cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1159
Views
5
Helpful
11
Replies

PBR

ramesh.karki
Level 1
Level 1

hi all,

one of our customer using 3750G-12S L3 switch for Internet connection, it has two internet connection coming from different service provider (sp1/SP2)

and two vlans (22/23) for internal use. what they wants the members of vlan 22 use sp1 and the member of vlan 23 use sp2 for internet connection.

For this I configured PBR but this configuration is not working, here what i did :

sdm prefer routing

reload

ip orute x.x.x.x x.x.x.x x.x.x.2 ( default route for sp 1)

ip route x.x.x.x x.x.x.x x.x.x.3 ( default route for sp 2)

int vlan 22

ip add 172.22.23.0 255.255.255.0

ip policy route-map mymap

no shut

int vlan 23 ( assume not in use right now)

ip access-list standard int-sp1

permit 172.22.23.0 0.0.0.255

route-map mymap permit 10

match ip addrss int-sp1

set ip next-hop x.x.x.2

doing this no traffic is going out from vlan 22

suggest me what could be the solution.

thank you

Ramesh

11 Replies 11

dal
Level 3
Level 3

I would guess it has something to do with that your ip addresses (172.22.23.x) are private, and cannot be routed directly on to the internet. They have to be NAT'ed first.

hi,

actually I just wrote this ip for example, the real IP of vlan 22 is public IP which is by sp1 (202.63.x.x/28). no require for translation. they have two pool of public IP address one pool for point to point and another for Inside use (vlan 22).

Ramesh

I would suggest that before you try Policy Based Routing, that you test and verify access for VLAN 22 (especially as you are assuming in the original post that VLAN 23 is not yet active). So I suggest that you remove the other static route: no ip route x.x.x.x x.x.x.x x.x.x.3 ( default route for sp 2).

That should leave VLAN 22 active with a default route that they should use. If it works correctly and they have successful Internet access then you know that the basics are working (the provider is routing the second address block as they should) and you can then address PBR. Since your configuration of PBR does not have any obvious problems I am wondering if the problem is basic routing.

HTH

Rick

HTH

Rick

hi Rick,

I did all the best from my side, I tried what you told, without policy route-map with single default G/W towards sp1 users from vlan 22 able to access the internet. but when i applied the policy map the connection went down. even there was single gateway of sp1.

Rick, is there any difference to apply the policy map in SVI instead of L3-routed port. because I am using SVI interface.

int g1/0/5

switchport access vlan 22

switchport mode access

no shut

!

int g1/0/5

switchport access vlan 22

switchport mode access

no shut

!

int vlan 22

ip add 202.63.x.x 255.255.255.240

ip policy route-map mymap

hope you will get me.

Ramesh

Ramesh

Thank you for doing the testing that I suggested. It is helpful to know that regular routing is working. And it would seem to confirm that there is some issue about this policy based routing.

I have not done Policy Based Routing on a layer 3 switch so I can not speak from personal experience. But as far as I know, as long as you have selected the routing template then Policy Based Routing should work on the SVI like it does on router physical interfaces. And even if it did not work on layer 3 switch SVI interfaces I would not expect that attempting it would break an otherwise working routing environment.

So at this point I would assume that there is some detail of your environment or some detail of how PBR is configured that is a problem. Perhaps if you would post the output of show ip route, the output of show ip interface brief, and the output of show route-map then perhaps we might find the problem.

HTH

Rick

HTH

Rick

pauloroque
Level 1
Level 1

Hi Ramesh,

There is a statement missing on your route map.

You must create a permit any at the end, without any 'match' or 'set' clause.

'route-map mymap permit 20'

Paulo Roque

Paulo

Why would Ramesh need the extra instance in his route map? If the route map were controlling the redistribution of routes or filtering something else, then I would agree that an instance to permit everything else would be appropriate. But for Policy Based Routing it only needs to permit the traffic that it wants to treat differently. All traffic not selected by the route map would then get normal routing. So why is permit 20 needed?

HTH

Rick

HTH

Rick

Hi Paulo / Hi Rick

As i know router forwards the packet based on destination router don't care where the packet came from. But PBR forward the packet matching source address. here in my scenario I have to match all the source address of vlan22, if i have to match only few members of this vlan22 to forward the packet to sp1 and don't care rest, then i can be agree with Paulo.

Rick, sorry i can't show you the configuration. I don't have permission to do this. I noticed two things the ACL is matching and when i ping the G/W ip of SP1 i got two reply in 10 request. I'm confused all, same configuration is working using IOS router 1811.

ramesh

Ramesh

It is quite puzzling. I am not sure why a ping of SP1 gateway would get only 2 of 10 replies. I understand the issue about needing permission to show details. Without the information I am not sure if we can be of help.

HTH

Rick

HTH

Rick

Hi Rick,

This issue has been solved now adding one more router for indivitual SP.

thanks for your good response.

ramesh

Ramesh

I am glad that you got it resolved. Thank you for posting to the forum and indicating that you have resolved the issue. It helps make the forum more useful when people can know that issues that they read were successfully resolved.

HTH

Rick

HTH

Rick
Review Cisco Networking for a $25 gift card