
policy based routing(PBR) next hop not being detected

David_Beldi
Level 1

Please help. I am trying to reroute traffic that came from the source (192.168.183.220), but for some reason PBR isn't working; it's like it's not even detecting the route maps! I am trying to redirect traffic going to VLAN 10 to VLAN 20!

version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
enable secret 4 06YFDUHH61wAE/kLkDq9BGho1QM5EnRtoyr8cHAUg.2
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
no ip domain lookup
ip domain name cisco.com
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO2901/K9 sn FGL163713TC
!
!
username R1 password 0 david
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 192.168.183.51 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/1.1
encapsulation dot1Q 10
ip address 11.0.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip policy route-map honR
!
interface GigabitEthernet0/1.2
encapsulation dot1Q 20
ip address 11.0.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip policy route-map honR
!
interface Serial0/0/0
no ip address
shutdown
clock rate 2000000
!
interface Serial0/0/1
no ip address
shutdown
clock rate 2000000
!
ip local policy route-map honR
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 101 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 11.0.10.5 22 192.168.183.51 22 extendable
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
!
access-list 100 permit ip host 192.168.183.220 host 11.0.10.5
access-list 101 permit ip 11.0.10.0 0.0.0.255 any
access-list 101 permit ip 11.0.20.0 0.0.0.255 any
!
route-map honR permit 10
match ip address 100
set ip next-hop 11.0.20.5
!
!
control-plane host
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login local
transport input ssh
!
scheduler allocate 20000 1000
end

3 Replies

chrihussey
VIP Alumni

You need to apply the route map to the G0/0 interface and not the others.


Hope this helps

Hey, thanks for your reply. Originally I had it like that; I am just trying all the options. I just changed it, but no luck. :(

version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
enable secret 4 06YFDUHH61wAE/kLkDq9BGho1QM5EnRtoyr8cHAUg.2
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
no ip domain lookup
ip domain name cisco.com
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO2901/K9 sn FGL163713TC
!
!
username R1 password 0 david
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 192.168.183.51 255.255.255.0
ip nat outside
ip virtual-reassembly in
ip policy route-map honR
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/1.1
encapsulation dot1Q 10
ip address 11.0.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.2
encapsulation dot1Q 20
ip address 11.0.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Serial0/0/0
no ip address
shutdown
clock rate 2000000
!
interface Serial0/0/1
no ip address
shutdown
clock rate 2000000
!
ip local policy route-map honR
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 101 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 11.0.10.5 22 192.168.183.51 22 extendable
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
!
access-list 100 permit ip host 192.168.183.220 host 192.168.183.51
access-list 101 permit ip 11.0.10.0 0.0.0.255 any
access-list 101 permit ip 11.0.20.0 0.0.0.255 any
!
route-map honR permit 10
match ip address 100
set ip next-hop 11.0.20.1
!
!
control-plane host
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login local
transport input ssh
!
scheduler allocate 20000 1000
end

A couple of things:

Your access-list changed when you moved it back to G0/0. It should remain:

access-list 100 permit ip host 192.168.183.220 host 11.0.10.5


The fact that you are NATing is also an issue. Any traffic from the 11.0.10.x/24 or 11.0.20.x/24 to 192.168.183.220 is NATed to the G0/0 IP. So the likelihood of 192.168.183.220 seeing any packets from the 11.x.x.x networks is not going to happen. Policy routing may work to the 11.0.20.5, but the return gets NATed and probably gets dropped. If you omit 11.0.20.5 from the NAT it may work.

Better still, if possible, remove the NAT altogether and verify if PBR is working.

Hope that makes sense.
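Added example, not code from the thread: a small Python model of the packet flow the replies describe on R1, following Cisco's documented NAT order of operations (outside-to-inside traffic is translated before policy routing; inside-to-outside traffic is routed and then translated). The addresses, ACL and NAT entries are the ones in the posted config; the function names, the constructed 5-tuples and the placeholder PAT port 1024 are assumptions.

```python
from ipaddress import ip_address, ip_network

# Values taken from the posted R1 config; everything else is constructed.
OUTSIDE_IP = "192.168.183.51"        # GigabitEthernet0/0, "ip nat outside"
CLIENT = "192.168.183.220"           # the source the route-map is meant to catch
NEXT_HOP = "11.0.20.5"               # route-map honR: set ip next-hop 11.0.20.5
# ip nat inside source static tcp 11.0.10.5 22 192.168.183.51 22 extendable
STATIC_TCP = {(OUTSIDE_IP, 22): ("11.0.10.5", 22)}
# ip nat inside source list 101 interface GigabitEthernet0/0 overload
LIST_101 = [ip_network("11.0.10.0/24"), ip_network("11.0.20.0/24")]


def inbound_on_g00(acl100, src, dst, dport, policy_on_g00=True):
    """Outside->inside packet arriving on G0/0.  IOS translates (global->local)
    before policy routing, and PBR only runs if the route-map is applied to the
    ingress interface.  acl100 is the set of (src, dst) pairs that ACL 100 permits.
    Returns (destination after NAT, PBR next hop or None)."""
    dst, dport = STATIC_TCP.get((dst, dport), (dst, dport))   # static NAT first
    matched = policy_on_g00 and (src, dst) in acl100           # route-map honR seq 10
    return dst, (NEXT_HOP if matched else None)


def reply_as_seen_by_client(src, sport, nat_exempt=(), pat_port=1024):
    """Inside->outside reply: routed first, then NAT inside->outside.
    Returns the (address, port) the client sees as the reply's source.
    pat_port stands in for whatever port the overload entry allocates."""
    for (g_ip, g_port), (l_ip, l_port) in STATIC_TCP.items():
        if (src, sport) == (l_ip, l_port):
            return g_ip, g_port                      # matches the static entry
    if src not in nat_exempt and any(ip_address(src) in n for n in LIST_101):
        return OUTSIDE_IP, pat_port                  # new overload (PAT) entry
    return src, sport                                # left untranslated


def session_matches(reply_src):
    """The client opened its session to 192.168.183.51:22, so only a reply
    from exactly that (address, port) belongs to it; anything else is dropped."""
    return reply_src == (OUTSIDE_IP, 22)


if __name__ == "__main__":
    # ACL 100 as first posted vs. as changed in the second config
    print(inbound_on_g00({(CLIENT, "11.0.10.5")}, CLIENT, OUTSIDE_IP, 22))
    print(inbound_on_g00({(CLIENT, OUTSIDE_IP)}, CLIENT, OUTSIDE_IP, 22))
    print(session_matches(reply_as_seen_by_client("11.0.20.5", 22)))
```

The first two calls show why the ACL has to name the post-NAT destination 11.0.10.5, and the last one shows the overload entry rewriting the reply from 11.0.20.5 into a source the client never talked to.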
