PBR with EIGRP (issue?)

XEmmeX
Level 1

Hi all,

I just need to set a different default gateway for one vlan (I mean setting a different 0.0.0.0 route for a specific vlan).

Here's what I did:

! ACL 108 matches all traffic sourced from the vlan 501 subnet
access-list 108 permit ip 10.117.192.0 0.0.0.255 any
!
! route-map: traffic matching ACL 108 that would otherwise hit the
! default route is sent to the firewall instead
route-map gw_test permit 10
 match ip address 108
 set ip default next-hop 10.0.96.10
!
! apply the policy to traffic entering the vlan 501 SVI
int vlan 501
 ip policy route-map gw_test

but it didn't work. My suspicion is that it's related to an EIGRP issue. Actually on this CoreSwitch the default route is announced by EIGRP, so the "sh ip route" command shows something like this:

D*EX  0.0.0.0/0 [170/1275648] via 192.168.192.3, 6w2d, Vlan110

Shouldn't the pbr route overwrite the eigrp one?

12 Replies

Jon Marshall
Hall of Fame

Yes it should.

Your configuration will check the IP routing table first, and if there is a matching route that is not the default route it will use that entry to route the packets.

If the only matching route is the default route then it should use PBR and the next hop you have specified.

What platform is this being done on and how are you testing?

Jon

Hi Jon,

I think that the problem is just the EIGRP default route.

I want a different default route for vlan 501 but it seems it gets the EIGRP one.

Peter Koltl
Level 7

Jon, you mean all the specific routes have priority over PBR?

Note the difference between set ip default next-hop as shown in the original post and set ip next-hop. The first one will override the default route but allow all more specific routes to be used as normal. The second one will use the specified next-hop for any traffic matching the access list and will override all routes in the routing table.

We do not know whether the subnet in the access list, 10.117.192.0, is the subnet in vlan 501 (in which case this PBR should work) or is in some other vlan (in which case this PBR would not work).

The original poster comments on the default route shown in show ip route as if he expects to see the PBR route in the output. That would not be the case. show ip route will always show the default route learned by the normal routing process (in this case EIGRP). The PBR default route will only be used for the specified vlan and would not show up in show ip route output.

HTH

Rick
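As an added illustration of Rick's point about the two set clauses (this is not code from the thread), a small Python model of how the routing-table lookup and the PBR policy interact. The routing table entries and the external destination address are constructed; only the vlan 501 subnet, the firewall next hop and the EIGRP default route next hop come from the posts above.

```python
import ipaddress

# Constructed routing table for the core switch in the thread: two connected
# VLAN subnets plus the EIGRP-learned default route (the D*EX 0.0.0.0/0 entry).
ROUTES = {
    "10.117.192.0/24": "connected Vlan501",
    "10.117.10.0/24": "connected Vlan10",      # constructed second internal vlan
    "0.0.0.0/0": "192.168.192.3",              # EIGRP external default via Vlan110
}

# Assumed PBR policy modelled on route-map gw_test: match ACL 108
# (traffic sourced from 10.117.192.0/24), next hop 10.0.96.10 (the firewall).
PBR_MATCH = ipaddress.ip_network("10.117.192.0/24")
PBR_NEXT_HOP = "10.0.96.10"


def longest_prefix_match(dst):
    """Return (network, next_hop) of the most specific route covering dst."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best


def forward(src, dst, set_clause):
    """Pick the next hop for a packet from src to dst.

    set_clause is 'next-hop' (PBR wins over every route in the table) or
    'default next-hop' (PBR only replaces a lookup that hit the default route).
    """
    matched = ipaddress.ip_address(src) in PBR_MATCH
    net, nh = longest_prefix_match(dst)
    if matched and set_clause == "next-hop":
        return PBR_NEXT_HOP
    if matched and set_clause == "default next-hop" and net.prefixlen == 0:
        return PBR_NEXT_HOP
    return nh


if __name__ == "__main__":
    # vlan 501 host to an internet address: default route is replaced by PBR
    print(forward("10.117.192.50", "203.0.113.10", "default next-hop"))
    # vlan 501 host to another internal vlan: the specific route still wins
    print(forward("10.117.192.50", "10.117.10.5", "default next-hop"))
```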

Hi all,

my bad for the incomplete info.

10.117.192.0 is the vlan 501.

About the platform: C4500 configured in VSS mode (cat4500e-UNIVERSALK9-M, Version 03.06.00.E RELEASE SOFTWARE (fc3)).

I tried both next-hop and default next-hop with no results.

Any suggestions?

Thanks for confirming that 10.117.192.0 is the subnet for vlan 501. The other thing that might impact using PBR is whether the next-hop/default next-hop that you specify, 10.0.96.10, is a valid and reachable IP.

Can you tell us how you are testing and determining that PBR has no results? What does the output of show route-map have?

HTH

Rick

10.0.96.10 is a firewall and it's reachable.

I'm testing with a simple trace from a host that belongs to vlan 501.

Since my purpose is to change the default route (0.0.0.0) for that vlan, it should be enough to simply trace an internet IP address.

Thanks for confirming that the PBR next-hop address is reachable. At some point we may need to see the complete config to see if there is something that is impacting PBR. But for now, would you post from the PC you are testing with the IP address, mask, and default gateway, and then the traceroute results? Also please post the output of show ip route.

HTH

Rick

Hi all,

I have some security rules and I can't post my configuration at the moment.

As far as I noticed, there's something with routing that I can't understand and control.

Just for example, I tried a debug ip packet session on access-list 108 and I noticed that I had only logged traffic from vlan 501 vs other internal vlans. I had no logged traffic from vlan 501 vs external vlans or other external IPs, and that's very strange.

It might be helpful if you could post your config. But if your security policies do not allow posting the config then we will have to get along without it (and accept the possibility that some aspect of the config may be impacting your PBR but we will not be able to find it).

I do not understand what you tell us about testing with access list 108. How is vlan 501 vs other internal vlan? Do you mean vlan 501 TO other internal vlan? In that case are you sure that traffic was generated from a device in vlan 501 that had an external destination? If that is so then it suggests that there is some policy configured on vlan 501 that impacts traffic.

I will repeat what I said in a previous post: "But for now would you post from the PC you are testing with the IP address, mask, and default gateway and then the traceroute results. Also please post the output of show ip route."

HTH

Rick

About vlan 501, I mean that if I enable debug logging on the access list 108, which should match EVERY traffic made by that vlan, I see only the traffic made by that vlan vs other INTERNAL vlans. 

For internal, I mean vlans which belong to that coreswitch.

For external, I mean every traffic routed OUTSIDE the coreswitch.

I'll try to post some traceroute. Meanwhile, is there something I can check about policy routing?

Peter

Yes, is that not what I said, or can it be read another way?

Jon