Solved: Policy Based Routing to modify default route

bberry · ‎10-08-2013

Hi all,

I have an issue that I am trying to overcome in that I need to modify the default route on two servers in my server farm. We are in the process of changing routing with our ISP but I have two serves that need to keep the old routing as that passes through an older firewall. I think I should be able to do this with PBR but seem to be missing something as I set it up to use the existing routing as a test and when I implement I break the connections. Here is basically what I have.

access-list 190 permit ip host 172.16.4.53 any

access-list 190 permit ip host 172.16.4.193 any

route-map pbr permit 10
match ip address 190
set ip next-hop 172.16.11.26

When I want to activate I add the following to my VLAN interface

ip policy route-map pbr

The 172.16.11.26 is my current default route so figure this would not break anything. The 4.53 address is my exchange server and when I apply it to the VLAN, I loose connectivity from the client. Do I need to clear the IP routing table after I apply this to my VLAN? I figured this should be pretty simple as I though I was not really changing anything in regards to routing.

Brent

rfalconer.sffcu · ‎10-08-2013

Next-hop checks for the existence in the routing table of the next hop specified. If it exists, that's where it sends it.

If it doesn't, then it checks the routing table for the destination address.

Default next hop checks for the existence of the destination address first.

View solution in original post

bberry · ‎10-08-2013

OK .. I tried changing the ACL to a standard ACL thinking that was my issue but still not working. I am still breaking the connections ... as soon as I remove the policy from my VLAN connectivity is re-established.

access-list 12 permit 172.16.4.53

Brent

cadet alain · ‎10-08-2013

Hi,

traffic not matching ACL 190 will use the RIB default route, so when you do the PBR you've gotno more internet access for every machine or just the hosts in the ACL ?

Can you do debug ip policy and post the output.

Regards

Alain

Don't forget to rate helpful posts.

bberry · ‎10-08-2013

Alain,

How do I debug the policy? Debug IP policy and debug IP policy 12 have returned nothing. Same holds true for debug route-map api.

This is on a 4500x switch.

Brent

rfalconer.sffcu · ‎10-08-2013

So the Exchange server continues to access the internet but clients cannot access it?

Are the clients on a different subnet(s) than the server?

If so, use 'set ip default next-hop' command instead. This will check the local routing table before policy routing. If the destination exists locally, it will route it correctly.

bberry · ‎10-08-2013

Yes the clients are on different subnets.

I will give the set ip default next-hop a try and will advise. I thought that the next-hop also checked the table but guess it is more of a hard coded thing.

Thanks ...

rfalconer.sffcu · ‎10-08-2013

Next-hop checks for the existence in the routing table of the next hop specified. If it exists, that's where it sends it.

If it doesn't, then it checks the routing table for the destination address.

Default next hop checks for the existence of the destination address first.

bberry · ‎10-08-2013

Robert,

set ip default next hop seems to be working. At least I have not lost the connection to my server from the client when I applied the policy to my VLAN.

Thanks ...

How do I complete the debug as the debug IP policy commands have so far returned nothing.

Brent

rfalconer.sffcu · ‎10-08-2013

It should show output when something is policy routed. Did you do term mon or sh logging to see if there was anything in there?

cadet alain · ‎10-08-2013

Hi,

enable

terminal monitor

conf t

logging monitor 7

Regards

Alain

Don't forget to rate helpful posts.

cadet alain · ‎10-08-2013

Hi,

set ip next-hop doesn't check the RIB and set ip default next-hop will only work if you haven't got a longest match route so even with a default route it won't hit the first statement and will use the RIB default route.

Regards

Alain

Don't forget to rate helpful posts.