01-13-2010 11:40 AM - edited 03-06-2019 09:16 AM
Hi,
I have configured a Catalyst 6503 switch with PBR based on the following requirements:
If the source address is 10.91.x.x and the destination address is 10.152.x.x or 10.153.x.x, route the packet to 10.91.208.5 (i.e. make 10.91.208.5 the next-hop address).
If the source is any other address (non-10.91.x.x), route the packet to 10.153.47.245.
The 6503 is a core distribution with all the traffic coming in from Catalyst 3750 access switches connected to the 6503 over uplink connection. I have attached the main parts of the configuration. Hence I have applied the policy to the uplink ports. I think the problem may be with the static routes.
Please could somebody have a look through the configuration and tell me why it is not working.
Thanks
01-13-2010 11:51 AM
gsidhu wrote:
Hi,
I have configured a Catalyst 6503 switch with PBR based on the following requirements:
If the source address is 10.91.x.x and the destination address is 10.152.x.x or 10.153.x.x, route the packet to 10.91.208.5 (i.e. make 10.91.208.5 the next-hop address).
If the source is any other address (non-10.91.x.x), route the packet to 10.153.47.245.
The 6503 is a core distribution with all the traffic coming in from Catalyst 3750 access switches connected to the 6503 over uplink connection. I have attached the main parts of the configuration. Hence I have applied the policy to the uplink ports. I think the problem may be with the static routes.
Please could somebody have a look through the configuration and tell me why it is not working.
Thanks
What exactly is not working?
Also when you say this -
If the source is any other address (non 10.91.x.x) route the packet to 10.153.47.245
Do you mean any other source with the destination as 10.152.x.x or 10.153.x.x? If you mean any source to any destination, if the destination is not 10.152.x.x or 10.153.x.x then it will use the default route on your 6500, which is 10.91.208.5.
Jon
01-13-2010 12:21 PM
Thank you for your quick reply
Yes I mean any other source with destination as 10.152.x.x or 10.153.x.x should be routed via the static route.
I have set up loopback addresses on a Catalyst 3750 switch which is connected to port 2/5 on the 6503 (the loopback addresses are for testing PBR)
int loopback 512
ip address 10.91.215.129 255.255.255.128
int loopback 522
ip address 10.153.45.129 255.255.255.128
When I do an extended ping to 10.152.19.8 using 10.153.45.129 as the source address I get a reply, which is what I expect as there is a static route for the 10.152.0.0 network via 10.153.47.245.
When I do an extended ping to 10.152.19.8 using 10.91.215.129 as the source address I don't get a reply.
I have 'debug ip policy' running on the 6503 and nothing shows up in the logs.
01-13-2010 12:46 PM
gsidhu wrote:
Thank you for your quick reply
Yes I mean any other source with destination as 10.152.x.x or 10.153.x.x should be routed via the static route.
I have set up loopback addresses on a Catalyst 3750 switch which is connected to port 2/5 on the 6503 (the loopback addresses are for testing PBR)
int loopback 512
ip address 10.91.215.129 255.255.255.128
int loopback 522
ip address 10.153.45.129 255.255.255.128
When I do an extended ping to 10.152.19.8 using 10.153.45.129 as the source address I get a reply, which is what I expect as there is a static route for the 10.152.0.0 network via 10.153.47.245.
When I do an extended ping to 10.152.19.8 using 10.91.215.129 as the source address I don't get a reply.
I have 'debug ip policy' running on the 6503 and nothing shows up in the logs.
Okay, so what device is 10.91.208.5? Because that is where you should be looking. Assuming the PBR is working on the 6500, the packet will be sent to 10.91.208.5.
Could you try using a traceroute from the 3750 to see how far it gets?
Jon
01-13-2010 01:23 PM
Jon,
During the day a user connected to the switch with a 10.91.x.x IP address was able to get to all servers, internet, etc. (via the default route through 10.91.208.5). The user was unable to get to 10.152.x.x addresses and 10.153.x.x addresses. I'm wondering if the issue is with the firewall rules at the remote site?
The user was only able to get to the 10.152.x.x and 10.153.x.x networks when he changed his IP address to a 10.153.45.x address.
When I traceroute from the 3750 switch (hence my source IP address 10.91.209.110), the packet goes as far as 10.91.208.109, which is the gi 2/5 interface of the 6503, then it times out.
I'm going to remove the 10.152.x.x and 10.153.x.x static routes so that all traffic gets routed via 10.91.208.5.
01-13-2010 02:14 PM
Hi Jon,
I removed
ip route 10.152.0.0 255.255.0.0 10.153.47.245
ip route 10.153.0.0 255.255.0.0 10.153.47.245
leaving one static (default) route:
ip route 0.0.0.0 0.0.0.0 10.91.208.5
I also removed policy from gi 2/5 on the 6503.
Extended ping from both loopback interfaces to 10.152.19.8 (which is the address on the remote site) failed.
It looks like the packets get to the remote site but on the return path they get dropped.
01-13-2010 02:25 PM
gsidhu wrote:
Hi Jon,
I removed
ip route 10.152.0.0 255.255.0.0 10.153.47.245
ip route 10.153.0.0 255.255.0.0 10.153.47.245
leaving one static (default) route:
ip route 0.0.0.0 0.0.0.0 10.91.208.5
I also removed policy from gi 2/5 on the 6503.
Extended ping from both loopback interfaces to 10.152.19.8 (which is the address on the remote site) failed.
It looks like the packets get to the remote site but on the return path they get dropped.
Thanks for letting me know. It's not an issue with your PBR config then but a routing issue further down the line.
Jon
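One way to express the requirement from the opening post in IOS, as an added example that is not the poster's attached configuration. The ACL and route-map names are hypothetical; the addresses, static routes and interface gi 2/5 are taken from the thread.

```cisco
! Added example, not the poster's attached configuration.
! PBR-SRC-91 and PBR-UPLINK are hypothetical names; addresses come from the thread.
!
! Match only 10.91.x.x sources going to the two remote networks.
ip access-list extended PBR-SRC-91
 permit ip 10.91.0.0 0.0.255.255 10.152.0.0 0.0.255.255
 permit ip 10.91.0.0 0.0.255.255 10.153.0.0 0.0.255.255
!
! Matching packets are sent to 10.91.208.5 regardless of the routing table.
route-map PBR-UPLINK permit 10
 match ip address PBR-SRC-91
 set ip next-hop 10.91.208.5
!
! Packets that match no route-map entry are routed normally, so every other
! source reaches 10.152.x.x and 10.153.x.x through these static routes.
ip route 10.152.0.0 255.255.0.0 10.153.47.245
ip route 10.153.0.0 255.255.0.0 10.153.47.245
ip route 0.0.0.0 0.0.0.0 10.91.208.5
!
! Apply the policy inbound on the uplink from the 3750 access switch.
interface GigabitEthernet2/5
 ip policy route-map PBR-UPLINK
!
! Checks from exec mode:
!   show route-map PBR-UPLINK      (configured match and set clauses)
!   show ip policy                 (interfaces with a route-map applied)
!   show ip route 10.152.19.8      (path used by non-matching sources)
```

PBR steers only the forward direction on the 6503. The remote site still needs a return route, and any firewall in the path a matching rule, for 10.91.x.x sources, which is where the troubleshooting in this thread ended up.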