How to configure Policy Based Routing

(Rene Molenaar) #1

This topic is to discuss the following lesson:

(Pramod G) #2

Hi Rene,

I tried to do the above lab; however been getting policy-rejected error.Below is the output

R1#ping 4.4.4.4 re 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 36/36/36 ms
R1#
*Mar  1 08:33:13.437: IP: s=192.168.12.1 (local), d=4.4.4.4, len 100, policy match
*Mar  1 08:33:13.441: IP: route map PBR, item 10, permit
*Mar  1 08:33:13.441: IP: s=192.168.12.1 (local), d=4.4.4.4, len 100, policy rejected -- normal forwarding
R1#sh route-map
route-map PBR, permit, sequence 10
  Match clauses:
    ip address (access-lists): PBR
  Set clauses:
    ip next-hop 192.168.13.3
  Policy routing matches: 5 packets, 500 bytes
R1#sh ip acces
R1#sh ip access-lists
Extended IP access list PBR
    10 permit ip any 4.4.4.0 0.0.0.255 (1 match)
R1#
(Rene Molenaar) #3

Hi Pramod,

Your configuration looks ok, the strange thing is that the first packet matches but the second one doesn’t? What hardware are you using for this?

Here’s an example when I configure and debug it:

P: s=192.168.12.1 (FastEthernet0/0), d=4.4.4.4, len 100, FIB policy match
IP: s=192.168.12.1 (FastEthernet0/0), d=4.4.4.4, len 100, PBR Counted
IP: s=192.168.12.1 (FastEthernet0/0), d=4.4.4.4, len 100, policy match
IP: route map PBR, item 10, permit
IP: s=192.168.12.1 (FastEthernet0/0), d=4.4.4.4 (FastEthernet0/1), len 100, policy routed
IP: FastEthernet0/0 to FastEthernet0/1 192.168.23.100
IP: s=192.168.12.1 (FastEthernet0/0), d=4.4.4.4, len 100, FIB policy match
IP: s=192.168.12.1 (FastEthernet0/0), d=4.4.4.4, len 100, PBR Counted
IP: s=192.168.12.1 (FastEthernet0/0), d=4.4.4.4, len 100, policy match
IP: route map PBR, item 10, permit
IP: s=192.168.12.1 (FastEthernet0/0), d=4.4.4.4 (FastEthernet0/1), len 100, policy routed

All packets are matched & policy routed.

Rene

(Pramod G) #4

Hi Rene - I’ am on C2691-adventerprisek9-mz.124-25c let me know if you suggest for any other IOS.

(Rene Molenaar) #5

Hmm that is one of the latest IOS images for that platform I think. You might want to try it on a 3725 in GNS3, that works for sure.

(ALFREDO V) #6

Hi Rene,

I have a question and it’s not in any of the subjects, maybe you can answer it.
I have a router with 2 interfaces:
G0/1–> ip address 172.16.254.6/30, G0/2–> 172.16.254.2/30, running OSPF. G0/1 Connects to my MASTER firewall with ip add 172.16.254.1/30 and G0/2 connects to my SECONDARY firewall with ip address 172.16.254.1, the firewalls are configure HA. If I try to configure G0/2 with an ip add of 172.16.254.3 it gives me an error. How can I make this scenario work with the 2 interfaces and the firewalls? or Do I need to get a switch module with 2 interfaces and configure a vlan?
Please advise

(Rene Molenaar) #7

Hi Alfredo,

The interfaces on a router are “routed ports”, each interface requires an IP address in a unique subnet. 172.16.254.3/30 is in the same subnet as your first interface and it’s also a broadcast address. You’ll have to use a larger subnet, /30 only offers you two IP addresses. A /29 would work.

Somehow you need to add the interfaces of the two firewalls and the router in a single broadcast domain. You can’t turn the routed ports into switchports so a switch module is not a bad idea…or create a VLAN on a switch and connect the firewall + router interfaces to it.

Technically you might be able to bridge the two router interfaces and use a BVI interface but that’s not something I would recommend:

bridge irb
brige 1 protocol ieee
int gi0/1
bridge-group 1

int gi0/2
bridge-group 1

interface bvi 1
ip address 172.16.254.1 255.255.255.248

This bridges the two gigabit interfaces together, the BVI interface is the “routed” port.

