Ethernet Switches & Routers

New Contributor
Posts: 2
Registered: 10-16-2015

PBR Is not working on a CER 2048C when it knows the local route

I am having a problem with PBR on a CER 2048C.  The PBR is configured on a VLAN interface and is working great for traffic that has no entries in the routing table.  However, I have some GRE tunnels on the same router, and so static route entries to send traffic across the tunnels.  I want the PBR to override the routing table, but when traffic comes from the server I have connected, destined for the subnets routed across the GRE tunnels, it goes across the GRE tunnel instead of taking the IP next hop configured in the PBR.  The relevant configs are as follows.


ip route 10.100.0.0/16 10.51.0.5
ip route 10.106.96.0/20 10.50.0.2
ip route 10.106.112.0/20 10.50.0.17
ip route 172.21.0.0/16 10.51.0.5


interface ve 50
 port-name NMS01_PRIVATE
 ip address 192.168.1.5/30
 ip policy route-map NMS_MAP_OUT


route-map NMS_MAP_OUT permit 10
 match ip address NMS01-OUT
 set ip next-hop 192.168.200.2


ip access-list extended NMS01-OUT
 permit ip host 192.168.1.6 10.100.0.0 0.0.255.255
 permit ip host 192.168.1.6 10.106.32.0 0.0.15.255
 permit ip host 192.168.1.6 10.106.96.0 0.0.15.255
 permit ip host 192.168.1.6 10.106.112.0 0.0.15.255
 permit ip host 192.168.1.6 172.21.0.0 0.0.255.255
 permit ip host 192.168.1.6 any


The server has an IP of 192.168.1.6.  The 10.106.32.0/20 subnet is local to the router, and PBR is not working on that subnet either.  All other subnets that have no routing table entry are working perfectly.   PBR is supposed to override the routing table, but it does not seem to in this case.


Can anyone assist?   Has anyone else seen this problem before?


New Contributor
Posts: 2
Registered: 10-16-2015

Re: PBR Is not working on a CER 2048C when it knows the local route

I am not sure if I was clear in my first post so I am going to attempt to clarify.

I have a server that is connected to the CER 2048C using VLAN 50.  The server IP address is 192.168.1.6.  I want all traffic coming from the server to be directed into an ASA that is also connected to the same router.  The INSIDE interface of the ASA has an IP address of 192.168.200.2.   I used PBR to route the traffic into the ASA.  See the ACL, route-map, and interface config in the first post.  And the next-hop IP address is DC.

SSH@cr.pvd0008.ri#show ip route 192.168.200.2
Type Codes - B:BGP D:Connected I:ISIS O:OSPF R:RIP S:Static; Cost - Dist/Metric
BGP  Codes - i:iBGP e:eBGP
ISIS Codes - L1:Level-1 L2:Level-2
OSPF Codes - i:Inter Area 1:External Type 1 2:External Type 2 s:Sham Link
STATIC Codes - d:DHCPv6
        Destination        Gateway         Port          Cost          Type Uptime src-vrf
1       192.168.200.0/30   DIRECT          eth 1/37      0/0           D    34d8h  -



This works perfectly for subnets that have no entry in the routing table, but does not work for the subnets that I have routed through GRE tunnels also configured on the same router.


SSH@cr.pvd0008.ri#show interface tunnel 1
Tunnel1 is up, line protocol is up
  Hardware is Tunnel
  Tunnel source  **filtered**.**filtered**.**filtered**.**filtered**
  Tunnel destination is **filtered**.**filtered**.**filtered**.**filtered**
  Tunnel mode gre ip
  Port name is PVD0008-TUN-PHL0001
  Internet address is: 10.50.0.1/30
  Tunnel TOS 0, Tunnel TTL 255, Tunnel MTU 1476 bytes
  Keepalive is Enabled : Interval 10, No.of Retries 3
  Total Keepalive Pkts Tx: 296935, Rx: 296957

SSH@cr.pvd0008.ri#show interface tunnel 3
Tunnel3 is up, line protocol is up
  Hardware is Tunnel
  Tunnel source  **filtered**.**filtered**.**filtered**.**filtered**
  Tunnel destination is **filtered**.**filtered**.**filtered**.**filtered**
  Tunnel mode gre ip
  Port name is TUNNEL-TO-BOS0011
  Internet address is: 10.50.0.18/30
  Tunnel TOS 0, Tunnel TTL 255, Tunnel MTU 1476 bytes
  Keepalive is Enabled : Interval 10, No.of Retries 3
  Total Keepalive Pkts Tx: 296933, Rx: 296886

The traffic from the server at 192.168.1.6 destined for the subnets routed through the GRE tunnels uses the GRE tunnels and ignores the PBR.

SSH@cr.pvd0008.ri#show ip route 10.106.96.0   
Type Codes - B:BGP D:Connected I:ISIS O:OSPF R:RIP S:Static; Cost - Dist/Metric
BGP  Codes - i:iBGP e:eBGP
ISIS Codes - L1:Level-1 L2:Level-2
OSPF Codes - i:Inter Area 1:External Type 1 2:External Type 2 s:Sham Link
STATIC Codes - d:DHCPv6
        Destination        Gateway         Port          Cost          Type Uptime src-vrf
1       10.106.96.0/20     10.50.0.2       gre_tnl 1     1/1           S    3h41m  -

SSH@cr.pvd0008.ri#show ip route 10.106.112.0
Type Codes - B:BGP D:Connected I:ISIS O:OSPF R:RIP S:Static; Cost - Dist/Metric
BGP  Codes - i:iBGP e:eBGP
ISIS Codes - L1:Level-1 L2:Level-2
OSPF Codes - i:Inter Area 1:External Type 1 2:External Type 2 s:Sham Link
STATIC Codes - d:DHCPv6
        Destination        Gateway         Port          Cost          Type Uptime src-vrf
1       10.106.112.0/20    10.50.0.17      gre_tnl 3     1/1           S    16d15h -
SSH@cr.pvd0008.ri#show ip route 10.100.0.0  
Type Codes - B:BGP D:Connected I:ISIS O:OSPF R:RIP S:Static; Cost - Dist/Metric
BGP  Codes - i:iBGP e:eBGP
ISIS Codes - L1:Level-1 L2:Level-2
OSPF Codes - i:Inter Area 1:External Type 1 2:External Type 2 s:Sham Link
STATIC Codes - d:DHCPv6
        Destination        Gateway         Port          Cost          Type Uptime src-vrf
1       10.100.0.0/16      10.51.0.5       gre_tnl 11    1/1           S    2d0h   -
SSH@cr.pvd0008.ri#show ip route 172.21.0.0
Type Codes - B:BGP D:Connected I:ISIS O:OSPF R:RIP S:Static; Cost - Dist/Metric
BGP  Codes - i:iBGP e:eBGP
ISIS Codes - L1:Level-1 L2:Level-2
OSPF Codes - i:Inter Area 1:External Type 1 2:External Type 2 s:Sham Link
STATIC Codes - d:DHCPv6
        Destination        Gateway         Port          Cost          Type Uptime src-vrf
1       172.21.0.0/16      10.51.0.5       gre_tnl 11    1/1           S    2d0h   -

Any feedback or input into why this is happening would be appreciated.

Thanks.

Brocade Moderator
Posts: 27
Registered: 07-18-2016

Re: PBR Is not working on a CER 2048C when it knows the local route

Hi,


Please see the below considerations with deploying policy based routing. Look at the last entry.


  • PBR is supported in the full Layer 3 code only.
  • PBR is not supported together with Ingress ACLs on the same port.
  • Global PBR is not supported when IP Follow is configured on an interface.
  • Global PBR is not supported with per-port-per-VLAN ACLs.
  • A PBR policy on an interface takes precedence over a global PBR policy.
  • You cannot apply PBR on a port if that port already has ingress ACLs, ACL-based rate limiting, DSCP-based QoS, MAC address filtering.
  • The number of route maps that you can define is limited by the available system memory, which is determined by the system configuration and how much memory other features use. When a route map is used in a PBR policy, the PBR policy uses up to six instances of a route map, up to five ACLs in a matching policy of each route map instance, and up to six next hops in a set policy of each route map instance. Note that the CLI will allow you configure more than six next hops in a route map; however, the extra next hops will not be placed in the PBR database. The route map could be used by other features like BGP or OSPF, which may use more than six next hops.
  • ACLs with the log option configured should not be used for PBR purposes.
  • PBR ignores explicit or implicit deny ip any any ACL entries, to ensure that for route maps that use multiple ACLs, the traffic is compared to all the ACLs. PBR also ignores any deny clauses in an ACL. Traffic that matches a deny clause is routed normally using Layer 3 paths.
  • PBR always selects the first next hop from the next hop list that is up. If a PBR policy's next hop goes down, the policy uses another next hop if available. If no next hops are available, the device routes the traffic in the normal way.
  • PBR is not supported for fragmented packets. If the PBR ACL filters on Layer 4 information like TCP/UDP ports, fragmented packets are routed normally.
  • You can change route maps or ACL definitions dynamically and do not need to rebind the PBR policy to an interface.
  • PBR is supported only on the default VRF.
  • PBR is not supported on tunnel interfaces.


Thanks

Bill

Any and all information provided by me is for entertainment value and should not be relied upon as a guaranteed solution or warranty of merchantability. All systems and all networks are different and unique. If you have a concern about data loss, or network disconnection, please open a TAC service request for service through Brocade, or through your OEM equipment provider. If this provided you with a solution to this issue, Please mark it with the button at the bottom "Accept as solution".
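The point that matters for the original poster is a security one: the PBR policy is the only thing sending the server's traffic through the ASA, and the caveat list says that when no next hop is usable the device silently "routes the traffic in the normal way", i.e. straight across the GRE tunnels, bypassing the firewall. The script below is an added example written for this thread, not code from the poster or from Brocade. It models the decision order the moderator's list describes (permit entries select the packet, deny clauses are ignored, first next hop that is up wins, otherwise fall back to a longest-prefix lookup) and runs the posted ACL, route-map and static routes through it. Assumptions: the connected routes for 10.106.32.0/20, 192.168.200.0/30 and 192.168.1.4/30 are reconstructed from the interface addresses shown; whether the ASA hop is "up" is passed in as a set rather than probed; "DROP" stands in for a packet with no route. It predicts what the documented semantics say should happen, not what the CER actually did.

```python
"""Model of the PBR decision order from the caveat list, applied to the config in the thread.
Added illustration only: it reproduces the documented semantics, not the CER's forwarding code."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

IPv4Net = ipaddress.IPv4Network
IPv4Addr = ipaddress.IPv4Address

# Constructed copy of the routes visible in the thread: statics from the config,
# connected routes (DIRECT) inferred from the interface addresses that were shown.
ROUTES: List[Tuple[IPv4Net, str]] = [(IPv4Net(n), gw) for n, gw in [
    ("10.100.0.0/16", "10.51.0.5"),      # gre_tnl 11
    ("10.106.96.0/20", "10.50.0.2"),     # gre_tnl 1
    ("10.106.112.0/20", "10.50.0.17"),   # gre_tnl 3
    ("172.21.0.0/16", "10.51.0.5"),      # gre_tnl 11
    ("10.106.32.0/20", "DIRECT"),        # described as local to the router (assumed connected)
    ("192.168.200.0/30", "DIRECT"),      # eth 1/37, ASA inside interface
    ("192.168.1.4/30", "DIRECT"),        # ve 50, the server's VLAN
]]

# The posted ACL NMS01-OUT, verbatim, and the route-map's single next hop.
ACL_LINES = [
    "permit ip host 192.168.1.6 10.100.0.0 0.0.255.255",
    "permit ip host 192.168.1.6 10.106.32.0 0.0.15.255",
    "permit ip host 192.168.1.6 10.106.96.0 0.0.15.255",
    "permit ip host 192.168.1.6 10.106.112.0 0.0.15.255",
    "permit ip host 192.168.1.6 172.21.0.0 0.0.255.255",
    "permit ip host 192.168.1.6 any",
]
NEXT_HOPS = ["192.168.200.2"]   # set ip next-hop in route-map NMS_MAP_OUT


def wildcard_to_network(addr: str, wildcard: str) -> IPv4Net:
    """'10.106.96.0 0.0.15.255' -> 10.106.96.0/20; wildcard bits are the inverted mask bits."""
    wc = int(IPv4Addr(wildcard))
    if wc & (wc + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard} cannot be expressed as a prefix")
    return IPv4Net(f"{addr}/{32 - wc.bit_length()}", strict=False)


@dataclass(frozen=True)
class AclEntry:
    action: str
    src: IPv4Net
    dst: IPv4Net


def parse_acl_line(line: str) -> AclEntry:
    """Parse 'permit|deny ip <src> <dst>' where each side is 'host A', 'any' or 'A WILDCARD'."""
    toks = line.split()
    action, proto, rest = toks[0], toks[1], toks[2:]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported ACL line: {line!r}")
    nets: List[IPv4Net] = []
    while rest:
        if rest[0] == "host":
            nets.append(IPv4Net(rest[1] + "/32")); rest = rest[2:]
        elif rest[0] == "any":
            nets.append(IPv4Net("0.0.0.0/0")); rest = rest[1:]
        else:
            nets.append(wildcard_to_network(rest[0], rest[1])); rest = rest[2:]
    if len(nets) != 2:
        raise ValueError(f"expected a source and a destination in {line!r}")
    return AclEntry(action, nets[0], nets[1])


ACL = [parse_acl_line(l) for l in ACL_LINES]


def acl_selects(entries: List[AclEntry], src: IPv4Addr, dst: IPv4Addr) -> bool:
    """Caveat list: PBR ignores explicit and implicit deny clauses, so a packet is
    policy-routed only when some permit entry matches it."""
    return any(e.action == "permit" and src in e.src and dst in e.dst for e in entries)


def pbr_next_hop(entries, next_hops, up_hops: Set[str], src, dst) -> Optional[str]:
    """First configured next hop that is up; None means 'route normally'."""
    if not acl_selects(entries, src, dst):
        return None
    return next((nh for nh in next_hops if nh in up_hops), None)


def rib_lookup(routes, dst: IPv4Addr) -> Optional[Tuple[IPv4Net, str]]:
    """Longest-prefix match over the route table; returns (prefix, gateway) or None."""
    hits = [r for r in routes if dst in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None


def forward(src: str, dst: str, up_hops: Set[str]) -> Tuple[str, str]:
    """Gateway chosen for a packet entering ve 50, and why ('pbr' or 'rib <prefix>')."""
    s, d = IPv4Addr(src), IPv4Addr(dst)
    nh = pbr_next_hop(ACL, NEXT_HOPS, up_hops, s, d)
    if nh is not None:
        return nh, "pbr"
    hit = rib_lookup(ROUTES, d)
    return (hit[1], f"rib {hit[0]}") if hit else ("DROP", "no route")


def firewall_bypasses(src: str, dsts: List[str], up_hops: Set[str],
                      firewall_hop: str = "192.168.200.2") -> Dict[str, str]:
    """Destinations whose packets from src would NOT reach the firewall hop, with the
    gateway they would take instead. Non-empty result = traffic skipping the ASA."""
    return {d: gw for d in dsts for gw, _ in [forward(src, d, up_hops)] if gw != firewall_hop}


if __name__ == "__main__":
    samples = ["10.106.96.1", "10.106.112.1", "10.100.1.1", "172.21.5.5", "10.106.32.7", "8.8.8.8"]
    print("ASA next hop up:  ", firewall_bypasses("192.168.1.6", samples, {"192.168.200.2"}))
    print("ASA next hop down:", firewall_bypasses("192.168.1.6", samples, set()))
```

Under the documented semantics every sampled destination is policy-routed to 192.168.200.2 while that hop is up, including the ones behind the GRE tunnels, so the behaviour reported in the thread is a divergence from the documentation rather than something the configuration predicts; that is the comparison worth taking to TAC. The second run shows the other hazard the caveat list spells out: with the ASA hop down, the tunnelled subnets fall back to their static routes and 10.106.32.0/20 to its connected route, all of them without passing the firewall. Anyone relying on PBR as a security control should treat a non-empty bypass set as a finding and verify it on the device itself, since this model only reproduces the written rules.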
