11-01-2012 03:22 AM - edited 03-04-2019 06:01 PM
Hi Guys,
I have PBR with a route-map applied on the LAN interface of the router. The PBR uses the route-map below:
R1:
route-map PBR permit 10
 match ip address OFFLOAD
 set ip next-hop 172.16.1.5
ACL contents:
ip access-list extended OFFLOAD
 deny tcp 10.0.0.0 0.255.255.255 20.0.0.0 0.0.3.255 eq 14xx
 deny ip 10.0.0.0 0.255.255.255 host 30.1.1.1
 deny ip 10.0.0.0 0.255.255.255 host 30.1.1.5
 permit ip 10.0.0.0 0.255.255.255 any
interface FastEthernet0/0
 ip address 172.16.1.2 255.255.255.0
 standby 1 ip 172.16.1.1
 standby 1 preempt
 ip policy route-map PBR
R2:
R2 has the same interface config, with HSRP, as Fa0/0 of R1. The policy is applied to offload traffic from R1 to R2, i.e. keep only the traffic denied in the ACL on R1's WAN link.
But somehow the policy is not working and the denied traffic is going via R1 itself. I guess we can't use deny statements in a route-map?
Regards,
Santosh
11-02-2012 08:25 AM
Santosh
Thank you for the additional explanation, which does help to clear up the issue. Some people do get confused about what happens when the access list in PBR has deny statements, so you are in good company about this. If a packet matches the deny in the access list used in PBR then it just follows the normal routing logic.
Some people assume that if an access list denies a packet that the packet is dropped and not forwarded. This is true if the access list is used on an interface with access-group. But it is not the case with PBR. When used with PBR the deny just says "do not use PBR logic" and the regular routing logic is used. So I would expect that any traffic that is denied in the access list (any host in 10.0.0.0 with destination 30.1.1.1 or 30.1.1.5) will use the outbound connection on R1.
HTH
Rick
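To make the difference Rick describes concrete, here is an added example (not from the post or from Cisco) that evaluates the thread's OFFLOAD ACL against sample packets once with PBR semantics and once with access-group semantics. The port the post elides as "14xx" is replaced by a labelled placeholder constant; the packets are constructed.

```python
import ipaddress

PLACEHOLDER_PORT = 1400  # stands in for the "14xx" the post does not spell out
PBR_NEXT_HOP = "172.16.1.5"  # "set ip next-hop" from route-map PBR in the post

# The OFFLOAD ACL from the post as (action, proto, src, src-wildcard, dst, dst-wildcard, dport).
# "host X" is wildcard 0.0.0.0; "any" is 0.0.0.0 255.255.255.255.
OFFLOAD_ACL = [
    ("deny",   "tcp", "10.0.0.0", "0.255.255.255", "20.0.0.0", "0.0.3.255",       PLACEHOLDER_PORT),
    ("deny",   "ip",  "10.0.0.0", "0.255.255.255", "30.1.1.1", "0.0.0.0",         None),
    ("deny",   "ip",  "10.0.0.0", "0.255.255.255", "30.1.1.5", "0.0.0.0",         None),
    ("permit", "ip",  "10.0.0.0", "0.255.255.255", "0.0.0.0",  "255.255.255.255", None),
]

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 0 bit must match exactly, a 1 bit is don't-care."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def acl_lookup(acl, packet):
    """First-match ACL evaluation: 'permit', 'deny', or None for the implicit deny at the end."""
    for action, proto, src, sw, dst, dw, dport in acl:
        if proto != "ip" and proto != packet["proto"]:
            continue
        if not wildcard_match(packet["src"], src, sw):
            continue
        if not wildcard_match(packet["dst"], dst, dw):
            continue
        if dport is not None and packet.get("dport") != dport:
            continue
        return action
    return None

def pbr_decision(acl, packet):
    """route-map match: only a permit applies the set clause; deny and no-match fall through to the RIB."""
    if acl_lookup(acl, packet) == "permit":
        return f"policy-route via {PBR_NEXT_HOP}"
    return "normal routing (R1 RIB)"

def access_group_decision(acl, packet):
    """Same ACL as ip access-group: deny and the implicit deny drop the packet instead."""
    return "forward" if acl_lookup(acl, packet) == "permit" else "drop"

if __name__ == "__main__":
    for pkt in ({"proto": "udp", "src": "10.1.1.1", "dst": "30.1.1.1"},
                {"proto": "tcp", "src": "10.1.1.1", "dst": "20.0.2.7", "dport": PLACEHOLDER_PORT},
                {"proto": "tcp", "src": "10.1.1.1", "dst": "20.0.2.7", "dport": 80},
                {"proto": "udp", "src": "10.9.9.9", "dst": "40.1.1.1"}):
        print(pkt, "->", pbr_decision(OFFLOAD_ACL, pkt), "|", access_group_decision(OFFLOAD_ACL, pkt))
```

A source outside 10.0.0.0/8 matches nothing, which under PBR also means normal routing rather than a drop.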
11-01-2012 07:17 AM
Santosh
It is possible to use deny statements in an access list used for PBR.
I find your post confusing. You tell us first that: "i.e. keep only denied traffic in ACL on R1 WAN link."
and then you tell us that the fact that denied traffic is going via R1 is reason to believe that PBR is not working.
I am also confused by your addressing. The interface where PBR is applied is in subnet 172.16.1. But the access list is permitting source addresses in 10.0.0.0. Where are the 10.0.0.0 hosts and how do they get to your fa0/0 interface?
HTH
Rick
11-01-2012 10:41 PM
Hi Richard,
Thanks for the reply, and sorry for the confusion. I messed it up while drafting. Let me explain it again:
R1 and R2 have HSRP configured with R1 primary and R2 secondary (two different telcos). Network 10.x is behind the R1-R2 LAN (routing defined at the LAN). The purpose of PBR is to offload some traffic from R1 to R2 (to use the standby telco).
PBR is used with a route-map wherein an ACL is defined with deny statements. I guess this traffic should go via R1 (follow R1's routing table). The last permit statement should divert traffic to R2 (LAN interface IP) to follow R2's telco, due to the set statement, for sure.
The question is whether the deny statements will follow R1's routing? Generally we use permit statements and then divert using set interface, set ip next-hop, etc.
Regards,
Santosh