PBR issue on 6509/4506

mangesh.kamble
Level 1

Dear All,

I am facing one weird issue on my 6509; maybe it's a genuine one, but I am really not sure why it is happening.

I have two 6509s running in VSS, to which four 45k switches are connected as access switches. I have two FWs running independently which are connected to the VSS.

I have a proxy configured and everything is working perfectly fine as of now.

I have two ISPs terminated: ISP-1 connected on FW-1 and ISP-2 connected on FW-2.

By default ISP-1 is working as primary and ISP-2 is working as secondary.

I have around 20-odd VLANs on my 65k running with VSS. For all of them to access the internet they have to go to the proxy, and the proxy will redirect all traffic to primary ISP-1, which is working perfectly fine. Now, as I want to test my primary/secondary failover with ISP-2 acting as primary, I am doing PBR on my 65k, wherein I am matching a particular VLAN subnet and setting all traffic pertaining to that VLAN to next-hop ISP-2 FW-2. So from then on, for that particular traffic, ISP-2 will act as primary and ISP-1 will act as secondary.

But the moment I add PBR under the SVI of that particular VLAN, after 2-3 minutes or even less, sometimes immediately, my reachability to the gateway and internal DNS is lost, which affects my internet traffic for that particular VLAN. Of course I am not expecting to use the proxy server in that case; but when I am using the DNS address 4.2.2.2 my ISP-2 internet traffic is working fine, whereas when I do the failover it is not working, so I thought it's a DNS issue.

But when I reverted back to ISP-2 there was no internet working; when I check the xlate entries they are populating on the FW. I tried reaching the gateway: not reachable. When I checked on the 65k as well as the 45k, there are no ARP entries for my machine but there is an entry in the mac-address-table.

From the switch as well the machine is not reachable; the moment I remove my PBR I get my reachability back immediately.

Please assist.

Configuration:-

access-list 102 permit ip 192.168.10.0 0.0.0.127 any

route-map PBR permit 50
match ip address 102
set ip next-hop 192.168.16.34
!
route-map PBR permit 100

interface Vlan11
ip address 192.168.10.1 255.255.255.128
ip policy route-map PBR

and I have one default route pointing to ISP-1 and a floating static route pointing to FW-2.

3 Replies

Dale Miller
Cisco Employee

Where is your internal DNS? If it's in another local VLAN your PBR ACL could be causing you some trouble. Right now all traffic from 192.168.10.0/128 is redirected to the ISP-2 FW. If the 6500 is doing your inter-VLAN routing and the DNS server resides in another VLAN, PBR will redirect it to the FW.

Also, on the 6500 you have an empty route-map statement that will cause high CPU.

route-map PBR permit 50
match ip address 102
set ip next-hop 192.168.16.34
!
route-map PBR permit 100 <--

You will want to remove this.

HTH,

Dale
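The two problems Dale points out (an ACL with destination `any` that also drags internal traffic such as DNS to the next hop, and a route-map permit sequence with no set clause) can both be caught before the policy is applied to an SVI. The following is an added example, not code from the original thread or from Cisco: a small Python lint that parses the poster's route-map/ACL configuration (reproduced here as a constructed string) and reports both conditions. The internal DNS address 192.168.20.5 is an assumption, since the thread never states it, and the parser only understands the syntax shown on this page plus `host`, `any` and port qualifiers.

```python
"""Lint an IOS PBR configuration for two pitfalls raised in this thread:
   (1) a route-map permit sequence with no set clause (catch-all, RP switched);
   (2) a PBR ACL whose destination also covers internal hosts such as DNS.
Added example, not Cisco code; a tokeniser-based config parser and nothing more."""
import ipaddress
import re

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# Constructed sample: the original poster's configuration from this thread.
SAMPLE_CONFIG = """
access-list 102 permit ip 192.168.10.0 0.0.0.127 any
route-map PBR permit 50
 match ip address 102
 set ip next-hop 192.168.16.34
route-map PBR permit 100
interface Vlan11
 ip address 192.168.10.1 255.255.255.128
 ip policy route-map PBR
"""
INTERNAL_DNS = "192.168.20.5"   # assumption: the thread never gives the DNS server's address


def wildcard_to_network(addr, wildcard):
    """IOS 'address wildcard' -> ipaddress network. Only contiguous wildcards map to a prefix."""
    w = int(ipaddress.IPv4Address(wildcard))
    if (w + 1) & w:
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - w.bit_length()}", strict=False)


def _take_address(tok, i):
    """Parse one ACE address operand at tok[i]; return (network, index after it)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    if i + 1 < len(tok) and IPV4.match(tok[i + 1]):
        return wildcard_to_network(tok[i], tok[i + 1]), i + 2
    return ipaddress.ip_network(tok[i] + "/32"), i + 1   # bare address in an extended ACE = host


def _skip_ports(tok, i):
    """Step over an optional port qualifier (eq/gt/lt/neq N, range A B)."""
    if i < len(tok) and tok[i] in ("eq", "gt", "lt", "neq"):
        return i + 2
    if i < len(tok) and tok[i] == "range":
        return i + 3
    return i


def parse_ace(tok):
    """tok starts at the action: ['permit', 'tcp', '10.0.0.0', '0.0.0.255', 'any', 'eq', '80']."""
    src, i = _take_address(tok, 2)
    dst, _ = _take_address(tok, _skip_ports(tok, i))
    return {"action": tok[0], "proto": tok[1], "src": src, "dst": dst}


def parse_config(text):
    """Return (acls, route_maps): acls[id] -> [ACE], route_maps[name][seq] -> clause dict."""
    acls, route_maps = {}, {}
    acl = seq = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            continue
        if tok[0] == "exit" or tok[0].startswith("int"):       # leave the current stanza
            acl = seq = None
        elif tok[0] == "access-list":                          # numbered ACL, one ACE per line
            acls.setdefault(tok[1], []).append(parse_ace(tok[2:]))
            acl = seq = None
        elif raw.lstrip().startswith("ip access-list"):        # 'ip access-list extended 110' stanza
            acl, seq = tok[3], None
            acls.setdefault(acl, [])
        elif tok[0] == "route-map":                            # 'route-map PBR per 10' is accepted too
            action = "permit" if tok[2].startswith("per") else "deny"
            seq = route_maps.setdefault(tok[1], {}).setdefault(
                int(tok[3]), {"action": action, "match_acls": [], "sets": []})
            acl = None
        elif seq is not None and tok[0] == "match":
            if tok[1] == "ip" and tok[2].startswith("add"):    # 'match ip address 110' / 'match ip add 110'
                seq["match_acls"].extend(tok[3:])
        elif seq is not None and tok[0] == "set":
            seq["sets"].append(" ".join(tok[1:]))
        elif acl is not None and (tok[0].isdigit() or tok[0] in ("permit", "deny")):
            acls[acl].append(parse_ace(tok[1:] if tok[0].isdigit() else tok))
    return acls, route_maps


def lint_pbr(text, internal_hosts):
    """Findings for a config; internal_hosts are addresses that must stay on the normal routing path."""
    acls, route_maps = parse_config(text)
    findings = []
    for name, seqs in route_maps.items():
        for number, clause in sorted(seqs.items()):
            if clause["action"] != "permit":
                continue
            if not clause["sets"]:
                findings.append(f"route-map {name} seq {number}: permit with no set clause; packets "
                                "reaching it are punted to the RP and software switched")
                continue
            for acl_id in clause["match_acls"]:
                for n, ace in enumerate(acls.get(acl_id, []), 1):
                    hit = [h for h in internal_hosts
                           if ace["action"] == "permit" and ipaddress.ip_address(h) in ace["dst"]]
                    if hit:
                        findings.append(f"route-map {name} seq {number} / ACL {acl_id} entry {n}: destination "
                                        f"{ace['dst']} also covers internal host(s) {', '.join(hit)}, so that "
                                        "traffic goes to the PBR next hop instead of being routed locally")
    return findings
```

Running `lint_pbr(SAMPLE_CONFIG, [INTERNAL_DNS])` returns two findings: sequence 50 redirects traffic to the internal DNS host because ACL 102 matches `any` destination, and sequence 100 is a permit with no set clause. The usual fix for the first is to add a `deny` for the internal prefixes ahead of the `permit ... any` line (or narrow the destination); the second goes away by deleting the empty sequence.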

Hi all,

I have been doing policy configuration on 6509 series switches for a few days. And all of a sudden my 6509 started misbehaving, giving surprising results.

I was configuring a simple PBR policy (I edited the original policy mentioned above) wherein I am forwarding all my interesting traffic that matches my access-list to ISP-2. Please find the configuration details below:

6509 Core VSS Switch:
route-map PBR per 10
match ip add 110
set ip next-hop verify-availability 10.253.168.34 20 track 9
exit
route-map PBR per 20
exit

ip access-list extended 110
10 permit tcp 10.253.173.0 0.0.0.127 any eq 80
20 permit tcp 10.253.173.0 0.0.0.127 any eq 443

int vlan 311
ip address 10.253.173.1 255.255.255.128
ip policy route-map PBR
exit

But when I try to browse without any proxy, I get success, but none of my policies are getting matched. When I say "show access-list" it shows me the access-list but there are no hit counts; even when I do "show route-map PBR", all my traffic either matches the permit 20 sequence or, most of the time, it doesn't match PBR at all, and still traffic gets forwarded to ISP-2 in both cases as per requirement.

I don't understand why it is happening; I suspect it may be because of some IOS bug too, but I am not pretty sure. I am currently using the 12.2(33)SXI3.bin IOS.

When I checked on my FW (ASA 5550), I found that I have a valid xlate entry, but when I check sh conn I see all my connections are UDP sessions generated from my internal DNS server. Well, my concern is not why I am getting UDP connections, it is why my policies are getting matched. In order to understand that I tried changing my ACL using the below configuration:

route-map PBR per 10
match ip add 110
set ip next-hop verify-availability 10.253.168.34 20 track 9
exit
route-map PBR per 20
exit

ip access-list extended 110
10 permit tcp 10.253.173.0 0.0.0.127 any eq 80
20 permit tcp 10.253.173.0 0.0.0.127 any eq 443
30 permit udp 10.253.173.0 0.0.0.127 10.253.79.5
40 permit tcp 10.253.173.0 0.0.0.127 10.254.231.143

int vlan 311
ip address 10.253.173.1 255.255.255.128
ip policy route-map PBR
exit


Still no success; it's still not matching any of the access-list statements.

Please assist if anyone else has faced a similar issue or an issue related to PBR on the 6509.

OUTPUT:-


WE-CORE1#sh access-lists 110
Extended IP access list 110
    10 permit tcp 10.253.173.0 0.0.0.127 any eq www
    20 permit tcp 10.253.173.0 0.0.0.127 any eq 443
    30 permit udp 10.253.173.0 0.0.0.127 any eq 80
    40 permit udp 10.253.173.0 0.0.0.127 any eq 443

WE-CORE1#sh route-map PBR    
route-map PBR, permit, sequence 10
  Match clauses:
    ip address (access-lists): 110
  Set clauses:
    ip next-hop verify-availability 10.253.168.34 30 track 9  [up]
  Policy routing matches: 0 packets, 0 bytes
route-map PBR, permit, sequence 20
  Match clauses:
  Set clauses:
  Policy routing matches: 328 packets, 24272 bytes

Please assist.

Sir,

I still see you are using a route-map seq with no set statement. I can tell you that will cause traffic to be processed by the RP instead of in HW. The matches in the output below are all SW switched and are packets that don't match against Seq 10.

I do know of a bug where using "set ip next-hop verify-availability" to verify if a next-hop is available via CDP is still forwarding traffic without the next hop in the CDP table. CSCtc40711 "Next-hop verify-availablity still forwards traffiic with no CDP neighbor". The bug is fixed in SXI4.

As for the ACL/PBR counters I recommend you take this thread and submit a TAC case. More information will be required to troubleshoot this issue.

Regards,

Dale
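Dale's reading of the counters (sequence 10 at 0 matches while the empty sequence 20 counts every policy-routed packet) is a pattern worth checking mechanically whenever PBR "works" for the wrong reason. The following is an added example, not code from the thread or from Cisco: a Python parser for the `show route-map` output posted above (reproduced as a constructed string) and a small diagnostic that flags an intended sequence seeing no traffic and a catch-all sequence, with neither match nor set clause, absorbing the rest. The field names in the parsed records are my own.

```python
"""Triage 'show route-map' output for the symptom in this thread: the intended
PBR sequence shows 0 policy-routing matches while a sequence with no match and
no set clause counts all of them. Added example, not Cisco code; the sample
output below is the poster's, reproduced as a constructed string."""
import re

SHOW_ROUTE_MAP = """\
route-map PBR, permit, sequence 10
  Match clauses:
    ip address (access-lists): 110
  Set clauses:
    ip next-hop verify-availability 10.253.168.34 30 track 9  [up]
  Policy routing matches: 0 packets, 0 bytes
route-map PBR, permit, sequence 20
  Match clauses:
  Set clauses:
  Policy routing matches: 328 packets, 24272 bytes
"""

HEADER = re.compile(r"^route-map (\S+), (permit|deny), sequence (\d+)$")
COUNTERS = re.compile(r"^\s*Policy routing matches: (\d+) packets, (\d+) bytes$")


def parse_show_route_map(text):
    """Return one dict per sequence: name, action, seq, match, set, packets, bytes."""
    entries, current, section = [], None, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"name": m.group(1), "action": m.group(2), "seq": int(m.group(3)),
                       "match": [], "set": [], "packets": 0, "bytes": 0}
            entries.append(current)
            section = None
            continue
        if current is None:
            continue
        stripped = line.strip()
        c = COUNTERS.match(line)
        if c:
            current["packets"], current["bytes"] = int(c.group(1)), int(c.group(2))
        elif stripped == "Match clauses:":
            section = "match"
        elif stripped == "Set clauses:":
            section = "set"
        elif section and stripped:              # an indented clause line under the current section
            current[section].append(stripped)
    return entries


def diagnose(entries):
    """Findings: intended sequences with no hits, and empty catch-all sequences carrying traffic."""
    findings = []
    total = sum(e["packets"] for e in entries)
    for e in entries:
        label = f"route-map {e['name']} seq {e['seq']}"
        if e["match"] and e["set"] and e["packets"] == 0:
            findings.append(f"{label}: has match and set clauses but 0 policy-routing matches; "
                            "the ACL it references is not matching the traffic you expect")
        if not e["match"] and not e["set"] and e["packets"]:
            share = 100.0 * e["packets"] / total if total else 0.0
            findings.append(f"{label}: no match and no set clause yet {e['packets']} packets "
                            f"({share:.0f}% of all policy matches); these are packets that matched "
                            "no earlier sequence and were software switched on the RP")
    return findings
```

On the posted output `diagnose(parse_show_route_map(SHOW_ROUTE_MAP))` reports both conditions for the PBR map: sequence 10 is dead and sequence 20 carries 100% of the policy matches, which is exactly the picture Dale describes. The same script can be rerun after the empty sequence is removed and the ACL corrected, at which point sequence 10 should start counting and the catch-all finding should disappear.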
