Sorry I'm explained evil and

dinocecchini · ‎11-04-2014

Hi,

i have a problem with a PBR statement.

in juniper this statement work fine, but now i change the juniper with a Cisco 4500X.

I try to disable the cef on the interface vlan but nothing.. what can be?

the juniper per config and the cisco per config are attached.

Thanks

brian-andrews51 · ‎11-04-2014

From what I can see, you want to take all traffic that comes from 10.51.243.221 and set the next hop to 192.168.0.1 when it enters interface vlan 501.

Since 10.51.243.221 is not part of the subnet 192.168.150.1/24, the only time traffic from 10.51.243.221 will enter this interface is when the destination IP resides with in 192.168.150.1/24.

What is the overall goal for this PBR?

dinocecchini · ‎11-04-2014

Hi Brian

Thanks for the support,

Because the default route point to 192.168.150.1, but for the traffic with source 10.51.243.221 i need that is redirected to 192.168.0.1

John Blakley · ‎11-04-2014

Some switches require you to set their template before they'll use pbr.

Do a "show sdm prefer" and see if it says default. If so, change the template and reload the switch to make the change take effect. To change the template:

sdm prefer routing

Then reload.

HTH,

John

HTH, John *** Please rate all useful posts ***

dinocecchini · ‎11-04-2014

Hi John,

thanks for the reply, now i'm outs of office and i don't have a VPN for try what you said me.

Tomorrow i try and i'll let you know.

Thanks again,

Dino

John Blakley · ‎11-04-2014

Also, your policy isn't going to work the way it's currently written:

access-list 118 permit ip host 10.51.243.221 any

route-map PBR118 permit 10
 match ip address 118
 set ip next-hop 192.168.0.1

interface Vlan501
 ip address 192.168.150.1 255.255.255.0
ip policy route-map PBR118

The problem is that v501 has a subnet of 192.168.150.0/24, but you're wanting to match on 10.251.243.221. PBR is inbound only, so you would need to match on something in the 192.168.150.0/24 range. If you have an SVI on the switch that's supporting 10.251.243.0/xx, you'll want this policy applied to that interface and not vlan 501.

HTH,

John

HTH, John *** Please rate all useful posts ***

dinocecchini · ‎11-04-2014

Hi John,

Thanks again for the support,

You're right, but the problem is that the address 10.51.243.221 is an ip from another side and I receive through the wan. And the vlan that connects me to the wan is the v501.

Dino

Aref Alsouqi · ‎11-04-2014

Hi/Ciao Dino,

Please check if the next hop ip address does exist in the switch routing table. Since you are using the "set ip next-hop" command, the policy will look first for that ip address (192.168.0.1) in the routing table, if it does exist then it would route the packet to that ip address, otherwise the packet would be routed normally not by the policy (bypassing the policy).

Regards,

Aref

dinocecchini · ‎11-04-2014

Hi Aref,

Yes the ip 192.168.0.1 is exist in the routing table.

Thanks and regards,

Dino

Aref Alsouqi · ‎11-04-2014

Do you see any hits on the route map with "sh route-map"?

Regards,

Aref

Richard Burts · ‎11-04-2014

It is highly unlikely that there are hits on the route map. As John has explained there is a severe logic flaw in the route map. Given the config shared with us the access list is looking for a source address that does not exist on the interface to which the route map is applied.

HTH

Rick

HTH

Rick

Aref Alsouqi · ‎11-04-2014

Just an assumption, would not I have a design like the following:

(LAN 10.51.243.0/24) Router <--- (192.168.150.0/24) ---> Switch (Access port on vlan 501)

And on the Router there is no nat configured and the default route is towards the vlan 501 svi on the switch which is 192.168.150.1?

Regards,

Aref

Richard Burts · ‎11-04-2014

Aref (glad to see you so active in the Support Community)

I am not sure that I understand your post. Are you suggesting the possibility that there is a router and a switch and the switch has an access port connected to the router? And that the address 10.51.243.221 is accessed via vlan 501 on the switch? In that case the route map could be correct. We need some clarification from the original poster about the topology of the network.

HTH

Rick

HTH

Rick

Aref Alsouqi · ‎11-04-2014

Thank you Rick, I really appreciate it.

Yes, you got me correctly, that what I was try to say. As you said, more clarification from the original poster would help for troubleshooting.

Regards,

Aref

dinocecchini · ‎11-04-2014

Sorry I'm explained evil and I have given little information on the topology.

I have a 4500x that has :

Vlan10 192.168.0.10
Vlan401 10.51.6.1
Vlan501 192.168.150.1

In this case i received the packet from 10.51.243.221 from a another side of my network by the wan and the wan it's directly connected at the van 501, but for ip routing the packet are routing to the 192.168.150.4 but for another reason i need redirect to 192.168.0.1.

Thanks again,

Dino

PBR doesn't work