Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2822
Views
10
Helpful
6
Replies

Policy Based Routing and IP Helper

Go to solution
RyanJohnstone
Level 1
Level 1

‎12-04-2013 05:18 AM - edited ‎03-07-2019 04:55 PM

Can anyone help with an issue i am having with PBR and an IP Helper.  I cannot get devices in the VLAN with the associated SVI to get DHCP addresses, there is no DHCP server in the VLAN so an IP Helper is used but whenever i enable PBR on the SVI, DHCP stops working.  The switch is a 6506 Catalyst running Version 12.2(17d)SXB11 of IOS

The SVI config for the VLAN is as below

ip address 10.2.60.254 255.255.255.0

ip helper-address 10.10.80.200

ip helper-address 10.10.80.201

ip policy route-map ACPBR

no ip igmp snooping explicit-tracking

no ipv6 mld snooping explicit-tracking

no ipv6 mld snooping

a route map configured as follows

route-map ACPBR permit 10

match ip address ACPBR_ACL

set ip default next-hop 10.99.1.252

!

route-map ACPBR permit 20

set default interface Null0

!

and an access list as follows

ip access-list extended ACPBR_ACL

deny udp any any eq bootps log

permit ip 10.2.60.0 0.0.0.255 any

So any DHCP traffic should hit the deny command and drop back to the normal routing process, at least thats my understanding.  The logs on the 6506 even show the DENY being hit, see below

list ACPBR_ACL denied udp 0.0.0.0(68) -> 255.255.255.255(67), 1 packet

Can anyone advise why this may be happening, if i add the PBR to the SVI DHCP stops working, if i remove it then it starts working so it is definately PBR doing something.

Thanks

Ryan

1 person had this problem
Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Peter Paluch
Cisco Employee
Cisco Employee

‎12-04-2013 05:58 AM

Ryan,

The deny line in your ACL merely causes the DHCP traffic to be not processed in the ACPBR block 10. However, for this traffic, the processing of the route-map continues to block 20 with the set default interface Null0 command. This could be the cause of the drops you are seeing. Remember, the permit/deny in ACL here only select packets to be dealt with in the particular route-map block. However, it is the permit/deny in the route-map block header that determines whether the packet is going to be PBR-ed or normally routed.

Assuming you want to keep the DHCP traffic to be normally routed, one of ways of doing that would be:

ip access-list extended ACPBR_ACL
 deny udp any any eq bootps log
 permit ip 10.2.60.0 0.0.0.255 any
!
ip access-list extended ACPBR_DHCP
 permit udp any any eq bootps
!
route-map ACPBR permit 10
 match ip address ACPBR_ACL
 set ip default next-hop 10.99.1.252
!
route-map ACPBR deny 15
 match ip address ACPBR_DHCP
!
route-map ACPBR permit 20
 set default interface Null0

This configuration causes the DHCP traffic to be processed in block 15, and because of the deny action in the block header, the traffic should fall back to normal routing.

While I am somewhat surprised that the PBR would affect broadcasts (it should not, and perhaps it affects only a part of the DHCP communication that does happen to be unicasted), I believe this modification of your config is worth trying.

Best regards,

Peter

View solution in original post

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎12-04-2013 06:07 AM

Ryan

What is happening is that your DHCP request is being matched by ACPBR_ACL. When a packet matches a deny entry in acl it simply jumps to the next route map statement if there is one and there is in your case ie.

route-map ACPBR permit 20

set default interface Null0

If you want to stop processing the route-map altogether then you need to use a deny in the actual route map statement rather than the acl. So you need to rewrite your route map with a deny statement for DHCP traffic eg.

route-map ACBPR deny 10

match ip address ACPBR_DHCP

route-map ACPBR permit 20

match ip address ACPBR_ACL

set ip default next-hop 10.99.1.252

route-map ACPBR permit 30

set default interface Null0

ip access-list extended ACPBR_DHCP

permit udp any any eq bootps log

ip access-list extended ACPBR_ACL

permit ip 10.2.60.0 0.0.0.255 any

Of course without knowing exactly how your topology is setup you may need to modify but based on what you have told us the above should work.

Jon

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Peter Paluch
Cisco Employee
Cisco Employee

‎12-04-2013 05:58 AM

Ryan,

The deny line in your ACL merely causes the DHCP traffic to be not processed in the ACPBR block 10. However, for this traffic, the processing of the route-map continues to block 20 with the set default interface Null0 command. This could be the cause of the drops you are seeing. Remember, the permit/deny in ACL here only select packets to be dealt with in the particular route-map block. However, it is the permit/deny in the route-map block header that determines whether the packet is going to be PBR-ed or normally routed.

Assuming you want to keep the DHCP traffic to be normally routed, one of ways of doing that would be:

ip access-list extended ACPBR_ACL
 deny udp any any eq bootps log
 permit ip 10.2.60.0 0.0.0.255 any
!
ip access-list extended ACPBR_DHCP
 permit udp any any eq bootps
!
route-map ACPBR permit 10
 match ip address ACPBR_ACL
 set ip default next-hop 10.99.1.252
!
route-map ACPBR deny 15
 match ip address ACPBR_DHCP
!
route-map ACPBR permit 20
 set default interface Null0

This configuration causes the DHCP traffic to be processed in block 15, and because of the deny action in the block header, the traffic should fall back to normal routing.

While I am somewhat surprised that the PBR would affect broadcasts (it should not, and perhaps it affects only a part of the DHCP communication that does happen to be unicasted), I believe this modification of your config is worth trying.

Best regards,

Peter

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to Peter Paluch

‎12-04-2013 06:08 AM

Peter

You beat me to it. I must be getting slower in my typing 

Jon

0 Helpful

Go to solution
RyanJohnstone
Level 1
Level 1
In response to Peter Paluch

‎12-05-2013 03:18 AM

Thanks Peter, made changes based on your guidance and all working well.

0 Helpful

Go to solution
veevekraj
Level 1
Level 1
In response to Peter Paluch

‎02-03-2020 04:03 AM

Thanks

 

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎12-04-2013 06:07 AM

Ryan

What is happening is that your DHCP request is being matched by ACPBR_ACL. When a packet matches a deny entry in acl it simply jumps to the next route map statement if there is one and there is in your case ie.

route-map ACPBR permit 20

set default interface Null0

If you want to stop processing the route-map altogether then you need to use a deny in the actual route map statement rather than the acl. So you need to rewrite your route map with a deny statement for DHCP traffic eg.

route-map ACBPR deny 10

match ip address ACPBR_DHCP

route-map ACPBR permit 20

match ip address ACPBR_ACL

set ip default next-hop 10.99.1.252

route-map ACPBR permit 30

set default interface Null0

ip access-list extended ACPBR_DHCP

permit udp any any eq bootps log

ip access-list extended ACPBR_ACL

permit ip 10.2.60.0 0.0.0.255 any

Of course without knowing exactly how your topology is setup you may need to modify but based on what you have told us the above should work.

Jon

0 Helpful

Go to solution
RyanJohnstone
Level 1
Level 1
In response to Jon Marshall

‎12-05-2013 03:18 AM

Thanks Jon, all working now.  appreciate your assistance.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card