Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1342
Views
0
Helpful
2
Replies

PBR and Virtual Interfaces

Go to solution
chrisayres
Level 1
Level 1

‎05-29-2015 01:09 AM - edited ‎03-05-2019 01:34 AM

Hi,

I am dynamically applying PBR to a virtual-access int via AV Pairs.

However not all traffic that should be policy routed is being, some is rejected and normal routed, If I remove CEF from the virtual-template nothing is PBR'd so it is definitely doing some PBR routing but not catching every packet. see below config's, debug and ping results.

Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.2(4)M2, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Wed 07-Nov-12 17:00 by prod_rel_team

ROM: System Bootstrap, Version 15.0(1r)M16, RELEASE SOFTWARE (fc1)

route-map mymap permit 10
 match ip address mymapacl
 set ip next-hop 1.1.1.1

ip access-list standard mymapacl
 permit any

interface Virtual-Template1
 ip unnumbered Loopback100
 no peer default ip address
 ppp authentication chap

interface Virtual-Access3
 ip policy route-map mymap

 

453540: May 29 08:44:16: IP: route map mymap, item 10, permit
453541: May 29 08:44:16: IP: s=10.10.20.75 (Virtual-Access3), d=10.248.19.153, len 60, policy rejected -- normal forwarding
453542: May 29 08:44:17: IP: s=10.10.20.75 (Virtual-Access3), d=10.248.19.153, len 60, FIB policy match
453543: May 29 08:44:17: IP: s=10.10.20.75 (Virtual-Access3), d=10.248.19.153, len 60, PBR Counted
453544: May 29 08:44:17: IP: s=10.10.20.75 (Virtual-Access3), d=10.248.19.153, g=1.1.1.1, len 60, FIB policy routed
453545: May 29 08:44:17: IP: s=10.10.20.75 (Virtual-Access3), d=10.248.19.153, len 60, policy match
453546: May 29 08:44:17: IP: route map mymap, item 10, permit
453547: May 29 08:44:17: IP: s=10.10.20.75 (Virtual-Access3), d=10.248.19.153, len 60, policy rejected -- normal forwarding
453548: May 29 08:44:18: IP: s=10.10.20.75 (Virtual-Access3), d=10.248.19.153, len 60, FIB policy match
453549: May 29 08:44:18: IP: s=10.10.20.75 (Virtual-Access3), d=10.248.19.153, len 60, PBR Counted
453550: May 29 08:44:18: IP: s=10.10.20.75 (Virtual-Access3), d=10.248.19.153, g=1.1.1.1, len 60, FIB policy routed
453551: May 29 08:44:18: IP: s=10.10.20.75 (Virtual-Access3), d=10.248.19.153, len 60, policy match
453552: May 29 08:44:18: IP: route map mymap, item 10, permit
453553: May 29 08:44:18: IP: s=10.10.20.75 (Virtual-Access3), d=10.248.19.153, len 60, policy rejected -- normal forwarding
453554: May 29 08:44:19: IP: s=10.10.20.75 (Virtual-Access3), d=10.248.19.153, len 60, FIB policy match
453555: May 29 08:44:19: IP: s=10.10.20.75 (Virtual-Access3), d=10.248.19.153, len 60, PBR Counted
453556: May 29 08:44:19: IP: s=10.10.20.75 (Virtual-Access3), d=10.248.19.153, g=1.1.1.1, len 60, FIB policy routed
453557: May 29 08:44:19: IP: s=10.10.20.75 (Virtual-Access3), d=10.248.19.153, len 60, policy match
453558: May 29 08:44:19: IP: route map mymap, item 10, permit

 

Request timed out.
Reply from 10.10.20.75: bytes=32 time=54ms TTL=118
Reply from 10.10.20.75: bytes=32 time=59ms TTL=118
Request timed out.
Request timed out.
Reply from 10.10.20.75: bytes=32 time=57ms TTL=118
Reply from 10.10.20.75: bytes=32 time=60ms TTL=118
Reply from 10.10.20.75: bytes=32 time=61ms TTL=118
Request timed out.
Reply from 10.10.20.75: bytes=32 time=58ms TTL=118
Reply from 10.10.20.75: bytes=32 time=57ms TTL=118
Request timed out.
Request timed out.
Reply from 10.10.20.75: bytes=32 time=60ms TTL=118
Request timed out.
Reply from 10.10.20.75: bytes=32 time=56ms TTL=118
Reply from 10.10.20.75: bytes=32 time=58ms TTL=118
Reply from 10.10.20.75: bytes=32 time=56ms TTL=118

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Peter Paluch
Cisco Employee
Cisco Employee

‎05-29-2015 03:57 AM

Hi Chris,

Unfortunately, this looks like a bug. The configuration does not seem to be specific in any way. Just curious, do you think you can afford to put the PBR route-map on the Virtual-Template interface statically and for the time being, remove the AV pairs from your RADIUS/TACACS+? I am trying to find out if the problem is generally related to the way the Virtual-Template is instantiated into Virtual-Access interfaces and their configuration cloned, or whether there is some specific regression in the dynamic application of the route-map via the AV pairs.

In any case, do you have an option of raising this issue with TAC?

Best regards,
Peter

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Peter Paluch
Cisco Employee
Cisco Employee

‎05-29-2015 03:57 AM

Hi Chris,

Unfortunately, this looks like a bug. The configuration does not seem to be specific in any way. Just curious, do you think you can afford to put the PBR route-map on the Virtual-Template interface statically and for the time being, remove the AV pairs from your RADIUS/TACACS+? I am trying to find out if the problem is generally related to the way the Virtual-Template is instantiated into Virtual-Access interfaces and their configuration cloned, or whether there is some specific regression in the dynamic application of the route-map via the AV pairs.

In any case, do you have an option of raising this issue with TAC?

Best regards,
Peter

0 Helpful

Go to solution
chrisayres
Level 1
Level 1
In response to Peter Paluch

‎05-29-2015 05:11 AM

Hi, yep I suspected as much. I moved the policy onto the virtual-template and got the same results.

I will get TAC onto it

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card