09-18-2019 12:51 PM
Hi. I am having a problem with PBR and the ip-helper function.
I want to use another internet connection with another firewall. So I created a route map and activated it on Vlan 250, which is the VLAN I want to use the other connection. It has the ip-helper function enabled. But when I enable the route map for that VLAN, the ip helper function stops working, so nobody can get an IP address from the DHCP server. But the PBR next hop works successfully. I can use it only by configuring a static IP.
How can I use PBR with ip helper?
My route map config is like this:
route-map PBR permit 10
set ip next-hop 172.22.100.4
interface Vlan250
ip policy route-map PBR
And my ip helper address is 172.22.0.3.
Thank you for the help.
09-18-2019 01:04 PM
There are many things we do not know about your network, and some of them might impact the advice that we would give. But based on what we know so far I believe that the issue is that your policy routing map is setting the next hop for every packet because there is not any match statement and only a set statement. To solve your problem I believe that you need to change your policy routing map. Configure an extended access list in which the first statement denies any udp packet and denies any packet to a broadcast destination and then the access list can permit ip any any. This will allow the dhcp request to be processed normally and the helper address to function as intended.
HTH
Rick
09-18-2019 01:34 PM
Hello Rick,
I think you are right in your thoughts. Could you write example commands to permit DHCP packets for the extended access list?
I wrote this, but maybe it's not correct.
ip access-list extended Mobile
permit udp any any eq bootpc
permit udp any any eq bootps
permit tcp any host 172.22.0.2 eq domain
permit tcp any host 172.22.0.97 eq 8443
deny ip any 172.22.0.0 0.0.255.255
permit ip any any
Thank you.
09-19-2019 01:07 AM
It seems my explanation was not as clear as I hoped, so let me discuss briefly the logic of the route map before I discuss specifics of the extended access list. As @paul driver mentions, route maps can be written with permit or deny in the first statement of each route map stanza, such as:
route-map PBR permit 10
or
route-map PBR deny 10
In my experience the logic of a route map using deny is more complex and difficult to understand. So my advice is to focus on using the permit statement, and when you are very comfortable with that you can expand into using the deny statement.
Also remember that when the route map is being used for PBR, the things that are permitted in the access list will not use normal routing logic but will use the routing logic of the set statement in the route map stanza, and the things that are denied in the access list will use normal routing logic.
So in your case you want DHCP to use normal routing logic, so in your extended access list you want to deny DHCP packets. With that in mind, I would suggest that your access list might look something like this:
ip access-list extended Mobile
deny udp any any eq bootpc
deny udp any any eq bootps
deny ip any host 255.255.255.255
permit ip any any
HTH
Rick
09-19-2019 02:12 AM - edited 09-19-2019 02:16 AM
Hello @Richard Burts
I agree with you regarding your last post; I wasn't trying to say it was incorrect in any way. I was trying to point out, and maybe I didn't make it clear myself, that I have found using the route-map deny clause, TO ME, is much clearer to understand.
Basically, using a deny ACE in an ACL with a single route-map permit clause will indeed accomplish what the OP needs to do; however, as I understand it (and you can correct me if I am wrong), this only works because there is only one route-map command.
If there were multiple RM commands, then that initial deny ACE entry won't match that first route-map but would drop down to the next route-map command to be processed, if there was one. However, with an initial deny route-map command matching on a permit ACL, it will be matched straight away and won't be subjected to any other route-map commands, if there were any or a need for others.
09-19-2019 01:51 PM
@paul driver I certainly did not interpret anything you said as indicating that my suggestion was incorrect. I am glad that you find a route-map statement with deny clearer to understand. My experience is that most people, especially people with limited experience, find the route-map deny to be more confusing than the route-map permit. And that is why I generally suggest that people with limited experience initially focus on route-map permit and get into route-map deny after they are comfortable with using route maps.
I agree that it is nice that we could accomplish what we wanted with a single stanza (a single route-map command). But it is not true that using the ACL with a deny statement is limited to route maps with a single stanza. The key question is whether any of the following stanzas have a permit ip any any. Let me suggest a scenario to illustrate:
- we are configuring a router for a customer. On the router are connected 4 subnets (each a /24). In subnet A the first 28 host addresses are for servers which they want to use normal routing and all other hosts in the subnet should be forwarded to next hop a.b.c.d. In subnet B all of the hosts in the subnet should be forwarded to next hop b.c.d.e. In subnet C all of the hosts in the subnet should be forwarded to next hop c.d.e.f. In subnet D all of the hosts in the subnet should be forwarded using normal routing. So the config might look something like this.
ip access-list extended subnetA
remark first 32 addresses of subnet A (the server block) use normal routing
deny ip a.a.a.0 0.0.0.31 any
permit ip a.a.a.0 0.0.0.255 any
ip access-list extended subnetB
permit ip b.b.b.0 0.0.0.255
ip access-list extended subnetC
permit ip c.c.c.0 0.0.0.255
route-map PBR permit 10
match ip address subnetA
set ip next-hop a.b.c.d
route-map PBR permit 20
match ip address subnetB
set ip next-hop b.c.d.e
route-map PBR permit 30
match ip address subnetC
set ip next-hop c.d.e.f
interface fa0/1.10
ip address a.a.a.1 255.255.255.0
ip policy route-map PBR
interface fa0/1.20
ip address b.b.b.1 255.255.255.0
ip policy route-map PBR
interface fa0/1.30
ip address c.c.c.1 255.255.255.0
ip policy route-map PBR
interface fa0/1.40
ip address d.d.d.1 255.255.255.0
So the route map has multiple stanzas (each using permit statements rather than deny); the first stanza matches an ACL that combines denying some hosts with permitting other hosts, and the remaining stanzas match ACLs that match the specified hosts. The first hosts in subnet A and all hosts in subnet D will use normal routing, while all other hosts are policy routed. Note that the hosts denied in ACL subnetA do fall through and are evaluated in succeeding route map statements. But since they do not get permitted anywhere, they are not policy routed but use normal routing.
HTH
Rick
09-18-2019 02:04 PM - edited 09-18-2019 02:05 PM
Hello
I'd just like to add to @Richard Burts' post regarding denying certain traffic within a PBR route-map.
I have found that if you create an ACL that permits the traffic you don't want to be policy routed, and create a route-map statement of deny and attach that ACL, then this will negate PBR for the traffic permitted by that ACL, and any other traffic you wish to be policy routed will fall into the catch-all statement with just the set statement.
Example:
route-map PBR deny 5
match ip address <ACL>
route-map PBR permit 10
set ip next-hop 172.22.100.4
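The thread turns on three evaluation rules that are easy to mix up: a route-map stanza with no match clause matches every packet (which is why the OP's DHCP broadcasts were policy routed away from the helper address), an ACL deny makes the packet fall through to the next stanza rather than ending PBR (Rick's multi-stanza scenario), and a route-map deny stanza ends PBR immediately for anything its ACL permits (Paul's deny 5 approach). The following Python model, added here as an illustration and not code from Cisco or from any poster, applies those rules to the configs in the thread. Hosts and next hops for the four-subnet scenario are constructed placeholders (10.1.x.0/24 and 192.0.2.x) standing in for the a.a.a.0 notation; the DHCP and web packets are constructed too.

```python
"""
Model of Cisco IOS PBR route-map and extended-ACL matching, written as an added
example for this thread. Not a Cisco tool; it covers only the behaviour the
thread relies on (wildcard masks, eq <port>, permit/deny stanzas, fall-through).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

BOOTPS, BOOTPC = 67, 68
NORMAL = "normal-routing"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"     # "ip", "udp" or "tcp"
    sport: int = 0
    dport: int = 0


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


@dataclass(frozen=True)
class Ace:
    """One access-list entry; defaults are 'any' for source and destination."""
    action: str                      # "permit" or "deny"
    proto: str = "ip"
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    dport: Optional[int] = None      # "eq <port>" on the destination

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return (wildcard_match(p.src, self.src, self.src_wc)
                and wildcard_match(p.dst, self.dst, self.dst_wc))


def acl_permits(acl: List[Ace], p: Packet) -> bool:
    """First matching entry decides; implicit deny at the end."""
    for ace in acl:
        if ace.matches(p):
            return ace.action == "permit"
    return False


@dataclass
class Stanza:
    action: str                          # "permit" or "deny"
    seq: int
    match_acl: Optional[List[Ace]] = None   # None = no match clause = matches all
    next_hop: Optional[str] = None


def policy_route(route_map: List[Stanza], p: Packet) -> str:
    """Return the next hop PBR selects, or NORMAL for the routing table."""
    for s in sorted(route_map, key=lambda st: st.seq):
        if s.match_acl is not None and not acl_permits(s.match_acl, p):
            continue              # ACL deny or no match: fall through to next stanza
        if s.action == "deny":
            return NORMAL         # route-map deny: PBR ends, packet routed normally
        return s.next_hop or NORMAL
    return NORMAL                 # no stanza matched


# Constructed sample packets: a DHCP Discover broadcast and a client web session.
DHCP_DISCOVER = Packet("0.0.0.0", "255.255.255.255", "udp", BOOTPC, BOOTPS)
WEB = Packet("172.22.250.20", "203.0.113.10", "tcp", 51000, 443)


def original_problem():
    """OP's route map: set with no match, so even DHCP broadcasts are policy routed."""
    rm = [Stanza("permit", 10, None, "172.22.100.4")]
    return policy_route(rm, DHCP_DISCOVER), policy_route(rm, WEB)


def rick_acl_deny():
    """Rick's ACL: deny DHCP and the broadcast address, permit everything else."""
    mobile = [Ace("deny", "udp", dport=BOOTPC), Ace("deny", "udp", dport=BOOTPS),
              Ace("deny", "ip", dst="255.255.255.255", dst_wc="0.0.0.0"), Ace("permit")]
    rm = [Stanza("permit", 10, mobile, "172.22.100.4")]
    return policy_route(rm, DHCP_DISCOVER), policy_route(rm, WEB)


def paul_deny_stanza():
    """Paul's variant: deny stanza whose ACL permits the traffic to exclude from PBR."""
    excluded = [Ace("permit", "udp", dport=BOOTPC), Ace("permit", "udp", dport=BOOTPS)]
    rm = [Stanza("deny", 5, excluded), Stanza("permit", 10, None, "172.22.100.4")]
    return policy_route(rm, DHCP_DISCOVER), policy_route(rm, WEB)


def multi_subnet():
    """Rick's four-subnet scenario with constructed 10.1.x.0/24 subnets and hops."""
    subnet_a = [Ace("deny", "ip", "10.1.1.0", "0.0.0.31"), Ace("permit", "ip", "10.1.1.0", "0.0.0.255")]
    subnet_b = [Ace("permit", "ip", "10.1.2.0", "0.0.0.255")]
    subnet_c = [Ace("permit", "ip", "10.1.3.0", "0.0.0.255")]
    rm = [Stanza("permit", 10, subnet_a, "192.0.2.1"),
          Stanza("permit", 20, subnet_b, "192.0.2.2"),
          Stanza("permit", 30, subnet_c, "192.0.2.3")]
    hosts = ["10.1.1.5", "10.1.1.100", "10.1.2.7", "10.1.3.7", "10.1.4.7"]
    return {h: policy_route(rm, Packet(h, "203.0.113.10")) for h in hosts}


if __name__ == "__main__":
    for name, fn in [("OP", original_problem), ("Rick", rick_acl_deny), ("Paul", paul_deny_stanza)]:
        print(f"{name}: DHCP -> {fn()[0]}, web -> {fn()[1]}")
    print("multi-subnet:", multi_subnet())
```

The first three functions show that Rick's ACL-deny form and Paul's route-map-deny form give the same outcome for a single catch-all stanza, and `multi_subnet` shows the fall-through behaviour: the denied hosts in subnet A are evaluated against stanzas 20 and 30, match neither, and end up on normal routing together with subnet D. The model says nothing about DHCP Offers coming back from the server, which arrive on a different interface and are not subject to this route map.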