
PBR and source address

Status
Not open for further replies.

JayNEC

IS-IT--Management
Jun 5, 2002
942
US
I've got policy based routing configured as follows, and it's matching just fine. However, with test pings the source address is always the Fa0/0 interface and that's where the response comes back. Outbound packets that match ARE correctly leaving the fa0/1 interface. I can force the source address to be the Fa0/1's address and things are OK.
I want packets that match to leave and come back in on the Fa0/1 interface.

----------------------------------
interface FastEthernet0/0
description LAN Connection
ip address w.x.y.z 255.255.255.192
ip route-cache policy
ip policy route-map HTTP

interface FastEthernet0/1
ip address 192.168.252.2 255.255.255.0


access-list 1 permit a.b.c.d

route-map HTTP permit 10
match ip address 1
set ip next-hop 192.168.252.1



 
I should have mentioned that there is an S0/1 with a T1 attached that is the default gateway. The Fa0/0 faces inward and the Fa0/1 is connected to a DSL modem for a second outbound pipe.
 
Let me make sure I understand. You're pinging a.b.c.d from a device on the LAN connected to Fa0/0. The packet correctly leaves the Fa0/1 interface but it has the Fa0/0 IP address as its source address instead of the device that actually initiated the ping?
 
I'm initiating the ping from the router itself.

 
When the packet is leaving Fa0/1, it's being NATed to a different address via the DSL modem. So, responses should be coming back over that interface as well.
 
You have PBR applied to the Fa0/1 interface. That will have no effect on packets initiated from the router. If you want the policy to apply to packets generated by the router then you need to turn that feature on. However, your source-based ACL would no longer apply and the traffic wouldn't match on it.

If you want to test PBR as it is currently configured, you need to ping from a device on the Fa0/1 LAN.
 
The feature to affect locally generated packets is on and working. I have created a destination-based ACL for testing, and it is working. However, the source address is showing up as eth0/0.
 
I've concluded that something like this really needs to be done at the firewall rather than a router beyond it.
 
Heck, I was still trying to figure out what you were trying to accomplish.
 
He's trying to accomplish one thing and has shown us the configuration for such. However, it's his testing that is actually broken. I don't know if the posted configuration is working as intended or not for traffic coming from the LAN connected to Fa0/0.
 
ip local policy route-map POLICY_NAME
will make the PBR work on locally generated traffic...

Other than that, what seems to be the problem?
The config is basic and looks OK.

As it is set up, anything that matches access-list 1 will be forwarded out Fa0/1... anything that doesn't match will not be policy routed and will go to the router's routing table, which will follow your default route through the T1 interface.

What is it that is not working for you?
 
The packets coming back come in over the T1. We want to take load off the T1, and send common web browsing over the DSL. Outbound requests go over the DSL (768k), but the inbound of the DSL is receiving nothing.
The firewall is sending all packets to this router, but the source will always be that of the firewall, so the response will always come back over the T1 interface (which is the subnet that the firewall is addressed with). The only way to do this is going to be to put the DSL in the firewall instead, on a spare Ethernet port, and have the firewall do some policy based routing. If it will.


IP local policy is enabled...
 
That makes no sense... if the packets are going out the DSL then they are being NATed and they will have no choice but to come back in that DSL.

Do you have a common subnet and BGP running on both these links?

Are you sure your packets aren't going out the T1 still?
 
The only reason traffic would come back over the T1 is if you have NAT misconfigured. You want to configure your network such that packets going out the DSL pipe do not have the same source addresses as packets going out over the T1. It sounds like your packets are being sourced with addresses from the pool provided by your T1 provider. If that's the case, return traffic will come back on the T1.

It sounds like you've already figured that out, since I basically just rephrased what you just said...I think. :)
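As an added illustration of where the last two replies point (this is not the original poster's configuration and not from Tek-Tips), the config below lets the router itself translate whatever it policy-routes out Fa0/1, so those packets carry the Fa0/1 address and their replies must return on the DSL side instead of the T1. The thread's setup has the DSL modem doing the NAT; doing it on the router removes the dependency on the modem. ACL 101, the route-map name DSL_NAT, the web-port matches and the Fa0/1 description are assumptions.

```cisco
! Added example, not the thread's config. Assumes the router (not only
! the DSL modem) translates traffic leaving Fa0/1. ACL 101, DSL_NAT and
! the www/443 matches are assumed; the original source-based ACL 1 is
! replaced by a destination-based match on web traffic.
!
! Symptom in the thread: PBR alone sends matching packets out Fa0/1, but
! they keep the LAN/firewall source from the T1-side addressing, so the
! replies arrive over S0/1.  Translating at Fa0/1 fixes the return path.
!
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
!
! PBR: web traffic goes to the DSL modem as next hop
route-map HTTP permit 10
 match ip address 101
 set ip next-hop 192.168.252.1
!
! NAT route-map: translate only what is actually leaving via Fa0/1,
! so traffic following the default route out the T1 is untouched
route-map DSL_NAT permit 10
 match ip address 101
 match interface FastEthernet0/1
!
ip nat inside source route-map DSL_NAT interface FastEthernet0/1 overload
!
interface FastEthernet0/0
 description LAN Connection
 ip address w.x.y.z 255.255.255.192
 ip nat inside
 ip route-cache policy
 ip policy route-map HTTP
!
interface FastEthernet0/1
 description DSL modem (assumed description)
 ip address 192.168.252.2 255.255.255.0
 ip nat outside
!
! Router-originated packets (pings from the router) are not seen by the
! interface policy; this applies the same route-map to them.
ip local policy route-map HTTP
!
! Verification: match counters on the route-map, active translations
! show route-map HTTP
! show ip nat translations
```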
 