Re: PPR next hop command not working

saleh.alsalamah · ‎04-17-2019

HI Community team,

I was trying the PPR configuration for particular IP list but unfortunately the IP next hop address command is not working.

Attached the picture for the command-line and the save configuration file .

Jon Marshall · ‎04-17-2019

The default route points to the same next hop IP so why do you need PBR.

As for PBR you need to apply the route map to the SVI eg.

int vlan 140
ip policy route-map To-FW

also in the configuration you posted your route map has no next hop defined although your screenshot does show you applying it.

Jon

saleh.alsalamah · ‎04-17-2019

Hi Jon

We don't want the traffic from vlan 60 to Vlan 140 ROUTED in the switch, instead we need this traffic to be forwarded toward the firewall IP 192.168.251.1 and the Firewall do the routing instead.

Example Source IP: 192.168.140.10 Destination IP 192.168.60.30, by default the traffic won't pass the firewall, and that is way we need to apply the route-map.

In the screenshot showing that I was applying the next hop but is not showing in configuration and that is my problem.

Jon Marshall · ‎04-17-2019

It looks like you want any traffic to vlan 140 to be routed via the firewall so why not just move the L3 interface for vlan 140 to the firewall.

Note even if you get PBR working the return traffic from vlan 140 would route directly back and not via the firewall which probably isn't what you want.

Jon

saleh.alsalamah · ‎04-17-2019

Hi Jon

We can Apply the same rule for the return traffic, instead we can create an ACL for 192.168.60.0/24 and apply the opposite direction.

Moving L3 interface for vlan 140 is a best option as you mentioned but I was thinking of another easier solution.

Jon Marshall · ‎04-18-2019

You could do although I would argue it is easier to move the L3 interface to be honest because logically it just makes more sense to me ie. you want all traffic to and from vlan 140 to go via the firewall so move it to the firewall.

An alternative solution could be to use VRFs and put that vlan into it's own VRF and have a default route in that VRF pointing to the firewall.

That said you want to use PBR so what is the device ie. model etc. that you are trying to apply the PBR on ?

Jon

saleh.alsalamah · ‎04-18-2019

The device doesn't support VRF.

PID: WS-C4507R+E

License Information for 'WS-X45-SUP7-E'
License Level: ipbase Type: Permanent
Next reboot license Level: ipbase

Version 03.04.04.SG

Jon Marshall · ‎04-18-2019

I don't think IPBase supports PBR, from the 4500E IOS 15.1(2)SGx release notes -

The IP Base image supports Open Shortest Path First (OSPF) for Routed Access, Enhanced Interior Gateway Routing Protocol (EIGRP) "limited" Stub Routing, Nonstop Forwarding/Stateful Switchover (NSF/SSO), and RIPv1/v2. The IP Base image does not support enhanced routing features such as BGP, Intermediate System-to-Intermediate System (IS-IS), Internetwork Packet Exchange (IPX), AppleTalk, Virtual Routing Forwarding (VRF-lite), GLBP, and policy-based routing (PBR).

Full link -

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/release/note/OL_27991-01.html

Jon

Jon Marshall · ‎04-18-2019

Just updated link to release notes as I can never work out which is which ie. IOS or IOS XE :)

Both say the same thing though ie. IPBase does not support PBR.

Jon

Jon Marshall · ‎04-18-2019

Just checked switch configuration and can see you are running 4500.

What feature set are you running on that switch ?

Jon