PBR Not updating

Hi all, I hope you can help.  I have 2 issues.

We're implementing PBR to assist in firewall migration.  Because of the number of users/departments and suppliers we have traversing our connection, rather than big bang, rip out old add new, we're doing piecemeal.

Traffic is being passed into a 6509 L3 interface, with two separate L3 interfaces for outbound to old and new.

When applied for the first time with some test addresses this policy works fine, and continues to work for the first three entries into the acl.

Issue 1, when I add my IP as a source, I lose ssh access to the router.

Issue 2, when I add new addresses to the migrate ACL (in this case the 4th line), they're still being passed down the old route, as seen through the ACL output.

PBR-Router#sh access-list
Extended IP access list migrate
10 permit ip host 10.132.25.106 any (6 matches)
20 permit ip any host 62.253.228.16 (3 matches)
30 permit ip host 10.132.25.88 any (3 matches)
40 permit ip 10.45.0.124 0.0.0.3 any

Extended IP access list remain
10 permit ip any any (9334043 matches)

Config is as below

interface GigabitEthernet9/1
description route to lan
ip address 192.168.3.29 255.255.255.252
no ip redirects
ip policy route-map new-fw
!
interface GigabitEthernet9/2
no ip address
shutdown
!
interface GigabitEthernet9/3
description route to old FW
ip address 10.132.27.230 255.255.255.240
no ip redirects
!
interface GigabitEthernet9/4
description route to new FW
ip address 10.132.30.243 255.255.255.128
no ip redirects

ip access-list extended migrate
permit ip host 10.132.25.106 any
permit ip any host 62.253.228.16
permit ip host 10.132.25.88 any
permit ip 10.45.0.124 0.0.0.3 any
ip access-list extended remain
permit ip any any

route-map new-fw permit 10
match ip address migrate
set ip next-hop 10.132.30.241
!
route-map new-fw permit 20
match ip address remain
set ip default next-hop 10.132.27.225


6 Replies

Jon Marshall
Hall of Fame

Firstly, the 6500 does PBR in hardware, so using the ACL hits is not necessarily accurate; traceroute is your friend here.

Secondly, why are you doing PBR for both sets of traffic? I.e. presumably you have a default route on the 6500 for the existing traffic, in which case you only need to do PBR for the traffic you do not want to use the default route.

As for your host traffic not being able to SSH, it is probably because the PBR is picking up the traffic and sending it to the next hop. You need to exclude the specific traffic between your host and the switch IP in the ACL, before the permit any for your host.

Jon

Hi Jon,

I did think about that, but when the IT VLAN gets migrated, I'm going to need to use the PBR from my client but still access the switch.

I think the 'set ip default next-hop' is what's needed.

Hello,

your route map:

route-map new-fw permit 20
match ip address remain
set ip default next-hop 10.132.27.225

It means that if 10.132.27.225 exists, nothing will be policy routed. If it doesn't exist, everything specified in the ACL 'remain' will be policy routed. Kind of weird actually, but that is how it supposedly works...

http://www.cisco.com/c/en/us/support/docs/ip/ip-routed-protocols/47121-pbr-cmds-ce.html#intro

Thanks for help all

The solution for my scenario was to add 'default' to policy entry 10.

Hello,

just to be sure, is the line 'set ip default next-hop 10.132.27.225' on purpose? Traffic would only be policy routed if the destination address does not exist in the routing table, contrary to the 'set ip next-hop', where traffic is policy routed if the destination does exist in the routing table.
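
The difference between 'set ip next-hop' and 'set ip default next-hop' described above, as an added Python model written for this edit (not Cisco code and not from anyone in the thread): it evaluates the posted route-map and ACLs against a routing table built from the connected routes in the posted config and shows why the original entry 10 diverts SSH to the switch's own address while the 'default' form leaves it to the routing table. It assumes no default route exists in the RIB (the thread does not show one) and the names ORIGINAL, FIXED and pbr_next_hop are the model's own.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

def host(addr):
    """'host X' in an IOS ACL is a /32 match."""
    return ipaddress.ip_network(addr + "/32")

# The thread's two ACLs as (source, destination) networks. 'permit ip
# 10.45.0.124 0.0.0.3 any' is wildcard notation for 10.45.0.124/30.
ACLS = {
    "migrate": [(host("10.132.25.106"), ANY), (ANY, host("62.253.228.16")),
                (host("10.132.25.88"), ANY),
                (ipaddress.ip_network("10.45.0.124/30"), ANY)],
    "remain": [(ANY, ANY)],
}

# Routing table assumed for the model: only the connected routes from the
# posted interface config, no default route (the thread does not show one).
RIB = [ipaddress.ip_network("192.168.3.28/30"),
       ipaddress.ip_network("10.132.27.224/28"),
       ipaddress.ip_network("10.132.30.128/25")]

# Route-map sequences as (acl, set-clause kind, next hop). ORIGINAL is the
# config posted above; FIXED is the same with 'default' added to entry 10.
ORIGINAL = [("migrate", "next-hop", "10.132.30.241"),
            ("remain", "default next-hop", "10.132.27.225")]
FIXED = [("migrate", "default next-hop", "10.132.30.241"),
         ("remain", "default next-hop", "10.132.27.225")]

def acl_permits(acl, src, dst):
    """True if any ACE permits the src->dst pair (all ACEs here are permits)."""
    return any(src in s_net and dst in d_net for s_net, d_net in acl)

def pbr_next_hop(route_map, src, dst, rib=RIB):
    """Return the next hop PBR imposes, or 'rib' when the packet is left to
    the normal routing lookup. First matching sequence wins, as in IOS."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for acl_name, kind, nh in route_map:
        if not acl_permits(ACLS[acl_name], src, dst):
            continue
        if kind == "next-hop":          # PBR overrides the routing table
            return nh
        # 'default next-hop': the routing table wins whenever it has a route
        return "rib" if any(dst in n for n in rib) else nh
    return "rib"
```

Calling pbr_next_hop(ORIGINAL, "10.45.0.124", "192.168.3.29") returns the new-firewall next hop (the SSH session to the switch is diverted), while the same call with FIXED returns "rib" because the switch's address is on a connected network; adding a default route to the RIB makes the 'remain' sequence policy-route nothing, as Georg notes.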

Hi Georg,

I've just uploaded a quick diagram.

You may have spotted the config.  I want ANYTHING in the ACL to be PBR, unless the route already exists.

I'll try changing that.
