HPE Community
Switches, Hubs, and Modems
1753481 Members
4167 Online
108794 Solutions
New Discussion юеВ

Re: PBR Question

 
Ryan_G
Frequent Advisor

тАО06-10-2008 05:23 PM

тАО06-10-2008 05:23 PM

PBR Question

HI All

I've searched the forums and can't find a good example of PBR.

All I want to do is create a simple Policy where traffic from VLAN3 (subnet 192.168.2.0) goes out WAN2 (ppp 2 or atm 2.1).

I have

created a standard access list

ip access-list standard Student
permit 192.168.2.0 0.0.0.255
!

and created a route-map

route-map Student_Staff permit 10
match ip address Student
set interface ppp 2


ProCurveSR7102dl#show route-map
route-map Student_Staff, permit, sequence 10
Match clauses:
ip address (access-lists): Student
Set clauses:
interface: ppp 2
BGP Filtering matches: 0 routes
Policy routing matches: 0 packets 0 bytes
Redistribution Filtering matches: 0 routes


However, this doesnt work.

Anybody help?

Thanks in Advance.
0 Kudos
5 REPLIES 5
Ryan_G
Frequent Advisor

тАО06-10-2008 06:23 PM

тАО06-10-2008 06:23 PM

Re: PBR Question

I found something in the 9300 guide.

It was to add ip policy route-map Student_Staff to the ehternet interface (which makes sense).

I have done this. And have traffic flowing (Good news). However, it is still going out the wrong internet connection.?

WEhat is the set interface meant to be? Is it ppp or atm or do i use the WAN's static IP address?
0 Kudos
Ryan_G
Frequent Advisor

тАО06-11-2008 05:05 PM

тАО06-11-2008 05:05 PM

Re: PBR Question

HI All Again.

Still having no luck on this.

If I remove the match command all traffic is still flowing out ppp 1. I think it must come back to the Private access policy on ethernet 1.

There is really no guides for PBR anywhere or good examples. Can anyone help.

The useful bits of the config are pasted below:

!
ip subnet-zero
ip classless
ip domain-proxy
ip routing
!
!
!
!
interface eth 0/1
ip address 192.168.10.254 255.255.255.0
ip policy route-map Student_Staff
access-policy Private
no shutdown
!
!
interface eth 0/2
no ip address
shutdown
!
!
!
interface adsl 1/1
description "ATCGC"
no shutdown
interface adsl 2/1
description "Webshield"
no shutdown
!
!
interface atm 1 point-to-point
description OnTheNet
no shutdown
bind 1 adsl 1/1 atm 1
!
interface atm 1.1 point-to-point
no shutdown
pvc 8/35
no ip address
!
!
interface atm 2 point-to-point
description WebShield
no shutdown
bind 3 adsl 2/1 atm 2
!
interface atm 2.1 point-to-point
no shutdown
pvc 8/35
no ip address
!
interface ppp 1
ip address negotiated
access-policy Public
crypto map VPN
no fair-queue
ppp chap hostname @dsl.onthenet.net
ppp chap password
no shutdown
bind 2 atm 1.1 ppp 1
!
interface ppp 2
description Webshield
ip address negotiated no-default
access-policy Student_Staff
no fair-queue
ppp pap sent-username @dsl.webshield.net.au password
no shutdown
bind 4 atm 2.1 ppp 2
!
!
!
!
!
route-map Student_Staff permit 10
description "Staff to WAN1 and Students to WAN2"
match ip address Student
set interface atm 2
!
!
!
!
ip access-list standard Student
permit 192.168.2.0 0.0.0.255
!
ip access-list standard wizard-ics
remark Internet Connection Sharing
permit any
!
!
ip access-list extended self
remark Traffic to ProCurve SR
permit ip any any log
!
ip access-list extended VPN-10-vpn-selectors
permit ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255
!
ip access-list extended web-acl-13
permit ip any any
!
ip access-list extended web-acl-9
remark DC01 RDP
permit tcp any host 121.50.211.62 eq 5022 log
!
ip access-list extended wizard-pfwd-1
remark Mail IN
permit tcp any host 121.50.211.62 eq smtp log
!
ip access-list extended wizard-pfwd-2
remark Webmail
permit tcp any host 121.50.211.62 eq www log
!
ip access-list extended wizard-pfwd-3
remark tassws01 RDP
permit tcp any host 121.50.211.62 eq 5020 log
!
ip access-list extended wizard-pfwd-4
remark tassds01 RDP
permit tcp any host 121.50.211.62 eq 5021 log
!
ip policy-class Private
allow list VPN-10-vpn-selectors stateless
allow list self self
nat source list wizard-ics interface ppp 1 overload
!
ip policy-class Public
allow reverse list VPN-10-vpn-selectors stateless
nat destination list wizard-pfwd-1 address 192.168.11.23
nat destination list wizard-pfwd-2 address 192.168.11.23
nat destination list wizard-pfwd-3 address 192.168.11.27 port 3389
nat destination list wizard-pfwd-4 address 192.168.11.28 port 3389
nat destination list web-acl-9 address 192.168.11.21 port 3389
!
ip policy-class "Student Public"
! Implicit discard

!
ip policy-class Student_Staff
allow list web-acl-13
!
!
!
ip route 192.168.1.0 255.255.255.0 192.168.10.1
ip route 192.168.2.0 255.255.255.0 192.168.10.1
ip route 192.168.11.0 255.255.255.0 192.168.10.1
!
0 Kudos
Matt Hobbs
Honored Contributor

тАО06-12-2008 03:48 AM

тАО06-12-2008 03:48 AM

Re: PBR Question

I wonder if you can simplify this by just using your existing Private policy and adding an extra nat statement:

!
ip policy-class Private
allow list VPN-10-vpn-selectors stateless
allow list self self
nat source list Student interface ppp 2 overload
nat source list wizard-ics interface ppp 1 overload
!
The ordering is important, it will match the more specific Student ACL first, then anything else will be sent out via ppp 1.

If this doesn't work, with the route maps it looks like you might need to use the 'set default interface ppp 2' option. I've haven't needed to use PBR myself yet.

If you're still not having any luck, can you attach a copy of the 'show tech'? Make sure to remove any username/passwords first.
0 Kudos
Ryan_G
Frequent Advisor

тАО06-13-2008 10:52 PM

тАО06-13-2008 10:52 PM

Re: PBR Question

I think that the issue may actually be with the connection.


If I just use a 'normal' config (without trying to split the connection) and I change the nat to ppp 2 it doesn't work. If its pp 1 it does.

Is there someway from inside the router to select a ppp interface and specifically test. I.e. pinging out through ppp 2 etc

Thanks
0 Kudos
Matt Hobbs
Honored Contributor

тАО06-13-2008 11:29 PM

тАО06-13-2008 11:29 PM

Re: PBR Question

In your config under ppp2 you have:

ip address negotiated no-default

Try removing the no-default part. I'm not sure if will only let you do that for one connection though. Otherwise add a static default route, ip route 0.0.0.0/0 . You might also need to put a distance on that route.
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.