kb9mfd
New Contributor III

Cannot get PBR to work

Not sure what I am doing wrong, but I cannot get vlan 100 to use the second internet connection, eth 0/2 (ATT-Map). Nothing is matching my policy; any idea? - Jeremy

!
! ADTRAN, Inc. OS version R10.6.0.E
! Boot ROM version 13.03.00.SB
! Platform: NetVanta 3448, part number 1200821E1
! Serial number LBADTN1340AR595
!
hostname "NV3448-MAIN"
!
clock timezone -6-Central-Time
clock no-auto-correct-DST
!
ip subnet-zero
ip classless
ip default-gateway 66.66.66.177
ip routing
ipv6 unicast-routing
!
domain-name "c.local"
name-server 4.2.2.2 8.8.8.8
!
ip local policy route-map ATT-Map
!
no auto-config
!
event-history on
no logging forwarding
logging forwarding priority-level info
no logging email
!
no service password-encryption
!
username "admin" password "password"
!
banner motd #
#
!
ip firewall
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
!
no dot11ap access-point-control
!
ip dhcp database local
ip dhcp excluded-address 172.16.0.1 172.16.0.49
ip dhcp excluded-address 192.168.0.1 192.168.0.199
!
ip dhcp pool "Voice"
  network 172.16.0.0 255.255.255.0
  dns-server 4.2.2.2 8.8.8.8
  default-router 172.16.0.2
  option 43 hex 010F544F534849424120495065646765000204AC10000F03010104016E050100060164
!
ip crypto
!
crypto ike policy 100
  initiate main
  respond anymode
  local-id address 66.66.66.178
  peer 71.71.71.166
  attribute 1
    encryption 3des
    hash md5
    authentication pre-share
!
crypto ike remote-id address 71.71.71.166 preshared-key p0o9i8u7y6 ike-policy 100 crypto map VPN 10 no-mode-config no-xauth
!
crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac
  mode tunnel
!
crypto map VPN 10 ipsec-ike
  description Broadhead
  match address VPN-10-vpn-selectors1
  set peer 71.71.71.166
  set transform-set esp-3des-esp-md5-hmac
  ike-policy 100
!
vlan 1
  name "Default"
!
vlan 100
  name "Data"
!
vlan 110
  name "Voice"
!
no ethernet cfm
!
interface eth 0/1
  description Earthlink WAN
  ip address  66.66.66.178  255.255.255.248
  ip mtu 1500
  ip access-policy Public
  crypto map VPN
  no awcp
  no shutdown
!
interface eth 0/2
  description ATT WAN
  ip address  99.99.99.99  255.255.255.248
  ip mtu 1500
  ip access-policy ATT
  no awcp
  no shutdown
!
interface switchport 0/1
  description Link to Switch
  spanning-tree edgeport
  no shutdown
  switchport mode trunk
  switchport trunk native vlan 100
!
interface switchport 0/2
  spanning-tree edgeport
  no shutdown
  switchport access vlan 110
!
interface switchport 0/3
  spanning-tree edgeport
  no shutdown
  switchport mode trunk
  switchport trunk native vlan 100
!
interface switchport 0/4
  spanning-tree edgeport
  no shutdown
  switchport mode trunk
  switchport trunk native vlan 100
!
interface switchport 0/5
  spanning-tree edgeport
  no shutdown
  switchport mode trunk
  switchport trunk native vlan 100
!
interface switchport 0/6
  spanning-tree edgeport
  no shutdown
  switchport mode trunk
  switchport trunk native vlan 100
!
interface switchport 0/7
  spanning-tree edgeport
  no shutdown
  switchport mode trunk
  switchport trunk native vlan 100
!
interface switchport 0/8
  spanning-tree edgeport
  no shutdown
  switchport mode trunk
  switchport trunk native vlan 100
!
interface vlan 1
  no ip address
  shutdown
!
interface vlan 100
  description Data
  ip address  192.168.0.2  255.255.255.0
  ip mtu 1500
  ip access-policy Private
  no rtp quality-monitoring
  no awcp
  no shutdown
!
interface vlan 110
  description Voice
  ip address  172.16.0.2  255.255.255.0
  ip mtu 1500
  ip access-policy Voice
  no rtp quality-monitoring
  no awcp
  no shutdown
!
route-map ATT-Map permit 10
  match ip address AttInt
  set ip next-hop 99.99.99.97
  set interface eth 0/2
!
ip access-list extended AttInt
  deny   ip 192.168.0.0 0.0.0.255  192.168.0.0 0.0.255.255     log
  deny   ip 192.168.0.0 0.0.0.255  172.16.0.0 0.0.255.255     log
  deny   ip 172.16.0.0 0.0.0.255  any     log
  permit ip any  any     log
!
ip access-list extended self
  remark Traffic to NetVanta
  permit ip any  any     log
!
ip access-list extended VPN-10-vpn-selectors1
  permit ip 172.16.0.0 0.0.0.255  172.16.10.0 0.0.0.255
!
ip access-list extended web-acl-10
  remark NAT ATT
  ! Implicit permit (only for empty ACLs)
!
ip access-list extended web-acl-11
  remark NAT ATT
  permit ip any  any     log
!
ip access-list extended web-acl-6
  remark Data
  permit ip any  any
!
ip access-list extended web-acl-7
  remark NAT Earthlink
  ! Implicit permit (only for empty ACLs)
!
ip access-list extended web-acl-8
  remark Voice
  permit ip any  any
!
ip access-list extended web-acl-9
  remark Phone System
  permit tcp any  host 66.66.66.178 eq 8080   log
  permit tcp any  host 66.66.66.178 eq 9443   log
  permit tcp any  host 66.66.66.178 eq 10000   log
  permit tcp any  host 66.66.66.178 eq 90   log
  permit tcp any  host 66.66.66.178 eq 8768   log
  permit tcp any  host 66.66.66.178 eq ftp-data   log
  permit tcp any  host 66.66.66.178 eq ftp   log
  permit tcp any  host 66.66.66.178 eq 2944   log
  permit udp any  host 66.66.66.178 eq 1718    log
  permit udp any  host 66.66.66.178 eq 1719    log
  permit udp any  host 66.66.66.178 eq 21000    log
!
ip access-list extended wizard-pfwd-1
  remark Server Forwards
  permit tcp any  host 66.66.66.178 eq https   log
  permit tcp any  host 66.66.66.178 eq smtp   log
  permit tcp any  host 66.66.66.178 eq 1723   log
  permit tcp any  host 66.66.66.178 eq 47   log
  permit tcp any  host 66.66.66.178 eq www   log
!
ip policy-class ATT
  nat destination list wizard-pfwd-1 address 192.168.0.1
!
ip policy-class Private
  allow list VPN-10-vpn-selectors1 stateless
  allow list web-acl-8 policy Voice
  allow list self self
  nat source list web-acl-11 interface eth 0/2 overload policy ATT
!
ip policy-class Public
  allow reverse list VPN-10-vpn-selectors1 stateless
  nat destination list wizard-pfwd-1 address 192.168.0.1
  nat destination list web-acl-9 address 172.16.0.15
!
ip policy-class Voice
  allow list web-acl-6 policy Private
  nat source list web-acl-7 interface eth 0/1 overload policy Public
  nat source list web-acl-10 interface eth 0/2 overload policy ATT
!
ip route 0.0.0.0 0.0.0.0 66.66.66.177
ip route 0.0.0.0 0.0.0.0 99.99.99.97 5
!
no tftp server
no tftp server overwrite
http server
http secure-server
no snmp agent
no ip ftp server
ip ftp server default-filesystem flash
no ip scp server
no ip sntp server
!
ip sip udp 5060
ip sip tcp 5060
!
line con 0
  login
!
line telnet 0 4
  login
  password password
  no shutdown
line ssh 0 4
  login local-userlist
  no shutdown
!
sntp server time.nist.gov
!
end


Accepted Solutions
cj_
Valued Contributor

Re: Cannot get PBR to work

Hi kb9mfd:

Thanks for posting your question in the Support Community. The route-map must be applied to an IP interface where it should analyze ingress traffic. Like this:

!
interface vlan 100
  description Data
  ip address  192.168.0.2  255.255.255.0
  ip mtu 1500
  ip policy route-map ATT-Map
  ip access-policy Private
  no rtp quality-monitoring
  no awcp
  no shutdown
!
route-map ATT-Map permit 10
  match ip address AttInt
  set ip next-hop 99.99.99.97
  set interface eth 0/2  (don't need this)
!
ip access-list extended AttInt
  deny  ip 192.168.0.0 0.0.0.255  192.168.0.0 0.0.255.255    log
  deny  ip 192.168.0.0 0.0.0.255  172.16.0.0 0.0.255.255    log
  deny  ip 172.16.0.0 0.0.0.255  any    log  (don't need this as nothing sourced from 172.16 network ingress to interface vlan 100)
  permit ip any  any    log
!
You'll probably want to look at web-acl-7 and web-acl-10 as they're currently empty (which is considered 'permit any' and will match all traffic). To use them in a NAT overload policy, consider:

!
ip access-list extended ACL-name-here
   permit ip any  any
!

Best,

Chris
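
The behaviour the reply relies on can be checked offline. The following is an added example written for this thread, not ADTRAN code and not part of either post: it models how an AOS/IOS-style extended ACL with wildcard masks is evaluated (first matching entry wins, a non-empty list ends in an implicit deny, an empty list is treated as "permit any", as the reply says of web-acl-7 and web-acl-10), and how route-map ATT-Map turns a permit into the 99.99.99.97 next hop. A deny in a route-map ACL only means "not policy-routed"; the packet then follows the normal routing table, which here is the Earthlink default route. The `ingress_has_policy` flag is an assumption standing in for whether `ip policy route-map ATT-Map` is present on the ingress interface; with only `ip local policy` (the original config) transit traffic from vlan 100 is never evaluated at all. Sample packets are constructed for illustration.

```python
"""Model of ACL + route-map (PBR) evaluation for the AttInt / ATT-Map case.

Added example for this thread, not ADTRAN code.  It reproduces the
classification order a practitioner needs to reason about:
  * wildcard masks (a 1 bit means "don't care"),
  * first matching entry wins, implicit deny at the end of a non-empty ACL,
  * an ACL with no entries is "permit any" (the web-acl-7 / web-acl-10 trap),
  * deny in a route-map ACL means "not policy-routed", not "dropped".
"""
import ipaddress
from dataclasses import dataclass

NORMAL_ROUTING = "routing-table"   # default route via 66.66.66.177 on eth 0/1
PBR_NEXT_HOP = "99.99.99.97"       # set ip next-hop in route-map ATT-Map


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr matches base under an IOS/AOS wildcard mask."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must be equal
    return (a & care) == (b & care)


@dataclass
class AclEntry:
    action: str      # "permit" or "deny"
    src: str         # base address or "any"
    src_wild: str    # wildcard mask (ignored when src is "any")
    dst: str
    dst_wild: str


def _side_matches(addr: str, base: str, wild: str) -> bool:
    return base == "any" or wildcard_match(addr, base, wild)


def acl_action(entries: list, src: str, dst: str) -> str:
    """Evaluate an extended ACL for a src/dst pair.

    Empty list -> "permit" (AOS treats an empty ACL as permit any, which is
    why an empty NAT ACL matches all traffic).  Otherwise the first entry
    whose source and destination both match decides; no match -> implicit deny.
    """
    if not entries:
        return "permit"
    for e in entries:
        if _side_matches(src, e.src, e.src_wild) and _side_matches(dst, e.dst, e.dst_wild):
            return e.action
    return "deny"


# AttInt as trimmed in the reply: keep LAN-to-LAN and LAN-to-voice/VPN
# destinations off the PBR path, policy-route everything else.
ATT_INT = [
    AclEntry("deny",   "192.168.0.0", "0.0.0.255", "192.168.0.0", "0.0.255.255"),
    AclEntry("deny",   "192.168.0.0", "0.0.0.255", "172.16.0.0",  "0.0.255.255"),
    AclEntry("permit", "any", "", "any", ""),
]


def pbr_next_hop(src: str, dst: str, ingress_has_policy: bool = True, acl=ATT_INT) -> str:
    """Where a packet entering interface vlan 100 is forwarded.

    ingress_has_policy (assumed flag) models whether `ip policy route-map`
    is configured on the ingress interface.  Without it the route-map is
    never consulted for transit traffic, which was the original problem.
    """
    if not ingress_has_policy:
        return NORMAL_ROUTING
    if acl_action(acl, src, dst) == "permit":
        return PBR_NEXT_HOP        # route-map ATT-Map permit 10 applies
    return NORMAL_ROUTING          # deny / no match: fall back to the routing table


if __name__ == "__main__":
    # Constructed sample packets from a vlan 100 host.
    for dst in ("8.8.8.8", "172.16.0.15", "192.168.5.1", "172.16.10.20"):
        print(f"192.168.0.50 -> {dst}: {pbr_next_hop('192.168.0.50', dst)}")
    print("empty ACL matches everything:", acl_action([], "10.1.1.1", "8.8.8.8"))
```

Internet-bound traffic from 192.168.0.50 is policy-routed to 99.99.99.97, while anything destined for 192.168.0.0/16 or 172.16.0.0/16 (the voice VLAN and the VPN selector range) is denied by the ACL and keeps using the routing table, so the Earthlink path and the crypto map on eth 0/1 still see it. The empty-ACL case returns "permit" for an arbitrary pair, which is the reason the reply suggests giving web-acl-7 and web-acl-10 an explicit `permit ip any any`.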

kb9mfd
New Contributor III

Re: Cannot get PBR to work

Thank you, I had done this before and I must have forgotten to add that to my notes. As for the extra ACLs, those were added by the GUI and I just need to clean them up. Thanks! - Jeremy