PBR problem on WS-C4500X-32

Dear all,

I configured a quite easy PBR config for a test scenario, but it will not work. When I add a static route for an example destination it works. So I guess the PBR is not working but I don't know why, also the debug didn't show me an error..

Version:

cat4500e-universalk9.SPA.03.05.01.E.152-1.E1.bin

PBR Config:

ip access-list extended ACL_WW_Test
  permit ip host 10.79.20.80 any
  permit ip host 10.79.20.81 any
  permit ip host 10.79.20.82 any

Switch#sh route-map
route-map RM_WW_TEST, permit, sequence 10
   Match clauses:
     ip address (access-lists): ACL_WW_Test
   Set clauses:
     ip next-hop 10.79.0.1
   Policy routing matches: 4528 packets, 1399594 bytes

interface Vlan20
  description xyz
  ip address 10.79.20.1 255.255.255.0
  ip policy route-map RM_WW_TEST

ip local policy route-map RM_WW_TEST (just to make sure, I know I don't really need it in that case)

Debug:

Feb 17 18:53:53 MEWZ: IP: Vlan20 to Vlan999 10.79.0.1
Feb 17 18:53:54 MEWZ: IP: s=10.79.20.80 (Vlan20), d=173.194.113.191, len 60, policy match
Feb 17 18:53:54 MEWZ: IP: route map RM_WW_TEST, item 10, permit
Feb 17 18:53:54 MEWZ: IP: s=10.79.20.80 (Vlan20), d=173.194.113.191 (Vlan999), len 60, policy routed
Feb 17 18:53:54 MEWZ: IP: Vlan20 to Vlan999 10.79.0.1
Feb 17 18:53:54 MEWZ: IP: s=10.79.20.80 (Vlan20), d=173.194.113.191, len 60, policy match
Feb 17 18:53:54 MEWZ: IP: route map RM_WW_TEST, item 10, permit
Feb 17 18:53:54 MEWZ: IP: s=10.79.20.80 (Vlan20), d=173.194.113.191 (Vlan999), len 60, policy routed
Feb 17 18:53:54 MEWZ: IP: Vlan20 to Vlan999 10.79.0.1
Feb 17 18:53:54 MEWZ: IP: s=10.79.20.80 (Vlan20), d=173.194.113.191, len 60, policy match
Feb 17 18:53:54 MEWZ: IP: route map RM_WW_TEST, item 10, permit
Feb 17 18:53:54 MEWZ: IP: s=10.79.20.80 (Vlan20), d=173.194.113.191 (Vlan999), len 60, policy routed
Feb 17 18:53:54 MEWZ: IP: Vlan20 to Vlan999 10.79.0.1

Any ideas would be great and hopefully helpful ,)..

regards,

Sebastian
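
A small checker for `debug ip policy` output in the format posted above, added here as an example (it is not code from the thread or from Cisco). It tallies the debug's verdict per flow so the result can be set against what traceroute and the firewall log show; the 10.79.20.90 line and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the debug output in the post. The 10.79.20.90
# line is a constructed host that the route-map does not match.
SAMPLE_LOG = """\
Feb 17 18:53:53 MEWZ: IP: Vlan20 to Vlan999 10.79.0.1
Feb 17 18:53:54 MEWZ: IP: s=10.79.20.80 (Vlan20), d=173.194.113.191, len 60, policy match
Feb 17 18:53:54 MEWZ: IP: route map RM_WW_TEST, item 10, permit
Feb 17 18:53:54 MEWZ: IP: s=10.79.20.80 (Vlan20), d=173.194.113.191 (Vlan999), len 60, policy routed
Feb 17 18:53:54 MEWZ: IP: Vlan20 to Vlan999 10.79.0.1
Feb 17 18:53:55 MEWZ: IP: s=10.79.20.90 (Vlan20), d=173.194.113.191, len 60, policy rejected -- normal forwarding
"""

FLOW = re.compile(
    r"IP: s=(?P<src>[\d.]+) \(\S+\), d=(?P<dst>[\d.]+)(?: \(\S+\))?, "
    r"len \d+, policy (?P<verdict>match|routed|rejected)")
HOP = re.compile(r"IP: \S+ to (?P<out_if>\S+) (?P<next_hop>[\d.]+)\s*$")

def summarize(log):
    """Count policy verdicts per (src, dst) and collect the next hops used."""
    flows = defaultdict(lambda: {"match": 0, "routed": 0, "rejected": 0, "next_hops": set()})
    last_routed = None  # flow that the next "<in> to <out> <next-hop>" line belongs to
    for line in log.splitlines():
        m = FLOW.search(line)
        if m:
            key = (m["src"], m["dst"])
            flows[key][m["verdict"]] += 1
            last_routed = key if m["verdict"] == "routed" else None
            continue
        h = HOP.search(line)
        if h and last_routed:  # an orphan hop line (capture started mid-packet) is skipped
            flows[last_routed]["next_hops"].add(h["next_hop"])
            last_routed = None
    return dict(flows)

def findings(log, expected_next_hop):
    """List flows whose debug verdict differs from the intended policy route."""
    out = []
    for (src, dst), f in sorted(summarize(log).items()):
        if f["rejected"]:
            out.append(f"{src}->{dst}: {f['rejected']} packet(s) rejected, normal forwarding")
        if f["routed"] < f["match"]:
            out.append(f"{src}->{dst}: {f['match'] - f['routed']} match(es) never policy routed")
        wrong = f["next_hops"] - {expected_next_hop}
        if wrong:
            out.append(f"{src}->{dst}: unexpected next hop(s) {sorted(wrong)}")
    return out
```

`findings(SAMPLE_LOG, "10.79.0.1")` reports only the constructed 10.79.20.90 flow; for 10.79.20.80 the debug agrees with the configured next hop, which is the mismatch with the traceroute result that the thread is about.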

Jon Marshall

Sebastian

Not clear how you know it is not working?

Have you done a traceroute?

Jon

Hey Jon,

Nice to have a fast answer from you.

Yes, by traceroute from the host I configured in the ACL and on the firewall log 10.79.0.1.

Sebastian

A few more details might help.

So you traceroute from a host in the ACL and the debugging shows it being policy routed but what exactly, i.e. I assume it is using the routing table but you haven't clarified what that looks like etc.

Jon

Sorry Jon,

I used host 10.79.20.80 as the source for my tests. I tracert to google.de (173.194.113.191).

I expect due to my config, it should use 10.79.0.1 on VLAN999 as next hop. But on that firewall nothing happens in the log and on the trace I see it use the normal routing way.. BUT in the "debug ip policy" you see that it is policy routed without any "error" messages which could help me to find a problem.

When I add a static route "ip route 173.194.113.191 255.255.255.255 10.79.0.1"

The test host 10.79.20.80 uses that route.

Hope that makes it more clear... I'm too deep in that thought at the moment...

Sebastian

No problem, I know what it's like to be lost in thought

What feature set are you running on the 4500?

Also can you try adding a specific line in the ACL before anything else, e.g.

permit ip host 10.79.20.80 host 173.194.113.191

and try the traceroute again.

Jon

It's IP Base

and I'm not sure if I did it already, but anyway I have no access to that switch at the moment.. because I'm just in a consulting role for an old colleague whose part of the company was sold. So we can just go ahead tomorrow, he is already offline... it's 9 PM in Germany...

I will update that case tomorrow with your idea.... But if that works, our design idea will not work, because we need any as destination to test that new Internet proxy routing way..

Sebastian

IP Base usually does not support PBR, i.e. you need IP Services, but I don't know for sure whether this is the case with your particular switch.

Your debugging does suggest it is policy routing (or at least trying) and certainly on some switches you cannot apply the PBR to an interface without the right license but you have clearly applied it in your configuration so it's not entirely clear.

I will have a dig around and see what I come up with.

Jon

Sebastian

From the IOS XE 3.5.0E release notes -

Starting with Cisco IOS Release XE 3.5.0E, support for policy-based routing (PBR) have been extended from Enterprise Services to IP Base, also OSPF Routed Access in IP Base now supports up to 1000 routes.

So it looks like it should be supported on your switch with the license you have.

I can't see anything wrong with your configuration at the moment.

Next thing is to do a bug check so I'll let you know if I find anything.

Jon

I've got a second look and he also said everything is fine.. maybe something with the system we want to connect... It's a special HA cluster... so we can close that here, thanks... I rate for you!
