Switch PBR working is not normal.

eeebbunee
Level 1

Hello Professionals,

I have an unexpected issue when applying PBR on my Cisco switch, but I don't understand why this happened.

First things first:

   - Switch: C9300L-48P-4G-E
   - Version: 16.12.4
   - Image: CAT9K_IOSXE

I have a PBR policy and it is applied to 2 different VLANs.

interface Vlan111
 description Default
 ip address 10.111.0.1 255.255.255.0
 ip policy route-map SVN_Project_R
!
interface Vlan222
 description SVN Project Users
 ip address 10.222.0.1 255.255.255.0
 ip policy route-map SVN_Project_R
!
ip access-list extended SVN_Project
 10 permit ip 10.111.0.128 0.0.0.15 host 172.21.100.100
 20 permit ip host 10.222.0.10 host 172.21.100.100
!
route-map SVN_Project_R permit 10
 match ip address SVN_Project
 set ip next-hop 10.333.0.254
!

So, my configuration is working fine so far.

However, when I tried to delete the configuration like this:

BB(Config)# no ip access-list extended SVN_Project

All networking stopped. It looks like the switch is no longer routing.
I thought that even though I deleted the PBR ACL, routing would still work fine because the switch has a gateway of last resort.

I would like to make sure whether routing was messed up because I just deleted the ACL, or whether the switch works in a weird way.


Please help, much appreciated.

11 Replies

IP_Cartel
Level 1

Do you have 'ip policy route-map SVN_Project_R permit 10' on the interface? Is this the correct name of the route map? SVN_Project_R permit 10

Hello,

Yes, that is configured like that.

I'm not sure of the difference between

Route-map SVN_Project_R permit 10

and

Route-map SVN_Project_R

Should I change the configuration to 'Route-map SVN_Project_R'?

Thank you very much for your comment!




You are right, the SW can use the RIB to route the traffic if the route-map (PBR) is deleted, BUT
have you configured any default route in the SW to make the SW use it to forward packets after you delete PBR??
If NO, then you need to config a default route.

Hello @MHM Cisco World

Does a default route mean the configuration has 'ip route 0.0.0.0 0.0.0.0 next hop'?

When I do >> sh ip route

Gateway of last resort is 10.333.0.254 to network 0.0.0.0

Please advise me if that isn't enough to have a default route..

Thank you very much..!




Yes, I think so,
you need a default route as you mentioned above.
'ip route 0.0.0.0 0.0.0.0 next hop'


Friend, you are right. @Georg Pauwen mentioned using debug ip policy to observe the behaviour of PBR with an empty ACL and, as you noticed,
the traffic is still marked as a match and uses the next-hop set in PBR even after I configured a static route and ip default-gateway.

So it is not normal.

I am not clear about "so it not normal ". What is not normal?

The behavior of an empty (or non-existent) acl has changed over time. In early versions of IOS a reference to an empty/non-existent acl would use the implicit deny all. Then the behavior changed. For a long time the normal behavior of a reference to an empty/non-existent acl has been permit any.

I agree that the way to really settle this question is to run debug for PBR. I predict that it will show that all traffic is using the special PBR forwarding and not the normal forwarding.

HTH

Rick

I found this in a Cisco doc, which can explain the behaviour of an empty ACL:
"If no ACL is configured in order to establish the match criteria, it results in all traffic being policy-routed."

Thank you. That reference does confirm my explanation of what is going on.

HTH

Rick

Hello,

with the access list removed, turn on 'debug ip policy' and post the output.

Am I correct in understanding that the ip policy route-map is still applied on both vlan interfaces and that the route map is still in the configuration, and only the acl has been deleted? I believe that the behavior of the route map is that if there is a match statement pointing to an acl but that acl does not exist then effectively there is no match statement logic in the policy. The result is that all traffic now matches the route map and is being forwarded to 10.333.0.254.

If you delete the acl used by PBR then why would you retain the route map and the ip policy statements? 

I believe that if you remove the ip policy route-map statement from both vlan interfaces then your routing will return to normal.

HTH

Rick
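A small Python model of the route-map evaluation Rick describes above (and of the "no ACL configured means all traffic is policy-routed" rule quoted from the Cisco doc), added here as an illustration; it is not code from the thread or from Cisco. It assumes a RIB holding the two SVI subnets as connected routes plus the gateway of last resort shown in the thread, and it models 'set ip next-hop' as overriding the RIB, which is why inter-VLAN traffic stops being delivered as connected once the ACL is gone.

```python
import ipaddress

NET = ipaddress.IPv4Network
ADDR = ipaddress.IPv4Address

# Constructed from the thread's configuration: ACL SVN_Project and the
# route-map that references it. Wildcard 0.0.0.15 on 10.111.0.128 is a /28.
ACLS = {
    "SVN_Project": [
        (NET("10.111.0.128/28"), NET("172.21.100.100/32")),
        (NET("10.222.0.10/32"), NET("172.21.100.100/32")),
    ],
}
ROUTE_MAP = {"match_acl": "SVN_Project", "next_hop": "10.333.0.254"}
# Assumed RIB: the two SVI subnets as connected routes plus the gateway of
# last resort from 'show ip route' (kept as a string; the thread's value is
# a placeholder, not a valid IPv4 address).
CONNECTED = [NET("10.111.0.0/24"), NET("10.222.0.0/24")]
DEFAULT_GATEWAY = "10.333.0.254"


def acl_matches(acls, name, src, dst, missing_acl_matches_all=True):
    """Evaluate 'match ip address <name>' for a source/destination pair.
    When the ACL has been deleted, current IOS treats the match as 'permit
    any' (early IOS used implicit deny); the flag selects which behaviour."""
    aces = acls.get(name)
    if aces is None:
        return missing_acl_matches_all
    s, d = ADDR(src), ADDR(dst)
    return any(s in a_src and d in a_dst for a_src, a_dst in aces)


def forward(src, dst, acls, policy_on_svi=True, missing_acl_matches_all=True):
    """Return where a packet entering the SVI is sent: the PBR next hop when
    the route-map matches, otherwise the RIB result ('connected' for
    inter-VLAN traffic, else the default gateway)."""
    if policy_on_svi and acl_matches(acls, ROUTE_MAP["match_acl"], src, dst,
                                     missing_acl_matches_all):
        return ROUTE_MAP["next_hop"]  # PBR overrides the RIB lookup
    if any(ADDR(dst) in n for n in CONNECTED):
        return "connected"
    return DEFAULT_GATEWAY


if __name__ == "__main__":
    after_delete = {k: v for k, v in ACLS.items() if k != "SVN_Project"}
    print(forward("10.111.0.5", "10.222.0.7", ACLS))          # connected
    print(forward("10.111.0.5", "10.222.0.7", after_delete))  # 10.333.0.254
    print(forward("10.111.0.5", "10.222.0.7", after_delete, policy_on_svi=False))
```

The third call shows Rick's fix: with 'ip policy route-map' removed from the SVIs, the same inter-VLAN packet is delivered as connected again.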