Possibility to use both Time Range ACL and PBR.

mhiyoshi · ‎02-04-2014

Hello

I would like to find out the attached requirement.

If there is any related information we greatly appreciate it.

Actually I have already configure on Cisco1812J by using the following command.

however the ACL status still shows "inactive" and the PBR does not function.

--------------------------------------------------------------------------------------------

*Configuration on R1

time-range PBR-TIME

periodic weekdays 15:40 to 15:41

!

ip access-list extended PBR-TIME

permit ip host 10.0.30.11 host 1.1.1.1 time-range PBR-TIME

!

route-map PBR-TIME permit 10

match ip address PBR-TIME

set ip next-hop 10.0.20.3

!

interface Vlan1

ip address 10.0.30.1 255.255.255.0

ip policy route-map PBR-TIME

--------------------------------------------------------------------------------------------

*Verification

R1#sh ip access-lists

Extended IP access list PBR-TIME

10 permit ip host 10.0.30.11 host 1.1.1.1 time-range PBR-TIME (inactive)

!

R1#sh route-map

route-map PBR-TIME, permit, sequence 10

Match clauses:

ip address (access-lists): PBR-TIME

Set clauses:

ip next-hop 10.0.20.3

Policy routing matches: 0 packets, 0 bytes

--------------------------------------------------------------------------------------------

*Traceroute from SW1

SW1#traceroute 1.1.1.1

Type escape sequence to abort.

Tracing the route to 1.1.1.1

VRF info: (vrf in name/id, vrf out name/id)

1 10.0.30.1 0 msec 0 msec 9 msec

2 10.0.10.2 0 msec 0 msec 17 msec

3 10.0.11.254 0 msec * 0 msec

--------------------------------------------------------------------------------------------

Pierluigi Torriani · ‎02-05-2014

Hi,

in my opinion the config you posted is correct. Try to remove and re-apply on vlan1

ip policy route-map PBR-TIME, but if in this case will work is not correct, because the PBR doesn't need to remove and re-apply.

The second thing is to try to do a clear arp because the time-range is very short...

Third, check the time on switch with sh clock or sh ntp association to check if clock is synchronized or correct. But i think that you already checked.

Bye

cadet alain · ‎02-05-2014

Hi,

Inactive means that you are not in the correct time-range so verify your clock and set it to correct time then it will go active and the PBR will be working.

Regards

Alain

Don't forget to rate helpful posts.

mhiyoshi · ‎02-05-2014

Oh that is incredible!!

It has been functioning correctly like this.

Thank you for quick and precious advise.

Regards,

Masanobu Hiyoshi

------------------------------------------------------------------------------------------

R1#sh ip access-lists
Extended IP access list PBR-TIME
10 permit ip host 10.0.30.11 host 1.1.1.1 time-range PBR-TIME (active) (45 matches)
(omit)
R1#sh ip access-lists
Extended IP access list PBR-TIME
10 permit ip host 10.0.30.11 host 1.1.1.1 time-range PBR-TIME (inactive) (45 matches)
R1#

-------------------------------------------------------------

SW1#traceroute 1.1.1.1
Type escape sequence to abort.
Tracing the route to 1.1.1.1
VRF info: (vrf in name/id, vrf out name/id)
1 10.0.30.1 0 msec 0 msec 0 msec
2 10.0.20.3 0 msec 0 msec 9 msec
3 10.0.21.254 0 msec * 0 msec

SW1#traceroute 1.1.1.1
Type escape sequence to abort.
Tracing the route to 1.1.1.1
VRF info: (vrf in name/id, vrf out name/id)
1 10.0.30.1 0 msec 9 msec 0 msec
2 10.0.10.2 0 msec 0 msec 8 msec
3 10.0.11.254 0 msec * 0 msec