06-21-2012 09:03 AM - edited 03-07-2019 07:23 AM
Hello,
I have a problem with Policy Based Routing on a Cisco Catalyst 6500 with IOS ipservicesk9-mz.122-33.SXH2a.
I am trying to redirect traffic, and only that traffic, from machines with private IP addresses (10.10.10.0/24) to port TCP/1111
of a server 195.x.x.1 with a public IP. The principle is: my 10.10.10.0/24 machines emit traffic bound for port
tcp/1111 on 195.x.x.1, the PBR on the 6500 router intercepts that traffic and sends it to a Linux NAT (10.10.10.2), which translates it through its second (public) interface toward the destination server (195.x.x.1). The NAT cannot be done on the 6500 itself; it has to be on a different machine for other reasons. The Policy Based Routing (ip policy route-map) is applied on a VLAN interface; I also tried it on a physical interface, without further success.
The Linux NAT server is working properly.
Here, the Policy Based Routing (route-map) is not working. Here is the conf:
! Creation of the route-map
route-map PBR-TST permit 10
 ! Filtering machines
 match ip address ACL-TST
 ! Next-hop assignment for the redirected traffic (NAT server)
 set ip next-hop 10.10.10.2
!
6500# show ip access-list ACL-TST
Extended IP access list ACL-TST
    10 permit tcp 10.10.10.0 0.0.0.255 host 195.x.x.1 eq 1111
Do you have any idea where it comes from? If you need more information, please feel free to ask me ;-)
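Before suspecting the platform, it is worth confirming exactly which flows the posted ACL and route-map would select. The following Python model is an added example, not code from this thread or from Cisco: it implements Cisco wildcard-mask matching, first-match ACL evaluation with the implicit deny, and route-map sequence evaluation, then runs the poster's policy over a few constructed packets. The route-map name PBR-TST and the address 195.0.0.1 (a stand-in for the masked 195.x.x.1) are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp", "udp", "icmp", ...
    sport: int
    dport: int


@dataclass(frozen=True)
class Ace:
    """One extended ACL entry: action, protocol, source/wildcard, destination/wildcard, optional dest port."""
    action: str
    proto: str
    src: str
    src_wild: str
    dst: str
    dst_wild: str
    dport: Optional[int] = None


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: 0 bits must match the base address, 1 bits are don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto not in ("ip", pkt.proto):          # "ip" matches every protocol
        return False
    if not wildcard_match(pkt.src, ace.src, ace.src_wild):
        return False
    if not wildcard_match(pkt.dst, ace.dst, ace.dst_wild):
        return False
    if ace.dport is not None and pkt.dport != ace.dport:
        return False
    return True


def acl_lookup(acl: List[Ace], pkt: Packet) -> str:
    """First-match semantics; an ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


# route-map sequence: (seq, action, acl name, next hop)
RouteMapSeq = Tuple[int, str, str, Optional[str]]


def pbr_next_hop(route_map: List[RouteMapSeq], acls: dict, pkt: Packet) -> Optional[str]:
    """Return the PBR next hop, or None when the packet is routed normally.

    A permit sequence whose ACL permits the packet applies its set clause; a deny
    sequence (or no matching sequence at all) means normal destination-based routing.
    An ACL deny inside a sequence just falls through to the next sequence.
    """
    for _seq, action, acl_name, next_hop in sorted(route_map):
        if acl_lookup(acls[acl_name], pkt) == "permit":
            return next_hop if action == "permit" else None
    return None


# The poster's policy, transcribed (195.0.0.1 is a constructed stand-in for 195.x.x.1).
ACLS = {
    "ACL-TST": [Ace("permit", "tcp", "10.10.10.0", "0.0.0.255", "195.0.0.1", "0.0.0.0", dport=1111)],
}
ROUTE_MAP: List[RouteMapSeq] = [(10, "permit", "ACL-TST", "10.10.10.2")]


def classify(pkt: Packet) -> Optional[str]:
    return pbr_next_hop(ROUTE_MAP, ACLS, pkt)


if __name__ == "__main__":
    # Constructed sample flows, the only one that should be policy-routed is the first.
    for p in (Packet("10.10.10.5", "195.0.0.1", "tcp", 40000, 1111),
              Packet("10.10.10.5", "195.0.0.1", "tcp", 40000, 80),
              Packet("195.0.0.1", "10.10.10.5", "tcp", 1111, 40000),
              Packet("10.10.11.5", "195.0.0.1", "tcp", 40000, 1111)):
        print(p, "->", classify(p) or "normal routing")
```

The model confirms the policy is narrow in the intended way: only the forward TCP flow from 10.10.10.0/24 to 195.x.x.1 port 1111 is sent to 10.10.10.2; return traffic, other ports and other subnets are routed normally. One thing the model cannot show but that matters on the real box: PBR is evaluated only for packets arriving inbound on the interface carrying `ip policy route-map`, so `show ip access-list` counters or a `log` keyword on the ACL only increment for traffic that actually enters the 6500 through that VLAN interface.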
06-21-2012 09:29 AM
Hi,
Do you mean that your designated traffic is sent to the NAT machine by the 6500, but it doesn't reach further to 195.x.x.1?
Soroush.
06-21-2012 01:24 PM
Hello soroushm,
Thanks, no traffic is redirected from the 6500 to the NAT server. I enabled the log on my ACL-TST and a tcpdump on the 10.10.10.2 interface of my NAT server; no redirected traffic is visible. I feel that this route-map doesn't work. I also have another route-map on the 6500 (route redistribution) which is not working either; do you think the two might be related?
06-21-2012 01:47 PM
Hi,
Leave this PBR as it is; it looks fine to me.
Try setting a static ARP entry for your next-hop value (10.10.10.2) on your switch (find out the MAC address of 10.10.10.2 and do it), and see if it works.
plz Rate if it helped,
Soroush.
06-22-2012 12:07 AM
Hi Soroush,
Good idea... I just tried, but without success. The NAT server does not receive the traffic redirected by the 6500 PBR. I think I have a problem with my route-map, but which one?
To be precise: everything else on the networks managed by this 6500 router is working properly.
06-22-2012 06:35 AM
I found a couple of complaints about IOS bugs: CSCsm08087 and CSCsl39710.
Maybe you are hitting those!
See this link: https://supportforums.cisco.com/thread/2048224
plz Rate if it helped,
Soroush.