Solved

PBR on 861W

Posted on 2011-09-14
7
327 Views
Last Modified: 2012-05-12
I am trying to use PBR on an 861W.  I setup a route map and the next hop to the appropriate IP address.  However, even though the access list getting hits none of the hits match the route and thus I cannot route the traffic.  However, if I put the static route in manually traffic flows without a problem.  

I using virtual VLAN interfaces and I am not sure what I am doing wrong with the route map or if the route maps work with the virtual interfaces.

In the configuration R1 has a default route to the Internet; On router 2 I wanted to control routing using PBR.  When I enter the static route I can get out to the Internet just fine, when I remove it I cannot get out any more.  
PBR-Diagram.pdf
route-map.txt
0
Comment
Question by:bluejojordan
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
7 Comments
 
LVL 18

Expert Comment

by:Garry Glendown
ID: 36538737
If you do not have a default route on R2, it won't know where to route anything if the PBR doesn't match anything.
As to your config, contrary to your PDF you PBR anything that is destined to 2.2.2.2 and 3.3.3.3 towards VLAN620 ... is that what you want? Anything not going to those two IPs will not be touched by PBR ...
0
 

Author Comment

by:bluejojordan
ID: 36538846
Yes, for now I only want to send traffic to those two IP address 3.3.3.3 (VLAN620) and 2.2.2.2(VLAN1). However, access-list is getting hits, but the policy is not being applied.  I trying to figure out what I am missing because I do not know.  I thought it might be some limitation on the 861W
0
 
LVL 18

Expert Comment

by:Garry Glendown
ID: 36539000
Can you post the output of the command "show route-map" ?

Without having the config of the router, based on your original description, this is what currently happens:

When you don't have the default route configured, the routing table of the 860 router will look something like this:

10.1.11.0/25 -> connected, ETH0 (?)
172.25.20.0/24 -> connected, VLAN 620
172.18.1.0/23 -> connected, VLAN 1

Additionally, with the syntax used in the .txt file, the route-map matches for both 3.3.3.3 and 2.2.2.2, causing the router to check the routing table. The "set ip default next-hop" syntax checks whether a route for the destination IP (either 3.3.3.3 or 2.2.2.2) is available - which it isn't - and therefor should use the next hop defined ... Again, please note that the current config will forward packets to both IP addresses via VLAN620, not like you listed in the PDF

Can you do a "debug ip policy" then create some traffic to either IP?
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:bluejojordan
ID: 36539152
The traffic below is VPN (L2L) ISAKMP traffic.  I also added the  ip local policy route-map VPN_ROUTING command.  Once I did that I started actually seeing the messages below.


Route-map Config
**************************************************************
route-map VPN_ROUTING permit 10
 match ip address LOWSEC
 set ip default next-hop 172.25.20.1
*************************************************************


Route Table
C       172.18.0.0 is directly connected, FastEthernet4.1
     172.25.0.0/24 is subnetted, 1 subnets
C       172.25.20.0 is directly connected, FastEthernet4.620
C       10.1.11.0 is directly connected, Loopback0


*Mar  1 01:28:06.163: IP: s=172.25.20.125 (local), d=2.2.2.2, len 56, policy rejected -- normal forwarding
*Mar  1 01:28:16.159: IP: s=172.25.20.125 (local), d=2.2.2.2, len 56, policy rejected -- normal forwarding
*Mar  1 01:28:26.163: IP: s=172.25.20.125 (local), d=2.2.2.2, len 56, policy rejected -- normal forwarding
*Mar  1 01:28:36.159: IP: s=172.25.20.125 (local), d=2.2.2.2, len 56, policy rejected -- normal forwarding
*Mar  1 01:28:46.039: IP: s=172.25.20.125 (local), d=2.2.2.2, len 56, policy rejected -- normal forwarding
0
 
LVL 15

Expert Comment

by:wingatesl
ID: 36539647
Remove the set interface from the route-map
0
 

Accepted Solution

by:
bluejojordan earned 0 total points
ID: 36816968
Problem seemed to be that I had my source and destination backward.
0
 

Author Closing Comment

by:bluejojordan
ID: 36908449
I figured the problem by trying numerous configurations and debugs.  Turned out the problem was the src/dst were backward.
0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article is a guide to configure bridging on Cisco Routers.  This is something I never knew was possible until after making a few phone calls to Cisco.  Using bridging saved our company money by not requiring us to purchase a new switch.  Bridgi…
The Cisco RV042 router is a popular small network interfacing device that is often used as an internet gateway. Network administrators need to get at the management interface to make settings, change passwords, etc. This access is generally done usi…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses
Course of the Month10 days, 17 hours left to enroll

632 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question