Policy routing not working

Randy Ethridge · ‎08-06-2010

Hello, I have a problem with policy routing not working in a 6513 with a Sup720 running 12.2(18)SXD7. I have 3 other 6513's with the exact same hardware and IOS running the same policy configuration without issues. When looking at the acl's and route-map it shows hits but the next hop address is ignored.

route-map

impulse permit 10
match ip address intranet
!
route-map impulse permit 20
match ip address impulse_block
set ip next-hop 139.67.61.228

intranet acl

Extended IP access list intranet
    10 permit ip any host 139.67.60.245 (302 matches)
    20 permit ip any host 139.67.61.245 (401 matches)
    30 permit ip any host 139.67.14.190 (283 matches)
    40 permit ip any host 139.67.14.191 (332 matches)
    50 permit ip any host 139.67.14.192 (3929 matches)
    60 permit ip any host 139.67.14.193 (325 matches)
    70 permit ip any host 139.67.9.250
    80 permit ip any host 139.67.8.39
    90 permit ip any host 139.67.9.96
    100 permit ip any 69.25.20.0 0.0.0.255
    110 permit ip any 74.201.74.0 0.0.0.255
    120 permit ip any 64.94.18.0 0.0.0.255 (71 matches)
    130 permit ip any host 139.67.14.32
    140 permit ip any host 139.67.208.206
    150 permit ip any host 139.67.208.207
    160 permit ip any host 139.67.208.208
    170 permit ip any host 10.201.90.1 (12467 matches)

impulse_block acl

Extended IP access list impulse_block
    10 deny udp any any eq domain (9 matches)
    20 deny udp any any eq bootpc
    30 permit ip any host 198.31.193.211 (56 matches)
    40 permit ip host 1.1.1.1 any
    50 permit ip host 139.67.95.53 any (108 matches)
    60 permit ip host 139.67.83.206 any
    70 permit ip host 139.67.95.73 any (146 matches)

Vlan interface applied to

interface Vlan92
description STP Primary Root Switch and HSRP Primary for VLAN LUMP_WLHS_092 in Lumpkin Distribution
ip address x.x.x.x x.x.x.x

ip helper-address x.x.x.x
ip helper-address x.x.x.x
ip route-cache flow
ip policy route-map impulse
standby 1 ip x.x.x.x
standby 1 priority 105
standby 1 preempt delay minimum 180
standby 1 track TenGigabitEthernet9/1 10
standby 1 track TenGigabitEthernet9/2 10
standby 1 track TenGigabitEthernet9/3 10

kwanm63my · ‎08-06-2010

you didn't mention it but but you verify that 139.67.61.228 is in existence and in your routing table ?

Randy Ethridge · ‎08-06-2010

Yes, 139.67.61.228 is currently is use by the other 6513 and the network is in the route table.

kwanm63my · ‎08-06-2010

show route-map xxxx shows matches ? you may have to run a debug ip policy to perhaps get some clues...

Randy Ethridge · ‎08-06-2010

Thanks for the reply, I will try debug on off hours as not to effect our users.

Sebastian Helmer · ‎08-06-2010

Maybe this helps ?

Not sure if that matches, just for your information..

Enabling Local PBR

Packets that are generated by the router are not normally policy-routed. To enable local PBR for such packets, indicate which route map the router should use by using the following command in global configuration mode:


Command	Purpose
Router(config)# ip local policy route-map map-tag	Identifies the route map to use for local PBR.

All packets originating on the router will then be subject to local PBR.

Use the show ip local policy command to display the route map used for local PBR, if one exists.

Jon Marshall · ‎08-06-2010

Randy

route-map

impulse permit 10
match ip address intranet
!
route-map impulse permit 20
match ip address impulse_block
set ip next-hop 139.67.61.228

What is the permit 10 statement meant to be doing ? ie. there is no set clause. You only need to match traffic you want to policy route so there is no need for the permit 10 statement unless you missed out a set statement. Can you remove and retest.

Jon

Randy Ethridge · ‎08-06-2010

Thanks for your reply. The permit 10 allows servers that we want accessed before

authentication. Removing it changed nothing.

Jon Marshall · ‎08-06-2010

Randy

Okay. You have blanked out the addressing on vlan 92 so it's a bit hard to tell the addressing.

1) Is the source address definitely in vlan 92

2) you are running HSRP on this 6500. Is this definitely the active vlan interface at the moment and if not have you applied the route-map to vlan 92 on the other 6500.

Jon

Randy Ethridge · ‎08-06-2010

Yes, source address is vlan 92 and this vlan is active and the policy statement is on the hsrp standby interface also.

Jon Marshall · ‎08-06-2010

Sorry for all the questions -

is the next-hop IP only one hop away from this 6500 ?

Jon

Randy Ethridge · ‎08-06-2010

No need for sorry, appreciate the help. Its directly attached through vlan61.

Jon Marshall · ‎08-06-2010

Looks like debugging is needed then.

Just to clarify, when you said source address is vlan 92 you meant a client in vlan 92 and not the vlan 92 SVI ip address itself ?

Jon

Randy Ethridge · ‎08-06-2010

correct. Source is a laptop on the 92 vlan.

Jon Marshall · ‎08-06-2010

Can you check that the next-hop IP has been resolved correctly in the arp table ?

Jon