10-26-2014 08:59 PM - edited 03-05-2019 12:02 AM
I have attached a diagram. I want to route traffic from a certain host to another host using policy based routing. Basically, traffic from host 10.87.6.151 should route through next-hop 10.87.6.3. Traffic from host 10.87.1.151 should route through next-hop 10.87.1.3. Here is the config I have on the Core switch for 10.87.6.1:
match ip address 112
set ip next-hop 10.87.6.3
access-list 112 permit ip host 10.87.6.151 host 10.87.1.151
ip policy route-map Plymouth
Policy for Core Switch 10.87.1.1:
match ip address 112
set ip next-hop 10.87.1.3
access-list 112 permit ip host 10.87.1.151 host 10.87.6.151
ip policy route-map Lebanon
I want to know if this is possible. My headquarters is in Site B; when I apply it to both sites I lose connection to Site A.
10-28-2014 04:15 AM
You can only have one PBR per interface, you can't have two :)
Just simply combine your route-map statements with additional IP-SLA. Why? I am assuming you have redundant routes for your traffic, just in case their main tunnel goes down, they will failover :))
I am assuming that 10.87.6.3 is in tun0 and 10.87.1.3 is in tun1
conf t
! Probe each next-hop so PBR can verify it before using it
ip sla 1
icmp-echo 10.87.6.3 source-interface tun0
timeout 1500
frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 10.87.1.3 source-interface tun1
timeout 1500
frequency 5
ip sla schedule 2 life forever start-time now
track 1 rtr 1 reachability
track 2 rtr 2 reachability
access-list 112 permit ip host 10.87.6.151 host 10.87.1.151
access-list 113 permit ip host 10.87.1.151 host 10.87.6.151
route-map POLICY_1 permit 10
match ip address 112
! verify-availability takes a sequence number before "track"
set ip next-hop verify-availability 10.87.6.3 1 track 1
route-map POLICY_1 permit 11
match ip address 113
set ip next-hop verify-availability 10.87.1.3 1 track 2
interface vlan 10
ip policy route-map POLICY_1
Considering you have PBR I would assume you have redundant paths to these destination networks. Anyway here is how it works:
1. In case any of the links to the desired destination goes down, PBR will not become a hindrance such that traffic is not forwarded even if the PBR statement exists.
2. If the next-hop is not verified, then it makes the packets "skip" the route-map statement, and as we know, if nothing matches, then it forwards traffic normally using the routing table :)
10-28-2014 05:57 AM
I was told that I had to apply the policy to different interfaces, meaning it can't be applied to interface vlan 10 on both sides (exit of different interface). So without the SLA in place, what would happen to the traffic if the next hop is down?
10-28-2014 06:02 AM
Without the SLA the router will still forward traffic to the next-hop even if it's not alive :)
Don't forget to rate or mark as correct helpful answers :)
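Added example, not part of the thread or any poster's configuration: a simplified Python model of the forwarding decision described in the two replies above, comparing a tracked `verify-availability` entry with a plain `set ip next-hop` when the next-hop is down. The names `Entry`, `TRACKS`, `UNTRACKED`, `decide` and `blackholed` are hypothetical, and the model assumes a matched entry whose tracked hop is down falls back to the routing table.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Entry:
    seq: int
    src: str                      # ACL: permit ip host <src> host <dst>
    dst: str
    next_hop: str
    track: Optional[int] = None   # None models a plain "set ip next-hop"

# Track objects and the address each one probes (ip sla 1 / ip sla 2 in the reply).
TRACKS = {1: "10.87.6.3", 2: "10.87.1.3"}

# POLICY_1 as posted, plus the same entries without tracking for comparison.
POLICY_1 = [
    Entry(10, "10.87.6.151", "10.87.1.151", "10.87.6.3", track=1),
    Entry(11, "10.87.1.151", "10.87.6.151", "10.87.1.3", track=2),
]
UNTRACKED = [Entry(e.seq, e.src, e.dst, e.next_hop) for e in POLICY_1]

def decide(policy, src, dst, alive):
    """Return the PBR next-hop, or None when the routing table is used."""
    for e in sorted(policy, key=lambda e: e.seq):
        if (e.src, e.dst) != (src, dst):
            continue                      # ACL did not match, try next entry
        if e.track is not None and TRACKS[e.track] not in alive:
            return None                   # tracked hop down: normal routing (model assumption)
        return e.next_hop                 # untracked, or tracked and reachable
    return None                           # no entry matched: normal routing

def blackholed(policy, src, dst, alive):
    """True when PBR hands the packet to a next-hop that is not alive."""
    hop = decide(policy, src, dst, alive)
    return hop is not None and hop not in alive

if __name__ == "__main__":
    flow = ("10.87.6.151", "10.87.1.151")
    for alive in ({"10.87.6.3", "10.87.1.3"}, {"10.87.1.3"}):
        for name, pol in (("tracked", POLICY_1), ("untracked", UNTRACKED)):
            print(name, sorted(alive), decide(pol, *flow, alive),
                  "blackholed" if blackholed(pol, *flow, alive) else "ok")
```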
10-28-2014 09:07 AM
I was under the assumption that the PBR had to be placed on both sides in order to work correctly. You are correct, traffic is between 2 servers at each site.
10-28-2014 09:09 AM
Ooops correction on that, we need to apply PBR to both ends of the devices. You are correct
10-28-2014 07:02 AM
Ok, good to know. lsgabrillo, can I apply the policy map to VLAN 10 on both Site A and B? When I applied it last week I lost connection to the Site A core switch.
10-28-2014 12:59 PM
You should be able to apply Policy Based Routing to VLAN 10 on both sites. If you applied PBR on both sites and lost connection to one then there was some error in how you set it up. We do not have enough information here to know what the cause was. If you supply more detail about what you configured perhaps we might be able to find the issue.
HTH
Rick
10-28-2014 07:53 PM
Yeap just as Burts said
And also, though the configuration "pattern" (a.k.a commands/syntax used) is the same, the configuration itself is different from Site A and Site B
You can't simply copy the config above, and paste it on both sites
10-28-2014 08:16 PM
Ok, call me crazy; I applied this policy first to both sides and traffic was routing properly between 10.87.6.101 and 10.87.1.101:
!*****Lebanon Site B*****
route-map OHIO permit 20
match ip address 111
set ip next-hop 10.87.1.3
access-list 111 permit ip host 10.87.1.101 host 10.87.6.101
interface vlan10
ip policy route-map OHIO
!****Plymouth Site A****
route-map PLYMOUTH permit 10
match ip address 111
set ip next-hop 10.87.6.3
access-list 111 permit ip host 10.87.6.101 host 10.87.1.101
Now when I apply this policy below I lose connection to my Core switch (10.87.1.1) and access to Core switch (10.87.6.1)
!****testing Lebanon Site B****
route-map OHIO permit 30
match ip address 112
set ip next-hop 10.87.1.3
access-list 112 permit ip host 10.87.1.151 host 10.87.6.151
!
interface vlan10
ip policy route-map PLYMOUTH
!
!***testing Plymouth Site A***
route-map PLYMOUTH permit 20
match ip address 112
set ip next-hop 10.87.6.3
access-list 112 permit ip host 10.87.6.151 host 10.87.1.151
10-29-2014 04:55 AM
Thanks for the additional information. There are several things that I do not understand and I hope that you can clarify.
- Looking at the diagram that was with the original post, 10.87.1.3 and 10.87.6.3 appear to be the addresses of the MPLS routers that connect the sites. If you are using these as the set next hop then it implies that this is not the normal path for traffic between the sites. So can you clarify what the normal path between the sites is? I am wondering if the normal path does work but that there is something broken with the MPLS?
- Did the Policy Routing for hosts 10.87.1.101 and 10.87.6.101 really work? Were those hosts able to successfully communicate with each other?
- It appears that the difference between the Policy Routing that did not cause a problem and the Policy Routing that did cause a problem was that one dealt with hosts 101 and the other dealt with hosts 151. So what are hosts 151? And is there something that if they do not communicate would impact access to core switches?
HTH
Rick