Strange PBR behaviour with VPDN and Virtual-Template interfaces

Sunderz
Level 1

This is an L2TP VPDN environment running on a CSR1000v in AWS.  If I apply a PBR policy via Cisco-AVPair via RADIUS it works every time.  However, if I apply a PBR policy via the Virtual-Template then it does not.  


However, when I first type the command into the Virtual-Template configuration then it does take effect and apply to every subscriber that's currently connected, but when the subscriber reconnects then whilst they continue to show up under 'show ip policy' as having the route-map applied, it doesn't actually do anything.

 

interface Virtual-Template1
ip unnumbered Loopback1
no ip redirects
no ip proxy-arp
ip nat inside
ip verify unicast reverse-path
ip tcp adjust-mss 1416
ip policy route-map PBRTest
no logging event link-status
no peer default ip address
keepalive 20 3
ppp mtu adaptive

 

ip access-list extended 101
5 deny ip host a.b.1.253 any
10 permit ip a.b.1.0 0.0.0.255 any
!
!
route-map PBRTest permit 10
match ip address 101
set ip next-hop 10.255.255.6

 

show ip policy
Interface Route map
Loopback1 PBRTest
Vi2.1 PBRTest

 

In the log file everything looks good:

 

Jan 14 14:35:05: %SYS-5-CONFIG_P: Configured programmatically by process VTEMPLATE Background Mgr from console as console
Jan 14 14:35:05.171: PBR Control Plane Notification: 10.255.255.6 PBR_CP_SET_NEXTHOP

Jan 14 14:35:05.171: Policy NextHop Inquiry: PBRTest seq: 10, type: SET NEXTHOP Nexthop: 10.255.255.6SW_OBJ_TYPE: 20, SW_HANDLE: 7F55ACDCBA10

Jan 14 14:35:05.171: PBR CP Notification sent: Type:SET NEXTHOP, 10.255.255.6SW_OBJ_TYPE: 20, SW_HANDLE: 7F55ACDCBA10

Jan 14 14:35:05.172: PR-RP: Set Virtual-Access1.1 policy_routemap=PBRTest; cached_map=PBRTest
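
To make it easier to reason about what the policy above should be doing to each subscriber, here is a small added simulation (not code from the thread or from Cisco) of the IOS matching logic behind `ip policy route-map PBRTest`: the extended ACL with wildcard masks and first-match semantics, the implicit deny at the end of the ACL, and the route-map sequence that sets the next hop only when the ACL permits. The thread redacts the subscriber range as `a.b.1.0/24`, so the script uses TEST-NET-1 (`192.0.2.0/24`) as a clearly labelled stand-in; the function names are my own.

```python
import ipaddress

# Constructed stand-in for the thread's redacted "a.b.1.0/24" subscriber range.
# The first two octets are hidden on the page, so 192.0.2.0/24 (TEST-NET-1)
# is used purely as an illustrative placeholder.
SUBSCRIBER_NET = "192.0.2"


def _ip_to_int(ip):
    return int(ipaddress.IPv4Address(ip))


def wildcard_match(addr, base, wildcard):
    """IOS wildcard-mask test: a 1 bit in the wildcard means 'do not care'."""
    care_mask = 0xFFFFFFFF ^ _ip_to_int(wildcard)
    return (_ip_to_int(addr) & care_mask) == (_ip_to_int(base) & care_mask)


# Extended ACL 101 from the thread as (sequence, action, source, wildcard).
# 'host X' is X with wildcard 0.0.0.0; the destination is 'any' in both
# entries, so only the source address is evaluated here.
ACL_101 = [
    (5, "deny", f"{SUBSCRIBER_NET}.253", "0.0.0.0"),
    (10, "permit", f"{SUBSCRIBER_NET}.0", "0.0.0.255"),
]


def acl_permits(acl, src):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for _seq, action, base, wildcard in sorted(acl):
        if wildcard_match(src, base, wildcard):
            return action == "permit"
    return False


# route-map PBRTest permit 10 / match ip address 101 / set ip next-hop 10.255.255.6
ROUTE_MAP_PBRTEST = [
    {"seq": 10, "action": "permit", "match_acl": ACL_101, "next_hop": "10.255.255.6"},
]


def policy_next_hop(route_map, src):
    """Return the PBR next hop for a packet from src, or None for normal routing.

    A packet that is denied by the ACL does not match the clause at all and
    falls through; a packet that matches a 'deny' route-map clause is routed
    normally. Either way, None means the FIB decides, not the policy.
    """
    for clause in sorted(route_map, key=lambda c: c["seq"]):
        if acl_permits(clause["match_acl"], src):
            return clause["next_hop"] if clause["action"] == "permit" else None
    return None


def classify(route_map, sources):
    """Map each source address to its policy next hop (or None)."""
    return {src: policy_next_hop(route_map, src) for src in sources}


if __name__ == "__main__":
    # Constructed sample sources: an ordinary subscriber, the excluded host,
    # and an address outside the subscriber range.
    sample = [f"{SUBSCRIBER_NET}.10", f"{SUBSCRIBER_NET}.253", "10.0.0.1"]
    for src, next_hop in classify(ROUTE_MAP_PBRTEST, sample).items():
        print(f"{src:>14} -> {next_hop or 'normal routing'}")
```

This shows the expected outcome for a working policy: `.10` is steered to `10.255.255.6`, `.253` is excluded by the `deny host` entry and routed normally, and anything outside the range never matches. When `show ip policy` lists the route-map on a Virtual-Access interface but subscriber traffic still follows the normal FIB path, as described in the post, the quickest confirmation is to compare the policy-routing match counters in `show route-map PBRTest` for a session against what this logic predicts.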

4 Replies

What is the config of AAA? Please share the config of Auth. & Author.

aaa authentication login default local
aaa authentication enable default enable
aaa authentication ppp default group radius
aaa authentication ppp vpdn local
aaa authorization console
aaa authorization exec default local if-authenticated
aaa authorization network default group radius
aaa accounting update periodic 5
aaa accounting network default start-stop group radius
!
aaa session-id common
aaa policy interface-config allow-subinterface

Hello,

 

at first glance, this:

 

--> ip verify unicast reverse-path

 

could be a problem. Try and remove that line from the virtual template...

Hi Georg

 

Thank you for the suggestion but that didn't make any difference.

 

The strange thing is that if I have a live session and go into configure mode and do:

 

no ip policy route-map PBRTest

ip policy route-map PBRTest

 

Then without the session even needing to re-establish the PBR policy immediately takes effect.

 

Regards,

 

Adrian
