Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1740
Views
0
Helpful
5
Replies

Route-map in PBR not working

networker99
Level 1
Level 1

‎04-09-2010 12:50 PM - edited ‎03-06-2019 10:33 AM

I am trying to route all traffic from a PC to an alternative

firewall for all internet traffic but the policy does not appear to be working

The PC sits in VLAN 100 and has an IP address of 1.1.1.1

Both internet firewalls sit in VLAN 200, the primary is 2.2.2.1 and the secondary is 2.2.2.2.

The GLR on the switch points to 2.2.2.1 but all internet traffic from the PC (traffic entering VLAN 100) should be sent to the secondary device (2.2.2.2)

I have created an access list to define the traffic, created the route map and applied it

access-list 30 permit 1.1.1.1

ip route-map REROUTE permit 10

#match ip address 30

#set ip next-hop  2.2.2.2

interface vlan 1000

(config-if)# ip policy route-map REROUTE

What am I missing>???

Labels:
0 Helpful
5 Replies 5

Federico Coto Fajardo
VIP Alumni
VIP Alumni

‎04-09-2010 12:59 PM

Hi,

Is the machine being routed to 2.2.2.1?

It wasa typo that you enter the policy route-map on interface vlan 1000?

Can you get to 2.2.2.2 from VLAN 100? Does the Firewall on 2.2.2.2 has a route knowing how to return your traffic?

Federico.

0 Helpful

networker99
Level 1
Level 1
In response to Federico Coto Fajardo

‎04-09-2010 01:07 PM

1. The machine is being routed to the GLR (2.2.2.1) but the route-map should redirect to 2.2.2.2

2. Yes, 1000 was a typo

3. Yes, traffic can route between VLANs

0 Helpful

Federico Coto Fajardo
VIP Alumni
VIP Alumni
In response to networker99

‎04-09-2010 01:14 PM

When you have the configuration in place for the route-map and you send traffic from 1.1.1.1 to the secondary Firewall,

you said is being routed to the primary Firewall. The route-map is not taking effect.

There are no access-lists denying the communcation between the PC and the secondary Firewall?

Federico.

0 Helpful

networker99
Level 1
Level 1
In response to Federico Coto Fajardo

‎04-09-2010 01:21 PM

there are no access-lists denying access.. the traffic is being sent to the GLR with all the other traffic instead of being re-routed.

0 Helpful

Federico Coto Fajardo
VIP Alumni
VIP Alumni
In response to networker99

‎04-09-2010 01:35 PM

Just for testing purposes, if you create a static route to the second firewall does it work?

For example,

ip route network_behind_second_firewall mask 2.2.2.2

This will route all traffic to 2.2.2.2 (not only from 1.1.1.1) that's why I say that is a test just to see if the problem is only the route-map.

If it works,

does the route-map shows as active?

sh route-map all

Federico.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card