PBR causes inter-VLAN traffic to fail

Publication Date:  2012-11-05 Views:  229 Downloads:  0
Issue Description
Description: the customer divided the switch interfaces on the device into three VLANs, but hosts in different VLANs cannot communicate with each other.
Alarm Information
none
Handling Process
Process:
Once the cause was known, deny rules for traffic between the VLAN subnets were added to the ACLs referenced by the PBR route-policies, so that inter-VLAN traffic no longer matches the PBR and is forwarded by the ordinary routing table instead. After this change the VLANs can communicate with each other. The modified configuration is as follows:

acl number 3010
rule 4 deny ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
rule 5 deny ip source 192.168.2.0 0.0.0.255 destination 10.0.0.0 0.0.0.255
rule 10 permit ip source 192.168.2.0 0.0.0.255
acl number 3011
rule 4 deny ip source 10.0.0.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
rule 5 deny ip source 10.0.0.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule 10 permit ip source 10.0.0.0 0.0.0.255
rule 15 permit ip source 10.0.2.0 0.0.0.255
acl number 3030
rule 4 deny ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule 5 deny ip source 192.168.3.0 0.0.0.255 destination 10.0.0.0 0.0.0.255
rule 10 permit ip source 192.168.3.0 0.0.0.255
#
route-policy 1 permit node 1
if-match acl 3010
apply output-interface Dialer1
route-policy 2 permit node 1
if-match acl 3011
apply output-interface Dialer2
route-policy 4 permit node 1
if-match acl 3030
apply output-interface Dialer2
route-policy 3 permit node 1
if-match acl 3030
apply output-interface Dialer1
#
interface Vlanif10
description to_lan
ip address 192.168.2.1 255.255.255.0
ip policy route-policy 1
#
interface Vlanif20
description to_server
ip address 10.0.0.1 255.255.255.0
ip policy route-policy 2
#
interface Vlanif30
ip address 192.168.3.1 255.255.255.0
ip policy route-policy 3
#
Root Cause
Cause analysis:
1. Configuration problem
2. Version problem
The initial inspection of the configuration did not reveal a configuration problem. During a ping test, checking the ICMP session showed that the source address had been translated to a public IP. The customer had applied PBR to each VLAN interface, so a ping between VLANs matched the PBR first (PBR takes precedence over ordinary routing) and was forwarded according to the policy rather than to the other VLAN, leaving the VLANs unable to reach each other.
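To make the mechanism concrete, the following is an added Python model (not from this case page and not Huawei code) of how the ACL referenced by a route-policy decides whether a packet is steered by PBR or left to the routing table. It assumes first-match evaluation in the order the rules are listed and that only a permit rule makes the if-match acl node match; ACL_3010_AFTER is acl 3010 from the corrected configuration above, ACL_3010_BEFORE is an assumed reconstruction of the original ACL without the deny rules, and the host and Internet addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed ACL texts in the page's CLI syntax. ACL_3010_AFTER is acl 3010 as
# shown in the corrected configuration; ACL_3010_BEFORE is an assumed
# reconstruction of the original ACL (source permit only, no inter-VLAN denies).
ACL_3010_BEFORE = """
rule 10 permit ip source 192.168.2.0 0.0.0.255
"""
ACL_3010_AFTER = """
rule 4 deny ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
rule 5 deny ip source 192.168.2.0 0.0.0.255 destination 10.0.0.0 0.0.0.255
rule 10 permit ip source 192.168.2.0 0.0.0.255
"""


@dataclass
class Rule:
    number: int
    action: str                       # "permit" or "deny"
    src: Optional[Tuple[int, int]]    # (network, wildcard) as ints; None = any source
    dst: Optional[Tuple[int, int]]    # None = any destination


def _wildcard_match(addr: int, net: int, wildcard: int) -> bool:
    # Wildcard-mask semantics: a 1 bit in the wildcard means "don't care".
    mask = 0xFFFFFFFF ^ wildcard
    return (addr & mask) == (net & mask)


def parse_acl(text: str) -> List[Rule]:
    """Parse 'rule N permit|deny ip source A W [destination B W]' lines."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "rule":
            continue
        number, action = int(tokens[1]), tokens[2]
        src = dst = None
        i = 4                          # tokens[3] is the protocol keyword ("ip")
        while i + 2 < len(tokens):
            net = int(ipaddress.IPv4Address(tokens[i + 1]))
            wc = int(ipaddress.IPv4Address(tokens[i + 2]))
            if tokens[i] == "source":
                src = (net, wc)
            elif tokens[i] == "destination":
                dst = (net, wc)
            i += 3
        rules.append(Rule(number, action, src, dst))
    return rules                       # evaluated in listed order, first match wins


def acl_lookup(rules: List[Rule], src_ip: str, dst_ip: str) -> Optional[str]:
    """Return 'permit', 'deny', or None when no rule matches the packet."""
    s = int(ipaddress.IPv4Address(src_ip))
    d = int(ipaddress.IPv4Address(dst_ip))
    for r in rules:
        if r.src is not None and not _wildcard_match(s, *r.src):
            continue
        if r.dst is not None and not _wildcard_match(d, *r.dst):
            continue
        return r.action
    return None


def pbr_egress(rules: List[Rule], apply_interface: str, src_ip: str, dst_ip: str) -> str:
    """Simplified model of 'ip policy route-policy' with one 'if-match acl' node:
    only an ACL permit makes the node match and forces the packet out
    apply_interface; a deny or no match falls through to the ordinary
    routing table, returned here as the string 'routing-table'."""
    if acl_lookup(rules, src_ip, dst_ip) == "permit":
        return apply_interface
    return "routing-table"


def compare(src_ip: str, dst_ip: str) -> Tuple[str, str]:
    """Egress decision for the same packet under the before and after ACLs."""
    before = pbr_egress(parse_acl(ACL_3010_BEFORE), "Dialer1", src_ip, dst_ip)
    after = pbr_egress(parse_acl(ACL_3010_AFTER), "Dialer1", src_ip, dst_ip)
    return before, after


if __name__ == "__main__":
    # Constructed hosts: a VLAN 10 host pinging VLAN 30, the server VLAN, and an Internet address.
    for dst in ("192.168.3.10", "10.0.0.5", "203.0.113.9"):
        before, after = compare("192.168.2.10", dst)
        print(f"192.168.2.10 -> {dst}: before={before}, after={after}")
```

With the original ACL every packet from 192.168.2.0/24, including a ping to 192.168.3.10, is steered out Dialer1, which is exactly why the ICMP session in the case showed a translated public source address. With the corrected ACL the two deny rules take the inter-VLAN packets out of the policy and the routing table delivers them locally, while Internet-bound traffic is still policy-routed as intended.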
Suggestions
Conclusion: after the ACLs were modified, the problem was solved. When this problem occurs, check the configuration carefully and use the display commands to check the relevant entries, such as the ICMP session examined here.
