
PBR Problem.....Help

lcd_shouldit
Level 1

route-map TEST permit 10
 match ip address TEST
 set ip next-hop recursive 1.1.1.1
 set ip default next-hop 2.2.2.2

ip route 0.0.0.0 0.0.0.0 3.3.3.3

I want traffic TEST to go to 1.1.1.1 first. 1.1.1.1 is learned via EIGRP and is not directly connected, so I cannot use "set ip next-hop *.*.*.*", right?

So I use the command "set ip next-hop recursive".

When 1.1.1.1 cannot be learned because of a line problem or some other problem, traffic TEST should go to 2.2.2.2.

But now, when 1.1.1.1 cannot be learned via EIGRP and cannot be installed into the routing table, traffic matching ACL TEST goes to 3.3.3.3 and does not go to 2.2.2.2.

So I want to know why.

According to this link,

www.cisco.com/en/US/tech/tk364/technologies_configuration_example09186a00801f3b54.shtml

Case Study 3:

When the only route to the destination is the default route—there is no specific route for that destination in the routing table—the packet is policy routed.

This means

set ip default next-hop 2.2.2.2

is preferred.

But now why is only the default route preferred?

Thank you! Help...


6 Replies

Abzal
Level 7

Hi,

Specifies the action(s) to take on the packets that match the criteria. You can specify any or all of the following:

• precedence: Sets precedence value in the IP header. You can specify either the precedence number or name.
• df: Sets the ‘Don’t Fragment’ (DF) bit in the IP header.
• vrf: Sets the VPN Routing and Forwarding (VRF) instance.
• next-hop: Sets next hop to which to route the packet.
• next-hop recursive: Sets next hop to which to route the packet if the hop is to a router which is not adjacent.
• interface: Sets output interface for the packet.
• default next-hop: Sets next hop to which to route the packet if there is no explicit route for this destination.
• default interface: Sets output interface for the packet if there is no explicit route for this destination.

Maybe you should try

set ip next-hop x.x.x.x

because you already have a default static route.

http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfpbr.pdf

Hope it will help.

Best regards,
Abzal

Hi,

The default route shouldn't be considered as an explicit route, so the set ip default next-hop action should take place.

Can you provide a topology diagram and the running config as well as output from:

- sh ip route before and after the PBR should be started
- sh access-list TEST
- traceroute before and after the PBR should be started
- debug ip policy

Regards.

Alain

Don't forget to rate helpful posts.


Hi,

I want to ask how this "set ip next-hop recursive 1.1.1.1" command works.

The router will first check the routing table to see whether there is a special route to 1.1.1.1, right?

This special route is learned by EIGRP. If for some reason, like some part of the line between the two routers being down, the router cannot learn this special route to 1.1.1.1 any more, and at the same time the router has a static default route, does the router now go to 1.1.1.1 via this static default route?

If this is the reason, that can explain why, when the router does not have the special route to 1.1.1.1, it changed the next hop to the static default route 3.3.3.3 and did not go to 2.2.2.2, so this command (set ip default next-hop 2.2.2.2) does not work.

Thank you !

Hi,

If the recursive next-hop is not available then it should try to PBR to 2.2.2.2 if there is no explicit route to 2.2.2.2, and if there ain't then it will be routed according to the routing table.

What does sh ip route 2.2.2.2 say?

Regards.

Alain

Don't forget to rate helpful posts.


I have a test. Please find the attachment for the config and topology.

I configured PBR on R1 interface Fa0/0.

route-map dd permit 10
 match ip address 10
 set ip next-hop recursive 2.2.2.2
 set ip default next-hop 13.13.13.3

2.2.2.2 is R2's Loopback0 IP address, which is learned by EIGRP.

R1#show ip route eigrp
     2.0.0.0/24 is subnetted, 1 subnets
D       2.2.2.0 [90/2297856] via 12.12.12.2, 00:00:06, Serial0/0

Pinging 2.2.2.2 on R5 is OK.

R5#ping 2.2.2.2 repeat 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 104/104/104 ms
R5#

Traceroute is also OK.

R5#traceroute
Protocol [ip]:
Target IP address: 2.2.2.2
Source address: 15.15.15.5
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 2.2.2.2

  1 15.15.15.1 64 msec 60 msec 32 msec
  2 12.12.12.2 64 msec *  92 msec
R5#

Here is R1: debug ip policy

*Mar  1 00:39:17.379: IP: s=15.15.15.5 (FastEthernet0/0), d=2.2.2.2, len 100, FIB policy match
*Mar  1 00:39:17.379: IP: s=15.15.15.5 (FastEthernet0/0), d=2.2.2.2, g=2.2.2.2, len 100, FIB policy routed

Then I shut down R1 Loopback0, and now R1 cannot learn the route 2.2.2.2. I ran debug ip icmp on R3 and R4 to see exactly where the ICMP from R1 goes.

R1#show ip route eigrp
R1#

debug ip policy on R1 still shows this:

R1#
*Mar  1 00:42:31.703: IP: s=15.15.15.5 (FastEthernet0/0), d=2.2.2.2, len 100, FIB policy match
*Mar  1 00:42:31.703: IP: s=15.15.15.5 (FastEthernet0/0), d=2.2.2.2, g=2.2.2.2, len 100, FIB policy routed
R1#


R3 shows nothing, but R4 shows:

R4#
*Mar  1 00:42:27.799: ICMP: dst (2.2.2.2) host unreachable sent to 15.15.15.5
R4#

This means the packet is policy routed to R4, not to R3 13.13.13.3.

Here is R1's routing table:

R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 14.14.14.4 to network 0.0.0.0

     12.0.0.0/24 is subnetted, 1 subnets
C       12.12.12.0 is directly connected, Serial0/0
     13.0.0.0/24 is subnetted, 1 subnets
C       13.13.13.0 is directly connected, Serial0/1
     14.0.0.0/24 is subnetted, 1 subnets
C       14.14.14.0 is directly connected, Serial0/2
     15.0.0.0/24 is subnetted, 1 subnets
C       15.15.15.0 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 14.14.14.4

So it looks like the packet does not go to 13.13.13.3, but goes to 14.14.14.4 in the end???
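
A small model of the lab result above, added here as an illustration; it is not part of the original post and is not Cisco's implementation. It assumes the recursive next hop is resolved by an ordinary longest-prefix lookup that the static default route can satisfy, and the function names and the dictionary form of R1's routing table are constructed for the example.

```python
import ipaddress

# R1's routing table from the post, in a constructed dict form:
# prefix -> next hop, None = directly connected.
RIB_EIGRP_DOWN = {
    "12.12.12.0/24": None, "13.13.13.0/24": None,
    "14.14.14.0/24": None, "15.15.15.0/24": None,
    "0.0.0.0/0": "14.14.14.4",
}
RIB_EIGRP_UP = dict(RIB_EIGRP_DOWN, **{"2.2.2.0/24": "12.12.12.2"})

def lookup(rib, addr):
    """Longest-prefix match; returns (network, via) or None."""
    ip, best = ipaddress.ip_address(addr), None
    for prefix, via in rib.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best

def resolve(rib, addr, depth=8):
    """Follow next hops until a connected route is hit; return the adjacent hop."""
    for _ in range(depth):
        hit = lookup(rib, addr)
        if hit is None:
            return None
        if hit[1] is None:      # connected network: addr itself is adjacent
            return addr
        addr = hit[1]
    return None

def pbr_forward(rib, dst, recursive_nh, default_nh):
    """Assumed evaluation order: recursive next hop, default next hop, RIB."""
    hop = resolve(rib, recursive_nh)
    if hop is not None:         # assumption: 0.0.0.0/0 counts as a resolving route
        return ("next-hop recursive", hop)
    hit = lookup(rib, dst)
    explicit = hit is not None and hit[0].prefixlen > 0
    if not explicit and resolve(rib, default_nh) is not None:
        return ("default next-hop", default_nh)
    return ("routing table", resolve(rib, dst))

if __name__ == "__main__":
    for name, rib in (("EIGRP up", RIB_EIGRP_UP), ("EIGRP down", RIB_EIGRP_DOWN)):
        print(name, pbr_forward(rib, "2.2.2.2", "2.2.2.2", "13.13.13.3"))
```

With the EIGRP route withdrawn the model still returns a recursive result via 14.14.14.4, which matches the debug line that keeps showing g=2.2.2.2 and the host unreachable generated by R4.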

Rolf Fischer
Level 9

Until now I didn't even know the recursive option, but I think there's one IP address missing in your command:

http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_pi/command/iri-cr-s1.html#GUID-72CDBB9D-A107-43DD-B8F9-3540255299C9

recursive ip-address

Sets the IP address of the recursive next-hop router.

Note: The next-hop IP address must be assigned separately from the recursive next-hop IP address.

set ip next-hop { [recursive ] }

Another idea:

Probably you already knew, but when you want to test PBR with an IP address of the router itself you need to add the

ip local policy route-map

command.

HTH

Rolf
