03-05-2008 11:05 AM - edited 03-03-2019 08:59 PM
I have a site that has two frame-relay DS1's built as point-to-point circuits. Both provide Internet access. I want to use PBR to send some user traffic over one T1 and some traffic over the other. I believe I've built the PBR correctly, but it doesn't appear to be working. When I query the route-map I see policy routing matches. Both the packets and bytes counters are incrementing. However, I am unable to resolve DNS or surf. When I put a default static route pointing out one of the interfaces I am able to surf. I have included a config. Any help would be appreciated.
03-05-2008 11:23 AM
Hi:
The access lists on both serial interfaces -- ACL 101 and 102 -- are denying all traffic coming in from the firewall, except icmp.
HTH
Victor
03-05-2008 11:30 AM
This config was generated by the SDM software and it currently works using a default static route with those ACL's in place. I believe that it allows return traffic that it matches to an outbound connection. It is only denying unsolicited inbound traffic.
03-05-2008 11:51 AM
Cerp:
Not to be repetitive, but this is your interface configuration:
interface Serial0/3/0:0.1 point-to-point
description FW_OUTSIDE#1
ip address 211.111.85.82 255.255.255.252
ip access-group 101 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
frame-relay interface-dlci 500 IETF
And here is the access list...
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny ip 211.111.85.84 0.0.0.3 any
access-list 101 deny ip 10.100.2.0 0.0.0.31 any
access-list 101 permit icmp any host 211.111.85.82 echo-reply
access-list 101 permit icmp any host 211.111.85.82 time-exceeded
access-list 101 permit icmp any host 211.111.85.82 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
This access list denies everything but ICMP traffic coming in from the firewall. What am I missing?
Which interface did you point that static route to? ip route 0.0.0.0 0.0.0.0 ?.?.?.?
Victor
03-05-2008 12:31 PM
The default route points to s0/3/0:0.1. I am currently surfing over that link right now.
03-05-2008 01:06 PM
Oh, wait a minute... I'm sorry! I just noticed the ip inspect commands in your configuration...
You're running an IOS with a firewall feature set, which means that it is stateful. So, all your internally-generated traffic is automatically allowed back in....
That explains the access list question, but that leaves your initial problem still unresolved....
03-05-2008 07:52 PM
Within route-map path-select, try setting "set default interface Serial0/3/0:0.1" and "set default interface Serial0/3/1:0.1" to "set ip next-hop x.x.x.x" where x.x.x.x is the appropriate external next hop address.
03-06-2008 04:26 AM
I changed the "set default interface" statement to a "set ip next-hop" statement still no change. I see the route-map matching packets, but am unable to route. As soon as I put in a static route pointing to either serial link routing starts working.
03-06-2008 05:51 AM
I had suspected PBR with "interface" wasn't NATing. Hopefully the "next-hop" would otherwise NAT. At this point, you would need to activate debug and see what's going on.
PS:
What next hop addresses did you use?
03-06-2008 06:12 AM
Hi,
The (set default interface) has a different concept than (set ip next-hop).
The first would perform PBR only if it has an exact match in the routing table, and would therefore need an (extended access-list).
Therefore, the set ip next-hop would resolve your issue, and you don't need a default route for this.
Make sure the next hop is reachable.
HTH
Mohamed
03-06-2008 07:34 AM
Ok, I've got it working. I changed my ACL's to extended ACL's (no change), set the route-map to set ip next-hop (no change) and then I put a default static route pointing to each of my T1's. The route-map would then send the packets out the correct interface. Does the router have to do a route lookup even if you have a route map pointing to the next hop address?
03-06-2008 08:15 AM
Does the router have to do a route lookup even if you have a route map pointing to the next hop address?
It depends on the set statement within the route-map.
If you use set ip next-hop address, the router will use PBR first and if it fails, it will use the routing table.
If you use set ip default next-hop address, the router will use the routing table first and then the next-hop specified in the route-map.
Please see:
http://www.cisco.com/en/US/docs/ios/12_4/ip_route/configuration/guide/piconfig.html#wp1001398
for further understanding of PBR features.
HTH,
__
Edison.
03-06-2008 10:08 AM
Ok, but if I don't have any static routes configured I am unable to route. I could ping the next-hop IP. With the static routes configured the route-map (set ip next-hop address) is sending my user traffic out the correct interfaces. No matter what method I used, I would always show my ACL's matching interesting traffic and the route-map matching packets. Very odd behaviour!
03-06-2008 10:20 AM
Packets generated by the router are not normally policy routed unless you configure a local PBR.
http://www.cisco.com/en/US/docs/ios/12_4/ip_route/configuration/guide/piconfig.html#wp1001559
That's the reason that a lack of 'static route' produces the result you are seeing.
HTH,
__
Edison.
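To make the difference between the two set statements and the local-policy point concrete, here is an added example configuration (not from anyone in this thread). It assumes the inside interface is FastEthernet0/0, that the user groups are the constructed subnets 10.100.2.0/28 and 10.100.2.16/28, and that the far-end next hops are 211.111.85.81 (the other address on the posted /30) and a placeholder 203.0.113.1 for the second T1.

```cisco
! Extended ACLs: PBR matches on source, so name each user group explicitly
! (subnets below are constructed for this example)
ip access-list extended USERS_GROUP_A
 permit ip 10.100.2.0 0.0.0.15 any
ip access-list extended USERS_GROUP_B
 permit ip 10.100.2.16 0.0.0.15 any
!
! "set ip next-hop" is applied BEFORE the routing table is consulted;
! "set ip default next-hop" is applied only when the routing table has
! no explicit (non-default) route for the destination.
route-map path-select permit 10
 match ip address USERS_GROUP_A
 set ip next-hop 211.111.85.81
route-map path-select permit 20
 match ip address USERS_GROUP_B
 set ip next-hop 203.0.113.1
! Traffic matching neither sequence falls through to normal routing.
!
! Apply the policy where user traffic ENTERS the router (inside interface;
! interface name is an assumption for this example)
interface FastEthernet0/0
 ip policy route-map path-select
!
! Default routes with next-hop addresses (not interfaces) so unmatched and
! router-originated traffic still has a path. Two equal-cost defaults will
! load-share that remaining traffic across both T1s.
ip route 0.0.0.0 0.0.0.0 211.111.85.81
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! Packets the router itself generates are not policy routed unless a local
! policy is also applied:
ip local policy route-map path-select
!
! Verification (run from enable mode):
!   show route-map path-select   - per-sequence "policy routing matches" counters
!   show ip policy               - which interfaces carry which route-map
!   debug ip policy              - per-packet match / "policy routed" decisions
```

If the counters increment but traffic still fails, the next-hop address itself must be reachable from the router (a directly connected or routed address), which is what the thread found when the statics were added.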
03-06-2008 02:14 PM
It might help if you clarified what next hop address you're using with PBR and the specific statics which fixed the problem.
Since your original default route was using an interface, not a next hop, perhaps PBR doesn't "know" where the next hop is without a connected route or a static. I.e. your NAT pool is using 60.x.x.x but your physical links are 211.x.x.x. Or perhaps the issue is, without the statics, NAT doesn't see an inside to outside need for address translation.