PBR Problem

atiye.bigdeli
Level 1

Hi friends.

We have 2 ISPs, and now we use only ISP 1 for forwarding traffic; ISP 2 is for backup.

We decided to forward some traffic toward ISP 2 using PBR.

We also have DMVPN for all branches.

We have a problem with PBR: it does not forward the traffic toward the second link.

My access-list and the PBR policy are matching.

---------------------------------------------------------------

Extended IP access list Antivirus_To_Branch2
10 permit ip host 172.30.111.88 10.113.1.128 0.0.0.127 (62934 matches)

----------------------------------------------------------------

route-map Backup_Link permit 2
match ip address Antivirus_To_Branch2
set ip next-hop 10.198.198.130

----------------------------------------------------------------

sho route-map Backup_Link

route-map Backup_Link, permit, sequence 1
Match clauses:
ip address (access-lists): Antivirus_To_Branch2
Set clauses:
Policy routing matches: 63320 packets, 40651445 bytes

-------------------------------------------------------

 

When I use the debug command "debug ip policy", I get this error:

CEF-IP-POLICY: fib for addr 10.198.198.130 is Not Attached; Nexthop rejected

What is the problem? The second link is connected.

Best regards

 

 

7 Replies

Hello,

 

Is 10.198.198.130 a directly connected next hop? Post the full configuration of your router...

Hi, and thank you for your answer.

Hub config:

int tu 3

ip address 10.198.198.129 255.255.128

tu des mode multipoint

tu source int gi0/1.100

 

int gi 0/0

ip policy route-map backup_link

 

Antivirus_To_Branch2
10 permit ip host 172.30.111.88 10.113.1.128 0.0.0.127 (62934 matches)

----------------------------------------------------------------

route-map Backup_Link permit 2
match ip address Antivirus_To_Branch2
set ip next-hop 10.198.198.130

---------------

 

 

Spoke that is the next hop:

int t 3

ip address 10.198.198.130 255.255.255.128

.

.

The two interfaces are DMVPN interfaces that have connectivity through WAN MPLS.

Best regards

Hello,

 

Change your set clause to:

 

route-map Backup_Link permit 2
match ip address Antivirus_To_Branch2
set interface Tunnel 3

Hello

Just like to add: I suggest applying some validation of availability for the next hop, otherwise if it becomes unavailable you will incur blackholing of whatever is being PBR'd.

set ip next-hop verify-availability x.x.x.x track x

 

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
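
The availability check suggested above, written out as an added example (not configuration posted by anyone in this thread): an IP SLA probe and a track object gate the PBR next hop, so traffic matching Antivirus_To_Branch2 follows the normal routing table when 10.198.198.130 stops answering instead of being blackholed. The SLA and track numbers, the timers, and probing from Tunnel3 are assumptions.

```cisco
! Added example. SLA/track numbers and timers are assumed values.
! Names and addresses (Backup_Link, Antivirus_To_Branch2, 10.198.198.130,
! Tunnel3) are taken from the posts above.
!
! 1. Probe the PBR next hop across the backup tunnel.
ip sla 1
 icmp-echo 10.198.198.130 source-interface Tunnel3
 threshold 1000
 timeout 2000
 frequency 5
ip sla schedule 1 life forever start-time now
!
! 2. Track probe reachability; the delays damp flapping.
track 1 ip sla 1 reachability
 delay down 10 up 20
!
! 3. Use the next hop only while track 1 is up.
route-map Backup_Link permit 2
 match ip address Antivirus_To_Branch2
 no set ip next-hop 10.198.198.130
 set ip next-hop verify-availability 10.198.198.130 1 track 1
!
! Verification (exec mode):
!   show ip sla statistics 1
!   show track 1
!   show route-map Backup_Link
```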

Hi,

Thank you for your help and answer.

Is there no problem with adding the multipoint DMVPN interface in the "set interface" command?

Can the router decide the correct destination?

When I set the DMVPN interface I received this error:

%Warning:Use P2P interface for routemap setinterface clause

and it does not work.

Best regards

Hello

Did you set the next hop towards the NBMA address of the DMVPN spoke?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi

No, I don't set the NBMA address; I set the tunnel address as the next hop.

Is that correct?

Best regards
