RE: SVI PBR

From: Victor Cappuccio (cvictor@protokolgroup.com)
Date: Tue Aug 29 2006 - 22:50:30 ART


Hi Tim

I do not see any problem at all. Can you be more specific about your topology
and what you are trying to accomplish?

Thanks
Victor

Sw2#show sdm prefer
 The current template is the default extended-match template.
 The selected template optimizes the resources in
 the switch to support this level of features for
 8 routed interfaces and 1K VLANs.

 number of unicast mac addresses: 5K
 number of igmp groups: 1K
 number of qos aces: 1K
 number of security aces: 1K
 number of unicast routes: 4K
 number of multicast routes: 1K
 
Sw2#show run int vlan 31
Building configuration...

Current configuration : 85 bytes
!
interface Vlan31
 ip address 150.1.28.8 255.255.255.0
 ip policy route-map PO
end

Sw2#show route-map PO
route-map PO, permit, sequence 10
  Match clauses:
    ip address (access-lists): tu
  Set clauses:
    ip next-hop 6.6.6.3
Nexthop tracking current: 6.6.6.3
6.6.6.3, fib_nh:1AEC290,oce:1A35700,status:1

  Policy routing matches: 21 packets, 1806 bytes
Sw2#
Sw2#show access-list tu
Extended IP access list tu
    10 permit ip host 150.1.28.30 host 150.1.3.3 (21 matches)

I have this topology

            ----------------Tu--------------
Host ----- Sw2 -------- R1 ----- R2 ------ R3

If I do a trace to Router3 Lo0 in the network,
at the host I receive this:

[root@xunil ~]# traceroute 3.3.3.3
traceroute to 3.3.3.3 (3.3.3.3), 30 hops max, 40 byte packets
 1 150.1.28.8 (150.1.28.8) 5.684 ms 3.304 ms 1.151 ms
 2 6.6.6.3 (6.6.6.3) 109.947 ms * *

At the Switch I have this output from the Debug.

 --More-- p PO, item 10, permit
00:08:10: IP: s=150.1.28.30 (Vlan31), d=150.1.3.3 (Tunnel0), len 68, policy
routed
00:08:10: IP: Vlan31 to Tunnel0 6.6.6.3
00:08:10: IP: s=150.1.28.30 (Vlan31), d=150.1.3.3, len 68, policy match
00:08:10: IP: route map PO, item 10, permit
00:08:10: IP: s=150.1.28.30 (Vlan31), d=150.1.3.3 (Tunnel0), len 68, policy
routed
00:08:10: IP: Vlan31 to Tunnel0 6.6.6.3
00:08:10: IP: s=150.1.28.30 (Vlan31), d=150.1.3.3, len 68, policy match
00:08:10: IP: route map PO, item 10, permit
00:08:10: IP: Vlan31 to Tunnel0 6.6.6.3
00:08:10: IP: s=150.1.28.30 (Vlan31), d=150.1.3.3, len 68, policy match
00:08:10: IP: route map PO, item 10, permit
00:08:10: IP: s=150.1.28.30 (Vlan31), d=150.1.3.3 (Tunnel0), len 68, policy
routed
00:08:10: IP: Vlan31 to Tunnel0 6.6.6.3

If I do a traceroute to R2 Lo0:

At the Sw2#
00:19:05: IP: s=150.1.28.30 (Vlan31), d=3.3.2.2, len 68, policy rejected --
normal forwarding
00:19:05: IP: s=150.1.28.30 (Vlan31), d=3.3.2.2, len 68, policy rejected --
normal forwarding
00:19:05: IP: s=150.1.28.30 (Vlan31), d=3.3.2.2, len 68, policy rejected --
normal forwarding

At the host
[root@xunil ~]# traceroute 150.1.2.2
traceroute to 150.1.2.2 (150.1.2.2), 30 hops max, 40 byte packets
 1 150.1.28.8 (150.1.28.8) 2.466 ms 1.619 ms 0.730 ms
 2 150.1.81.1 (150.1.81.1) 1.287 ms 0.993 ms 1.132 ms
 3 150.1.12.2 (150.1.12.2) 38.377 ms * *

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Venkatesh Venkatesh
Sent: Tuesday, 29 August 2006 09:20 p.m.
To: Tim Gregory
CC: Sean C.; ccielab@groupstudy.com
Subject: Re: SVI PBR

Hi Tim,
Try specific source and destination IP addresses rather than any or
any/any. If you wish, send us the full config.

- Venkatesh

On 8/30/06, Tim Gregory <tgregory@lincoln.ac.uk> wrote:
>
> tried any any
>
> honestly, I can't work it out....
>
> the only thing which gets policy routed is broadcast traffic.... I can't
> work it out..
>
>
>
> ________________________________
>
> From: Sean C. [mailto:Upp_and_Upp@hotmail.com]
> Sent: Wed 30/08/2006 01:24
> To: Tim Gregory; ccielab@groupstudy.com
> Subject: Re: SVI PBR
>
>
>
> Hi Tim,
>
> For grins, change the ACLs to:
> ip access-list extended route2blue
> permit icmp any any
> permit ip any any
>
> and see if they get PBR'd. If 'any any' doesn't work, something strange
> going on....
>
> HTH,
> Sean
> ----- Original Message -----
> From: "Tim Gregory" <tgregory@lincoln.ac.uk>
> To: <ccielab@groupstudy.com>
> Sent: Tuesday, August 29, 2006 1:51 PM
> Subject: RE: SVI PBR
>
>
> For some reason, the only traffic which gets policy routed is broadcast
> traffic originating from the matched subnet... Everything else is routed
> normally.. Very confused..
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Tim Gregory
> Sent: 29 August 2006 15:57
> To: ccielab@groupstudy.com
> Subject: SVI PBR
>
> Hi Guys..
>
> When you configure PBR on an SVI, does it behave normally?
>
> Basically I've got a scenario where I need to take some traffic coming
> from a particular subnet and force it down a gre tunnel, so I've
> configured the interface like this..
>
> interface Vlan24
> ip address 10.1.24.129 255.255.255.128
> ip helper-address 194.80.56.107
> ip route-cache policy
> ip policy route-map force-tunnel
>
> route-map force-tunnel permit 10
> match ip address route2blue
> set ip next-hop 10.254.253.1
>
> ip access-list extended route2blue
> permit icmp 10.1.24.128 0.0.0.127 any
> permit ip 10.1.24.128 0.0.0.127 any
>
>
>
>
> But traffic still follows the normal IP routing table path, I can't for
> the life of me figure out why it's not being routed down the next hop of
> 10.254.253.1.... I'm sure it's something very basic :[
>
> Thanks...
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

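To confirm from a capture which flows actually took the policy route and which fell back to the routing table, the `debug ip policy` output quoted in the reply above can be summarized per flow. This is an added example, not part of the thread; the sample is excerpted from that quoted output, and the function names are assumptions made here.

```python
import re
from collections import Counter

# Excerpt of the `debug ip policy` output quoted in the reply above,
# including the e-mail line wraps and the pager residue line.
SAMPLE = """\
 --More-- p PO, item 10, permit
00:08:10: IP: s=150.1.28.30 (Vlan31), d=150.1.3.3 (Tunnel0), len 68, policy
routed
00:08:10: IP: Vlan31 to Tunnel0 6.6.6.3
00:08:10: IP: s=150.1.28.30 (Vlan31), d=150.1.3.3, len 68, policy match
00:08:10: IP: route map PO, item 10, permit
00:19:05: IP: s=150.1.28.30 (Vlan31), d=3.3.2.2, len 68, policy rejected --
normal forwarding
00:19:05: IP: s=150.1.28.30 (Vlan31), d=3.3.2.2, len 68, policy rejected --
normal forwarding
"""

STAMP = re.compile(r"^\d\d:\d\d:\d\d: IP: ")
FLOW = re.compile(
    r"s=(?P<src>[\d.]+) \((?P<inif>[^)]+)\), d=(?P<dst>[\d.]+)"
    r"(?: \((?P<outif>[^)]+)\))?, len \d+, "
    r"policy (?P<verdict>routed|rejected|match)"
)

def unwrap(text):
    """Rejoin records split by the mail client: a line without a timestamp
    continues the previous record; pager residue before the first record
    is dropped."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line):
            records.append(line.strip())
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records

def summarize(text):
    """Count final PBR verdicts per (source, destination, verdict)."""
    verdicts = Counter()
    for rec in unwrap(text):
        m = FLOW.search(rec)
        # 'policy match' is an intermediate step, not a final verdict.
        if m and m["verdict"] != "match":
            verdicts[(m["src"], m["dst"], m["verdict"])] += 1
    return verdicts

def bypassing_flows(text):
    """Flows seen on the policy interface that fell back to normal forwarding."""
    return sorted({(s, d) for (s, d, v) in summarize(text) if v == "rejected"})
```
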

