This topic is to discuss the following lesson:
I tried to do the above lab; however been getting policy-rejected error.Below is the output
R1#ping 22.214.171.124 re 1 Type escape sequence to abort. Sending 1, 100-byte ICMP Echos to 126.96.36.199, timeout is 2 seconds: ! Success rate is 100 percent (1/1), round-trip min/avg/max = 36/36/36 ms R1# *Mar 1 08:33:13.437: IP: s=192.168.12.1 (local), d=188.8.131.52, len 100, policy match *Mar 1 08:33:13.441: IP: route map PBR, item 10, permit *Mar 1 08:33:13.441: IP: s=192.168.12.1 (local), d=184.108.40.206, len 100, policy rejected -- normal forwarding R1#sh route-map route-map PBR, permit, sequence 10 Match clauses: ip address (access-lists): PBR Set clauses: ip next-hop 192.168.13.3 Policy routing matches: 5 packets, 500 bytes R1#sh ip acces R1#sh ip access-lists Extended IP access list PBR 10 permit ip any 220.127.116.11 0.0.0.255 (1 match) R1#
Your configuration looks ok, the strange thing is that the first packet matches but the second one doesn’t? What hardware are you using for this?
Here’s an example when I configure and debug it:
P: s=192.168.12.1 (FastEthernet0/0), d=18.104.22.168, len 100, FIB policy match IP: s=192.168.12.1 (FastEthernet0/0), d=22.214.171.124, len 100, PBR Counted IP: s=192.168.12.1 (FastEthernet0/0), d=126.96.36.199, len 100, policy match IP: route map PBR, item 10, permit IP: s=192.168.12.1 (FastEthernet0/0), d=188.8.131.52 (FastEthernet0/1), len 100, policy routed IP: FastEthernet0/0 to FastEthernet0/1 192.168.23.100 IP: s=192.168.12.1 (FastEthernet0/0), d=184.108.40.206, len 100, FIB policy match IP: s=192.168.12.1 (FastEthernet0/0), d=220.127.116.11, len 100, PBR Counted IP: s=192.168.12.1 (FastEthernet0/0), d=18.104.22.168, len 100, policy match IP: route map PBR, item 10, permit IP: s=192.168.12.1 (FastEthernet0/0), d=22.214.171.124 (FastEthernet0/1), len 100, policy routed
All packets are matched & policy routed.
Hi Rene - I’ am on C2691-adventerprisek9-mz.124-25c let me know if you suggest for any other IOS.
Hmm that is one of the latest IOS images for that platform I think. You might want to try it on a 3725 in GNS3, that works for sure.
I have a question and it’s not in any of the subjects, maybe you can answer it.
I have a router with 2 interfaces:
G0/1–> ip address 172.16.254.6/30, G0/2–> 172.16.254.2/30, running OSPF. G0/1 Connects to my MASTER firewall with ip add 172.16.254.1/30 and G0/2 connects to my SECONDARY firewall with ip address 172.16.254.1, the firewalls are configure HA. If I try to configure G0/2 with an ip add of 172.16.254.3 it gives me an error. How can I make this scenario work with the 2 interfaces and the firewalls? or Do I need to get a switch module with 2 interfaces and configure a vlan?
The interfaces on a router are “routed ports”, each interface requires an IP address in a unique subnet. 172.16.254.3/30 is in the same subnet as your first interface and it’s also a broadcast address. You’ll have to use a larger subnet, /30 only offers you two IP addresses. A /29 would work.
Somehow you need to add the interfaces of the two firewalls and the router in a single broadcast domain. You can’t turn the routed ports into switchports so a switch module is not a bad idea…or create a VLAN on a switch and connect the firewall + router interfaces to it.
Technically you might be able to bridge the two router interfaces and use a BVI interface but that’s not something I would recommend:
bridge irb brige 1 protocol ieee int gi0/1 bridge-group 1 int gi0/2 bridge-group 1 interface bvi 1 ip address 172.16.254.1 255.255.255.248
This bridges the two gigabit interfaces together, the BVI interface is the “routed” port.
Hope this helps…
thank you for this Rene! i just duplicate your topology and the command
“ip local policy route-map PBR” and under the interface “ip policy route-map PBR” i knew the difference of this one and it’s clear now!
i tried the ip local policy and found out that on the debug that the source address is the gateway of the 2 computers behind router Nancy, so based on access list, it doesnt match, and the next hop command didnt work (unless i match the access-list on the gateway).
Then i tried the ip policy route-map (under the interface), and on the debug, the source address shows the ip of the computer/phone. so it matches the access list if its the phone.
thanks for this! its all clear to me now!
Good to hear it was useful
I did the Policy Base Routing before, it will occupied a lot of CPU resource whenever there’s a lot of traffic load or a lot of traffic matches in the access-list. Any way to tune the minimise the CPU load for this?
PBR is good to route specific source IP to destination, but if lets say the router between Nancy and Anna is not directly connected link (like Metro-E), then it could be issue as the next hop always available as the directly connected interface show up, so in this case i suggest to use IP SLA to track the next hop.
CEF supports PBR since IOS 12.x so it should not increase your CPU load. Did you set an interface as the next hop or an IP address? That could make a difference.
Okie. I think the PBR i did in the CAT4506 core switches and set the next Hop IP address.
This might be a good read for you:
It depends on the supervisor if can use CEF for PBR.
Ok. Thanks Rene.
Please help to verify my configuration, it seem like round robin. I combine with route-on-stick.
interface GigabitEthernet1/0.1 encapsulation dot1Q 10 ip address 192.168.1.1 255.255.255.0 ip policy route-map T1 ! interface GigabitEthernet1/0.2 encapsulation dot1Q 20 ip address 192.168.2.1 255.255.255.0 ip policy route-map T1 ! interface GigabitEthernet2/0 ip address 10.10.10.2 255.255.255.0 negotiation auto ! interface GigabitEthernet3/0 ip address 126.96.36.199 255.255.255.0 negotiation auto ! interface GigabitEthernet4/0 no ip address shutdown negotiation auto ! ip classless ip route 0.0.0.0 0.0.0.0 GigabitEthernet2/0 ip route 0.0.0.0 0.0.0.0 GigabitEthernet3/0 5 no ip http server ! ! ! access-list 110 deny ip any 192.168.2.0 0.0.0.255 log access-list 110 permit ip 192.168.1.0 0.0.0.255 any log access-list 120 deny ip any 192.168.1.0 0.0.0.255 log access-list 120 permit ip 192.168.2.0 0.0.0.255 any log no cdp log mismatch duplex ! route-map T1 permit 10 match ip address 110 set ip next-hop 10.10.10.1 ! route-map T1 permit 20 match ip address 120 set ip next-hop 188.8.131.52
What exactly would you like to know about this config?
I found the solution already. I think maybe bug on my IOS. When I disable IP CEF. It work. When I change IOS to other one, and also Enable IP CEF. It works too.
For activating PBR using method 2, we it is enable on the Fa 0/0? Since this is the next hop for 184.108.40.206 from the routing table?
Can we enable policy based routing using the two methods on the same router? Will this work for both types of traffic?
Yes that is no problem.