PBR gateway problems

jefvaneijk
Level 1

We use PBR on a C3550 with two ISPs.

One ISP is used for "normal" traffic, the other for a special application.

We use a default gateway; the special traffic must go to the other gateway. When the link to the special gateway is down, ALL the traffic goes to the other link. When the link comes back up it must go back, but that is not happening.

interface Vlan1
 ip address 10.0.1.1 255.255.255.0 secondary
 ip address 10.0.1.254 255.255.255.0
 ip policy route-map ONE
!
interface Vlan9
 ip address 10.27.9.254 255.255.255.0
!
router eigrp 767
 network 10.0.0.0
 no auto-summary
 no eigrp log-neighbor-changes
!
ip default-gateway 10.0.9.1
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.9.1
ip route 10.0.32.0 255.255.255.0 10.4.1.5
!
! ACL 130: matched by route-map sequence 10, which sets no next hop
access-list 130 permit udp any 10.0.0.0 0.0.255.255
access-list 130 permit tcp any 10.0.0.0 0.0.255.255
access-list 130 permit tcp any 10.0.0.0 0.255.255.255 eq www
access-list 130 permit tcp any 10.0.0.0 0.255.255.255 eq 443
! ACL 140: matched by sequence 20, which sets the next hop
access-list 140 permit tcp any 10.0.0.0 0.255.255.255 eq 102
access-list 140 permit tcp any eq 102 10.0.0.0 0.255.255.255
access-list 140 permit tcp any any eq www
access-list 140 permit tcp any any eq ftp
access-list 140 permit tcp any any eq 443
access-list 140 permit tcp any any eq 1494
access-list 140 permit udp any any eq 1604
access-list 140 permit tcp any eq 1494 any
access-list 140 permit udp any eq 1604 any
! ACL 150: matched by sequence 30, which sets the next hop
access-list 150 permit ip any 10.2.3.0 0.0.0.255
access-list 150 permit ip any 10.4.126.0 0.0.0.255
!
! Sequence 10 has a match clause but no set clause: matching traffic is routed normally
route-map ONE permit 10
 match ip address 130
!
route-map ONE permit 20
 match ip address 140
 set ip next-hop 10.27.9.2 10.27.9.1
!
route-map ONE permit 30
 match ip address 150
 set ip next-hop 10.27.9.2 10.27.9.1
!
! Sequence 40 has no match clause: everything else matches it and is routed normally
route-map ONE permit 40
!

2 Replies

mheusinger
Level 10

Hi,

it looks like your route-map statement 10 matching access-list 130 matches parts of your statement 20 with access-list 140.

Route-map statements are treated like access-lists: top-down processing, and once you have a match you stop evaluating the route-map. So it looks to me as if you never get to statement 20 or 30 where you set the next hop.

Rewriting your access-lists to be more specific and not overlapping or reordering your route-map statements might solve your problems.

Regards

Martin

Richard Burts
Hall of Fame

Jefta

Martin is correct about the overlap between access list 130 and access list 140. Any traffic that matches 130 and also matches 140 will be treated by statement 10 and will not have its next hop altered by statement 20. But I do not agree with his assertion that you would never get to statement 20 or 30. Any traffic whose destination was not in 10.x.x.x would have the opportunity to match list 140 in statement 20.

Since list 130 is looking for destinations only in network 10 and list 140 has some permits for destination any, I believe that some traffic may get its next hop changed.

There are a couple of things that I see in the config that I do not understand. I am not sure whether they relate to the problem you are experiencing or not.

interface Vlan1
 ip address 10.0.1.1 255.255.255.0 secondary
 ip address 10.0.1.254 255.255.255.0

I do not understand why you are defining a secondary address within the same subnet as the primary address.

You are using address 10.0.9.1 in both your default-gateway definition and in the default route. But the address is not in a connected subnet (at least as far as the posted config shows), so how does the router know how to get to it for the default route? And, even more importantly, how will the default-gateway definition work?

HTH

Rick

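Both replies turn on the same mechanism: IOS walks a route-map top-down, the first permit sequence whose match clause hits is applied, and a sequence with no set clause still "wins", so the packet is routed normally and no later sequence is consulted. The Python model below is an added example and is not part of the thread or Cisco's code. It replays the posted ACLs and route-map ONE against a handful of constructed flows, then does the same with sequences 20 and 30 moved ahead of 10 (the reordering option Martin mentions) so the change in outcome is visible. It models only destination network and "eq" port matching, since every posted entry has source "any", assumes contiguous wildcard masks, and the sample flows and their port numbers are invented, with only the 10.x destinations taken from the posted config.

```python
"""Model of IOS route-map top-down evaluation for route-map ONE as posted above.
Added example, not from the thread; only destination network and 'eq' port
matching are modelled, because every posted entry has source 'any'."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.IPv4Network("0.0.0.0/0")

def wild(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS 'address wildcard' pair -> network. Assumes a contiguous wildcard mask."""
    bits = int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network(f"{addr}/{32 - bits.bit_length()}", strict=False)

@dataclass(frozen=True)
class Ace:
    proto: str                   # "ip", "tcp" or "udp"
    dst: ipaddress.IPv4Network
    sport: Optional[int] = None  # 'eq' on the source port, if present
    dport: Optional[int] = None  # 'eq' on the destination port, if present

@dataclass(frozen=True)
class Flow:
    proto: str
    dst: str        # destination address as text
    sport: int
    dport: int

# The three ACLs exactly as posted (www = 80, ftp = 21).
ACL_130 = [
    Ace("udp", wild("10.0.0.0", "0.0.255.255")),
    Ace("tcp", wild("10.0.0.0", "0.0.255.255")),
    Ace("tcp", wild("10.0.0.0", "0.255.255.255"), dport=80),
    Ace("tcp", wild("10.0.0.0", "0.255.255.255"), dport=443),
]
ACL_140 = [
    Ace("tcp", wild("10.0.0.0", "0.255.255.255"), dport=102),
    Ace("tcp", wild("10.0.0.0", "0.255.255.255"), sport=102),
    Ace("tcp", ANY, dport=80), Ace("tcp", ANY, dport=21), Ace("tcp", ANY, dport=443),
    Ace("tcp", ANY, dport=1494), Ace("udp", ANY, dport=1604),
    Ace("tcp", ANY, sport=1494), Ace("udp", ANY, sport=1604),
]
ACL_150 = [Ace("ip", wild("10.2.3.0", "0.0.0.255")), Ace("ip", wild("10.4.126.0", "0.0.0.255"))]
NEXT_HOPS = ("10.27.9.2", "10.27.9.1")

# route-map ONE as posted: (sequence, match ACL or None, next hops or None)
ROUTE_MAP_ONE = [(10, ACL_130, None), (20, ACL_140, NEXT_HOPS),
                 (30, ACL_150, NEXT_HOPS), (40, None, None)]
# Martin's reordering option, for comparison: 20 and 30 ahead of 10.
ROUTE_MAP_REORDERED = [ROUTE_MAP_ONE[1], ROUTE_MAP_ONE[2], ROUTE_MAP_ONE[0], ROUTE_MAP_ONE[3]]

def ace_matches(ace: Ace, f: Flow) -> bool:
    if ace.proto != "ip" and ace.proto != f.proto:
        return False
    if ipaddress.IPv4Address(f.dst) not in ace.dst:
        return False
    if ace.sport is not None and f.sport != ace.sport:
        return False
    return ace.dport is None or f.dport == ace.dport

def acl_permits(acl, f: Flow) -> bool:
    # Every posted entry is a permit, so any hit permits; a miss is the implicit deny.
    return any(ace_matches(ace, f) for ace in acl)

def policy_route(route_map, f: Flow):
    """Top-down: the first sequence whose match clause permits the flow is applied
    and evaluation stops. A sequence with no match clause matches everything.
    Returns (sequence, next_hops); next_hops None means normal routing."""
    for seq, acl, next_hops in route_map:
        if acl is None or acl_permits(acl, f):
            return seq, next_hops
    return None, None  # nothing matched: route-map denies, normal routing

# Constructed sample flows: 10.x destinations come from the posted config, ports are invented.
SAMPLES = {
    "tcp 102 to 10.0.32.5": Flow("tcp", "10.0.32.5", 40000, 102),
    "tcp 102 to 10.4.126.10": Flow("tcp", "10.4.126.10", 40001, 102),
    "http to 10.2.3.4": Flow("tcp", "10.2.3.4", 40002, 80),
    "http to 203.0.113.10": Flow("tcp", "203.0.113.10", 40003, 80),
    "udp 5000 to 10.4.126.10": Flow("udp", "10.4.126.10", 40004, 5000),
    "dns to 198.51.100.7": Flow("udp", "198.51.100.7", 40005, 53),
}

def evaluate(route_map=ROUTE_MAP_ONE) -> dict:
    """Which sequence each sample flow stops at, and whether a next hop is set."""
    return {name: policy_route(route_map, f) for name, f in SAMPLES.items()}

if __name__ == "__main__":
    for label, rm in (("as posted", ROUTE_MAP_ONE), ("20/30 ahead of 10", ROUTE_MAP_REORDERED)):
        print(f"route-map ONE, {label}:")
        for name, (seq, nh) in evaluate(rm).items():
            print(f"  {name:25} -> seq {seq}, {nh[0] if nh else 'normal routing'}")
```

With the route-map as posted, the port-102 flow to 10.0.32.5 and the HTTP flow to 10.2.3.4 stop at sequence 10 and never reach the set clause, while the same port-102 flow to 10.4.126.10 and HTTP to an outside address reach sequence 20 and are policy-routed, which is exactly the partial behaviour Rick describes. Moving 20 and 30 ahead of 10 sends both of the first two flows to the next hop as well, so reordering changes which 10.x traffic leaves via the second ISP, and tightening the ACLs so they do not overlap is the other route Martin names. On the switch itself, `show route-map ONE` prints per-sequence policy-routing match counters, which is the quickest way to confirm where real traffic is landing.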