topic Re: PBR not working in Routing and SD-WAN

PBR not working

old&bald — Mon, 29 Jul 2019 11:36:52 GMT

Need to redirect all web requests from PPPOE users destined to 192.168.99.9 over another gateway 172.16.1.1 using an old 7200 router.

Below is my config, router also participates in OSPF and iBGP with its neighbors.

Cisco IOS Software, 7200 Software (C7200P-ADVENTERPRISEK9-M), Version 12.4(15)T4, RELEASE SOFTWARE (fc2)

ip access-list extended gwadd
permit tcp any host 192.168.99.9 eq www

route-map GWPOL permit 10
match ip address gwadd
set ip next-hop 172.16.1.1

interface Virtual-Template70
ip policy route-map GWPOL

#sh route-map

route-map GWPOL, permit, sequence 10
Match clauses:
ip address (access-lists): GWPOL
Set clauses:
ip next-hop 172.16.1.1
Policy routing matches: 24707 packets, 2054970 bytes

#sh ip policy

Interface Route map
Vi4 GWPOL
Vi5 GWPOL
Vi6 GWPOL
Vi10 GWPOL
Vi11 GWPOL
Vi13 GWPOL
Vi14 GWPOL
Vi15 GWPOL
Vi17 GWPOL
Vi23 GWPOL
Vi26 GWPOL
Vi27 GWPOL
Vi32 GWPOL
Vi33 GWPOL
Vi38 GWPOL
Vi39 GWPOL

#sh logg | i 192.168.99.9
Jul 29 09:15:57.428: IP: s=10.8.7.6 (Virtual-Access647), d=192.168.99.9, len 64, FIB policy rejected(no match) - normal forwarding

Re: PBR not working

Georg Pauwen — Mon, 29 Jul 2019 13:06:26 GMT

Hello,

looking at the debug output, it seems like the packet that is not matching has a length of 64 bytes, which is the minimum size for an Ethernet frame. I guess to find out what kind of packet that is exactly, you would have to use a packet analyzer such as Wireshark...is that an option ?

Re: PBR not working

Richard Burts — Mon, 29 Jul 2019 16:05:45 GMT

What can you tell us about address 172.16.1.1? Can you post the output of show ip route so we can be sure that this is reachable as a next hop?

The log message tells us about the source address and the destination address but does not tell us about the what tcp port it uses. Can we be sure that it was www?

We see a specific message about this packet. I wonder if there might be other messages about it in the log file. Could you post the other syslog messages within a minute or 2 of this event?

HTH

Rick

Re: PBR not working

old&bald — Tue, 30 Jul 2019 08:40:44 GMT

matching has a length of 64 bytes, which is the minimum size for an Ethernet frame.

Yes it is true and even 52 sized packets appear in debug.

Wireshark...is that an option ?

Unfortunately not, router is still in production and under heavy load.

Re: PBR not working

paul driver — Tue, 30 Jul 2019 08:47:47 GMT

Hello

@old&bald wrote:

interface Virtual-Template70
ip policy route-map GWPOL

#sh logg | i 192.168.99.9
Jul 29 09:15:57.428: IP: s=10.8.7.6 (Virtual-Access647), d=192.168.99.9, len 64, FIB policy rejected(no match) - normal forwarding

Try applying the PBR to the physical interface associated with the VT70?

Re: PBR not working

old&bald — Tue, 30 Jul 2019 08:59:45 GMT

@Richard Burts wrote:
What can you tell us about address 172.16.1.1?

On this router 172.16.1.1 is in Directly Connected subnet, raising simple Static Route does the job, but I need to separate only 80 port.

We see a specific message about this packet. I wonder if there might be other messages about it in the log file. Could you post the other syslog messages within a minute or 2 of this event?

Unfortunately long debug is impossible as router currently uses over 90% of its cpu power. Yesterday to get this 1 second debug I've led down this router for 5 minutes. It is to be decommissioned and replaced with 9001 in short term, but up to then I planned to finish one small job using this PBR.

Will try to speed up migration to 9k then.

Re: PBR not working

old&bald — Tue, 30 Jul 2019 09:19:06 GMT

Didn't work, still routed to upstream.

Re: PBR not working

paul driver — Tue, 30 Jul 2019 10:00:47 GMT

Hello

@old&bald wrote:

interface Virtual-Template70
ip policy route-map GWPOL

#sh ip policy

Interface Route map
Vi4 GWPOL
Vi5 GWPOL
Vi6 GWPOL
Vi10 GWPOL
Vi11 GWPOL
Vi13 GWPOL
Vi14 GWPOL
Vi15 GWPOL
Vi17 GWPOL
Vi23 GWPOL
Vi26 GWPOL
Vi27 GWPOL
Vi32 GWPOL
Vi33 GWPOL
Vi38 GWPOL
Vi39 GWPOL

I dont see vt70 in this listing unless you haven't posted all the output?

Re: PBR not working

old&bald — Tue, 30 Jul 2019 10:04:33 GMT

Yes, I've shortened it, but it is there 🙂

Output on that command is 5-6 SPACEs long.

Re: PBR not working

paul driver — Tue, 30 Jul 2019 11:22:38 GMT

Hello

So in relation to the web host and the next hop ip address are those subnetnetworks on the same router, Is the next-hop reachable?

I am assuming you wish any host for tcp 80 to be pbr'd towards host 192.168.99.9 via 172.16.1.1 , if so try changing you acl to accommodate such traffic.

~~permit tcp any host 192.168.99.9 eq www~~
permit tcp any eq www host 192.168.99.9

Re: PBR not working

old&bald — Tue, 30 Jul 2019 13:52:10 GMT

Paul,

I need any host requesting 80 from 192.168.99.9 (masked for publication) to be routed over 172.16.1.1 (also masked).

192.168.99.9 is located on the Internet, I've created a fake web-site with this IP in internal perimeter which is accessible over 172.16.1.1. So I need all PPPoE clients requesting any web-page from 192.168.99.9 internet address to be forwarded to my web-server.

Currently when I browse 192.168.99.9 from Lab VM connected over PPPoE the request is timed out until I delete the policy setting from Virtual Template interface. So the policy is working, somehow, but packets are not forwarded to internal perimeter (have a normal monitoring there), so I stuck on 7200 due to normal debug unavailability and cannot troubleshoot it more comprehensively.