PBR not working

old&bald
Level 1

Need to redirect all web requests from PPPoE users destined to 192.168.99.9 over another gateway 172.16.1.1 using an old 7200 router.

Below is my config, router also participates in OSPF and iBGP with its neighbors. 

 

Cisco IOS Software, 7200 Software (C7200P-ADVENTERPRISEK9-M), Version 12.4(15)T4, RELEASE SOFTWARE (fc2)

 

ip access-list extended gwadd
 permit tcp any host 192.168.99.9 eq www

 

route-map GWPOL permit 10
 match ip address gwadd
 set ip next-hop 172.16.1.1

 

interface Virtual-Template70
 ip policy route-map GWPOL


#sh route-map

route-map GWPOL, permit, sequence 10
Match clauses:
ip address (access-lists): GWPOL
Set clauses:
ip next-hop 172.16.1.1
Policy routing matches: 24707 packets, 2054970 bytes


#sh ip policy

Interface Route map
Vi4 GWPOL
Vi5 GWPOL
Vi6 GWPOL
Vi10 GWPOL
Vi11 GWPOL
Vi13 GWPOL
Vi14 GWPOL
Vi15 GWPOL
Vi17 GWPOL
Vi23 GWPOL
Vi26 GWPOL
Vi27 GWPOL
Vi32 GWPOL
Vi33 GWPOL
Vi38 GWPOL
Vi39 GWPOL

 

#sh logg | i 192.168.99.9
Jul 29 09:15:57.428: IP: s=10.8.7.6 (Virtual-Access647), d=192.168.99.9, len 64, FIB policy rejected(no match) - normal forwarding

10 Replies

Hello,

 

Looking at the debug output, it seems like the packet that is not matching has a length of 64 bytes, which is the minimum size for an Ethernet frame. I guess to find out what kind of packet that is exactly, you would have to use a packet analyzer such as Wireshark... is that an option?

What can you tell us about address 172.16.1.1? Can you post the output of show ip route so we can be sure that this is reachable as a next hop?

 

The log message tells us about the source address and the destination address but does not tell us what TCP port it uses. Can we be sure that it was www?

 

We see a specific message about this packet. I wonder if there might be other messages about it in the log file. Could you post the other syslog messages within a minute or 2 of this event?

 

HTH

 

Rick



@Richard Burts wrote:

What can you tell us about address 172.16.1.1?


On this router 172.16.1.1 is in a directly connected subnet; adding a simple static route does the job, but I need to separate only port 80.

 


We see a specific message about this packet. I wonder if there might be other messages about it in the log file. Could you post the other syslog messages within a minute or 2 of this event?


Unfortunately a long debug is impossible, as the router currently uses over 90% of its CPU power. Yesterday, to get this 1-second debug, I took this router down for 5 minutes. It is to be decommissioned and replaced with a 9001 in the short term, but until then I planned to finish one small job using this PBR.

Will try to speed up migration to 9k then.

 

 


matching has a length of 64 bytes, which is the minimum size for an Ethernet frame. 

Yes, it is true, and even 52-byte packets appear in the debug.

 

Wireshark...is that an option ?

Unfortunately not; the router is still in production and under heavy load.

Hello


@old&bald wrote:

interface Virtual-Template70
 ip policy route-map GWPOL

 

 

#sh logg | i 192.168.99.9
Jul 29 09:15:57.428: IP: s=10.8.7.6 (Virtual-Access647), d=192.168.99.9, len 64, FIB policy rejected(no match) - normal forwarding


Try applying the PBR to the physical interface associated with the VT70?

 

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Didn't work, still routed to upstream.

Hello


@old&bald wrote:

interface Virtual-Template70
 ip policy route-map GWPOL


#sh ip policy

Interface Route map
Vi4 GWPOL
Vi5 GWPOL
Vi6 GWPOL
Vi10 GWPOL
Vi11 GWPOL
Vi13 GWPOL
Vi14 GWPOL
Vi15 GWPOL
Vi17 GWPOL
Vi23 GWPOL
Vi26 GWPOL
Vi27 GWPOL
Vi32 GWPOL
Vi33 GWPOL
Vi38 GWPOL
Vi39 GWPOL


I don't see vt70 in this listing, unless you haven't posted all the output?

 



Kind Regards
Paul

Yes, I've shortened it, but it is there :)

The output of that command is 5-6 SPACEs long.

Hello

So, in relation to the web host and the next-hop IP address: are those subnets on the same router? Is the next hop reachable?

I am assuming you wish any host for TCP 80 to be PBR'd towards host 192.168.99.9 via 172.16.1.1; if so, try changing your ACL to accommodate such traffic.

 

 permit tcp any host 192.168.99.9 eq www
 permit tcp any eq www host 192.168.99.9



Kind Regards
Paul
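As an added illustration (not code from this thread, from Cisco, or from either poster), here is a small Python model of the posted ACL and route-map. It parses the config, applies first-match ACL semantics with the implicit deny, and returns the next hop the policy would set for a packet, or None where the router would fall through to "normal forwarding" as in the FIB debug line. It shows why `eq www` on the destination only matches client-to-server requests (the point behind Paul's second ACL line), and it also returns None when a route-map's match clause names an access-list that is not defined, which is worth comparing against the access-list name displayed in the `sh route-map` output above. The config text and packet values are constructed from the snippets in the thread.

```python
import ipaddress

CONFIG = """! constructed from the config posted in the thread, not the router's full configuration
ip access-list extended gwadd
 permit tcp any host 192.168.99.9 eq www
route-map GWPOL permit 10
 match ip address gwadd
 set ip next-hop 172.16.1.1
"""

def _parse_target(tokens):  # any | host A.B.C.D | A.B.C.D wildcard, then an optional 'eq <port>'
    if tokens[0] == "any":
        net, tokens = ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    elif tokens[0] == "host":
        net, tokens = ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    else:  # contiguous wildcard masks only, e.g. 10.8.0.0 0.0.255.255 -> 10.8.0.0/16
        bits = int(ipaddress.ip_address(tokens[1])).bit_length()
        net, tokens = ipaddress.ip_network(f"{tokens[0]}/{32 - bits}", strict=False), tokens[2:]
    port = ({"www": 80}.get(tokens[1]) or int(tokens[1])) if tokens[:1] == ["eq"] else None
    return net, port, tokens[2:] if port is not None else tokens

def parse_config(text):  # -> ({acl: [(action, proto, src, sport, dst, dport)]}, {route-map: {match, set}})
    acls, maps, cur = {}, {}, None
    for t in (line.split() for line in text.splitlines() if line.strip()):
        if t[:3] == ["ip", "access-list", "extended"]:
            cur = acls.setdefault(t[3], [])
        elif t[0] == "route-map":
            cur = maps.setdefault(t[1], {})
        elif t[0] in ("permit", "deny") and isinstance(cur, list):
            src, sport, rest = _parse_target(t[2:])
            dst, dport, _ = _parse_target(rest)
            cur.append((t[0], t[1], src, sport, dst, dport))
        elif t[0] in ("match", "set") and isinstance(cur, dict):  # 'match ip address X' / 'set ip next-hop Y'
            cur[t[0]] = t[3]
    return acls, maps

def make_packet(proto, src, dst, sport=None, dport=None):
    return {"proto": proto, "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "sport": sport, "dport": dport}

def acl_permits(entries, pkt):  # first match wins, implicit deny at the end of every IOS ACL
    for action, proto, src, sport, dst, dport in entries:
        if proto in ("ip", pkt["proto"]) and pkt["src"] in src and pkt["dst"] in dst \
                and sport in (None, pkt["sport"]) and dport in (None, pkt["dport"]):
            return action == "permit"
    return False

def policy_route(text, map_name, pkt):  # next hop set by the route-map, or None ('normal forwarding')
    acls, maps = parse_config(text)
    entries = acls.get(maps[map_name].get("match"))  # None if the match clause names an undefined ACL
    return maps[map_name]["set"] if entries and acl_permits(entries, pkt) else None
```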

Paul,

 

I need any host requesting port 80 from 192.168.99.9 (masked for publication) to be routed over 172.16.1.1 (also masked).

192.168.99.9 is located on the Internet; I've created a fake web site with this IP in the internal perimeter, which is accessible over 172.16.1.1. So I need all PPPoE clients requesting any web page from the 192.168.99.9 Internet address to be forwarded to my web server.

Currently, when I browse 192.168.99.9 from a lab VM connected over PPPoE, the request times out until I delete the policy setting from the Virtual-Template interface. So the policy is working, somehow, but packets are not forwarded to the internal perimeter (I have normal monitoring there), so I'm stuck on the 7200 due to the unavailability of normal debugging and cannot troubleshoot it more comprehensively.