06-24-2012 06:43 AM - edited 03-07-2019 07:25 AM
Hello Friends
Referring to my topology, I have configured PBR on Schroeder Router, which is supposed to do traffic control for telnet & ftp. Telnet traffic should flow through Lucy Router & FTP traffic should go to Pigpen.
But it is not happening. Here is the configuration of Schroeder Router.
interface FastEthernet0/0
ip address 172.16.1.254 255.255.255.0
ip policy route-map PATH_CONTROL
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial1/0
ip address 172.16.2.2 255.255.255.0
serial restart-delay 0
!
interface Serial1/1
ip address 172.16.3.2 255.255.255.0
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
router ospf 1
router-id 5.5.5.5
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
!
ip http server
no ip http secure-server
!
!
!
access-list 105 permit tcp 172.16.1.0 0.0.0.255 eq telnet any
access-list 106 permit tcp 172.16.1.0 0.0.0.255 eq ftp any
access-list 106 permit tcp 172.16.1.0 0.0.0.255 eq ftp-data any
!
route-map PATH_CONTROL permit 10
match ip address 105
set ip next-hop 172.16.2.1
!
route-map PATH_CONTROL permit 20
match ip address 106
set ip next-hop 172.16.3.1
Debug result on Schroeder
Schroeder# debug ip policy
Policy routing debugging is on
*Mar 1 00:01:56.699: IP: s=172.16.1.1 (FastEthernet0/0), d=172.16.6.1, len 44, FIB policy rejected(no match) - normal forwarding
*Mar 1 00:01:56.871: IP: s=172.16.1.1 (FastEthernet0/0), d=172.16.6.1, len 40, FIB policy rejected(no match) - normal forwarding
*Mar 1 00:01:56.875: IP: s=172.16.1.1 (FastEthernet0/0), d=172.16.6.1, len 49, FIB policy rejected(no match) - normal forwarding
*Mar 1 00:01:56.879: IP: s=172.16.1.1 (FastEthernet0/0), d=172.16.6.1, len 40, FIB policy rejected(no match) - normal forwarding
*Mar 1 00:01:57.043: IP: s=172.16.1.1 (FastEthernet0/0), d=172.16.6.1, len 43, FIB policy rejected(no match) - normal forwarding
*Mar 1 00:01:57.047: IP: s=172.16.1.1 (FastEthernet0/0), d=172.16.6.1, len 43, FIB policy rejected(no match) - normal forwarding
*Mar 1 00:01:57.051: IP: s=172.16.1.1 (FastEthernet0/0), d=172.16.6.1, len 49, FIB policy rejected(no match) - normal forwarding
*Mar 1 00:01:57.307: IP: s=172.16.1.1 (FastEthernet0/0), d=172.16.6.1, len 40, FIB policy rejected(no match) - normal forwarding
Schroeder# debug ip policy
Policy routing debugging is on
*Mar 1 00:05:16.871: IP: s=172.16.1.2 (FastEthernet0/0), d=172.16.7.1, len 1024, FIB policy rejected(no match) - normal forwarding
*Mar 1 00:05:17.087: IP: s=172.16.1.2 (FastEthernet0/0), d=172.16.7.1, len 1024, FIB policy rejected(no match) - normal forwarding
*Mar 1 00:05:17.307: IP: s=172.16.1.2 (FastEthernet0/0), d=172.16.7.1, len 1024, FIB policy rejected(no match) - normal forwarding
*Mar 1 00:05:17.555: IP: s=172.16.1.2 (FastEthernet0/0), d=172.16.7.1, len 1024, FIB policy rejected(no match) - normal forwarding
*Mar 1 00:05:17.775: IP: s=172.16.1.2 (FastEthernet0/0), d=172.16.7.1, len 1024, FIB policy rejected(no match) - normal forwarding
Best Regards
Sabby
06-24-2012 07:09 AM
Sabby,
Your source port will be a high port, but the destination will be ports 20, 21, and 23. Try changing your ACLs to the following and retest:
access-list 105 permit tcp 172.16.1.0 0.0.0.255 any eq telnet
access-list 106 permit tcp 172.16.1.0 0.0.0.255 any eq 20
access-list 106 permit tcp 172.16.1.0 0.0.0.255 any eq 21
HTH,
John
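Added example (not part of the original thread or any poster's code): a simplified Python model of how the route-map's extended ACLs are evaluated, showing why entries that put `eq` on the source side never match client traffic while entries that put it on the destination side do. The flows are constructed: the addresses come from the debug output, while the port numbers and which host runs which protocol are assumptions. The passive-mode FTP data flow is included as a case that the destination-port ACL 106 still leaves to normal forwarding.

```python
import ipaddress

PORTS = {"telnet": 23, "ftp": 21, "ftp-data": 20}   # IOS port keywords used in the thread

def ip_int(addr):
    return int(ipaddress.ip_address(addr))

def parse_ace(line):
    """Parse 'access-list N permit tcp SRC WILD [eq P] any [eq P]' into (src, dst) specs."""
    tok = line.split()[4:]                           # drop 'access-list N permit tcp'
    def endpoint():
        first = tok.pop(0)
        net = None if first == "any" else (ip_int(first), ip_int(tok.pop(0)))
        port = None
        if tok and tok[0] == "eq":
            name = tok[1]
            del tok[:2]
            port = PORTS[name] if name in PORTS else int(name)
        return net, port
    return endpoint(), endpoint()                    # source is parsed first, then destination

def side_matches(spec, ip, port):
    net, want = spec
    if net is not None and (ip_int(ip) ^ net[0]) & ~net[1] & 0xFFFFFFFF:
        return False                                 # differs in a bit the wildcard does not ignore
    return want is None or want == port

def policy_next_hop(acls, src, sport, dst, dport):
    """Next hop set by the first matching route-map entry, or None (normal forwarding)."""
    for acl_id, next_hop in ROUTE_MAP:
        for ace in acls[acl_id]:
            s, d = parse_ace(ace)
            if side_matches(s, src, sport) and side_matches(d, dst, dport):
                return next_hop
    return None

ROUTE_MAP = [(105, "172.16.2.1"), (106, "172.16.3.1")]   # PATH_CONTROL permit 10 / 20
ORIGINAL = {105: ["access-list 105 permit tcp 172.16.1.0 0.0.0.255 eq telnet any"],
            106: ["access-list 106 permit tcp 172.16.1.0 0.0.0.255 eq ftp any",
                  "access-list 106 permit tcp 172.16.1.0 0.0.0.255 eq ftp-data any"]}
CORRECTED = {105: ["access-list 105 permit tcp 172.16.1.0 0.0.0.255 any eq telnet"],
             106: ["access-list 106 permit tcp 172.16.1.0 0.0.0.255 any eq 20",
                   "access-list 106 permit tcp 172.16.1.0 0.0.0.255 any eq 21"]}
# Constructed client-to-server flows: (src, src port, dst, dst port); ports are assumed
FLOWS = {"telnet": ("172.16.1.1", 49152, "172.16.6.1", 23),
         "ftp-control": ("172.16.1.2", 49153, "172.16.7.1", 21),
         "ftp-passive-data": ("172.16.1.2", 49154, "172.16.7.1", 50000)}

if __name__ == "__main__":
    for name, flow in FLOWS.items():
        print(name, policy_next_hop(ORIGINAL, *flow), policy_next_hop(CORRECTED, *flow))
```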
06-24-2012 10:59 PM
Hi,
You did not configure the correct ACL; you must restrict the destination port, not the source port.
Example:
access-list 101 permit tcp host x.x.x.x source-port host x.x.x.x destination-port
06-24-2012 11:50 PM
Hi John
I changed the config & now PBR is in action.
Thanks & Regards
Sabby
06-25-2012 12:00 AM
Hi
I am using a book & doing all the labs as shown, but I don't know how he gets the result with the same config (a bit confused). I don't understand whether I am doing something wrong or this book has an issue with this config.
Here is the screen shot of the page.
Thanks
Sabby