Hope this helps…

Rene

(Frades) #8

thank you for this Rene! i just duplicate your topology and the command
“ip local policy route-map PBR” and under the interface “ip policy route-map PBR” i knew the difference of this one and it’s clear now!

i tried the ip local policy and found out that on the debug that the source address is the gateway of the 2 computers behind router Nancy, so based on access list, it doesnt match, and the next hop command didnt work (unless i match the access-list on the gateway).

Then i tried the ip policy route-map (under the interface), and on the debug, the source address shows the ip of the computer/phone. so it matches the access list if its the phone.

thanks for this! its all clear to me now!

(Rene Molenaar) #9

Good to hear it was useful :slight_smile:

(Davis W) #10

Hi Rene,

I did the Policy Base Routing before, it will occupied a lot of CPU resource whenever there’s a lot of traffic load or a lot of traffic matches in the access-list. Any way to tune the minimise the CPU load for this?

PBR is good to route specific source IP to destination, but if lets say the router between Nancy and Anna is not directly connected link (like Metro-E), then it could be issue as the next hop always available as the directly connected interface show up, so in this case i suggest to use IP SLA to track the next hop. :slight_smile:

Davis

(Rene Molenaar) #11

Hi Davis,

CEF supports PBR since IOS 12.x so it should not increase your CPU load. Did you set an interface as the next hop or an IP address? That could make a difference.

Rene

(Davis W) #12

Hi Rene,

Okie. I think the PBR i did in the CAT4506 core switches and set the next Hop IP address.

Davis

(Rene Molenaar) #13

Hi Davis,

This might be a good read for you:

Cisco Catalyst 4500 PBR

It depends on the supervisor if can use CEF for PBR.

Rene

(Davis W) #14

Ok. Thanks Rene.

Davis

(Chheang C) #15

Hi Rene,

Please help to verify my configuration, it seem like round robin. I combine with route-on-stick.

interface GigabitEthernet1/0.1
 encapsulation dot1Q 10
 ip address 192.168.1.1 255.255.255.0
 ip policy route-map T1
!
interface GigabitEthernet1/0.2
 encapsulation dot1Q 20
 ip address 192.168.2.1 255.255.255.0
 ip policy route-map T1
!
interface GigabitEthernet2/0
 ip address 10.10.10.2 255.255.255.0
 negotiation auto
!
interface GigabitEthernet3/0
 ip address 11.10.10.2 255.255.255.0
 negotiation auto
!
interface GigabitEthernet4/0
 no ip address
 shutdown
 negotiation auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 GigabitEthernet2/0
ip route 0.0.0.0 0.0.0.0 GigabitEthernet3/0 5
no ip http server
!
!
!
access-list 110 deny   ip any 192.168.2.0 0.0.0.255 log
access-list 110 permit ip 192.168.1.0 0.0.0.255 any log
access-list 120 deny   ip any 192.168.1.0 0.0.0.255 log
access-list 120 permit ip 192.168.2.0 0.0.0.255 any log
no cdp log mismatch duplex
!
route-map T1 permit 10
 match ip address 110
 set ip next-hop 10.10.10.1
!
route-map T1 permit 20
 match ip address 120
 set ip next-hop 11.10.10.1
(Rene Molenaar) #16

Hi Chheang,

What exactly would you like to know about this config?

Rene

1 Like
(Chheang C) #17

Hi Rane,

I found the solution already. I think maybe bug on my IOS. When I disable IP CEF. It work. When I change IOS to other one, and also Enable IP CEF. It works too.

(PALANIAPPAN M) #18

Hi Rene

For activating PBR using method 2, we it is enable on the Fa 0/0? Since this is the next hop for 4.4.4.0 from the routing table?

Thanks
Palani

(PALANIAPPAN M) #19

Hi Rene

Can we enable policy based routing using the two methods on the same router? Will this work for both types of traffic?

Thanks
Palani

(Rene Molenaar) #20

Hi Palani,

Yes that is no problem.

Rene