06-11-2013 07:44 AM - edited 03-07-2019 01:50 PM
Can you have a look at the config below and let me know what I am missing?
We want to send the traffic from three IPs (defined in ACL 171) to 10.1.60.16 and send the rest of the traffic in that VLAN to 10.1.0.1.
When we did a traceroute from 10.1.101.35 it matched ACL 171, but all the other traffic is matching ACL 172. Is this because of the default route on the switch?
Thanks for the help.
DIST_A#sh route-map
route-map PL-Test, permit, sequence 10
  Match clauses:
    ip address (access-lists): 171
  Set clauses:
    ip next-hop 10.1.60.16
  Policy routing matches: 9 packets, 666 bytes
route-map PL-Test, permit, sequence 20
  Match clauses:
    ip address (access-lists): 172
  Set clauses:
    ip next-hop 10.1.0.1
  Policy routing matches: 110782 packets, 12316838 bytes

DIST_A#sh ip access-list 171
Extended IP access list 171
    10 permit ip host 10.1.101.35 any (9 matches)
    20 permit ip host 10.1.101.36 any
    30 permit ip host 10.1.101.37 any

DIST_A#sh ip access-list 172
Extended IP access list 172
    10 permit ip any any (111026 matches)

DIST_A#sh run int vlan 101
Building configuration...
Current configuration : 327 bytes
!
interface Vlan101
 description Data1
 ip address 10.0.101.2 255.255.255.0
 ip policy route-map PL-Test
 standby 101 ip 10.0.101.1
 standby 101 priority 110
 standby 101 preempt delay minimum 180
 standby 101 track 1 decrement 15
end

The switch has a default route:
S* 0.0.0.0/0 [1/0] via 10.1.0.1
Siddhartha
06-11-2013 07:55 AM
Send the complete show ip route.
06-11-2013 07:57 AM
Siddhartha
I am not understanding your question. What I see in your post is that access list 171 matches the traffic with source address of three hosts. The output in your post suggests that PBR is working correctly for these. Your PBR also uses access list 172 which contains only a permit ip any any. So all other traffic originating from vlan 101 will match access list 172 and have its next hop set as 10.1.0.1. The output suggests that this also is working.
The address 10.1.0.1 set in the second part of the route map is the same as the configured static default route. So it looks to me that you could remove the second part of the route map and the routing would be the same. But with the configuration the way that it is the traffic is set in the route map and is not really using the static default route.
If this does not address your question then please provide clarification of your question.
HTH
Rick
06-11-2013 08:02 AM
Sorry Rick, didn't explain correctly.
Only traceroute traffic from 10.1.101.35 is matching ACL 171; the rest of the traffic from 10.1.101.35 (web or any other traffic) is matching ACL 172 instead of ACL 171.
guibarati,
Is there any specific reason for requesting the ip route output? We have hundreds of EIGRP routes in the routing table and I can't send all of that info...
Siddhartha
06-11-2013 08:05 AM
If you are using a next-hop that is not directly connected you need to set next hop recursive option.
I wanted to see if your next hop was directly connected.
06-11-2013 08:26 AM
Thank you for the response. I think that's my issue: 10.1.60.16 is not a directly connected next hop,
but my switch (3560X, 12.2(55)SE3) doesn't have the recursive next hop option:
DIST_A(config-route-map)#set ip next-hop ?
  A.B.C.D              IP address of next hop
  dynamic              application dynamically sets next hop
  in-vrf               VRF for VPNv4 nexthop
  peer-address         Use peer address (for BGP only)
  verify-availability  Verify if nexthop is reachable
Siddhartha
06-11-2013 08:09 AM
Also, the source host is not on the same network as vlan 101, so somebody is routing it before this one. Is there no PBR before this hop?
06-11-2013 08:27 AM
This is a very good catch. I had missed the fact that the address on the vlan interface is 10.0.101.2 and assumed that it was 10.1.101.2 which would match the logic in the access list.
This makes it a very interesting question how the route map gets 9 matches on PBR for 10.1.101.35?
HTH
Rick
06-11-2013 08:28 AM
Sorry guys, I copied the wrong VLAN info; the address is in the VLAN IP range:
interface Vlan101
 ip address 10.1.101.2 255.255.255.0
 ip policy route-map PL-Test
 standby 101 ip 10.1.101.1
Siddhartha
06-11-2013 08:37 AM
Ok, but still, if you don't have the IP 10.1.60.16 directly connected I think you need the recursive option.
Or you can point it to the connected IP that the recursive would send it to anyway.
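The adjacency rule guibarati describes, modeled in Python as an added example (not from the thread and not Cisco IOS code): Vlan101, the two ACLs, the route map and the static default route are taken from the posts, while the 10.1.0.0/24 uplink subnet and a route to 10.1.60.0/24 via 10.1.0.254 are assumptions so that a recursive lookup has something to resolve to. It shows how a non-adjacent next hop falls back to the routing table without the recursive option, and which connected address a recursive resolution would have handed the route map instead.

```python
import ipaddress

# Constructed model of DIST_A (not Cisco code). Vlan101 and the default route come
# from the thread; the 10.1.0.0/24 uplink and the 10.1.60.0/24 route are assumptions.
CONNECTED = [ipaddress.ip_network("10.1.101.0/24"), ipaddress.ip_network("10.1.0.0/24")]
RIB = {ipaddress.ip_network("0.0.0.0/0"): "10.1.0.1",
       ipaddress.ip_network("10.1.60.0/24"): "10.1.0.254"}   # assumed path to 10.1.60.16
ACLS = {171: [("10.1.101.35", "any"), ("10.1.101.36", "any"), ("10.1.101.37", "any")],
        172: [("any", "any")]}
ROUTE_MAP = [(10, 171, "10.1.60.16"), (20, 172, "10.1.0.1")]   # seq, ACL, set next-hop


def acl_permits(acl, src, dst):
    """Extended ACL: first matching entry wins, implicit deny at the end."""
    return any(s in ("any", src) and d in ("any", dst) for s, d in ACLS[acl])


def is_adjacent(hop):
    """Non-recursive PBR can only use a next hop that lies in a connected subnet."""
    return any(ipaddress.ip_address(hop) in net for net in CONNECTED)


def rib_lookup(dst):
    """Longest-prefix match in the routing table; returns the next-hop address."""
    ip = ipaddress.ip_address(dst)
    best = max((n for n in RIB if ip in n), key=lambda n: n.prefixlen)
    return RIB[best]


def resolve_recursive(hop, limit=8):
    """What 'set ip next-hop recursive' does: follow the RIB until an adjacent hop."""
    for _ in range(limit):            # bounded so a routing loop cannot spin forever
        if is_adjacent(hop):
            return hop
        hop = rib_lookup(hop)
    return None


def forward(src, dst, recursive_supported=False):
    """Return (route-map sequence or None, next hop actually used) for one packet.
    When the policy next hop is not adjacent and the platform has no recursive
    option (the 3560X case), the packet falls back to the normal routing table."""
    for seq, acl, hop in ROUTE_MAP:
        if acl_permits(acl, src, dst):
            if not is_adjacent(hop):
                hop = resolve_recursive(hop) if recursive_supported else None
            return seq, (hop or rib_lookup(dst))
    return None, rib_lookup(dst)      # no sequence matched: plain destination routing
```

Calling resolve_recursive("10.1.60.16") gives the connected address guibarati suggests putting in the route map directly, which is the workaround on a platform without the recursive option.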
06-11-2013 09:08 AM
Do you know whether the 3560X (12.2(55)SE3) switch supports that option? I think we have to upgrade the IOS to 15.0(1)SE for it to support the recursive command.
Siddhartha
06-11-2013 09:16 AM
Actually, on feature navigator, if you filter by Policy Based Routing: Recursive Next Hop, 3560 is not one option for the platform, so even the IOS upgrade won't do it.
06-11-2013 11:05 AM
Thanks both of you
Siddhartha