05-18-2012 12:15 PM - edited 03-07-2019 06:47 AM
I am trying to implement PBR in order to route certain traffic to a specific destination, but it seems that the match statement in the route-map is not working as I would like! The topology is in the attachment and the router configs are as below:
Router1:
interface GigabitEthernet0
ip address 10.8.20.30 255.255.255.0
ip virtual-reassembly
ip tcp adjust-mss 1200
ip policy route-map PBR1
duplex auto
speed auto
standby 20 ip 10.8.20.15
standby 20 priority 120
standby 20 preempt
!
route-map PBR1 permit 10
match ip address ACL1
set tag 180
!
route-map PBR1 permit 15
match tag 181
!
route-map PBR1 permit 20
match ip address ACL2
set ip next-hop 10.8.20.40
!
ip access-list extended ACL1
permit ip A.A.A.A 0.0.0.255 C.C.C.C 0.0.0.255
!
ip access-list extended ACL2
permit ip B.B.B.B 0.0.0.255 C.C.C.C 0.0.0.255
Router2:
interface GigabitEthernet0
ip address 10.8.20.40 255.255.255.0
ip tcp adjust-mss 1200
ip policy route-map PBR2
duplex auto
speed auto
standby 20 ip 10.8.20.15
standby 20 preempt
!
route-map PBR2 permit 5
match ip address ACL2
set tag 181
!
route-map PBR2 permit 10
match tag 180
!
route-map PBR2 permit 20
match ip address ACL1
set ip next-hop 10.8.20.30
!
ip access-list extended ACL1
permit ip A.A.A.A 0.0.0.255 C.C.C.C 0.0.0.255
!
ip access-list extended ACL2
permit ip B.B.B.B 0.0.0.255 C.C.C.C 0.0.0.255
Here is the situation: Router1 is active in HSRP, so it receives all the packets no matter what the source is! When it receives a packet from network B.B.B.B destined to network C.C.C.C, it is supposed to send it to Router2 because of statement 20 of PBR1, but instead of doing that, statement 20 of PBR1 accepts the packet and routes it via Router1!
Basically, tag 181 is set when the packet is from ACL2 and has already entered Router2, while the packet sourced from network B.B.B.B never entered Router2, so it is not tagged 181 to be routed by statement 20 of PBR1.
Your help in understanding what's going on here is most appreciated :-)
05-18-2012 07:32 PM
OK, are you sure that the source IP address entering the interface on R1 is B.B.B.B? Because I can see there is a FW in the middle. Is it not doing any NAT or anything? Essentially what I am saying is that the source IP address needs to be intact when it hits R1. If this is a test lab or something, you can do a debug ip packet with a condition and see what the source IP address coming into the R1 router is. PBR would only kick in if it sees B.B.B.B as the source.
HTH
Kishore
05-19-2012 12:42 AM
Try to change the route map sequence as shown below on Router R1 & share the result.
route-map PBR1 permit 10
match ip address ACL1
set tag 180
!
route-map PBR1 permit 15
match ip address ACL2
set ip next-hop 10.8.20.40
!
route-map PBR1 permit 20
match tag 181
Regards,
Kunal
05-21-2012 07:30 PM
@Kishore, no NAT is used in this scenario! All addresses are real.
@Kunal, great hint! The problem with this solution is that, when the connection of Router2 to the destination C.C.C.C is down, the default route will be on Router1, and then all the traffic, no matter the source, will go via Router1.
So statement 15 of PBR1 sends the packet to Router2, Router2 has no route to reach the network C.C.C.C and sends the packet back to Router1, and Router1 sends the packet back to Router2 because of the same statement 15 of PBR1, and a loop is generated! I put "match tag 181" as the second statement to avoid this loop, actually!
05-21-2012 11:32 PM
Hi,
As far as I know, the match tag and set tag statements are not supported in PBR, and I think that's the reason why it is not working.
Regards.
Alain
05-22-2012 04:48 AM
I lost 3 days on something which exists but is not supported! Not really brilliant, but typical Cisco!
Thanks Alain for the hint! Do you know any other alternative to replace tagging within PBR?
05-22-2012 04:54 AM
Tagging is for route tagging. Routing protocol packets can carry tags, not IP packets themselves. If you wish to "color" your IP packets, you might use IP Precedence or DSCP. It is not for that task, of course, but you can use them. But be careful: you also can't set IPP/DSCP with a route-map. You need to use a policy-map for that.
05-23-2012 11:56 AM
Thanks for clarification Sergey.
As you mentioned I won't be able to use policy-map in this context! Is there any other alternative?
05-24-2012 05:02 AM
Please let me know why you do not simply put
match ACL
set ip next-hop
in your route-maps (these are the 20th permits in your current route-maps)?
05-24-2012 10:26 AM
Because when the connection of Router2 to the destination C.C.C.C is down, the default route will be on Router1, and then all the traffic, no matter the source, will go via Router1.
So statement 15 of PBR1 sends the packet to Router2, Router2 has no route to reach the network C.C.C.C and sends the packet back to Router1, and Router1 sends the packet back to Router2 because of the same statement 15 of PBR1, and a loop is generated! I put "match tag 181" as the second statement to avoid this loop, actually!
05-24-2012 05:16 AM
Hi Mehdi,
Can you modify your route-map to the below and test.
route-map PBR1 permit 10
match ip address ACL2
set ip next-hop 10.8.20.40
HTH
Kishore