PBR policy rejected

Junior Mateus (Level 1)

Hello Everybody,

I have 2 routers (set up as HSRP standby).

My LAN points to the default gateway of the standby address (10.30.21.6).

On Router 1 (high-priority standby) I have configured on the LAN interface a PBR that redirects HTTP/HTTPS traffic from IP 10.30.104.0/24 on my LAN to the next hop of 10.30.21.4 (R2).

I have to mention that R1 and R2 are on the same segment.

Here is the detailed configuration:

R1

****** LAN Interface Configuration *****

interface GigabitEthernet0/0
 description LINK TO LAN
 ip address 10.30.21.1 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow monitor MYMONITOR input
 ip nat inside
 ip virtual-reassembly in
 standby 0 timers 2 4
 standby 10 ip 10.30.21.6
 standby 10 priority 200
 standby 10 preempt
 standby 10 name HSRPGRPE1
 standby 10 track 10 decrement 150
 ip policy route-map PBR_104
 duplex auto
 speed auto
 service-policy input QOS-MARKING1
end

***** SH ACCESS-LIST

Extended IP access list 104
    10 permit tcp 10.30.104.0 0.0.0.255 any eq www
    20 permit tcp 10.30.104.0 0.0.0.255 any eq 443

***** SH ROUTE-MAP

route-map PBR_104, permit, sequence 10
  Match clauses:
    ip address (access-lists): 104
  Set clauses:
    ip next-hop recursive 10.30.21.4
  Policy routing matches: 0 packets, 0 bytes
route-map PBR_104, permit, sequence 20
  Match clauses:
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes

R2

****** LAN Interface Configuration *****

interface FastEthernet0/0
 ip address 10.30.21.4 255.255.255.248
 ip flow monitor MYMONITOR input
 ip nat inside
 ip virtual-reassembly in
 standby 0 timers 2 4
 standby 10 ip 10.30.21.6
 standby 10 priority 150
 standby 10 preempt
 standby 10 name HSRPGRPE1
 standby 10 track 20 decrement 100
 duplex auto
 speed auto
end

--------------------------------------------------------------------------------------

On R1, here is the output of debug ip policy:

IP: s=10.30.104.56 (GigabitEthernet0/0), d=195.8.12.141, len 40, FIB policy rejected(no match) - normal forwarding
IP: s=10.30.104.56 (GigabitEthernet0/0), d=195.8.12.141, len 40, FIB policy rejected(no match) - normal forwarding
IP: s=10.30.104.56 (GigabitEthernet0/0), d=195.8.12.141, len 40, FIB policy rejected(no match) - normal forwarding
IP: s=10.30.104.56 (GigabitEthernet0/0), d=195.8.12.141, len 40, FIB policy rejected(no match) - normal forwarding
IP: s=10.30.104.56 (GigabitEthernet0/0), d=195.8.12.141, len 40, FIB policy rejected(no match) - normal for

sh access-list

Extended IP access list 104
    10 permit tcp 10.30.104.0 0.0.0.255 any eq www (331 matches)
    20 permit tcp 10.30.104.0 0.0.0.255 any eq 443 (7 matches)

route-map PBR_104, permit, sequence 10
  Match clauses:
    ip address (access-lists): 104
  Set clauses:
    ip next-hop recursive 10.30.21.4
  Policy routing matches: 0 packets, 0 bytes
route-map PBR_104, permit, sequence 20
  Match clauses:
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes

As you can see, nothing is working on the route-map and the PBR.

I don't know what is happening?


6 Replies

Richard Burts (Hall of Fame)

My first question would be where is 10.30.104? That does not match the subnet of the interface that you show us. So what interface does it connect to?

HTH

Rick


Hello, thank you for your question.

The 10.30.104.X is on a VLAN of my CORE SWITCH,

and my CORESW has a default route to the HSRP standby address (10.30.21.6).

I have one VLAN 21 on my CORESW that has this address 10.30.21.2/29, and this interface is directly connected to the inside interface of R1 (10.30.21.1/29):

interface Vlan21
 description RESERVED-HSRP
 ip address 10.30.21.2 255.255.255.248

interface GigabitEthernet2/17
 description connected to Router 1
 switchport
 switchport access vlan 21
 switchport mode access
 spanning-tree portfast edge

ip route 0.0.0.0 0.0.0.0 10.30.21.6 250 name virtual_HSRP

Routers 1 and 2 process the NAT for the internet.


Thanks for the information. One thing I had wondered about was whether the PBR was configured on the right interface. It must be configured on the interface where the traffic arrives. And since the source address specified in the ACL did not match the subnet where PBR is configured, I wondered if there was a mismatch. But your explanation clarifies that it is on the right interface. So I begin to wonder if the suggestion from Robert is something that we should check. Can you change the route map and specify a next hop that is not the other router - preferably a next hop in some other subnet. I know that it would not produce the result that you want, but it would at least give you a chance to run the debug and see if PBR was not working because of the choice of next hop.

HTH

Rick


The core switch is a better place for PBR since you can do better manipulation there. You can set up an SLA to verify the 2nd router is up and send the traffic there if it is. If it's down, it can route as normal.
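One way to build what this answer suggests, as an added example that is not the thread's own configuration: an IP SLA probe toward R2, a track object on it, and the route map applied on the core switch's user VLAN with verify-availability so matched traffic falls back to normal routing when R2 is unreachable. The addresses and ACL entries come from the thread; the SVI name Vlan104 and the SLA, track and sequence numbers are assumptions.

```cisco
! Probe R2's LAN address from the core switch's own VLAN 21 address
! (both addresses are from the thread). 5-second interval.
ip sla 10
 icmp-echo 10.30.21.4 source-ip 10.30.21.2
 frequency 5
ip sla schedule 10 life forever start-time now
!
! Track object 10 goes down when the probe stops succeeding.
track 10 ip sla 10 reachability
!
! Same match as the thread's ACL 104, written as a named ACL.
ip access-list extended PBR_104
 permit tcp 10.30.104.0 0.0.0.255 any eq www
 permit tcp 10.30.104.0 0.0.0.255 any eq 443
!
! Policy-route to R2 only while track 10 is up; otherwise the packet
! falls through to the routing table (the default route toward the
! HSRP VIP 10.30.21.6 that the core switch already has).
route-map PBR_104 permit 10
 match ip address PBR_104
 set ip next-hop verify-availability 10.30.21.4 10 track 10
!
! PBR must sit on the interface where the 10.30.104.0/24 traffic enters.
! Vlan104 is an assumed SVI name; the thread does not give the VLAN number.
interface Vlan104
 ip policy route-map PBR_104
```

Check the result with `show track 10` (reachability up/down) and `show route-map PBR_104`, whose "Policy routing matches" counter should now increment for HTTP/HTTPS from 10.30.104.0/24 instead of staying at 0 as in the original post.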

Hello, thanks, I have moved the PBR to the CoreSW and now it is working. Thank you all for your help!

rfalconer.sffcu (Level 3)

It looks like you're trying to redirect the matched traffic back out the same interface it entered on so it can travel to the other router. Is that correct?

I'm not sure if that type of redirection is supported with PBR.
