Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
528
Views
0
Helpful
0
Replies

PBR/route map misbehavior on 6509 VSS running switch

mangesh.kamble
Level 1
Level 1

‎12-14-2010 10:36 AM - edited ‎03-06-2019 02:31 PM

Dear All,

I have been doing policy configuration on 6509 series switches for few days. And all of a sudden my 6509 started misbehaving, by giving shocking results.

I was configuring simple PBR policy wherein I am forwarding all my interesting traffic getting match in my Access-list to ISP-2. Please find the configuration details as below:-

6509 Core VSS Switch:
route-map PBR per 10
match ip add 110
set ip next-hop verify-availability 10.253.168.34 20 track 9
exit
route-map PBR per 20
exit

ip access-list extended 110
10 permit tcp 10.253.173.0 0.0.0.127 any eq 80
20 permit tcp 10.253.173.0 0.0.0.127 any eq 443

int vlan 311
ip address 10.253.173.1 255.255.255.128
ip policy route-map PBR
exit

But when I try to browse without any proxy, the browsing is success but my policies are not getting matched at all. When I say "show access-list" it shows me the access-list but there are no hit-counts, even when I do "show route-map PBR" my all traffic either matches permit 20 sequence or most of the time it don;t match PBR at all and still traffic gets forwarded to ISP-2 in both cases as per requirement.

I don't understand why is it happening, I suspect it may be because of some IOS bug too, as I am facing issue with accessing same switch using ssh. I am currently using 12.2(33)SXI3.bin IOS.

When I checked on my FW (ASA 5550), I found that I am having valid xlate entry but when I check sh conn I see my all connections are UDP sessions and generated from my Internal DNS server. So I tried changing my ACL using below configuation:

route-map PBR per 10
match ip add 110
set ip next-hop verify-availability 10.253.168.34 20 track 9
exit
route-map PBR per 20
exit

ip access-list extended 110
10 permit tcp 10.253.173.0 0.0.0.127 any eq 80
20 permit tcp 10.253.173.0 0.0.0.127 any eq 443
30 permit udp 10.253.173.0 0.0.0.127 10.253.79.5
40 permit tcp 10.253.173.0 0.0.0.127 10.254.231.143

int vlan 311
ip address 10.253.173.1 255.255.255.128
ip policy route-map PBR
exit


Still no success, its still not matching ny Access-list at all.

Please assist if anyone else has faced similar issue or an issue related to PBR on 6509 please.

Thanks and Regards,
Mangesh.

Labels:
76994-test_set.vsd.zip
0 Helpful
0 Replies 0
Customers Also Viewed These Support Documents