Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2991
Views
20
Helpful
23
Replies

Policy Routing failure (order of operation?)

Jay47110
Level 1
Level 1

‎12-15-2020 12:32 PM - edited ‎12-16-2020 04:41 AM

Hi,

 

This question is relating the order of operation in Cisco IOS-XE for an ingress packet.

I am currently troubleshooting an issue where a Host1 with IP 192.168.1.1 is trying to ping a remote Host2 192.168.2.2 and the router in question R1 is the transit router.

The traffic is PBR'd on R1 on the ingress interface based on source IP 192.168.1.1 and destination IP 192.168.2.2 and an IP next-hop is set.

Here is the trouble, 192.168.2.2 also happens to be a directly connected interface IP address on R1 which is completely separate and has nothing to do with Host2's 192.168.2.2 that host1 is trying to ping. And Although the traffic is PBR'd on the ingress interface, it never gets Policy based routed to the correct IP next-hop specified in the PBR. Here is the "debug ip packet detail" output of the failed routing:

*Dec 15 19:22:22.190: IP: s=192.168.1.1 (GigabitEthernet0/1), d=192.168.2.2, len 100, input feature
*Dec 15 19:22:22.191: ICMP type=0, code=0, Policy Routing(103), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Dec 15 19:22:22.191: IP: s=192.168.1.1 (GigabitEthernet0/1), d=192.168.2.2, len 100, input feature
*Dec 15 19:22:22.192: ICMP type=0, code=0, MCI Check(109), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Dec 15 19:22:22.192: FIBipv4-packet-proc: route packet from GigabitEthernet0/1 src 192.168.1.1 dst 192.168.2.2
*Dec 15 19:22:22.193: FIBfwd-proc: Default:192.168.2.2/32 receive entry
*Dec 15 19:22:22.193: FIBipv4-packet-proc: packet routing failed
*Dec 15 19:22:22.193: IP: tableid=0, s=192.168.1.1 (GigabitEthernet0/1), d=192.168.2.2 (GigabitEthernet0/2), routed via RIB
*Dec 15 19:22:22.194: IP: s=192.168.1.1 (GigabitEthernet0/1), d=192.168.2.2, len 100, rcvd 4
*Dec 15 19:22:22.194: ICMP type=0, code=0
*Dec 15 19:22:22.195: IP: s=192.168.1.1 (GigabitEthernet0/1), d=192.168.2.2, len 100, stop process pak for forus packet
*Dec 15 19:22:22.195: ICMP type=0, code=0

 

However, once the directly connected interface with IP 192.168.2.2 is shutdown, PBR kicks in fine and routes traffic to the correct next-hop interface. Here is the "debug ip packet detail" output for successful routing:

*Dec 15 19:21:25.785: IP: s=192.168.1.1 (GigabitEthernet0/1), d=192.168.2.2, len 100, FIB policy match
*Dec 15 19:21:25.785: IP: s=192.168.1.1 (GigabitEthernet0/1), d=192.168.2.2, len 100, PBR Counted
*Dec 15 19:21:25.785: IP: s=192.168.1.1 (GigabitEthernet0/1), d=192.168.2.2, g=192.168.12.2, len 100, FIB policy routed

 

What am I missing here, isn't Policy based routing triggered before RIB or CEF in the ingress order of operations? Or is the fact that the destination is also a directly connected prefix takes precedence over the PBR?

 

Kind regards

Topology.png

Preview file
4 KB
Preview file
4 KB
0 Helpful
23 Replies 23

paul driver
VIP
VIP
In response to Georg Pauwen

‎12-16-2020 05:09 AM

Hello @Georg Pauwen 

I wouldn’t suggest to have two directly connected rtrs  point default routes towards each other- your asking for trouble- it will cause whole lot of heartache - routing loop galore!


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

paul driver
VIP
VIP
In response to Georg Pauwen

‎12-16-2020 05:12 AM

Hello

@Georg Pauwen how would host 192.168.1.1 reach the same host on the same rtr if it needed to?

Nat would be preferable in this case not PBR


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful

paul driver
VIP
VIP

‎12-15-2020 02:22 PM - edited ‎12-16-2020 12:37 AM

Hello
FYI - Cef isn’t used in some PBR statments as such packets PBR are process switched which means every packet needs to be punted to the cpu for a forwarding decision.
Regards your PBR the set-interface and ip next- hop are roughly the same-

ip next- hop x.x.x. requires the ip to be part of a directly connected interface on the rtr
set interface x/x - requires the destination address of the packet needs be on the same segment of the interface specified or that some proxy arp is being used to forward the packet

Can you confirm what you are trying to accomplish here - Are you trying to ping a connect interface of the rtr that’s has PBR enabled?
Also have you have specified the PBR ip next hop address to point to a connected interface ip on the same rtr- If so this isnt correct.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Jay47110
Level 1
Level 1
In response to paul driver

‎12-16-2020 02:18 AM

Hi Paul,

 

For ease of understanding I've attached a topology diagram in the original post.

I am using ip next-hop (address) in the route-map.

 

Kind regards

0 Helpful

paul driver
VIP
VIP
In response to Jay47110

‎12-16-2020 05:04 AM - edited ‎12-16-2020 05:06 AM

Hello

thanks for sharing - i think i see now what your trying to achieve- please correct me if i am wrong

you want policy based route towards a host in another router that has the same ip address as a host on connected interface on rtr 1 - however PBR isn’t what you need it’s NAT - Network Address Translation applied on either rtr so to enable you to reach both hosts of 192.168.2.2 successfully.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful

Jay47110
Level 1
Level 1
In response to paul driver

‎12-16-2020 06:01 AM

Hi Paul,

 

Yes, spot on that's exactly what the scenario is based upon. I agree, NAT would be the preferred choice here, but I just wanted to find out about the order of operation when the packet arrived from host1 on R1. Is the router's directly connected interface taking precedence over policy based routing?

 

Kind regards

0 Helpful

paul driver
VIP
VIP
In response to Jay47110

‎12-16-2020 08:31 AM - edited ‎12-16-2020 08:33 AM

Hello

Then the order of preference which i have already stated when using ip next-hop would be to for the rtr to bypass the route table lookup and policy route directly to the related interface of the specified next-hop ip in the pbr

Your scenario here without using nat wouldn’t be valid in a real network as you would have a discontiguous overlapping network so PBR isnt the correct feature choice in this instance 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Georg Pauwen
VIP
VIP
In response to Jay47110

‎12-16-2020 08:42 AM

Hello,

 

I am starting to think maybe this is a flaw in the simulation software you are using. I used GNS3, and as documented, your PBR configuration works flawlessly. What are you using (VIRL) ?

0 Helpful

MHM Cisco World
VIP
VIP

‎12-16-2020 08:15 AM

ip route-cache policy 

try fast switch PBR enable than use CEF-PBR

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card