PBR in Tunnel - ACL not matching

slamblambacid
Level 1

Hi

I've got a PBR configured on an interface Tunnel (with NHRP) that's not matching all the traffic coming from spokes...

Traffic comes from networks 10.0.0.0/16, 10.1.0.0/16 and 10.2.0.0/16. It enters the tunnel, enters a VRF, and with the PBR we split those networks to balance traffic among two proxy servers... The thing is, the PBR matches some of the traffic but not all. Most of the traffic (70MB) doesn't match the PBR and goes via the default GW. Since the ACLs contain all the networks it should match all of the traffic (we use no NAT).

Doing tests from one of the spokes (10.2.9.0/24), if I ping the Internet the ACL doesn't match. But if I do a traceroute the ACL matches OK.

Any clues?

cisco WS-C6509-E (R7000) processor (revision 1.5) with 983008K/65536K bytes of memory
System image file is "sup-bootdisk:s72033-advipservicesk9_wan-mz.122-33.SXJ1.bin"

VSS#sh run int tu0
Building configuration...

Current configuration : 530 bytes
!
interface Tunnel0
 ip vrf forwarding TMGINTERNET
 ip address 10.8.0.1 255.255.0.0
 no ip redirects
 no ip proxy-arp
 no ip next-hop-self eigrp 1
 ip nhrp authentication sarm
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 ip nhrp holdtime 300
 ip nhrp registration no-unique
 ip route-cache same-interface
 no ip split-horizon eigrp 1
 ip summary-address eigrp 1 0.0.0.0 0.0.0.0
 ip policy route-map BALANCE
 tunnel source Loopback10
 tunnel mode gre multipoint
end

VSS#sh run int vlan 971
interface Vlan971
 description Proxies
 ip vrf forwarding TMGINTERNET
 ip address 10.112.255.130 255.255.255.240
end

VSS#sh ip route vrf TMGINTERNET
Gateway of last resort is 10.112.255.134 to network 0.0.0.0

     10.0.0.0/8 is variably subnetted, 569 subnets, 4 masks
D       10.0.234.0/24 [90/26882560] via 10.8.1.52, 03:34:21, Tunnel0
D       10.0.202.0/24 [90/26882560] via 10.8.1.83, 2d04h, Tunnel0
D       10.0.170.0/24 [90/26882560] via 10.8.1.114, 1d13h, Tunnel0
D       10.0.138.0/24 [90/26882560] via 10.8.1.146, 05:14:42, Tunnel0
D       10.0.106.0/24 [90/26882560] via 10.8.1.175, 00:35:42, Tunnel0
D       10.0.74.0/24 [90/26882560] via 10.8.1.207, 3d14h, Tunnel0
D       10.0.42.0/24 [90/26882560] via 10.8.1.237, 22:03:54, Tunnel0
D       10.0.10.0/24 [90/26882560] via 10.8.0.125, 00:56:38, Tunnel0
D       10.1.234.0/24 [90/26882560] via 10.8.0.111, 03:10:03, Tunnel0
D       10.1.202.0/24 [90/26882560] via 10.8.2.69, 01:44:09, Tunnel0
D       10.1.170.0/24 [90/26882560] via 10.8.2.99, 21:16:14, Tunnel0
D       10.1.138.0/24 [90/26882560] via 10.8.2.129, 1w1d, Tunnel0
D       10.1.106.0/24 [90/26882560] via 10.8.2.161, 05:23:39, Tunnel0
D       10.1.74.0/24 [90/26882560] via 10.8.2.188, 12:29:52, Tunnel0
D       10.1.42.0/24 [90/26882560] via 10.8.2.215, 00:40:45, Tunnel0
D       10.2.170.0/24 [90/26882560] via 10.8.0.214, 1w4d, Tunnel0
D       10.2.138.0/24 [90/26882560] via 10.8.0.182, 00:04:03, Tunnel0
D       10.2.106.0/24 [90/26882560] via 10.8.0.108, 01:31:36, Tunnel0
D       10.2.74.0/24 [90/26882560] via 10.8.0.77, 4d07h, Tunnel0
D       10.2.42.0/24 [90/26882560] via 10.8.0.45, 2d09h, Tunnel0
...(the list goes on)

route-map BALANCE, permit, sequence 5
  Match clauses:
    ip address (access-lists): TMG20
  Set clauses:
    ip next-hop verify-availability 10.112.255.135 10 track 120  [up]
    ip next-hop verify-availability 10.112.255.136 20 track 122  [up]
    ip next-hop verify-availability 10.112.255.134 30 track 121  [up]
  Policy routing matches: 307 packets, 264160 bytes
route-map BALANCE, permit, sequence 10
  Match clauses:
    ip address (access-lists): TMG21
  Set clauses:
    ip next-hop verify-availability 10.112.255.134 10 track 121  [up]
    ip next-hop verify-availability 10.112.255.136 20 track 122  [up]
    ip next-hop verify-availability 10.112.255.135 30 track 120  [up]
  Policy routing matches: 903 packets, 1134040 bytes

Extended IP access list TMG20
    10 permit ip any host 10.112.255.134 (1 match)
    15 permit ip 10.2.9.0 0.0.0.255 any (18 matches)
    20 permit ip 10.1.0.0 0.0.255.255 any (76 matches)
    25 permit ip 10.2.0.0 0.0.127.255 any (352 matches)
    40 permit ip 10.2.244.0 0.0.0.255 any
Extended IP access list TMG21
    10 permit ip 10.0.0.0 0.0.255.255 any (137 matches)
    15 permit ip 10.2.128.0 0.0.127.255 any (1402 matches)
    30 permit ip 10.2.243.0 0.0.0.255 any
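To check the poster's claim that the two ACLs cover every source network, here is an added example (not part of the original post or of any Cisco tool) that evaluates the route-map and ACL entries from the post the way PBR does: sequences in order, entries in order, first hit wins, Cisco wildcard-mask semantics. The ACL and route-map contents are copied from the output above; the helper names (parse_addr, matches, classify, coverage_gaps) and the sample source/destination addresses are my own.

```python
"""Added example: evaluate the post's PBR route-map and extended ACLs offline.

Every entry in the post uses protocol "ip", so only source/destination
addresses are modelled; ICMP (ping) and UDP (traceroute) are matched alike.
"""
import ipaddress

# ACL entries copied from the post: (ACE seq, source spec, destination spec)
ACLS = {
    "TMG20": [
        (10, "any", "host 10.112.255.134"),
        (15, "10.2.9.0 0.0.0.255", "any"),
        (20, "10.1.0.0 0.0.255.255", "any"),
        (25, "10.2.0.0 0.0.127.255", "any"),
        (40, "10.2.244.0 0.0.0.255", "any"),
    ],
    "TMG21": [
        (10, "10.0.0.0 0.0.255.255", "any"),
        (15, "10.2.128.0 0.0.127.255", "any"),
        (30, "10.2.243.0 0.0.0.255", "any"),
    ],
}

# route-map BALANCE: (sequence, ACL it matches on), in evaluation order
ROUTE_MAP = [(5, "TMG20"), (10, "TMG21")]

MAX32 = 0xFFFFFFFF


def parse_addr(spec: str) -> tuple[int, int]:
    """Turn 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' into (network, wildcard) ints."""
    parts = spec.split()
    if parts == ["any"]:
        return 0, MAX32
    if parts[0] == "host":
        return int(ipaddress.IPv4Address(parts[1])), 0
    net, wc = (int(ipaddress.IPv4Address(p)) for p in parts)
    return net & ~wc & MAX32, wc


def matches(spec: str, addr: int) -> bool:
    """Cisco wildcard semantics: bits set in the wildcard are 'don't care'."""
    net, wc = parse_addr(spec)
    return (addr & ~wc & MAX32) == net


def classify(src: str, dst: str):
    """Return (route-map seq, ACL name, ACE seq) of the first matching entry, or None
    when the packet would fall through to normal (default-route) forwarding."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for rm_seq, acl in ROUTE_MAP:
        for ace_seq, src_spec, dst_spec in ACLS[acl]:
            if matches(src_spec, s) and matches(dst_spec, d):
                return rm_seq, acl, ace_seq
    return None


def coverage_gaps(prefix: str) -> list[tuple[str, str]]:
    """List address ranges inside `prefix` that no 'permit ip <src> any' entry covers.
    Only contiguous wildcards are handled (every entry in the post is contiguous)."""
    net = ipaddress.ip_network(prefix)
    lo, hi = int(net.network_address), int(net.broadcast_address)
    intervals = []
    for acl in ACLS.values():
        for _, src_spec, dst_spec in acl:
            if dst_spec != "any":
                continue  # destination-specific entries give no blanket coverage
            n, wc = parse_addr(src_spec)
            assert (wc + 1) & wc == 0, f"non-contiguous wildcard in {src_spec}"
            intervals.append((n, n | wc))
    intervals.sort()
    gaps, cursor = [], lo
    for a, b in intervals:
        if b < cursor or a > hi:
            continue
        if a > cursor:  # uncovered hole between the last range and this one
            gaps.append((str(ipaddress.IPv4Address(cursor)),
                         str(ipaddress.IPv4Address(a - 1))))
        cursor = max(cursor, b + 1)
        if cursor > hi:
            break
    if cursor <= hi:
        gaps.append((str(ipaddress.IPv4Address(cursor)), str(ipaddress.IPv4Address(hi))))
    return gaps


if __name__ == "__main__":
    # constructed sample: a host in the poster's test spoke, two destinations
    for dst in ("8.8.8.8", "10.112.255.134"):
        print("10.2.9.10 ->", dst, classify("10.2.9.10", dst))
    for pfx in ("10.0.0.0/16", "10.1.0.0/16", "10.2.0.0/16"):
        print(pfx, "uncovered:", coverage_gaps(pfx) or "none")
```

Run as written, the script reports no uncovered addresses in 10.0.0.0/16, 10.1.0.0/16 or 10.2.0.0/16, and a host in 10.2.9.0/24 sending to an Internet address lands on TMG20 entry 15 regardless of whether the packet is an ICMP echo or a traceroute probe. That agrees with the poster's reading: the ACL text itself does not distinguish ping from traceroute, so the difference observed has to come from elsewhere in the policy-routing path rather than from ACL coverage.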

slamblambacid
Level 1

I don't know why, but I changed the PBR this way and it began to match OK:

route-map BALANCE, permit, sequence 5
  Match clauses:
    ip address (access-lists): TMG20
  Set clauses:
    ip next-hop 10.112.255.135 10
route-map BALANCE, permit, sequence 10
  Match clauses:
    ip address (access-lists): TMG21
  Set clauses:
    ip next-hop 10.112.255.134

I lost the health probe but regained balancing.
