2 Replies Latest reply on Oct 14, 2014 5:12 PM by kb9mfd

    Cannot get PBR to work

    kb9mfd New Member

      Not sure what I am doing wrong, but I cannot get vlan 100 to use the second internet, eth 0/2 (ATT-Map). Nothing is matching my policy. Any idea? - Jeremy

       

      !
      ! ADTRAN, Inc. OS version R10.6.0.E
      ! Boot ROM version 13.03.00.SB
      ! Platform: NetVanta 3448, part number 1200821E1
      ! Serial number LBADTN1340AR595
      !
      hostname "NV3448-MAIN"
      !
      clock timezone -6-Central-Time
      clock no-auto-correct-DST
      !
      ip subnet-zero
      ip classless
      ip default-gateway 66.66.66.177
      ip routing
      ipv6 unicast-routing
      !
      domain-name "c.local"
      name-server 4.2.2.2 8.8.8.8
      !
      ip local policy route-map ATT-Map
      !
      no auto-config
      !
      event-history on
      no logging forwarding
      logging forwarding priority-level info
      no logging email
      !
      no service password-encryption
      !
      username "admin" password "password"
      !
      banner motd #

      #
      !
      ip firewall
      no ip firewall alg msn
      no ip firewall alg mszone
      no ip firewall alg h323
      !
      no dot11ap access-point-control
      !
      ip dhcp database local
      ip dhcp excluded-address 172.16.0.1 172.16.0.49
      ip dhcp excluded-address 192.168.0.1 192.168.0.199
      !
      ip dhcp pool "Voice"
        network 172.16.0.0 255.255.255.0
        dns-server 4.2.2.2 8.8.8.8
        default-router 172.16.0.2
        option 43 hex 010F544F534849424120495065646765000204AC10000F03010104016E050100060164
      !
      ip crypto
      !
      crypto ike policy 100
        initiate main
        respond anymode
        local-id address 66.66.66.178
        peer 71.71.71.166
        attribute 1
          encryption 3des
          hash md5
          authentication pre-share
      !
      crypto ike remote-id address 71.71.71.166 preshared-key p0o9i8u7y6 ike-policy 100 crypto map VPN 10 no-mode-config no-xauth
      !
      crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac
        mode tunnel
      !
      crypto map VPN 10 ipsec-ike
        description Broadhead
        match address VPN-10-vpn-selectors1
        set peer 71.71.71.166
        set transform-set esp-3des-esp-md5-hmac
        ike-policy 100
      !
      vlan 1
        name "Default"
      !
      vlan 100
        name "Data"
      !
      vlan 110
        name "Voice"
      !
      no ethernet cfm
      !
      interface eth 0/1
        description Earthlink WAN
        ip address  66.66.66.178  255.255.255.248
        ip mtu 1500
        ip access-policy Public
        crypto map VPN
        no awcp
        no shutdown
      !
      interface eth 0/2
        description ATT WAN
        ip address  99.99.99.99  255.255.255.248
        ip mtu 1500
        ip access-policy ATT
        no awcp
        no shutdown
      !
      interface switchport 0/1
        description Link to Switch
        spanning-tree edgeport
        no shutdown
        switchport mode trunk
        switchport trunk native vlan 100
      !
      interface switchport 0/2
        spanning-tree edgeport
        no shutdown
        switchport access vlan 110
      !
      interface switchport 0/3
        spanning-tree edgeport
        no shutdown
        switchport mode trunk
        switchport trunk native vlan 100
      !
      interface switchport 0/4
        spanning-tree edgeport
        no shutdown
        switchport mode trunk
        switchport trunk native vlan 100
      !
      interface switchport 0/5
        spanning-tree edgeport
        no shutdown
        switchport mode trunk
        switchport trunk native vlan 100
      !
      interface switchport 0/6
        spanning-tree edgeport
        no shutdown
        switchport mode trunk
        switchport trunk native vlan 100
      !
      interface switchport 0/7
        spanning-tree edgeport
        no shutdown
        switchport mode trunk
        switchport trunk native vlan 100
      !
      interface switchport 0/8
        spanning-tree edgeport
        no shutdown
        switchport mode trunk
        switchport trunk native vlan 100
      !
      interface vlan 1
        no ip address
        shutdown
      !
      interface vlan 100
        description Data
        ip address  192.168.0.2  255.255.255.0
        ip mtu 1500
        ip access-policy Private
        no rtp quality-monitoring
        no awcp
        no shutdown
      !
      interface vlan 110
        description Voice
        ip address  172.16.0.2  255.255.255.0
        ip mtu 1500
        ip access-policy Voice
        no rtp quality-monitoring
        no awcp
        no shutdown
      !
      route-map ATT-Map permit 10
        match ip address AttInt
        set ip next-hop 99.99.99.97
        set interface eth 0/2
      !
      ip access-list extended AttInt
        deny   ip 192.168.0.0 0.0.0.255  192.168.0.0 0.0.255.255     log
        deny   ip 192.168.0.0 0.0.0.255  172.16.0.0 0.0.255.255     log
        deny   ip 172.16.0.0 0.0.0.255  any     log
        permit ip any  any     log
      !
      ip access-list extended self
        remark Traffic to NetVanta
        permit ip any  any     log
      !
      ip access-list extended VPN-10-vpn-selectors1
        permit ip 172.16.0.0 0.0.0.255  172.16.10.0 0.0.0.255
      !
      ip access-list extended web-acl-10
        remark NAT ATT
        ! Implicit permit (only for empty ACLs)
      !
      ip access-list extended web-acl-11
        remark NAT ATT
        permit ip any  any     log
      !
      ip access-list extended web-acl-6
        remark Data
        permit ip any  any
      !
      ip access-list extended web-acl-7
        remark NAT Earthlink
        ! Implicit permit (only for empty ACLs)
      !
      ip access-list extended web-acl-8
        remark Voice
        permit ip any  any
      !
      ip access-list extended web-acl-9
        remark Phone System
        permit tcp any  host 66.66.66.178 eq 8080   log
        permit tcp any  host 66.66.66.178 eq 9443   log
        permit tcp any  host 66.66.66.178 eq 10000   log
        permit tcp any  host 66.66.66.178 eq 90   log
        permit tcp any  host 66.66.66.178 eq 8768   log
        permit tcp any  host 66.66.66.178 eq ftp-data   log
        permit tcp any  host 66.66.66.178 eq ftp   log
        permit tcp any  host 66.66.66.178 eq 2944   log
        permit udp any  host 66.66.66.178 eq 1718    log
        permit udp any  host 66.66.66.178 eq 1719    log
        permit udp any  host 66.66.66.178 eq 21000    log
      !
      ip access-list extended wizard-pfwd-1
        remark Server Forwards
        permit tcp any  host 66.66.66.178 eq https   log
        permit tcp any  host 66.66.66.178 eq smtp   log
        permit tcp any  host 66.66.66.178 eq 1723   log
        permit tcp any  host 66.66.66.178 eq 47   log
        permit tcp any  host 66.66.66.178 eq www   log
      !
      ip policy-class ATT
        nat destination list wizard-pfwd-1 address 192.168.0.1
      !
      ip policy-class Private
        allow list VPN-10-vpn-selectors1 stateless
        allow list web-acl-8 policy Voice
        allow list self self
        nat source list web-acl-11 interface eth 0/2 overload policy ATT
      !
      ip policy-class Public
        allow reverse list VPN-10-vpn-selectors1 stateless
        nat destination list wizard-pfwd-1 address 192.168.0.1
        nat destination list web-acl-9 address 172.16.0.15
      !
      ip policy-class Voice
        allow list web-acl-6 policy Private
        nat source list web-acl-7 interface eth 0/1 overload policy Public
        nat source list web-acl-10 interface eth 0/2 overload policy ATT
      !
      ip route 0.0.0.0 0.0.0.0 66.66.66.177
      ip route 0.0.0.0 0.0.0.0 99.99.99.97 5
      !
      no tftp server
      no tftp server overwrite
      http server
      http secure-server
      no snmp agent
      no ip ftp server
      ip ftp server default-filesystem flash
      no ip scp server
      no ip sntp server
      !
      ip sip udp 5060
      ip sip tcp 5060
      !
      line con 0
        login
      !
      line telnet 0 4
        login
        password password
        no shutdown
      line ssh 0 4
        login local-userlist
        no shutdown
      !
      sntp server time.nist.gov
      !
      end

        • Re: Cannot get PBR to work
          cj! Beta_User

          Hi kb9mfd:

          Thanks for posting your question in the Support Community.  The route-map must be applied to an IP interface where it should analyze ingress traffic.  Like this:

          !
          interface vlan 100
            description Data
            ip address  192.168.0.2  255.255.255.0
            ip mtu 1500
            ip policy route-map ATT-Map
            ip access-policy Private
            no rtp quality-monitoring
            no awcp
            no shutdown
          !
          route-map ATT-Map permit 10
            match ip address AttInt
            set ip next-hop 99.99.99.97
            set interface eth 0/2  (don't need this)
          !
          ip access-list extended AttInt
            deny  ip 192.168.0.0 0.0.0.255  192.168.0.0 0.0.255.255    log
            deny  ip 192.168.0.0 0.0.0.255  172.16.0.0 0.0.255.255    log
            deny  ip 172.16.0.0 0.0.0.255  any    log  (don't need this, as nothing sourced from the 172.16 network ingresses on interface vlan 100)
            permit ip any  any    log
          !

          You'll probably want to look at web-acl-7 and web-acl-10 as they're currently empty (which is considered 'permit any' and will match all traffic).  To use them in a NAT overload policy, consider:

          !
          ip access-list extended ACL-name-here
             permit ip any  any
          !

          Best,

          Chris
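The reply's two points, that a route-map only sees traffic on the interface it is bound to with ip policy route-map, and that an empty ACL behaves as permit any, can be checked offline with a small model of the first-match ACL and route-map logic. The following is an added example written for this page, not code from the ADTRAN post or from AOS itself. It encodes the AttInt list and ATT-Map from the original configuration and a simplified routing table (the two connected VLANs plus the primary default via 66.66.66.177; the floating default with distance 5 is assumed inactive while eth 0/1 is up). The flows it evaluates are constructed for illustration. Semantics modelled as the reply describes them: a permit match sends the packet to the set ip next-hop, a deny match or no match falls through to normal routing, and the route-map is consulted only for packets entering a bound interface.

```python
"""Model of AOS-style policy routing for the ATT-Map / AttInt example.

Added example for this thread; not code from the post or from ADTRAN.
Assumptions (not from the page): the routing table below is simplified to
the two connected VLANs and the primary default route, and the flows at the
bottom are constructed samples.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class AclEntry:
    action: str  # "permit" or "deny"
    src: str     # "<network> <wildcard>" or "any"
    dst: str     # "<network> <wildcard>" or "any"


def wildcard_match(addr: str, spec: str) -> bool:
    """Cisco/AOS wildcard semantics: bits set in the wildcard are don't-care."""
    if spec == "any":
        return True
    net, wild = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wild))
    return (a & ~w) == (n & ~w)


def acl_lookup(acl: List[AclEntry], src: str, dst: str) -> str:
    """First match wins. An empty ACL is an implicit permit, as the running
    config's own '! Implicit permit (only for empty ACLs)' comment states;
    a non-empty ACL ends in an implicit deny."""
    if not acl:
        return "permit"
    for entry in acl:
        if wildcard_match(src, entry.src) and wildcard_match(dst, entry.dst):
            return entry.action
    return "deny"


# ip access-list extended AttInt, as posted (log keywords omitted; they do
# not affect matching).
ATT_INT = [
    AclEntry("deny", "192.168.0.0 0.0.0.255", "192.168.0.0 0.0.255.255"),
    AclEntry("deny", "192.168.0.0 0.0.0.255", "172.16.0.0 0.0.255.255"),
    AclEntry("deny", "172.16.0.0 0.0.0.255", "any"),
    AclEntry("permit", "any", "any"),
]

# route-map ATT-Map permit 10: match ip address AttInt / set ip next-hop
ATT_MAP = {"match": ATT_INT, "next_hop": "99.99.99.97"}

# Simplified routing table (assumption): connected VLANs + primary default.
ROUTING_TABLE: List[Tuple[str, str]] = [
    ("192.168.0.0/24", "connected vlan 100"),
    ("172.16.0.0/24", "connected vlan 110"),
    ("0.0.0.0/0", "66.66.66.177"),
]


def table_lookup(dst: str) -> str:
    """Longest-prefix match over ROUTING_TABLE."""
    best = None
    addr = ipaddress.ip_address(dst)
    for prefix, hop in ROUTING_TABLE:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1]


# Interface -> route-map bindings. The original config binds ATT-Map only
# with "ip local policy route-map" (router-originated traffic), so no
# transit interface is bound. The reply adds it to interface vlan 100.
ORIGINAL_BINDINGS: Dict[str, dict] = {}
FIXED_BINDINGS: Dict[str, dict] = {"vlan 100": ATT_MAP}


def next_hop(bindings: Dict[str, dict], ingress: str, src: str, dst: str) -> str:
    """Policy-route if the ingress interface has a route-map and the packet
    hits a permit entry; otherwise use the normal routing table."""
    rm = bindings.get(ingress)
    if rm is not None and acl_lookup(rm["match"], src, dst) == "permit":
        return rm["next_hop"]
    return table_lookup(dst)


# Constructed sample flows: (ingress interface, src, dst)
SAMPLE_FLOWS = [
    ("vlan 100", "192.168.0.50", "8.8.8.8"),       # data VLAN to internet
    ("vlan 100", "192.168.0.50", "172.16.0.15"),   # data VLAN to phone system
    ("vlan 100", "192.168.0.50", "172.16.10.7"),   # data VLAN to remote VPN subnet
    ("vlan 110", "172.16.0.10", "8.8.8.8"),        # voice VLAN to internet
]

if __name__ == "__main__":
    for iface, src, dst in SAMPLE_FLOWS:
        before = next_hop(ORIGINAL_BINDINGS, iface, src, dst)
        after = next_hop(FIXED_BINDINGS, iface, src, dst)
        print(f"{iface:8} {src:>13} -> {dst:<13} original: {before:20} with ip policy: {after}")
```

Two results worth noticing: with the original bindings every flow from vlan 100 takes the Earthlink default regardless of the route-map, which is the symptom in the question; and with the reply's fix, the second deny entry's 0.0.255.255 wildcard keeps 192.168.0.x traffic for the remote VPN subnet 172.16.10.0/24 on normal routing (and therefore on the eth 0/1 crypto map) instead of sending it out the AT&T link.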