02-08-2018 05:48 PM - edited 03-05-2019 09:53 AM
I am trying to direct traffic coming from another router and forward it to an IP address that is not directly connected to the outgoing interface.
I have tried applying the access list outbound to the interface and hit counters increment so I know the router can recognize the traffic. As soon as I apply it as a policy based route to the interface, it seems like it cant find the traffic and forward it like I want. ive tried 'recursive', 'set ip vrf' within the route map, 'set default interface', etc... but traffic still wants to go to the default of .66. it seems like it is ignoring the PBR and using the default vrf table. what am I missing? thanks. please let me know if more info is needed.
7204vxr Version 12.4(24)T4
ip vrf
rd 5771:60023
route-target export 5771:60023
route-target import 5771:60023
!
interface GigabitEthernet0/2.108
encapsulation dot1Q 108
ip vrf forwarding vrf
ip address 10.242.60.65 255.255.255.248
no ip redirects
no ip proxy-arp
ip mtu 1500
ip policy route-map pbr
!
ip access-list extended acl_108
permit ip host 10.10.12.76 10.226.59.0 0.0.0.255 log
permit ip host 10.10.12.77 10.226.59.0 0.0.0.255 log
permit ip host 10.10.12.80 10.226.59.0 0.0.0.255 log
!
route-map pbr permit 10
match ip address acl_108
set ip vrf vrf next-hop 10.242.60.68
set default interface GigabitEthernet0/2.108
!
route-map pbr permit 20
!
pe01#show route-map
route-map pbr, permit, sequence 10
Match clauses:
ip address (access-lists): acl_108
Set clauses:
ip vrf vrf next-hop 10.242.60.68
default interface GigabitEthernet0/2.108
Policy routing matches: 0 packets, 0 bytes
route-map pbr, permit, sequence 20
Match clauses:
Set clauses:
Policy routing matches: 4431693 packets, 1083168116 bytes
pe01# show ip route vrf vrf
Routing Table: vrf
Gateway of last resort is 10.242.60.66 to network 0.0.0.0
x.y.z.a/29 is subnetted, 2 subnets
S x.y.z.a [1/0] via 10.242.60.66
S x.y.z.a [1/0] via 10.242.60.66
10.0.0.0/8 is variably subnetted, 4 subnets, 4 masks
B 10.10.12.0/22 [200/0] via p.q.r.s, 3w0d
B 10.11.12.0/24 [200/0] via p.q.r.s, 3w0d
C 10.242.60.64/29 is directly connected, GigabitEthernet0/2.108
B 10.242.30.84/30 [200/0] via p.q.r.s, 3w0d
a.b.c.d/28 is subnetted, 1 subnets
B a.b.c.d [200/0] via p.q.r.s, 3w0d
S* 0.0.0.0/0 [1/0] via 10.242.60.66
pe01.usac#show ip policy
Interface Route map
Gi0/2.108 pbr
02-08-2018 08:54 PM
Hi
The sequence permit 20 isn't important as by default, traffic not catched will follow the normal routing. You can remove the statement.
For the sequence 10, you're using an acl with log keyword that's not supported by pbr.
Can you remove this keyword in all your ace and test again please?
02-08-2018 09:01 PM
02-08-2018 09:13 PM - edited 02-08-2018 09:21 PM
duplicate response. I guess my posts took a while to show up.
debug policy: it appears it processes some of the PBR, but im just not catching traffic from 10.10.12.7x... im wondering now if its even coming to me...
02-08-2018 09:37 PM
02-08-2018 09:54 PM - edited 02-08-2018 09:54 PM
sure.
"Can you share more information about your design to validate that pbr is applied on the right interface?"
MPLS PE routers in separate cities. one PE router is at customer prem in one city, directly attached to customer. other PE router is in another city directly attached to customer.
network->customer rtr->PE->vpnv4 mpls->PE->customer rtr->network
"Also why having a set clause interface with the same interface on which PBR is applied to?"
I am trying anything possible to catch traffic and force it out the int gi0/2.108. I have removed that statement with no change. will gladly try again.
"Can you ping your next hop up?"
yes sir.
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.242.60.65, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
pe01#ping vrf vrf 10.242.60.68
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.242.60.68, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
pe01#
"On your debug, it saying FIB policy refected and doing a normal forwarding, that means pbr isn't working."
hmm. I see. I was taking it as evidence that it was attempting to match, but not finding a match and rejecting based on not finding the match. is this not working because it has an MPLS label? i attempted to set mpls-lable in the route-map but that didnt change anything.
02-09-2018 04:07 PM
more testing: an access list applied outbound is showing that traffic is attempting to go where I want it to, but the route map cant find it and direct traffic. toggled 'set mpls-label' and doesnt seem to help. im reading that PBR may not be supported coming out of mpls. if that is the case I may have to try moving it to the incoming upstream router before it gets encapsulated.
interface GigabitEthernet0/2.108
encapsulation dot1Q 108
ip vrf forwarding vrf
ip address 10.242.60.65 255.255.255.248
ip access-group 105 out
no ip redirects
no ip proxy-arp
ip mtu 1500
ip policy route-map pbr
!
access-list 105 permit ip host 10.10.12.76 10.226.59.0 0.0.0.255 log
access-list 105 permit ip host 10.10.12.77 10.226.59.0 0.0.0.255 log
access-list 105 permit ip host 10.10.12.80 10.226.59.0 0.0.0.255 log
access-list 105 permit ip any any
!
show log:
Feb 9 14:39:18.223 AKST: %SEC-6-IPACCESSLOGP: list 105 permitted tcp 10.10.12.76(49210) -> 10.226.59.10(28500), 1 packet
Feb 9 14:41:18.381 AKST: %SEC-6-IPACCESSLOGP: list 105 permitted tcp 10.10.12.76(49211) -> 10.226.59.10(28500), 1 packet
Feb 9 14:42:29.470 AKST: %SEC-6-IPACCESSLOGP: list 105 permitted tcp 10.10.12.77(2054) -> 10.226.59.10(7780), 1 packet
Feb 9 14:44:29.471 AKST: %SEC-6-IPACCESSLOGP: list 105 permitted tcp 10.10.12.76(49210) -> 10.226.59.10(28500), 5 packets
Feb 9 14:46:29.473 AKST: %SEC-6-IPACCESSLOGP: list 105 permitted tcp 10.10.12.76(49211) -> 10.226.59.10(28500), 1 packet
pe01# show route-map
route-map pbr, permit, sequence 10
Match clauses:
ip address (access-lists): acl_108
Set clauses:
mpls label
ip vrf vrf next-hop 10.242.60.68
ip next-hop recursive 10.242.60.68
default interface GigabitEthernet0/2.108
Policy routing matches: 0 packets, 0 bytes
02-11-2018 06:25 AM
The best clue for identifying the problem is this "force it out the int gi0/2.108". You are applying the ip policy statement on the outbound interface. But for PBR to work you need to apply the statement on the inbound interface that receives the traffic rather than on the outbound interface.
HTH
Rick
02-11-2018 04:22 PM
Totally agree with Richards, that's why I asked at the beginning:
Also why having a set clause interface with the same interface on which PBR is applied to?
Anyway, can you share a quick drawing showing your mpls cloud and where you're trying to apply PBR?
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide