• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 363
  • Last Modified:

PBR on 861W

I am trying to use PBR on an 861W.  I setup a route map and the next hop to the appropriate IP address.  However, even though the access list getting hits none of the hits match the route and thus I cannot route the traffic.  However, if I put the static route in manually traffic flows without a problem.  

I using virtual VLAN interfaces and I am not sure what I am doing wrong with the route map or if the route maps work with the virtual interfaces.

In the configuration R1 has a default route to the Internet; On router 2 I wanted to control routing using PBR.  When I enter the static route I can get out to the Internet just fine, when I remove it I cannot get out any more.  
PBR-Diagram.pdf
route-map.txt
0
bluejojordan
Asked:
bluejojordan
  • 4
  • 2
1 Solution
 
Garry GlendownConsulting and Network/Security SpecialistCommented:
If you do not have a default route on R2, it won't know where to route anything if the PBR doesn't match anything.
As to your config, contrary to your PDF you PBR anything that is destined to 2.2.2.2 and 3.3.3.3 towards VLAN620 ... is that what you want? Anything not going to those two IPs will not be touched by PBR ...
0
 
bluejojordanAuthor Commented:
Yes, for now I only want to send traffic to those two IP address 3.3.3.3 (VLAN620) and 2.2.2.2(VLAN1). However, access-list is getting hits, but the policy is not being applied.  I trying to figure out what I am missing because I do not know.  I thought it might be some limitation on the 861W
0
 
Garry GlendownConsulting and Network/Security SpecialistCommented:
Can you post the output of the command "show route-map" ?

Without having the config of the router, based on your original description, this is what currently happens:

When you don't have the default route configured, the routing table of the 860 router will look something like this:

10.1.11.0/25 -> connected, ETH0 (?)
172.25.20.0/24 -> connected, VLAN 620
172.18.1.0/23 -> connected, VLAN 1

Additionally, with the syntax used in the .txt file, the route-map matches for both 3.3.3.3 and 2.2.2.2, causing the router to check the routing table. The "set ip default next-hop" syntax checks whether a route for the destination IP (either 3.3.3.3 or 2.2.2.2) is available - which it isn't - and therefor should use the next hop defined ... Again, please note that the current config will forward packets to both IP addresses via VLAN620, not like you listed in the PDF

Can you do a "debug ip policy" then create some traffic to either IP?
0
Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

 
bluejojordanAuthor Commented:
The traffic below is VPN (L2L) ISAKMP traffic.  I also added the  ip local policy route-map VPN_ROUTING command.  Once I did that I started actually seeing the messages below.


Route-map Config
**************************************************************
route-map VPN_ROUTING permit 10
 match ip address LOWSEC
 set ip default next-hop 172.25.20.1
*************************************************************


Route Table
C       172.18.0.0 is directly connected, FastEthernet4.1
     172.25.0.0/24 is subnetted, 1 subnets
C       172.25.20.0 is directly connected, FastEthernet4.620
C       10.1.11.0 is directly connected, Loopback0


*Mar  1 01:28:06.163: IP: s=172.25.20.125 (local), d=2.2.2.2, len 56, policy rejected -- normal forwarding
*Mar  1 01:28:16.159: IP: s=172.25.20.125 (local), d=2.2.2.2, len 56, policy rejected -- normal forwarding
*Mar  1 01:28:26.163: IP: s=172.25.20.125 (local), d=2.2.2.2, len 56, policy rejected -- normal forwarding
*Mar  1 01:28:36.159: IP: s=172.25.20.125 (local), d=2.2.2.2, len 56, policy rejected -- normal forwarding
*Mar  1 01:28:46.039: IP: s=172.25.20.125 (local), d=2.2.2.2, len 56, policy rejected -- normal forwarding
0
 
wingateslCommented:
Remove the set interface from the route-map
0
 
bluejojordanAuthor Commented:
Problem seemed to be that I had my source and destination backward.
0
 
bluejojordanAuthor Commented:
I figured the problem by trying numerous configurations and debugs.  Turned out the problem was the src/dst were backward.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

The 14th Annual Expert Award Winners

The results are in! Meet the top members of our 2017 Expert Awards. Congratulations to all who qualified!

  • 4
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now