PBR default next-hop not working

tato386
Level 6

I have a 3850 with several VLANs and two Internet gateways.  The switch has a static route for its default gw and I need 1 of the VLANs to route to a different gw.  I used the config below and it seems like "default next-hop" is working as if it were "next-hop", because when I add it the default route works but I lose connectivity to all other subnets in the switch's routing table.  I tested by adding a deny for one of my internal networks and the subject VLAN works to that internal subnet.

I have seen posts with similar issues and the recommendations were to use "match interface", but that is not available on my platform.  I saw another suggestion to use tracking, but I don't see why I would need to track for this to work.  Any ideas?  TIA


ip access-list extended RouteMap1
permit ip 10.3.3.0 0.0.0.255 any
deny ip any any
!
route-map RouteMap1 permit 10
match ip address RouteMap1
set ip default next-hop 10.4.4.254
!
interface Vlan300
description alt gateway VLAN
ip address 10.3.3.1 255.255.255.0
!
interface Vlan400
description where gateways live
ip address 10.4.4.1 255.255.255.0


18:58:41.681: IP: route map RouteMap1, item 10, permit
16 18:58:41.681: IP: s=10.3.3.10 (Vlan300), d=10.3.3.255, len 229, policy rejected -- normal forwarding
16 18:58:45.307: IP: s=10.3.3.24 (Vlan300), d=10.5.5.255, len 229, policy match
16 18:58:45.308: IP: route map RouteMap1, item 10, permit
16 18:58:45.308: IP: s=10.3.3.24 (Vlan300), d=10.5.5.255, len 229, policy rejected -- normal forwarding
16 18:58:46.980: IP: s=10.3.3.23 (Vlan300), d=10.3.3.255, len 229, policy match
16 18:58:46.980: IP: route map RouteMap1, item 10, permit


If set default next-hop is not supported do I have any other options?


Probably doesn't help that I am running 3.06.06E

Hi friend,
we can try the following:
add two lines in the route-map.
The first one uses the next-hop that appears in the routing table, with the availability option; if it fails, then the route-map <- same as the default behavior
uses the second set next-hop.

Unfortunately that will not work for me because I am not looking for failover; I need to route to both gateways simultaneously.  I appreciate your help, sir!


Thanks

balaji.bandi
Hall of Fame

What is the version of IOS code running on this Cisco 3850 switch? (We need to bear in mind this is a switch, not a full-fledged router.)

Where is your policy map applied? I have not seen it in the config posted, or did I miss it?


BB


Hello
FYI - you need to set the PBR statement to: set ip next-hop x.x.x.x

Set ip default next-hop x.x.x.x - works ONLY when there is no alternative default route existing in the route table
Set ip next-hop x.x.x.x = works implicitly irrespective of a current default route existing in the route table



Kind Regards
Paul

The accepted solution is not a solution, typical. This is what we did with our 3850 03.07.05E to add a separate default gateway; I used your info for the example.

access-list 100 deny ip 10.3.3.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 100 permit ip 10.3.3.0 0.0.0.255 any
!
route-map PBR permit 100
match ip address 100
set ip next-hop 10.4.4.254
!
interface Vlan300
ip address 10.3.3.1 255.255.255.0
ip policy route-map PBR


The first ACL entry just blocks the policy-based route from being applied when you are accessing the rest of your network; you can adjust the wildcard or add other VLANs. I made the assumption you are working with 10.x.x.x internally; you can add multiple deny entries if you have other networks.  The second ACL entry picks up the subnet you want sent to a different gateway, as long as it isn't destined internally / previously blocked from the policy.  The ACL is in the 100 range to make it extended; "PBR" (Policy Based Route) is just a name, you could insert "RouteMap1" in its place. We have a similar setup and multiple gateways without issue.
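To make the difference between the two set clauses in this thread concrete, here is a small Python model (added here; not code from the thread or from Cisco) that evaluates the thread's two ACLs with IOS wildcard-mask semantics, does a longest-prefix lookup over a constructed routing table mirroring the 3850 above (a static default via 10.4.4.1 is assumed), and applies the route-map in either mode. "default next-hop" is modelled with its documented meaning (consulted only when the table has no explicit, non-default route); the original poster's 3850 did not behave that way, which is why the deny entry in the last reply is what actually keeps internal traffic on the routing table.

```python
import ipaddress

# Constructed routing table for the 3850 in the thread: static default plus connected VLANs.
ROUTES = [("0.0.0.0/0", "10.4.4.1"), ("10.3.3.0/24", "connected"),
          ("10.4.4.0/24", "connected"), ("10.5.5.0/24", "connected")]

# ACL entries as (action, src, src_wildcard, dst, dst_wildcard); "any" = 0.0.0.0 255.255.255.255.
ACL_ORIGINAL = [("permit", "10.3.3.0", "0.0.0.255", "0.0.0.0", "255.255.255.255")]
ACL_WORKING = [("deny", "10.3.3.0", "0.0.0.255", "10.0.0.0", "0.255.255.255"),
               ("permit", "10.3.3.0", "0.0.0.255", "0.0.0.0", "255.255.255.255")]

def _wc(addr, base, wildcard):
    """IOS wildcard mask: 0 bits in the mask must match, 1 bits are don't-care."""
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def acl_permits(acl, src, dst):
    """First-match evaluation with the implicit deny at the end."""
    for action, s, swc, d, dwc in acl:
        if _wc(src, s, swc) and _wc(dst, d, dwc):
            return action == "permit"
    return False

def lookup(dst):
    """Longest-prefix match; returns (prefixlen, next_hop) or None."""
    best = None
    for prefix, nh in ROUTES:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, nh)
    return best

def forward(acl, mode, pbr_nh, src, dst):
    """Next hop chosen for one packet that hits the route-map on the ingress VLAN.
    mode "next-hop": the route-map overrides the routing table whenever the ACL permits.
    mode "default next-hop": the route-map is used only when the table has no explicit
    (non-default) route for the destination (documented IOS meaning, modelled here)."""
    route = lookup(dst)
    if acl_permits(acl, src, dst):
        if mode == "next-hop":
            return pbr_nh
        if mode == "default next-hop" and (route is None or route[0] == 0):
            return pbr_nh
    return route[1] if route else "drop"  # normal forwarding
```

Run with the original permit-any ACL in "next-hop" mode and a destination of 10.5.5.10 to reproduce the symptom from the first post (internal traffic pushed to 10.4.4.254); the deny entry from ACL_WORKING returns that traffic to the connected route while 8.8.8.8 still goes to the alternate gateway.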
