.0.0.0 0.0.0.0 10.254.1.129
ip route 10.232.0.0 255.255.252.0 10.254.1.129
ip route 10.232.4.0 255.255.252.0 10.254.1.129
ip route 192.168.1.0 255.255.255.0 10.254.1.129

ip access-list extended block
 deny   ip 10.232.100.0 0.0.3.255 10.232.4.0 0.0.3.255
 deny   ip 10.232.104.0 0.0.3.255 10.232.0.0 0.0.3.255
 permit ip 10.232.104.0 0.0.3.255 10.232.4.0 0.0.3.255
 permit ip any any

-============

On TAS router:
-=======
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
 ip address 10.232.4.1 255.255.252.0 secondary
 ip address 10.232.0.1 255.255.252.0
 ip access-group block_lan in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 10.232.8.1 255.255.252.0
 duplex auto
 speed auto
!
interface Serial0/3/0:0
 ip address 10.254.1.129 255.255.255.252
 ip access-group block out
 encapsulation ppp
 
 
!
ip access-list extended block
 deny   ip 10.232.0.0 0.0.3.255 10.232.104.0 0.0.3.255
 deny   ip 10.232.4.0 0.0.3.255 10.232.100.0 0.0.3.255
 permit ip any any
ip access-list extended block_lan
 deny   ip 10.232.0.0 0.0.3.255 10.232.4.0 0.0.3.255
 deny   ip 10.232.4.0 0.0.3.255 10.232.0.0 0.0.3.255
 permit ip any any
-=====================
The above has been tested in the lab and confirmed OK.


However, I also need to separate them when accessing the internet, meaning I want to route the primary networks through an internet router from the TAS router and route the secondary networks through a different internet router, also from the TAS router. The first internet gateway should be an ISA server while the second one is a PIX firewall, but let's consider them as if they were routers.

- The primary network addresses should be routed to the internet through the LAN interface 10.232.0.15 of the internet router, while the secondary network addresses should be routed to a different gateway through the LAN interface 10.232.4.10 of the internet gateway.
- I configured policy-based routing on the TAS router and applied the policy on the Gig0/0 interface as per below:

On TAS:

access-list 10 permit   10.232.0.0 0.0.3.255
access-list 10 permit   10.232.100.0 0.0.3.255
access-list 20 permit   10.232.4.0 0.0.3.255
access-list 20 permit   10.232.104.0 0.0.3.255

route-map internet permit 10
 match ip address 10
 set ip next-hop 10.232.0.15
route-map internet permit 20
 match ip address 20
 set ip next-hop 10.232.4.10


interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
 ip address 10.232.4.1 255.255.252.0 secondary
 ip address 10.232.0.1 255.255.252.0
 ip access-group block_lan in
 ip policy route-map internet <<<<<<<<<<<<<<<<<<<<<<<<<<<< 
 duplex auto
 speed auto
-=======================
I disconnected ISP router 2 and started to test on ISP router 1. The result is that when I tried to ping the WAN interface 192.168.1.100 from the TAS router using extended ping, once specifying the source address as the primary 10.232.0.1 and once specifying the source address as the secondary 10.232.4.0, I was able to ping the WAN interface from both sources, although I was not able to ping the LAN 10.232.0.15 using 10.232.4.1 (secondary address).

- I recognized that the PBR is either not applied correctly or is wrongly done. I also tested the connectivity between the primary addresses on both routers (TAS and BAZ), and they no longer see each other after I applied the PBR!
- I did the same thing (disconnecting ISP 1 and connecting the ISP 2 router), and this time both the primary and secondary networks cannot ping the WAN interface nor the LAN interface.
- Kindly advise what could possibly be wrong and kindly correct my configuration if needed.
Regards


lab.jpg
Asked by: oelolemy
1 Solution
 
donmanrobb commented:
I'll test this out in my lab and get back to you tonight
 
donmanrobb commented:
Try using ip local policy route-map instead, otherwise the router will ignore the policy routing for traffic it generates.
 
oelolemy (Author) commented:
Adding the PBR on both the serial and Gigabit Ethernet interfaces and setting the default next hop for the 4 and 104 networks fixed the issue. Thanks for your efforts.
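The two fixes the thread converges on (use `set ip default next-hop` rather than `set ip next-hop`, and add `ip local policy route-map` so the router's own extended pings are policy-routed) can be checked with a small model of how IOS makes the PBR decision. The following is an added example, not code from the original post or from either participant: it models only the three things needed to reproduce the symptoms, the source-address ACL match, longest-prefix lookup in the routing table, and the difference between the two set clauses. TAS's static routes to the BAZ LANs and its default route toward 10.232.0.15 are assumptions (the post shows BAZ's routes but not TAS's), and 203.0.113.9 is a constructed internet destination.

```python
"""Model of Cisco-style policy-based routing (PBR) decisions on the TAS router.

Added example (not from the original post). It shows why `set ip next-hop`
hijacks TAS-to-BAZ traffic into the internet gateway, why `set ip default
next-hop` does not, and why router-generated pings bypass an interface policy
unless `ip local policy route-map` is configured.
"""
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# --- TAS routing table -------------------------------------------------------
# Connected networks come from the posted interface config. The two routes to
# BAZ's LANs and the default route are ASSUMPTIONS: the post does not show
# TAS's static routes, but says the primary LANs reached each other before PBR
# and that the ISP1 WAN address was reachable.
TAS_ROUTES: Dict[IPv4Network, str] = {
    ip_network("10.232.0.0/22"): "Gi0/0 (connected)",
    ip_network("10.232.4.0/22"): "Gi0/0 (connected)",
    ip_network("10.232.8.0/22"): "Gi0/1 (connected)",
    ip_network("10.254.1.128/30"): "Se0/3/0:0 (connected)",
    ip_network("10.232.100.0/22"): "10.254.1.130",  # assumed: BAZ primary LAN via serial
    ip_network("10.232.104.0/22"): "10.254.1.130",  # assumed: BAZ secondary LAN via serial
    ip_network("0.0.0.0/0"): "10.232.0.15",         # assumed: default toward ISP1 gateway
}

# access-list 10 / 20 from the post, matched on SOURCE address.
ACL_10 = [ip_network("10.232.0.0/22"), ip_network("10.232.100.0/22")]
ACL_20 = [ip_network("10.232.4.0/22"), ip_network("10.232.104.0/22")]

# route-map internet: (sequence, match ip address <acl>, next-hop)
ROUTE_MAP_INTERNET: List[Tuple[int, List[IPv4Network], str]] = [
    (10, ACL_10, "10.232.0.15"),
    (20, ACL_20, "10.232.4.10"),
]


def lookup(dst, routes=TAS_ROUTES) -> Optional[Tuple[IPv4Network, str]]:
    """Longest-prefix match; returns (prefix, next-hop/interface) or None."""
    best = None
    for net, via in routes.items():
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best


def forward(src: str, dst: str, *, default_next_hop: bool = False,
            locally_generated: bool = False, local_policy: bool = False,
            route_map=ROUTE_MAP_INTERNET, routes=TAS_ROUTES) -> str:
    """Return where TAS sends a packet from src to dst.

    default_next_hop=False models `set ip next-hop`: PBR overrides the table.
    default_next_hop=True models `set ip default next-hop`: an explicit
    (non-default) route wins and PBR only applies when none exists.
    """
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    # `ip policy route-map` on an interface sees only transit packets arriving
    # there; the router's own packets (extended ping) are policy-routed only
    # when `ip local policy route-map` is configured.
    pbr_applies = local_policy if locally_generated else True
    hit = lookup(dst_ip, routes)
    if pbr_applies:
        for _seq, acl, next_hop in route_map:
            if any(src_ip in net for net in acl):
                if default_next_hop and hit is not None and hit[0].prefixlen > 0:
                    return hit[1]      # explicit route exists: normal routing
                return next_hop        # policy decides
    return hit[1] if hit else "drop: no route"


def scenarios() -> Dict[str, str]:
    """The cases from the thread, each reduced to a forwarding decision."""
    return {
        # Host on TAS primary LAN to host on BAZ primary LAN (the broken case).
        "lan_to_baz_set_next_hop": forward("10.232.0.50", "10.232.100.50"),
        "lan_to_baz_default_next_hop": forward("10.232.0.50", "10.232.100.50",
                                               default_next_hop=True),
        # Internet-bound traffic still splits by source under the default form.
        "primary_to_internet": forward("10.232.0.50", "203.0.113.9", default_next_hop=True),
        "secondary_to_internet": forward("10.232.4.50", "203.0.113.9", default_next_hop=True),
        # TAS's own extended ping sourced from the secondary address.
        "local_ping_no_local_policy": forward("10.232.4.1", "192.168.1.100",
                                              locally_generated=True),
        "local_ping_with_local_policy": forward("10.232.4.1", "192.168.1.100",
                                                locally_generated=True, local_policy=True,
                                                default_next_hop=True),
    }


if __name__ == "__main__":
    for name, decision in scenarios().items():
        print(f"{name:32s} -> {decision}")
```

With `set ip next-hop`, every packet sourced from 10.232.0.0/22 matches sequence 10 and is handed to 10.232.0.15 regardless of destination, which is exactly why the TAS and BAZ primary LANs stopped seeing each other. With `set ip default next-hop`, the explicit /22 route to BAZ wins and only destinations covered by nothing better than the default route are steered to the per-network internet gateway. The locally generated cases show why the author's extended pings ignored the interface policy until a local policy was added.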