PBR Problem on CISCO ME380X

baxta2712
Level 1

Hello, I need help.

After applying PBR to a VLAN interface on my switch, I can't ping 192.168.0.51 and 192.168.0.30, neither from the switch nor from the other networks connected to the switch.

interface Vlan192
ip address 192.168.0.1 255.255.255.0
no ip proxy-arp
ip policy route-map MAIL
end

Extended IP access list 101
10 permit ip host 192.168.0.51 any
20 permit ip host 192.168.0.30 any (138 matches)

route-map MAIL, permit, sequence 10
Match clauses:
ip address (access-lists): 101
Set clauses:
ip next-hop 10.100.100.2
Policy routing matches: 66 packets, 5998 bytes

Can anyone help me?

5 Replies

Diana Karolina Rojas
Cisco Employee

Hello,

I need to know what you are trying to do, because in your output you are forwarding all the traffic from 192.168.0.51 and 192.168.0.30 to 10.100.100.2. Does this device (10.100.100.2) know how to reach all the networks from which you are pinging? When you did a traceroute, what was the result? Why don't you try to specify what kind of traffic you want to be affected by the PBR?

Do not forget to rate useful posts.

Best Regards,

Hello, I have an L3 switch with several VLAN interfaces configured there; for example, one network is 192.168.1.0/24 and another is 192.168.0.0/24. Host 192.168.0.51 is a mail server, so it should have next hop 10.100.100.2; the default gateway for the switch is 10.100.100.1. It is very strange, but after configuring PBR I can't ping 192.168.0.51, neither from the switch (192.168.0.1) nor from the 192.168.1.0/24 network. When I tried to put an ACL entry above the permit to deny host 192.168.0.51 to network 192.168.1.0/24, it still did not work.

If I remove PBR from the interface, it starts working.

We do not have enough information to be able to give you good suggestions. As a start can you post a simple diagram that shows your network topology. In particular can you provide clarification about the relationship between the subnet 192.168.0 (where the mail server is) and subnet 10.100.100 (where the next hop is)?


As a further step, would you post the configuration of this layer 3 switch? Also post the output from this switch of show ip route and of show ip interface brief.

HTH

Rick

Hello, this is the configuration and diagram:

==========================


no ip domain lookup
ip domain name gino.ge
ipv6 multicast rpf use-bgp
!
!
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 1-110,112-500 priority 24576
spanning-tree vlan 111 priority 4096
diagnostic bootup level minimal
no errdisable detect cause pagp-flap
no errdisable detect cause dtp-flap
no errdisable detect cause link-flap
no errdisable detect cause gbic-invalid
no errdisable detect cause arp-inspection
no errdisable detect cause loopback

!
!
transceiver type all
monitoring
vlan internal allocation policy ascending
!
vlan 10
name ESXi
!
vlan 11
name CCTV1
!
vlan 12
name CCTV2
!
vlan 13
name CCTV3
!
vlan 14
name CCTV4
!
vlan 15
name CCTV5
!
vlan 16
name CCTV6
!
vlan 17
name CCTV7
!
vlan 18
name CCTV8
!
vlan 20
!
vlan 30
name Guests
!
vlan 40
name Wifi-Office
!
vlan 44
!
vlan 50
name Voice
!
vlan 60
name Servers
!
vlan 91
name Welness
!
vlan 93
name BackUp
!
vlan 100
name Management
!
vlan 101
name Unifi
!
vlan 123
name OUTSIDE
!
vlan 168
name Miner
!
vlan 192
!
vlan 200
name Exchange
!
vlan 754
name Internet
!
vlan 756
name TBC-Bnkomati
!
ip ssh version 2
lldp run
!
!
!
interface GigabitEthernet0
no ip address
shutdown
speed auto
duplex auto
negotiation auto
!
interface GigabitEthernet0/1
description Delta-Internet
switchport trunk allowed vlan 754,756
switchport mode trunk
no cdp enable
spanning-tree bpdufilter enable
!
interface GigabitEthernet0/2
description Gino-Router
switchport mode trunk
!
interface GigabitEthernet0/3
description Server-SW
switchport mode trunk
!
interface GigabitEthernet0/4
description SW1-Patara-Otaxi
switchport mode trunk
!
interface GigabitEthernet0/5
description SW-GASTRO
switchport mode trunk
!
interface GigabitEthernet0/6
description SW-Camera1
switchport mode trunk
!
interface GigabitEthernet0/7
description SW-PuertoRico
switchport mode trunk
!
interface GigabitEthernet0/8
description Gastro lan
switchport mode trunk
!
interface GigabitEthernet0/9
switchport mode trunk
!
interface GigabitEthernet0/10
switchport mode trunk
!
interface GigabitEthernet0/11
description didi auzi
switchport mode trunk
!
interface GigabitEthernet0/12
switchport mode trunk
!
interface GigabitEthernet0/13
switchport mode trunk
!
interface GigabitEthernet0/14
switchport mode trunk
!
interface GigabitEthernet0/15
switchport mode trunk
!
interface GigabitEthernet0/16
switchport mode trunk
!
interface GigabitEthernet0/17
switchport mode trunk
!
interface GigabitEthernet0/18
switchport mode trunk
!
interface GigabitEthernet0/19
!
interface GigabitEthernet0/20
switchport mode trunk
!
interface GigabitEthernet0/21
switchport mode trunk
!
interface GigabitEthernet0/22
switchport mode trunk
!
interface GigabitEthernet0/23
switchport mode trunk
!
interface GigabitEthernet0/24
switchport mode trunk
!
interface TenGigabitEthernet0/1
!
interface TenGigabitEthernet0/2
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
description ::CAM_ESX1::
ip address 10.10.0.1 255.255.255.0
!
interface Vlan11
description ::CAM11::
ip address 10.11.0.1 255.255.255.0
!
interface Vlan12
description ::CAM12::
ip address 10.12.0.1 255.255.255.0
!
interface Vlan13
description ::CAM13::
ip address 10.13.0.1 255.255.255.0
!
interface Vlan14
description ::CAM14::
ip address 10.14.0.1 255.255.255.0
!
interface Vlan15
description ::CAM15::
ip address 10.15.0.1 255.255.255.0
!
interface Vlan16
description ::CAM16::
ip address 10.16.0.1 255.255.255.0
!
interface Vlan17
description ::CAM17::
ip address 10.17.0.1 255.255.255.0
!
interface Vlan18
description ::CAM18::
ip address 10.18.0.1 255.255.255.0
!
interface Vlan40
description ::Office-WIFI::
ip address 10.40.0.1 255.255.255.0
!
interface Vlan50
description ::Voice::
ip address 10.50.0.1 255.255.255.0
!
interface Vlan91
description ::Welness::
ip address 192.168.1.1 255.255.255.0
!
interface Vlan100
description ::Management::
ip address 10.100.0.1 255.255.255.0
!
interface Vlan101
description ::Unifi::
ip address 192.168.8.1 255.255.252.0
!
interface Vlan111
no ip address
!
interface Vlan123
description ::OUTSIDE::
ip address 10.100.100.3 255.255.255.0
!
interface Vlan192
description ::Molareebi::
ip address 192.168.0.1 255.255.255.0
no ip proxy-arp
ip policy route-map MAIL
!
interface Vlan200
description ::EXCHANGE::
ip address 172.16.0.1 255.255.255.0
!
ip default-gateway 10.100.0.1
ip forward-protocol nd
!
!
ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.100.100.1
ip route 92.241.67.178 255.255.255.255 10.100.100.2 name Mtskheta_VOIP
ip route 192.168.3.0 255.255.255.0 10.100.100.1 name Servers
ip route 192.168.32.0 255.255.255.0 10.100.100.2 name GWE_LAN
ip route 192.168.34.0 255.255.255.0 10.100.100.2 name GWE_LAN_WIFI_EMP
ip route 192.168.35.0 255.255.255.0 10.100.100.2 name GWE_VPN_AnyConnect
ip route 192.168.128.0 255.255.255.0 10.100.100.2 name EC_LAN_SERVERS
ip route 192.168.130.0 255.255.255.0 10.100.100.2 name EC_LAN_WORKSTATIONS
ip route 192.168.134.0 255.255.255.0 10.100.100.2 name EC_LAN_WIFI
ip route 192.168.136.0 255.255.255.0 10.100.100.2 name EC_LAN_GIO-B_GPB
ip route 192.168.144.0 255.255.255.0 10.100.100.2 name KO_LAN_SERVERS
ip route 192.168.146.0 255.255.255.0 10.100.100.2 name KO_WORKSTATIONS
ip route 192.168.149.0 255.255.255.0 10.100.100.2 name KO_WIFI
ip route 192.168.152.0 255.255.255.0 10.100.100.2 name KO_PBX
!
ip access-list extended PBR
permit ip host 192.168.0.51 any
permit ip host 192.168.0.30 any
!
access-list 101 permit ip host 192.168.0.51 any
access-list 101 permit ip host 192.168.0.30 any
!
route-map MAIL permit 10
match ip address 101
set ip next-hop 10.100.100.2
!
route-map PBR permit 10
match ip address PBR
set ip next-hop 10.100.100.2
!
!
!
!
control-plane
!
!
line con 0
logging synchronous
line vty 0 4
exec-timeout 0 0
transport input ssh
line vty 5 15
exec-timeout 0 0

!
controller BITS input applique E1 framing fas_nocrc linecode ami
!
end

=========================

Thanks for the additional information. The config does clarify how PBR is applied and that any packet from those hosts, including any attempt to respond to ping, is sent to the next hop which is your ASA. So the question becomes if your ASA receives a packet with a source address of one of these servers and a destination address of some device connected to the L3 switch, what does the ASA do with this? Would the ASA forward the ping response back to the L3 switch?


One part of this would be to ask whether your ASA is configured to allow same-security-level intra-interface traffic.

HTH
Rick
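
An added configuration example (mine, not from the thread) that follows Rick's analysis. With the policy as posted, every packet the two hosts send that arrives on Vlan192, including ICMP echo replies to the switch's own SVI 192.168.0.1 and to hosts in 192.168.1.0/24, matches ACL 101 and is handed to 10.100.100.2 instead of being routed locally. The switch's own pings are not policy-routed at all, since PBR acts on packets received on the interface and locally generated traffic only gets a policy with ip local policy, so the symptom is the reply path, not the request path. A single deny for 192.168.1.0/24 would not exempt replies to 192.168.0.1, which is why a deny list has to cover every destination the switch routes itself. Two ways to keep those destinations on the routing table are shown below; the subnet list is taken from the posted SVIs and static routes, the ACL name MAIL-PBR is an assumption, and the unused route-map PBR / access-list PBR pair in the posted config could be removed or reused instead.

```cisco
! Added example, not from the original thread. Addresses come from the
! posted config; the ACL name MAIL-PBR is an assumption.
!
! --- as posted: every packet sourced by the two hosts is policy-routed,
! --- including replies to 192.168.0.1 (the SVI) or to 192.168.1.0/24
access-list 101 permit ip host 192.168.0.51 any
access-list 101 permit ip host 192.168.0.30 any
route-map MAIL permit 10
 match ip address 101
 set ip next-hop 10.100.100.2
!
! --- option A: explicit exemptions. In a PBR ACL "deny" does not drop the
! --- packet; it means "do not policy-route it" (use the routing table), so
! --- the locally routed destinations must come before the permit entries.
ip access-list extended MAIL-PBR
 remark connected VLANs on this switch: normal routing
 deny   ip host 192.168.0.51 192.168.0.0 0.0.0.255
 deny   ip host 192.168.0.30 192.168.0.0 0.0.0.255
 deny   ip host 192.168.0.51 192.168.1.0 0.0.0.255
 deny   ip host 192.168.0.30 192.168.1.0 0.0.0.255
 deny   ip host 192.168.0.51 192.168.8.0 0.0.3.255
 deny   ip host 192.168.0.30 192.168.8.0 0.0.3.255
 deny   ip host 192.168.0.51 172.16.0.0 0.0.0.255
 deny   ip host 192.168.0.30 172.16.0.0 0.0.0.255
 deny   ip host 192.168.0.51 10.0.0.0 0.255.255.255
 deny   ip host 192.168.0.30 10.0.0.0 0.255.255.255
 remark 192.168.3.0/24 is a static route via 10.100.100.1; keep it there
 deny   ip host 192.168.0.51 192.168.3.0 0.0.0.255
 deny   ip host 192.168.0.30 192.168.3.0 0.0.0.255
 remark everything else from the mail hosts goes to 10.100.100.2
 permit ip host 192.168.0.51 any
 permit ip host 192.168.0.30 any
!
route-map MAIL permit 10
 no match ip address 101
 match ip address MAIL-PBR
 set ip next-hop 10.100.100.2
!
! --- option B: let the routing table win whenever it has an explicit route.
! --- "set ip default next-hop" is consulted only for destinations that would
! --- otherwise hit the default route, so connected VLANs and the static
! --- routes are left alone and ACL 101 can stay as it is. Check the
! --- platform's PBR restrictions first: not every Catalyst supports
! --- "set ip default next-hop" in hardware (assumption for the ME3800X).
route-map MAIL permit 10
 match ip address 101
 no set ip next-hop 10.100.100.2
 set ip default next-hop 10.100.100.2
!
! --- verification after either change
! show ip policy                 ! route-map bound to Vlan192
! show route-map MAIL            ! match/set clauses and policy-routing counters
! show ip access-lists MAIL-PBR  ! per-entry hit counts: the deny lines should
!                                ! increment when the switch pings the server
! ping 192.168.0.51 source 192.168.0.1
! traceroute 192.168.0.51 source 192.168.1.1
```

Option A is the one to use when the remaining static routes toward 10.100.100.2 must also be overridden for these two hosts regardless of what the routing table says; option B is smaller and safer when the only goal is to send their Internet-bound traffic (the default-route case) to 10.100.100.2. Either way, 10.100.100.2 still has to know a return path for the destinations it receives, which is the question Rick raises about the ASA.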