Solved

PBR on 861W

Posted on 2011-09-14
7
313 Views
Last Modified: 2012-05-12
I am trying to use PBR on an 861W.  I setup a route map and the next hop to the appropriate IP address.  However, even though the access list getting hits none of the hits match the route and thus I cannot route the traffic.  However, if I put the static route in manually traffic flows without a problem.  

I using virtual VLAN interfaces and I am not sure what I am doing wrong with the route map or if the route maps work with the virtual interfaces.

In the configuration R1 has a default route to the Internet; On router 2 I wanted to control routing using PBR.  When I enter the static route I can get out to the Internet just fine, when I remove it I cannot get out any more.  
PBR-Diagram.pdf
route-map.txt
0
Comment
Question by:bluejojordan
  • 4
  • 2
7 Comments
 
LVL 17

Expert Comment

by:Garry-G
ID: 36538737
If you do not have a default route on R2, it won't know where to route anything if the PBR doesn't match anything.
As to your config, contrary to your PDF you PBR anything that is destined to 2.2.2.2 and 3.3.3.3 towards VLAN620 ... is that what you want? Anything not going to those two IPs will not be touched by PBR ...
0
 

Author Comment

by:bluejojordan
ID: 36538846
Yes, for now I only want to send traffic to those two IP address 3.3.3.3 (VLAN620) and 2.2.2.2(VLAN1). However, access-list is getting hits, but the policy is not being applied.  I trying to figure out what I am missing because I do not know.  I thought it might be some limitation on the 861W
0
 
LVL 17

Expert Comment

by:Garry-G
ID: 36539000
Can you post the output of the command "show route-map" ?

Without having the config of the router, based on your original description, this is what currently happens:

When you don't have the default route configured, the routing table of the 860 router will look something like this:

10.1.11.0/25 -> connected, ETH0 (?)
172.25.20.0/24 -> connected, VLAN 620
172.18.1.0/23 -> connected, VLAN 1

Additionally, with the syntax used in the .txt file, the route-map matches for both 3.3.3.3 and 2.2.2.2, causing the router to check the routing table. The "set ip default next-hop" syntax checks whether a route for the destination IP (either 3.3.3.3 or 2.2.2.2) is available - which it isn't - and therefor should use the next hop defined ... Again, please note that the current config will forward packets to both IP addresses via VLAN620, not like you listed in the PDF

Can you do a "debug ip policy" then create some traffic to either IP?
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 

Author Comment

by:bluejojordan
ID: 36539152
The traffic below is VPN (L2L) ISAKMP traffic.  I also added the  ip local policy route-map VPN_ROUTING command.  Once I did that I started actually seeing the messages below.


Route-map Config
**************************************************************
route-map VPN_ROUTING permit 10
 match ip address LOWSEC
 set ip default next-hop 172.25.20.1
*************************************************************


Route Table
C       172.18.0.0 is directly connected, FastEthernet4.1
     172.25.0.0/24 is subnetted, 1 subnets
C       172.25.20.0 is directly connected, FastEthernet4.620
C       10.1.11.0 is directly connected, Loopback0


*Mar  1 01:28:06.163: IP: s=172.25.20.125 (local), d=2.2.2.2, len 56, policy rejected -- normal forwarding
*Mar  1 01:28:16.159: IP: s=172.25.20.125 (local), d=2.2.2.2, len 56, policy rejected -- normal forwarding
*Mar  1 01:28:26.163: IP: s=172.25.20.125 (local), d=2.2.2.2, len 56, policy rejected -- normal forwarding
*Mar  1 01:28:36.159: IP: s=172.25.20.125 (local), d=2.2.2.2, len 56, policy rejected -- normal forwarding
*Mar  1 01:28:46.039: IP: s=172.25.20.125 (local), d=2.2.2.2, len 56, policy rejected -- normal forwarding
0
 
LVL 15

Expert Comment

by:wingatesl
ID: 36539647
Remove the set interface from the route-map
0
 

Accepted Solution

by:
bluejojordan earned 0 total points
ID: 36816968
Problem seemed to be that I had my source and destination backward.
0
 

Author Closing Comment

by:bluejojordan
ID: 36908449
I figured the problem by trying numerous configurations and debugs.  Turned out the problem was the src/dst were backward.
0

Featured Post

6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

Join & Write a Comment

In a WLAN, anything you broadcast over the air can be intercepted.  By default a wireless network is wide open to all until security is configured. Even when security is configured information can still be intercepted! It is very important that you …
While it is possible to put two routes in place with the secondary having a higher metric, this may not always work. In the event of a failure that does not bring down the physical interface on the router the primary route is not removed. There is a…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now