PBR not directing traffic properly... what am I missing?

matwood
Level 1

Need to pass traffic from some specific internal IPs out an alternative internet connection.

Traffic origin is from a vlan on a core switch, which routes to a dedicated 3750x that handles BGP and WAN selection. The 3750x has a default route, but I want to override that for specific source IPs.

excerpts from 3750x config (partially sanitized):

interface Vlan1000
ip address 10.10.0.11 255.255.255.0
no ip redirects
ip policy route-map FWD-OUT-ALT

route-map FWD-OUT-ALT permit 10
match ip address 5
set ip next-hop 10.10.0.250

access-list 5 permit 192.168.6.120
access-list 5 permit 192.168.6.119
access-list 5 permit 192.168.5.79

specific show commands:

XXX-Prod-BGP-SW1#show ip int vlan 1000
Vlan1000 is up, line protocol is up
Internet address is 10.10.0.11/24
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are never sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF switching turbo vector
IP Null turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Probe proxy name replies are disabled
Policy routing is enabled, using route map FWD-OUT-ALT
Network address translation is disabled
BGP Policy Mapping is disabled
Input features: Policy Routing, MCI Check
Output features: Input interface drop, Check hwidb
IPv4 WCCP Redirect outbound is disabled
IPv4 WCCP Redirect inbound is disabled
IPv4 WCCP Redirect exclude is disabled

XXX-Prod-BGP-SW1#show sdm prefer
The current template is "desktop routing" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.

number of unicast mac addresses: 3K
number of IPv4 IGMP groups + multicast routes: 1K
number of IPv4 unicast routes: 10.875k
number of directly-connected IPv4 hosts: 3K
number of indirect IPv4 routes: 7.875k
number of IPv6 multicast groups: 64
number of IPv6 unicast routes: 32
number of directly-connected IPv6 addresses: 0
number of indirect IPv6 unicast routes: 32
number of IPv4 policy based routing aces: 0.5K
number of IPv4/MAC qos aces: 0.375k
number of IPv4/MAC security aces: 0.875k
number of IPv6 policy based routing aces: 0
number of IPv6 qos aces: 0
number of IPv6 security aces: 58

192.168.5.79 is my test host, and when tracerouting from it to the inet, traffic gets to 10.10.0.11, then takes the normal default route instead of the next hop from the policy.

Thanks in advance for any help here...

1 Accepted Solution

Accepted Solutions

Hello


@matwood wrote:

Hosts are not on any vlan directly connected to this router. This router is a hop in the chain, with vlan 1000 being the incoming interface for the routed traffic from those hosts.


Does this rtr have a route to those hosts, and does it go via vlan 1000?

If so, try using an extended access-list in the PBR instead, specifying (source/destination).


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

18 Replies

Jaderson Pessoa
VIP Alumni

Hello, try it

rt(config)# ip local policy route-map FWD-OUT-ALT
interface vlan1000
rt(config-if)# no ip policy route-map FWD-OUT-ALT

Jaderson Pessoa
*** Rate All Helpful Responses ***

Would that not only redirect traffic generated on the router itself? From what I understand, the IP addresses that need to be redirected are from internal hosts on another Vlan...

I understood that it is from the router itself, maybe I'm wrong.
Jaderson Pessoa

Hello,

How does traffic from the source IP addresses in the access list flow through Vlan 1000?

Hello


@matwood wrote:

Need to pass traffic from some specific internal IPs out an alternative internet connection.

Traffic origin is from a vlan on a core switch, which routes to a dedicated 3750x that handles BGP and WAN selection. The 3750x has a default route, but I want to override that for specific source IPs.

excerpts from 3750x config (partially sanitized):

interface Vlan1000
ip address 10.10.0.11 255.255.255.0
no ip redirects
ip policy route-map FWD-OUT-ALT

route-map FWD-OUT-ALT permit 10
match ip address 5
set ip next-hop 10.10.0.250

access-list 5 permit 192.168.6.120
access-list 5 permit 192.168.6.119
access-list 5 permit 192.168.5.79

192.168.5.79 is my test host, and when tracerouting from it to the inet, traffic gets to 10.10.0.11, then takes the normal default route instead of the next hop from the policy.


Can you clarify: does your test host 192.168.5.79, or any host specified in your access-list, reside off vlan 100? If not, your PBR will not work. Now, if you are trying to reach those hosts, then maybe you don't require PBR to accomplish that, especially when you're using BGP.

Kind Regards
Paul

The hosts are on, let's call them, vlan 5 and vlan 6, the gateway for which resides on a different device. That device then routes traffic over vlan 1000 to the BGP switch.
Host<---[vlan5]--->Local_Router<---[vlan1000]--->BGP_router

Hi Matwood,

It looks like your PBR is applied to the wrong interface, if I understand the setup correctly.

It should be applied to the ingress interface for the traffic; apply it to VLAN5 rather than 1000.

Hosts are not on any vlan directly connected to this router. This router is a hop in the chain, with vlan 1000 being the incoming interface for the routed traffic from those hosts.

It was routing back through vlan 1000, but I have altered the architecture to simplify the routing (and solve other problems that had cropped up).

Still having PBR problems, but hopefully this should be a little more straightforward.

vlan 5 is now directly terminated on the router, here's an updated config:

~~~~~~~~~~~~~~~~~~~~~
interface Vlan1000
ip address 10.10.0.11 255.255.255.0
no ip redirects

interface Vlan5
ip address 192.168.5.1 255.255.255.0
no ip redirects
ip policy route-map FWD-OUT-ALT

route-map FWD-OUT-ALT permit 10
match ip address 101
set ip next-hop 10.10.0.250

access-list 101 deny ip host 192.168.5.79 10.0.0.0 0.255.255.255
access-list 101 deny ip host 192.168.5.79 192.168.0.0 0.0.255.255
access-list 101 permit ip host 192.168.5.79 any
~~~~~~~~~~~~~~~~~~~

 

As may be evidenced by the access list, the purpose is to direct internet traffic from that host out a non-default inet connection; internal WAN connectivity is handled by the normal routing table. When I initially forgot to add the deny statements, I lost remote access to the host in question, so something is starting to work; however, now traffic that should be policy routed seems to just drop.
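To make the route-map and ACL semantics above concrete, here is an added Python model (not code from the thread or from Cisco IOS) of access-list 101 and route-map FWD-OUT-ALT: Cisco wildcard matching, first-match ACL lookup with the implicit deny, and the PBR rule that an ACL deny is a route-map "no match" and therefore normal forwarding, not a drop. The permit-only variant shows why the first attempt without deny entries sent the host's internal traffic to the alternate next hop; destinations not taken from the thread are constructed.

```python
import ipaddress

# Added model of the thread's access-list 101 and route-map FWD-OUT-ALT (not code from
# the thread or from Cisco IOS). An ACE is (action, src, src_wildcard, dst, dst_wildcard);
# "host X" is (X, "0.0.0.0") and "any" is ("0.0.0.0", "255.255.255.255").
HOST_WC = "0.0.0.0"
ANY = ("0.0.0.0", "255.255.255.255")
NEXT_HOP = "10.10.0.250"      # set ip next-hop from the posted route-map

def _int(addr):
    return int(ipaddress.IPv4Address(addr))

def _wild_match(addr, net, wildcard):
    """Cisco wildcard compare: a 1 bit in the wildcard means 'don't care'."""
    care = ~_int(wildcard) & 0xFFFFFFFF
    return (_int(addr) & care) == (_int(net) & care)

def acl_lookup(acl, src, dst):
    """First-match lookup; the implicit deny at the end of every IOS ACL applies."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if _wild_match(src, s_net, s_wc) and _wild_match(dst, d_net, d_wc):
            return action
    return "deny"

def pbr_decision(acl, src, dst):
    """route-map FWD-OUT-ALT permit 10 / match ip address <acl> / set ip next-hop.
    An ACL deny, explicit or implicit, is a route-map 'no match': the packet is
    forwarded normally (the 'FIB policy rejected(no match)' debug line), not dropped."""
    if acl_lookup(acl, src, dst) == "permit":
        return f"policy routed, next-hop {NEXT_HOP}"
    return "normal forwarding"

def build_acl(host, with_denies=True):
    """The posted ACL 101; with_denies=False is the permit-only first attempt."""
    acl = []
    if with_denies:
        acl.append(("deny", host, HOST_WC, "10.0.0.0", "0.255.255.255"))
        acl.append(("deny", host, HOST_WC, "192.168.0.0", "0.0.255.255"))
    acl.append(("permit", host, HOST_WC, *ANY))
    return acl

if __name__ == "__main__":
    for denies in (False, True):
        acl = build_acl("192.168.5.79", with_denies=denies)
        print("with deny entries:" if denies else "permit-only ACL (first attempt):")
        for dst in ("8.8.8.8", "10.10.130.250", "192.168.6.120"):   # constructed destinations
            print(f"  192.168.5.79 -> {dst:14} {pbr_decision(acl, '192.168.5.79', dst)}")
        print(f"  10.10.5.88   -> 8.8.8.8        {pbr_decision(acl, '10.10.5.88', '8.8.8.8')}")
```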

Is it dropping at this device or further along?

Your PBR configuration looks fine, so perhaps a routing or NAT issue further down the path?

Jon

Would the original poster give us the output of show arp (or perhaps show ip arp) so that we can verify that 10.10.0.250 is reachable?

It might also be helpful to run debug for policy routing and see what it indicates.

HTH

Rick


CA2-Prod-BGP-SW1#show arp
Protocol  Address      Age (min)  Hardware Addr   Type  Interface
Internet  10.10.0.11   -          30f7.0dc8.5f47  ARPA  Vlan1000
Internet  10.10.0.250  2          ecb9.0701.d251  ARPA  Vlan1000

-truncated-

CA2-Prod-BGP-SW1#ping 10.10.0.250
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.0.250, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

When I enable debugging with "debug ip policy 101" and generate traffic from the host (using ping, nslookup targeting public DNS, and a generic browser test), I get no debug logs. If I use just "debug ip policy" I get a deluge of messages, but all "no match, normal forwarding". Example entry:
Nov 8 12:18:30.862: IP: s=10.10.5.88 (Vlan5), d=10.10.130.250, len 747, FIB policy rejected(no match) - normal forwarding

There's too much traffic on the VLAN to spot any entries for the specific host I'm trying to redirect.
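An added Python helper (not from the thread) for triaging a saved "debug ip policy" log offline, pulling out the entries for one source host from the flood described above. The regex follows the single line format quoted; the sample lines are constructed in that format.

```python
import re
from collections import Counter

# Added helper (not from the thread) to triage a saved 'debug ip policy' log offline.
# The regex follows the one line format quoted above; the verdict text after the length
# field is captured verbatim rather than enumerated, since only that form is on the page.
DEBUG_RE = re.compile(
    r"IP: s=(?P<src>[\d.]+) \((?P<iface>[^)]+)\), d=(?P<dst>[\d.]+), "
    r"len (?P<len>\d+), (?P<verdict>.+)$"
)

def parse_policy_debug(lines):
    """Yield a dict per line that matches the debug format; other syslog lines are skipped."""
    for line in lines:
        m = DEBUG_RE.search(line)
        if m:
            yield m.groupdict()

def verdicts_for_host(lines, host):
    """Count verdict strings for packets sourced from `host` only."""
    return Counter(e["verdict"] for e in parse_policy_debug(lines) if e["src"] == host)

# Constructed sample: the first line is the thread's example entry, the rest are made up
# in the same format (plus one unrelated syslog line) to stand in for the 'deluge'.
SAMPLE = """\
Nov 8 12:18:30.862: IP: s=10.10.5.88 (Vlan5), d=10.10.130.250, len 747, FIB policy rejected(no match) - normal forwarding
Nov 8 12:18:30.870: IP: s=10.10.5.91 (Vlan5), d=10.10.130.250, len 60, FIB policy rejected(no match) - normal forwarding
Nov 8 12:18:31.001: IP: s=192.168.5.79 (Vlan5), d=8.8.8.8, len 84, FIB policy rejected(no match) - normal forwarding
%SYS-5-CONFIG_I: Configured from console by vty0
Nov 8 12:18:31.120: IP: s=192.168.5.79 (Vlan5), d=10.10.0.5, len 60, FIB policy rejected(no match) - normal forwarding
""".splitlines()

if __name__ == "__main__":
    for verdict, n in verdicts_for_host(SAMPLE, "192.168.5.79").items():
        print(f"{n:4d}  {verdict}")
```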

Have you tried a traceroute to see if it is being dropped by the switch with the PBR or further along?

Jon
