Troubleshooting Guide for PBR Not Taking Effect

10-25-2024

Contents

Objective

Requirements

Introduction

Troubleshooting Steps

Conclusion

Objective

This article provides a general troubleshooting guide for situations where PBR is not functioning as expected.

Requirements

  • Omada Layer 3 series Switch

Introduction

Policy-Based Routing (PBR) forwards packets that match predefined conditions (source and destination IP address, and optionally port) to a configured next-hop address instead of the path the routing table would choose. On Omada Layer 3 switches, PBR is implemented as an IP ACL rule with a redirect action, so when PBR is not taking effect, the ACL rule, its port binding, the available ACL hardware resources, and the reachability of the next hop are the things to verify.

Troubleshooting Steps

Step 1. Use the show access-list ACL_ID command to verify the PBR policy configuration. Check the following:

1. Confirm that the ACL rule matches the packets that need to be redirected (source and destination addresses and, where configured, protocol and ports).

2. Ensure the IP address and mask match the expected range. The mask determines which address bits are compared, so a rule with sip 192.168.10.10 and sip-mask 255.255.255.0 matches the whole 192.168.10.0/24 network, not only that host.

3. Verify that the action is redirect and that the next-hop address is correctly configured.

Example:

SG6428X(config)#show access-list 500

IP access list 500 name: "ACL_500"

rule 1 permit logging enable sip 192.168.10.10 sip-mask 255.255.255.0 dip 192.168.30.1 dip-mask 255.255.255.0 action redirect nexthop 10.10.10.20

Step 2. Check the port binding of the policy. Use the show access-list bind command to confirm that the ACL is bound to the port where the traffic to be redirected actually enters the switch, and that the direction is Ingress. A rule that is correct but bound to the wrong port or VLAN never sees the traffic.

Example:

SG6428X(config)#show access-list bind

ACL ID  ACL NAME  Interface/VID  Direction  Type
------  --------  -------------  ---------  ----
500     ACL_500   Gi1/0/1        Ingress    Port

Step 3. Use the show access-list status command to check whether sufficient ACL hardware entries are available. PBR rules consume IP ACL entries; if the relevant entry type is exhausted, the rule is not programmed into hardware and PBR will not function.

Example:

SG6428X(config)#show access-list status

ACL hardware entry table status:
|ACL Entry Type      |Used/Total          |
|--------------------|--------------------|
|MAC ACL             |0 / 300             |
|--------------------|--------------------|
|IP ACL              |1 / 300             |
|--------------------|--------------------|
|IPv6 ACL            |0 / 0               |
|--------------------|--------------------|
|Combined ACL        |0 / 300             |
|--------------------|--------------------|

If ACL resources are insufficient, you can:

  • Remove non-essential ACL configurations to free up resources.
  • Adjust the scope of ACL applications.
  • Merge ACLs to optimize resource usage.

Step 4. Check ARP table entries. Use the show arp A.B.C.D command to check whether the ARP table contains an entry for the next-hop IP address. If the switch has no ARP entry for the next-hop IP, it triggers ARP learning. If ARP learning fails, packets are forwarded along the default route and the redirect does not take effect. Note that this fallback is silent: traffic you intended to steer through a firewall or inspection device follows the normal route instead, so confirm that the next hop is resolvable rather than only that the ACL is configured.

Example:

SG6428X(config)#show arp 10.10.10.20

Interface  Address      Hardware Addr      Type
Gi1/0/3    10.10.10.20  40:ae:30:e0:22:ef  DYNAMIC

If no ARP entry exists for the next-hop IP, check the following:

1. If the switch and the next-hop device are connected through a Layer 2 network, check for link failures that may prevent the switch from receiving ARP replies. Ping the next hop from the switch several times to confirm reachability and narrow down where the path breaks.

2. Check whether the ARP table is near capacity. Static and dynamic entries share the same table, and when dynamic entries have consumed the available space the switch cannot learn new addresses, including the next hop. Clearing stale dynamic entries, or configuring a static ARP entry for the next hop so that redirection does not depend on dynamic learning, resolves this.
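The four steps above can be turned into a single offline check. The following script is an added example and is not TP-Link tooling: it parses captured output of the four show commands (the sample captures embedded below are constructed and modelled on the output shown in this article), computes the network each ACL rule really matches from its address and mask, and reports which step fails for a given source, destination, ingress port and ACL ID. The regular expressions assume the output formats shown in this article; adjust them if your firmware prints differently.

```python
"""Offline PBR troubleshooting checker (added example, not TP-Link code).

Paste the output of `show access-list ACL_ID`, `show access-list bind`,
`show access-list status` and `show arp A.B.C.D` into the four strings
and run the script. Output formats are assumed to match the article.
"""
import ipaddress
import re

# Constructed sample captures, modelled on the article's output.
SHOW_ACL = """IP access list 500 name: "ACL_500"
rule 1 permit logging enable sip 192.168.10.10 sip-mask 255.255.255.0 dip 192.168.30.1 dip-mask 255.255.255.0 action redirect nexthop 10.10.10.20
"""
SHOW_BIND = """ACL ID  ACL NAME  Interface/VID  Direction  Type
------  --------  -------------  ---------  ----
500     ACL_500   Gi1/0/1        Ingress    Port
"""
SHOW_STATUS = """|ACL Entry Type      |Used/Total          |
|IP ACL              |1 / 300             |
|IPv6 ACL            |0 / 0               |
"""
SHOW_ARP = """Interface  Address      Hardware Addr      Type
Gi1/0/3    10.10.10.20  40:ae:30:e0:22:ef  DYNAMIC
"""

RULE_RE = re.compile(
    r"rule\s+(?P<id>\d+)\s+(?P<action>permit|deny).*?"
    r"sip\s+(?P<sip>\S+)\s+sip-mask\s+(?P<smask>\S+).*?"
    r"dip\s+(?P<dip>\S+)\s+dip-mask\s+(?P<dmask>\S+).*?"
    r"redirect\s+nexthop\s+(?P<nh>\S+)"
)


def matched_network(addr, mask):
    """Network the rule really matches: address bits under a 0 mask bit are ignored."""
    return ipaddress.IPv4Network((addr, mask), strict=False)


def parse_rules(text):
    """Step 1: extract redirect rules (sip/dip/masks/next hop) from show access-list."""
    return [m.groupdict() for m in RULE_RE.finditer(text)]


def rule_covers(rule, src, dst):
    """True if a src -> dst packet falls inside the rule's source and destination ranges."""
    return (ipaddress.IPv4Address(src) in matched_network(rule["sip"], rule["smask"])
            and ipaddress.IPv4Address(dst) in matched_network(rule["dip"], rule["dmask"]))


def bound_ingress_ports(text, acl_id):
    """Step 2: ports/VLANs where the ACL is bound in the Ingress direction."""
    ports = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 5 and f[0] == acl_id and f[3].lower() == "ingress":
            ports.append(f[2])
    return ports


def acl_capacity(text, entry_type="IP ACL"):
    """Step 3: (used, total) hardware entries for one entry type, or None if absent."""
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) >= 2 and cells[0] == entry_type:
            used, total = (int(x) for x in cells[1].split("/"))
            return used, total
    return None


def arp_resolved(text, nexthop):
    """Step 4: True if show arp lists a hardware address for the next hop."""
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[1] == nexthop:
            return True
    return False


def diagnose(acl, bind, status, arp, acl_id, ingress_port, src, dst):
    """Run steps 1-4; return a list of findings (empty means every check passed)."""
    findings = []
    rules = [r for r in parse_rules(acl) if rule_covers(r, src, dst)]
    if not rules:
        findings.append(f"step1: no redirect rule in ACL {acl_id} matches {src} -> {dst}")
        return findings  # nothing else is meaningful without a matching rule
    nh = rules[0]["nh"]
    if ingress_port not in bound_ingress_ports(bind, acl_id):
        findings.append(f"step2: ACL {acl_id} is not bound ingress on {ingress_port}")
    cap = acl_capacity(status)
    if cap is None or cap[0] >= cap[1]:
        findings.append("step3: IP ACL hardware entries exhausted or status not readable")
    if not arp_resolved(arp, nh):
        findings.append(f"step4: no ARP entry for next hop {nh}; traffic falls back to normal routing")
    return findings


if __name__ == "__main__":
    result = diagnose(SHOW_ACL, SHOW_BIND, SHOW_STATUS, SHOW_ARP,
                      "500", "Gi1/0/1", "192.168.10.55", "192.168.30.7")
    for line in result or ["all four checks pass"]:
        print(line)
```

Because the mask is applied as a bit mask, the sample rule's sip 192.168.10.10 / 255.255.255.0 matches any host in 192.168.10.0/24; the checker makes that visible when a source outside that range reports a step 1 failure even though the configured address looks close.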

Conclusion

By following the steps above, you can troubleshoot issues related to PBR not taking effect. If the problem persists after trying these methods, please contact TP-Link technical support for further assistance.

For more details on each function and configuration, go to the Download Center and download the manual for your product.
