12-08-2005 02:45 AM - edited 03-03-2019 11:10 AM
We use PBR on a c3550, two ISPs.
One ISP is used for "normal" traffic, the other for a special application.
We use a default gate, the special traffic must go to the other gateway. When the link to the special gateway is down ALL the traffic goes to the other link. When the link comes back up it must go back, but that is not happening.
interface Vlan1
 ip address 10.0.1.1 255.255.255.0 secondary
 ip address 10.0.1.254 255.255.255.0
 ip policy route-map ONE
!
interface Vlan9
 ip address 10.27.9.254 255.255.255.0
!
router eigrp 767
 network 10.0.0.0
 no auto-summary
 no eigrp log-neighbor-changes
!
ip default-gateway 10.0.9.1
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.9.1
ip route 10.0.32.0 255.255.255.0 10.4.1.5
!
!
access-list 130 permit udp any 10.0.0.0 0.0.255.255
access-list 130 permit tcp any 10.0.0.0 0.0.255.255
access-list 130 permit tcp any 10.0.0.0 0.255.255.255 eq www
access-list 130 permit tcp any 10.0.0.0 0.255.255.255 eq 443
access-list 140 permit tcp any 10.0.0.0 0.255.255.255 eq 102
access-list 140 permit tcp any eq 102 10.0.0.0 0.255.255.255
access-list 140 permit tcp any any eq www
access-list 140 permit tcp any any eq ftp
access-list 140 permit tcp any any eq 443
access-list 140 permit tcp any any eq 1494
access-list 140 permit udp any any eq 1604
access-list 140 permit tcp any eq 1494 any
access-list 140 permit udp any eq 1604 any
access-list 150 permit ip any 10.2.3.0 0.0.0.255
access-list 150 permit ip any 10.4.126.0 0.0.0.255
route-map ONE permit 10
 match ip address 130
!
route-map ONE permit 20
 match ip address 140
 set ip next-hop 10.27.9.2 10.27.9.1
!
route-map ONE permit 30
 match ip address 150
 set ip next-hop 10.27.9.2 10.27.9.1
!
route-map ONE permit 40
!
12-08-2005 06:45 AM
Hi,
it looks like your route-map statement 10 matching access-list 130 matches parts of your statement 20 with access-list 140.
Route-map statements are treated like access-lists: top down processing and once you have a match you stop evaluating the route-map. So it looks to me as if you never get to statement 20 or 30 where you set the next hop.
Rewriting your access-lists to be more specific and not overlapping or reordering your route-map statements might solve your problems.
Regards
Martin
12-08-2005 12:07 PM
Jefta
Martin is correct about the overlap between access list 130 and access list 140. Any traffic that matches 130 and also matches 140 will be treated by statement 10 and not have its next hop altered by statement 20. But I do not agree with his assertion that you would never get to statement 20 or 30. Any traffic whose destination was not in 10.x.x.x would have the opportunity to match list 140 in statement 20.
Since list 130 is looking for destinations only in network 10 and list 140 has some permits for destination any, I believe that some traffic may get its next hop changed.
There are a couple of things that I see in the config that I do not understand. I am not sure whether they relate to the problem you are experiencing or not.
interface Vlan1
 ip address 10.0.1.1 255.255.255.0 secondary
 ip address 10.0.1.254 255.255.255.0
I do not understand why you are defining a secondary address within the same subnet as the primary address.
You are using address 10.0.9.1 in both your default gateway definition and in the default route. But the address is not in a connected subnet (at least as far as the posted config shows) so how does the router know how to get to it for the default route? And even more importantly how will the default gateway definition work?
HTH
Rick
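Added example, not part of the thread or of any poster's configuration: a small Python model of the first-match evaluation both replies discuss, run over the ACLs and route-map ONE exactly as posted. It assumes only top-down, first-match semantics with wildcard masks and an implicit deny at the end of each ACL; next-hop reachability and link state are not modelled, and the function names are hypothetical.

```python
import ipaddress

# ACLs copied from the posted config. ROUTE_MAP mirrors route-map ONE as
# (sequence, matched ACL or None, next hops set or None).
CONFIG = """\
access-list 130 permit udp any 10.0.0.0 0.0.255.255
access-list 130 permit tcp any 10.0.0.0 0.0.255.255
access-list 130 permit tcp any 10.0.0.0 0.255.255.255 eq www
access-list 130 permit tcp any 10.0.0.0 0.255.255.255 eq 443
access-list 140 permit tcp any 10.0.0.0 0.255.255.255 eq 102
access-list 140 permit tcp any eq 102 10.0.0.0 0.255.255.255
access-list 140 permit tcp any any eq www
access-list 140 permit tcp any any eq ftp
access-list 140 permit tcp any any eq 443
access-list 140 permit tcp any any eq 1494
access-list 140 permit udp any any eq 1604
access-list 140 permit tcp any eq 1494 any
access-list 140 permit udp any eq 1604 any
access-list 150 permit ip any 10.2.3.0 0.0.0.255
access-list 150 permit ip any 10.4.126.0 0.0.0.255"""
ROUTE_MAP = [(10, 130, None), (20, 140, ["10.27.9.2", "10.27.9.1"]),
             (30, 150, ["10.27.9.2", "10.27.9.1"]), (40, None, None)]
PORTS = {"www": 80, "ftp": 21}

def parse_acls(text):
    acls = {}
    for line in text.splitlines():
        tok = line.split()
        rest, ends = tok[4:], []
        for _ in range(2):                      # source, then destination
            n = 1 if rest[0] == "any" else 2
            net = ("0.0.0.0", "255.255.255.255") if n == 1 else tuple(rest[:2])
            rest, port = rest[n:], None
            if rest and rest[0] == "eq":
                port, rest = PORTS.get(rest[1]) or int(rest[1]), rest[2:]
            ends.append((net, port))
        acls.setdefault(int(tok[1]), []).append((tok[3], *ends))
    return acls

def side_ok(ip, port, side):
    (base, wild), want = side
    to_int = lambda a: int(ipaddress.ip_address(a))
    # Wildcard bits set to 1 are "don't care"; every other bit must equal base.
    return (to_int(ip) ^ to_int(base)) & ~to_int(wild) == 0 and want in (None, port)

def first_match(proto, src, sport, dst, dport, acls=parse_acls(CONFIG)):
    """Return (sequence, next_hops) of the first route-map entry the packet hits."""
    for seq, num, hops in ROUTE_MAP:
        if num is None or any(p in ("ip", proto) and side_ok(src, sport, s)
                              and side_ok(dst, dport, d) for p, s, d in acls[num]):
            return seq, hops
```

With a constructed source of 10.0.1.50, `first_match("tcp", "10.0.1.50", 40000, "10.0.32.10", 1494)` returns `(10, None)` because ACL 130 permits any TCP to 10.0.x.x, while the same port to 192.0.2.10 returns sequence 20 with the next hops set.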