07-26-2006 06:44 PM - edited 03-03-2019 04:15 AM
access-list 102 permit ip 10.20.126.0 0.0.0.255 10.64.0.0 0.3.255.255
access-list 102 permit ip 10.20.126.0 0.0.0.255 10.70.0.0 0.1.255.255
access-list 102 permit ip 10.20.126.0 0.0.0.255 10.72.0.0 0.3.255.255
access-list 102 permit ip 10.20.126.0 0.0.0.255 10.68.0.0 0.1.255.255
access-list 102 permit ip 10.20.54.0 0.0.0.255 10.64.0.0 0.3.255.255
access-list 102 permit ip 10.20.54.0 0.0.0.255 10.68.0.0 0.3.255.255
access-list 102 permit ip 10.20.54.0 0.0.0.255 10.72.0.0 0.3.255.255
interface Vlan54
 ip address 10.20.54.5 255.255.255.0
 no ip redirects
 ip route-cache policy
 ip policy route-map via-SSWAHS
 standby 1 ip 10.20.54.1
 standby 1 priority 200
end
interface Vlan126
 ip address 10.20.126.1 255.255.255.0
 no ip redirects
 ip route-cache policy
 ip policy route-map via-SSWAHS
end
route-map via-SSWAHS, permit, sequence 10
  Match clauses:
    ip address (access-lists): 102
  Set clauses:
    ip next-hop 10.20.32.1
Can anybody help?
PBR only works on interface Vlan126. The interface Vlan54 with HSRP does not follow the PBR rule.
Thanks
Kelvin
07-26-2006 06:55 PM
Can you configure two ACLs for VLAN 54 and 126, then check the ACL counters to determine whether the ACL is working on VLAN 54?
Can you confirm that VLAN 54 is the active HSRP? And where is 10.20.32.1?
07-26-2006 07:44 PM
HTLVISR2#sh stan
HTLVISR2#sh standby vlan54
Vlan54 - Group 1
Local state is Active, priority 200
Hellotime 3 sec, holdtime 10 sec
Next hello sent in 0.044
Virtual IP address is 10.20.54.1 configured
Active router is local
Standby router is unknown
Virtual mac address is 0000.0c07.ac01
2 state changes, last state change 16w4d
IP redundancy name is "hsrp-Vl54-1" (default)
HTLVISR2#
HTLVISR2#traceroute
Protocol [ip]:
Target IP address: 10.66.2.2
Source address: 10.20.126.1
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 10.66.2.2
1 10.20.32.209 0 msec 0 msec 0 msec
2 isdx01-f6-0.hdoc.nsw.gov.au (10.20.32.1) 0 msec 0 msec 0 msec
3 10.32.1.68 0 msec 0 msec 0 msec
4 10.33.126.5 0 msec 0 msec 0 msec
5 10.33.254.1 4 msec 4 msec 0 msec
6 10.66.0.5 16 msec 16 msec 16 msec
7 10.66.2.2 20 msec 20 msec 24 msec
HTLVISR2#
HTLVISR2#
HTLVISR2#traceroute
Protocol [ip]:
Target IP address: 10.66.2.2
Source address: 10.20.54.5
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 10.66.2.2
1 10.20.32.209 0 msec 0 msec 0 msec
2 hdswacr1-v33.hdoc.nsw.gov.au (10.20.33.3) 0 msec 0 msec 0 msec
3 10.255.192.33 0 msec 4 msec 0 msec
4 10.255.192.30 4 msec 4 msec 0 msec
5 10.192.135.36 4 msec 4 msec 0 msec
6 10.75.1.1 28 msec 20 msec 20 msec
7 10.66.0.5 20 msec 20 msec 20 msec
8 10.66.2.2 16 msec 20 msec 16 msec
HTLVISR2#
HTLVISR2#sh ip route 10.20.32.1
Routing entry for 10.20.32.0/30
Known via "ospf 1", distance 110, metric 20, type extern 2, forward metric 1
Last update from 10.20.32.209 on Vlan20, 1d03h ago
Routing Descriptor Blocks:
* 10.20.32.209, from 10.20.4.1, 1d03h ago, via Vlan20
Route metric is 20, traffic share count is 1
HTLVISR2#
Thank you for your reply. I will try your advice as soon as my boss gets back to me.
Kelvin
07-26-2006 07:56 PM
It looks like the packet is routed to the correct next hop, 10.20.32.1, whose next hop is 10.20.32.209.
Can you check the ACL counter? I suspect it is a remote-side issue: the packet seems to be routed to 10.20.32.209, but that router routes the source IP 10.20.54.x to 10.20.33.3 and not 10.20.33.1. It is out of your control. You had better check the remote side to confirm they route the packet correctly. Please also provide the routing table of the 10.20.32.209 router for analysis.
Hope this helps.
07-26-2006 09:29 PM
07-26-2006 09:46 PM
Kevin, according to the config of HTLVISR1, there is no such ACL for the source 10.20.54.x for PBR. Therefore, it cannot use PBR to redirect the packet to the preferred next hop and uses the routing table to forward the packet. Please configure a similar ACL on HRLVISR1 to the one on HRLVISR2. It should solve the problem.
Hope this helps.
07-26-2006 10:08 PM
That's true, and this is a good example of having enough information to go to the next level of troubleshooting. However, this would mean why is PBR needed on HRLVISR2 since both sources (10.20.126.0/24 and 10.20.54.0/24) will be taking the 10.20.32.209 next-hop anyway? PBR is not required on HRLVISR2.
07-27-2006 12:42 AM
Hi Roberto, I agree on the information point. But in this case, the packet first arrives at HRLVISR2 and then at 1, and the routing table in 2 is not the same as the PBR path, so I believe both routers still require PBR in order to make the packet travel along the whole pre-defined path (PBR). Do you agree?
07-27-2006 12:48 AM
On HRLVISR2 the packet will take the same next-hop with or without PBR. It is really not doing anything on that device, logically speaking.
07-27-2006 12:55 AM
Thanks. I got your point.
Kevin, could you please provide the routing table of 2? If the routing table shows the traffic is already going out via the preferred path then we don't need PBR at 2; otherwise, we still need it.
07-30-2006 04:49 PM
Thank you, everybody, for the help.
It is working now.
I added the following:
HTLVISR1#sh run | in access-list 101
access-list 101 permit ip 10.20.126.0 0.0.0.255 10.64.0.0 0.7.255.255
access-list 101 permit ip 10.20.126.0 0.0.0.255 10.72.0.0 0.3.255.255
access-list 101 permit ip 10.20.54.0 0.0.0.255 10.64.0.0 0.7.255.255
access-list 101 permit ip 10.20.54.0 0.0.0.255 10.72.0.0 0.3.255.255
Kelvin Cheung
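
An added example, not part of any post in this thread: a Python check that evaluates IOS wildcard-mask ACEs the way the route-map match clause does, run over the ACL 102 and ACL 101 lines quoted above, so you can see which ACE a given source/destination pair hits and whether the two ACLs select the same traffic. The function names are hypothetical, and the coverage comparison assumes every destination wildcard ends in .255.255, as all of them on this page do.

```python
import ipaddress
import re

# ACE lines copied from the thread: ACL 102 (first post), ACL 101 (last post, HTLVISR1).
ACL_TEXT = """
access-list 102 permit ip 10.20.126.0 0.0.0.255 10.64.0.0 0.3.255.255
access-list 102 permit ip 10.20.126.0 0.0.0.255 10.70.0.0 0.1.255.255
access-list 102 permit ip 10.20.126.0 0.0.0.255 10.72.0.0 0.3.255.255
access-list 102 permit ip 10.20.126.0 0.0.0.255 10.68.0.0 0.1.255.255
access-list 102 permit ip 10.20.54.0 0.0.0.255 10.64.0.0 0.3.255.255
access-list 102 permit ip 10.20.54.0 0.0.0.255 10.68.0.0 0.3.255.255
access-list 102 permit ip 10.20.54.0 0.0.0.255 10.72.0.0 0.3.255.255
access-list 101 permit ip 10.20.126.0 0.0.0.255 10.64.0.0 0.7.255.255
access-list 101 permit ip 10.20.126.0 0.0.0.255 10.72.0.0 0.3.255.255
access-list 101 permit ip 10.20.54.0 0.0.0.255 10.64.0.0 0.7.255.255
access-list 101 permit ip 10.20.54.0 0.0.0.255 10.72.0.0 0.3.255.255
"""
ACE_RE = re.compile(r"access-list (\d+) (permit|deny) ip (\S+) (\S+) (\S+) (\S+)")

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_acls(text):
    """Return {acl_number: [(action, src, src_wild, dst, dst_wild), ...]} in order."""
    acls = {}
    for m in ACE_RE.finditer(text):
        num, action, *fields = m.groups()
        acls.setdefault(num, []).append((action, *map(to_int, fields)))
    return acls

def wild_match(addr, base, wild):
    """A wildcard bit of 1 means "don't care"; every other bit must equal the base."""
    return (addr & ~wild) == (base & ~wild)

def first_match(aces, src, dst):
    """(index, action) of the first ACE matching the packet, or None (implicit deny)."""
    s, d = to_int(src), to_int(dst)
    for i, (action, sb, sw, db, dw) in enumerate(aces):
        if wild_match(s, sb, sw) and wild_match(d, db, dw):
            return i, action
    return None

def permitted_octets(aces, src):
    """Second octets x for which 10.x.0.0/16 is permitted from src (one probe per /16)."""
    return [x for x in range(256)
            if (first_match(aces, src, f"10.{x}.0.1") or (None, "deny"))[1] == "permit"]

if __name__ == "__main__":
    acls = parse_acls(ACL_TEXT)
    for src in ("10.20.126.1", "10.20.54.5"):   # traceroute sources from the thread
        for num in ("102", "101"):
            print(num, src, first_match(acls[num], src, "10.66.2.2"),
                  permitted_octets(acls[num], src))
```

Both ACLs permit 10.64.0.0 through 10.75.255.255 from either source subnet, so the shorter ACL 101 selects the same destinations as the seven-line ACL 102.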