01-14-2022 06:52 AM - edited 01-14-2022 06:54 AM
This is an L2TP VPDN environment running on a CSR1000v in AWS. If I apply a PBR policy via Cisco-AVPair via RADIUS it works every time. However, if I apply a PBR policy via the Virtual-Template then it does not.
However, when I first type the command into the Virtual-Template configuration then it does take effect and apply to every subscriber that's currently connected, but when the subscriber reconnects then whilst they continue to show up under 'show ip policy' as having the route-map applied, it doesn't actually do anything.
interface Virtual-Template1
ip unnumbered Loopback1
no ip redirects
no ip proxy-arp
ip nat inside
ip verify unicast reverse-path
ip tcp adjust-mss 1416
ip policy route-map PBRTest
no logging event link-status
no peer default ip address
keepalive 20 3
ppp mtu adaptive
ip access-list extended 101
5 deny ip host a.b.1.253 any
10 permit ip a.b.1.0 0.0.0.255 any
!
!
route-map PBRTest permit 10
match ip address 101
set ip next-hop 10.255.255.6
show ip policy
Interface Route map
Loopback1 PBRTest
Vi2.1 PBRTest
In the log file everything looks good:
Jan 14 14:35:05: %SYS-5-CONFIG_P: Configured programmatically by process VTEMPLATE Background Mgr from console as console
Jan 14 14:35:05.171: PBR Control Plane Notification: 10.255.255.6 PBR_CP_SET_NEXTHOP
Jan 14 14:35:05.171: Policy NextHop Inquiry: PBRTest seq: 10, type: SET NEXTHOP Nexthop: 10.255.255.6SW_OBJ_TYPE: 20, SW_HANDLE: 7F55ACDCBA10
Jan 14 14:35:05.171: PBR CP Notification sent: Type:SET NEXTHOP, 10.255.255.6SW_OBJ_TYPE: 20, SW_HANDLE: 7F55ACDCBA10
Jan 14 14:35:05.172: PR-RP: Set Virtual-Access1.1 policy_routemap=PBRTest; cached_map=PBRTest
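As an added example (not from the original post or from Cisco), the following Python models what route-map PBRTest and ACL 101 above are supposed to do to a packet, using IOS wildcard-mask semantics, and parses the 'show ip policy' output; it assumes 192.0.2.0/24 as a stand-in for the masked a.b.1.0/24 subnet.

```python
import ipaddress

# Constructed sample modelled on ACL 101 and route-map PBRTest from the post;
# 192.0.2.0/24 (documentation range) stands in for the masked a.b.1.0/24.
ACL_101 = [
    ("deny",   "192.0.2.253", "0.0.0.0"),    # 5 deny ip host a.b.1.253 any
    ("permit", "192.0.2.0",   "0.0.0.255"),  # 10 permit ip a.b.1.0 0.0.0.255 any
]
ROUTE_MAP_NEXT_HOP = "10.255.255.6"          # set ip next-hop in sequence 10

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF  # bits that must match
    return (a & care) == (b & care)

def acl_action(src: str, acl=ACL_101) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for action, base, wildcard in acl:
        if wildcard_match(src, base, wildcard):
            return action
    return "deny"

def pbr_next_hop(src: str):
    """Next hop PBRTest should set for a packet from src, or None when the
    packet is not matched and falls through to normal destination routing.
    With 'route-map ... permit', an ACL deny means 'do not policy-route'."""
    return ROUTE_MAP_NEXT_HOP if acl_action(src) == "permit" else None

def policy_interfaces(show_ip_policy: str) -> dict:
    """Parse 'show ip policy' output into {interface: route-map}."""
    result = {}
    for line in show_ip_policy.strip().splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) == 2:
            result[parts[0]] = parts[1]
    return result

# Constructed copy of the 'show ip policy' output shown in the post.
SHOW_IP_POLICY = """Interface Route map
Loopback1 PBRTest
Vi2.1 PBRTest
"""

if __name__ == "__main__":
    for src in ("192.0.2.10", "192.0.2.253", "198.51.100.1"):
        print(src, "->", pbr_next_hop(src))
    print(policy_interfaces(SHOW_IP_POLICY))
```

The parsed 'show ip policy' table only reflects control-plane state; as the post describes, an interface can be listed with the route-map attached while the forwarding path is not actually applying it, so the expected next hop from pbr_next_hop() should be confirmed with a traceroute or a counter on the next-hop side rather than from this table alone.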
01-14-2022 07:26 AM
What is the config of AAA? Please share the config of Auth. & Author.
01-14-2022 07:28 AM
aaa authentication login default local
aaa authentication enable default enable
aaa authentication ppp default group radius
aaa authentication ppp vpdn local
aaa authorization console
aaa authorization exec default local if-authenticated
aaa authorization network default group radius
aaa accounting update periodic 5
aaa accounting network default start-stop group radius
!
aaa session-id common
aaa policy interface-config allow-subinterface
01-14-2022 08:24 AM
Hello,
at first glance, this:
--> ip verify unicast reverse-path
could be a problem. Try and remove that line from the virtual template...
01-14-2022 09:05 AM
Hi Georg
Thank you for the suggestion but that didn't make any difference.
The strange thing is that if I have a live session and go into configure mode and do:
no ip policy route-map PBRTest
ip policy route-map PBRTest
Then without the session even needing to re-establish the PBR policy immediately takes effect.
Regards,
Adrian