Solved

PBR on 861W

Posted on 2011-09-14
Last Modified: 2012-05-12
I am trying to use PBR on an 861W.  I set up a route map and the next hop to the appropriate IP address.  However, even though the access list is getting hits, none of the hits match the route and thus I cannot route the traffic.  However, if I put the static route in manually, traffic flows without a problem.

I am using virtual VLAN interfaces and I am not sure what I am doing wrong with the route map, or if route maps work with the virtual interfaces.

In the configuration R1 has a default route to the Internet; on router 2 I wanted to control routing using PBR.  When I enter the static route I can get out to the Internet just fine; when I remove it I cannot get out any more.
PBR-Diagram.pdf
route-map.txt
Question by:bluejojordan
7 Comments
 
LVL 18

Expert Comment

by:Garry Glendown
ID: 36538737
If you do not have a default route on R2, it won't know where to route anything if the PBR doesn't match anything.
As to your config, contrary to your PDF you PBR anything that is destined to 2.2.2.2 and 3.3.3.3 towards VLAN620 ... is that what you want? Anything not going to those two IPs will not be touched by PBR ...
 

Author Comment

by:bluejojordan
ID: 36538846
Yes, for now I only want to send traffic to those two IP addresses: 3.3.3.3 (VLAN620) and 2.2.2.2 (VLAN1). However, the access-list is getting hits, but the policy is not being applied.  I am trying to figure out what I am missing, because I do not know.  I thought it might be some limitation on the 861W.
 
LVL 18

Expert Comment

by:Garry Glendown
ID: 36539000
Can you post the output of the command "show route-map" ?

Without having the config of the router, based on your original description, this is what currently happens:

When you don't have the default route configured, the routing table of the 860 router will look something like this:

10.1.11.0/25 -> connected, ETH0 (?)
172.25.20.0/24 -> connected, VLAN 620
172.18.1.0/23 -> connected, VLAN 1

Additionally, with the syntax used in the .txt file, the route-map matches for both 3.3.3.3 and 2.2.2.2, causing the router to check the routing table. The "set ip default next-hop" syntax checks whether a route for the destination IP (either 3.3.3.3 or 2.2.2.2) is available - which it isn't - and therefore should use the next hop defined ... Again, please note that the current config will forward packets to both IP addresses via VLAN620, not like you listed in the PDF.

Can you do a "debug ip policy" then create some traffic to either IP?
 

Author Comment

by:bluejojordan
ID: 36539152
The traffic below is VPN (L2L) ISAKMP traffic.  I also added the "ip local policy route-map VPN_ROUTING" command.  Once I did that I started actually seeing the messages below.


Route-map Config
**************************************************************
route-map VPN_ROUTING permit 10
 match ip address LOWSEC
 set ip default next-hop 172.25.20.1
*************************************************************


Route Table
C       172.18.0.0 is directly connected, FastEthernet4.1
     172.25.0.0/24 is subnetted, 1 subnets
C       172.25.20.0 is directly connected, FastEthernet4.620
C       10.1.11.0 is directly connected, Loopback0


*Mar  1 01:28:06.163: IP: s=172.25.20.125 (local), d=2.2.2.2, len 56, policy rejected -- normal forwarding
*Mar  1 01:28:16.159: IP: s=172.25.20.125 (local), d=2.2.2.2, len 56, policy rejected -- normal forwarding
*Mar  1 01:28:26.163: IP: s=172.25.20.125 (local), d=2.2.2.2, len 56, policy rejected -- normal forwarding
*Mar  1 01:28:36.159: IP: s=172.25.20.125 (local), d=2.2.2.2, len 56, policy rejected -- normal forwarding
*Mar  1 01:28:46.039: IP: s=172.25.20.125 (local), d=2.2.2.2, len 56, policy rejected -- normal forwarding
 
LVL 15

Expert Comment

by:wingatesl
ID: 36539647
Remove the set interface from the route-map
 

Accepted Solution

by:bluejojordan (earned 0 total points)
ID: 36816968
Problem seemed to be that I had my source and destination backward.
 

Author Closing Comment

by:bluejojordan
ID: 36908449
I figured out the problem by trying numerous configurations and debugs.  Turned out the problem was that the src/dst were backward.
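The two behaviours discussed in this thread, "set ip default next-hop" consulting the routing table before the policy next hop (Garry's explanation) and an extended ACL whose source/destination are reversed never matching the locally generated packets (the accepted solution), modelled as an added Python example. This is not code from the thread or from Cisco; the routing table is the one the author posted, while the LOWSEC ACL contents are constructed, since the page never shows them.

```python
import ipaddress

# Routing table of R2 as posted in the thread: connected routes only, no default.
ROUTES = {
    "172.18.0.0/23": "FastEthernet4.1",
    "172.25.20.0/24": "FastEthernet4.620",
    "10.1.11.0/25": "Loopback0",
}

def lookup(dst):
    """Longest-prefix match against ROUTES; None when the table has no route."""
    best = None
    for prefix, iface in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def acl_matches(acl, src, dst):
    """Extended ACL as (source, destination) prefix pairs. A packet matches only
    when BOTH sides match, so an ACL with src/dst reversed never hits it."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(sp) and d in ipaddress.ip_network(dp)
               for sp, dp in acl)

def policy_route(acl, set_kind, next_hop, src, dst):
    """Return (decision, target) mirroring what 'debug ip policy' reports."""
    if not acl_matches(acl, src, dst):
        return ("policy rejected -- normal forwarding", lookup(dst))
    if set_kind == "next-hop":        # 'set ip next-hop': policy beats the table
        return ("policy match", next_hop)
    via = lookup(dst)                 # 'set ip default next-hop': table first,
    return ("policy match", next_hop) if via is None else ("routed by table", via)

# Constructed ACLs (hypothetical contents of LOWSEC): src/dst backward, and fixed.
LOWSEC_BACKWARD = [("2.2.2.2/32", "172.25.20.0/24")]
LOWSEC_FIXED = [("172.25.20.0/24", "2.2.2.2/32")]

if __name__ == "__main__":
    # Locally sourced ISAKMP packet from the debug output: s=172.25.20.125, d=2.2.2.2
    for name, acl in (("backward", LOWSEC_BACKWARD), ("fixed", LOWSEC_FIXED)):
        print(name, policy_route(acl, "default next-hop", "172.25.20.1",
                                 "172.25.20.125", "2.2.2.2"))
```

With the backward ACL the packet is "policy rejected -- normal forwarding" and, with no default route in the table, has nowhere to go; with the fixed ACL it is policy-routed to 172.25.20.1 because the table has no route for 2.2.2.2.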