[Webinar] Streamline your web hosting managementRegister Today

x
?
Solved

PBR on 861W

Posted on 2011-09-14
7
Medium Priority
?
354 Views
Last Modified: 2012-05-12
I am trying to use PBR on an 861W.  I setup a route map and the next hop to the appropriate IP address.  However, even though the access list getting hits none of the hits match the route and thus I cannot route the traffic.  However, if I put the static route in manually traffic flows without a problem.  

I using virtual VLAN interfaces and I am not sure what I am doing wrong with the route map or if the route maps work with the virtual interfaces.

In the configuration R1 has a default route to the Internet; On router 2 I wanted to control routing using PBR.  When I enter the static route I can get out to the Internet just fine, when I remove it I cannot get out any more.  
PBR-Diagram.pdf
route-map.txt
0
Comment
Question by:bluejojordan
  • 4
  • 2
7 Comments
 
LVL 18

Expert Comment

by:Garry Glendown
ID: 36538737
If you do not have a default route on R2, it won't know where to route anything if the PBR doesn't match anything.
As to your config, contrary to your PDF you PBR anything that is destined to 2.2.2.2 and 3.3.3.3 towards VLAN620 ... is that what you want? Anything not going to those two IPs will not be touched by PBR ...
0
 

Author Comment

by:bluejojordan
ID: 36538846
Yes, for now I only want to send traffic to those two IP address 3.3.3.3 (VLAN620) and 2.2.2.2(VLAN1). However, access-list is getting hits, but the policy is not being applied.  I trying to figure out what I am missing because I do not know.  I thought it might be some limitation on the 861W
0
 
LVL 18

Expert Comment

by:Garry Glendown
ID: 36539000
Can you post the output of the command "show route-map" ?

Without having the config of the router, based on your original description, this is what currently happens:

When you don't have the default route configured, the routing table of the 860 router will look something like this:

10.1.11.0/25 -> connected, ETH0 (?)
172.25.20.0/24 -> connected, VLAN 620
172.18.1.0/23 -> connected, VLAN 1

Additionally, with the syntax used in the .txt file, the route-map matches for both 3.3.3.3 and 2.2.2.2, causing the router to check the routing table. The "set ip default next-hop" syntax checks whether a route for the destination IP (either 3.3.3.3 or 2.2.2.2) is available - which it isn't - and therefor should use the next hop defined ... Again, please note that the current config will forward packets to both IP addresses via VLAN620, not like you listed in the PDF

Can you do a "debug ip policy" then create some traffic to either IP?
0
Never miss a deadline with monday.com

The revolutionary project management tool is here!   Plan visually with a single glance and make sure your projects get done.

 

Author Comment

by:bluejojordan
ID: 36539152
The traffic below is VPN (L2L) ISAKMP traffic.  I also added the  ip local policy route-map VPN_ROUTING command.  Once I did that I started actually seeing the messages below.


Route-map Config
**************************************************************
route-map VPN_ROUTING permit 10
 match ip address LOWSEC
 set ip default next-hop 172.25.20.1
*************************************************************


Route Table
C       172.18.0.0 is directly connected, FastEthernet4.1
     172.25.0.0/24 is subnetted, 1 subnets
C       172.25.20.0 is directly connected, FastEthernet4.620
C       10.1.11.0 is directly connected, Loopback0


*Mar  1 01:28:06.163: IP: s=172.25.20.125 (local), d=2.2.2.2, len 56, policy rejected -- normal forwarding
*Mar  1 01:28:16.159: IP: s=172.25.20.125 (local), d=2.2.2.2, len 56, policy rejected -- normal forwarding
*Mar  1 01:28:26.163: IP: s=172.25.20.125 (local), d=2.2.2.2, len 56, policy rejected -- normal forwarding
*Mar  1 01:28:36.159: IP: s=172.25.20.125 (local), d=2.2.2.2, len 56, policy rejected -- normal forwarding
*Mar  1 01:28:46.039: IP: s=172.25.20.125 (local), d=2.2.2.2, len 56, policy rejected -- normal forwarding
0
 
LVL 15

Expert Comment

by:wingatesl
ID: 36539647
Remove the set interface from the route-map
0
 

Accepted Solution

by:
bluejojordan earned 0 total points
ID: 36816968
Problem seemed to be that I had my source and destination backward.
0
 

Author Closing Comment

by:bluejojordan
ID: 36908449
I figured the problem by trying numerous configurations and debugs.  Turned out the problem was the src/dst were backward.
0

Featured Post

The new generation of project management tools

With monday.com’s project management tool, you can see what everyone on your team is working in a single glance. Its intuitive dashboards are customizable, so you can create systems that work for you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
Shadow IT is coming out of the shadows as more businesses are choosing cloud-based applications. It is now a multi-cloud world for most organizations. Simultaneously, most businesses have yet to consolidate with one cloud provider or define an offic…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

591 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question