Troubleshooting Guide for PBR Not Taking Effect
Objective
This article provides a general troubleshooting guide for situations where PBR is not functioning as expected.
Requirements
- Omada Layer 3 series Switch
Introduction
PBR (policy-based routing) forwards packets according to predefined match conditions, such as source and destination IP addresses and ports, and redirects matching traffic to a configured next hop instead of the normal routing-table path. If PBR is not taking effect, verifying the PBR settings and the underlying ACL configuration is the essential first step in troubleshooting.
Troubleshooting Steps
Step 1. Use the show access-list ACL_ID command to verify the PBR policy configuration. Check the following:
1. Confirm that the ACL settings match the packets that need to be redirected.
2. Ensure the IP address and mask configuration match the expected range.
3. Verify that the next-hop address is correctly configured.
Example:
SG6428X(config)#show access-list 500
IP access list 500 name: "ACL_500"
rule 1 permit logging enable sip 192.168.10.10 sip-mask 255.255.255.0 dip 192.168.30.1 dip-mask 255.255.255.0 action redirect nexthop 10.10.10.20
Step 2. Check the port binding of the policy. Use the show access-list bind command to check whether the policy is bound to the correct port.
Example:
SG6428X(config)#show access-list bind
ACL ID  ACL NAME  Interface/VID  Direction  Type
------  --------  -------------  ---------  ----
500     ACL_500   Gi1/0/1        Ingress    Port
Step 3. Use the show access-list status command to check whether sufficient ACL entries are available. If ACL resources are insufficient, PBR will not function properly.
Example:
SG6428X(config)#show access-list status
ACL hardware entry table status:
|ACL Entry Type |Used/Total |
|--------------------|--------------------|
|MAC ACL |0 / 300 |
|--------------------|--------------------|
|IP ACL |1 / 300 |
|--------------------|--------------------|
|IPv6 ACL |0 / 0 |
|--------------------|--------------------|
|Combined ACL |0 / 300 |
|--------------------|--------------------|
If ACL resources are insufficient, you can:
- Remove non-essential ACL configurations to free up resources.
- Adjust the scope of ACL applications.
- Merge ACLs to optimize resource usage.
Step 4. Check the ARP table. Use the show arp A.B.C.D command to check whether the ARP table contains an entry for the next-hop IP address. If the switch has no ARP entry for the next-hop IP, it triggers ARP learning for that address. If ARP learning fails, packets are forwarded along the default path and the redirection does not take effect.
Example:
SG6428X(config)#show arp 10.10.10.20
Interface  Address      Hardware Addr      Type
Gi1/0/3    10.10.10.20  40:ae:30:e0:22:ef  DYNAMIC
If no ARP entry exists for the next-hop IP, check the following:
1. If the switch and the next-hop device are connected through a Layer 2 network, check for link failures that may prevent the switch from receiving ARP replies. Perform multiple ping tests from the switch to the next-hop address to pinpoint and diagnose the issue.
2. Ensure that the number of static ARP entries is not significantly lower than the number of dynamic ARP entries; an excessive number of ARP table entries may prevent the switch from continuing ARP learning.
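The four checks above can be automated against saved CLI output so that a misconfigured or resource-starved PBR policy is flagged before anyone stares at the rule by hand. The following Python script is an added example, not TP-Link code and not part of this article: it parses output in the shape of the show access-list, show access-list bind, show access-list status and show arp examples shown above and walks Steps 1 to 4 for a given source/destination pair and ingress port. The sample output embedded in it is constructed from the article's examples, and it assumes that sip-mask and dip-mask are subnet masks applied with a bitwise AND (an assumption about the CLI semantics, not something the article states).

```python
import ipaddress
import re

# Constructed sample CLI output modelled on the article's examples (not captured
# from a real switch). Column spacing follows the examples in the article.
ACL_OUTPUT = """\
IP access list 500 name: "ACL_500"
  rule 1 permit logging enable sip 192.168.10.10 sip-mask 255.255.255.0 dip 192.168.30.1 dip-mask 255.255.255.0 action redirect nexthop 10.10.10.20
"""
BIND_OUTPUT = """\
ACL ID  ACL NAME  Interface/VID  Direction  Type
------  --------  -------------  ---------  ----
500     ACL_500   Gi1/0/1        Ingress    Port
"""
STATUS_OUTPUT = """\
ACL hardware entry table status:
|ACL Entry Type      |Used/Total          |
|--------------------|--------------------|
|MAC ACL             |0 / 300             |
|IP ACL              |1 / 300             |
|IPv6 ACL            |0 / 0               |
|Combined ACL        |0 / 300             |
"""
ARP_OUTPUT = """\
Interface  Address      Hardware Addr      Type
Gi1/0/3    10.10.10.20  40:ae:30:e0:22:ef  DYNAMIC
"""

# One PBR rule line: action, source/destination with masks, and the redirect next hop.
RULE_RE = re.compile(
    r"rule\s+(?P<id>\d+)\s+(?P<action>permit|deny).*?"
    r"sip\s+(?P<sip>\S+)\s+sip-mask\s+(?P<sipm>\S+)\s+"
    r"dip\s+(?P<dip>\S+)\s+dip-mask\s+(?P<dipm>\S+)"
    r".*?redirect\s+nexthop\s+(?P<nh>\S+)"
)
STATUS_RE = re.compile(r"\|\s*(?P<type>[A-Za-z0-9 ]+?)\s*\|\s*(?P<used>\d+)\s*/\s*(?P<total>\d+)\s*\|")


def parse_acl_rules(text):
    """Return the redirect rules found in 'show access-list' output."""
    return [m.groupdict() for line in text.splitlines() if (m := RULE_RE.search(line))]


def in_masked_range(ip, base, mask):
    """Assumption: the mask is a subnet mask; match when (ip & mask) == (base & mask)."""
    ip_i = int(ipaddress.IPv4Address(ip))
    base_i = int(ipaddress.IPv4Address(base))
    mask_i = int(ipaddress.IPv4Address(mask))
    return ip_i & mask_i == base_i & mask_i


def rule_matches(rule, src, dst):
    return in_masked_range(src, rule["sip"], rule["sipm"]) and in_masked_range(dst, rule["dip"], rule["dipm"])


def parse_bindings(text):
    """Parse 'show access-list bind': skip the two header lines, keep 5-column rows."""
    rows = [line.split() for line in text.splitlines()[2:]]
    keys = ("acl_id", "name", "interface", "direction", "type")
    return [dict(zip(keys, r)) for r in rows if len(r) == 5]


def parse_status(text):
    """Parse 'show access-list status' into {entry type: (used, total)}."""
    return {m["type"]: (int(m["used"]), int(m["total"]))
            for line in text.splitlines() if (m := STATUS_RE.match(line))}


def parse_arp(text):
    """Parse 'show arp' into {ip: {interface, mac, type}}; skip the header line."""
    rows = [line.split() for line in text.splitlines()[1:]]
    return {r[1]: {"interface": r[0], "mac": r[2], "type": r[3]} for r in rows if len(r) == 4}


def diagnose(acl_id, ingress_port, src, dst, acl_out, bind_out, status_out, arp_out):
    """Run the article's Steps 1-4; return a list of findings (empty means all checks pass)."""
    findings = []
    # Step 1: does a permit/redirect rule actually match the traffic?
    matching = [r for r in parse_acl_rules(acl_out) if r["action"] == "permit" and rule_matches(r, src, dst)]
    if not matching:
        findings.append(f"Step 1: no redirect rule matches {src} -> {dst}")
    # Step 2: is the ACL bound on ingress to the port the traffic arrives on?
    if not any(b["acl_id"] == acl_id and b["interface"] == ingress_port and b["direction"] == "Ingress"
               for b in parse_bindings(bind_out)):
        findings.append(f"Step 2: ACL {acl_id} is not bound to {ingress_port} on ingress")
    # Step 3: is there still room in the IP ACL hardware table?
    used, total = parse_status(status_out).get("IP ACL", (0, 0))
    if used >= total:
        findings.append(f"Step 3: IP ACL hardware table exhausted ({used}/{total})")
    # Step 4: is the next hop resolvable (present in the ARP table)?
    arp = parse_arp(arp_out)
    for r in matching:
        if r["nh"] not in arp:
            findings.append(f"Step 4: no ARP entry for next hop {r['nh']}")
    return findings


if __name__ == "__main__":
    for f in diagnose("500", "Gi1/0/1", "192.168.10.50", "192.168.30.77",
                      ACL_OUTPUT, BIND_OUTPUT, STATUS_OUTPUT, ARP_OUTPUT) or ["All four checks pass"]:
        print(f)
```

Feed it the real output of the four show commands (one string each) and a packet that is known not to be redirected; the first finding returned is the step to investigate. Because the checks run in the article's order, a missing ARP entry is reported only for rules that actually match, which avoids chasing a next hop for traffic the policy never selects.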
Conclusion
By following the steps above, you can troubleshoot issues related to PBR not taking effect. If the problem persists after trying these methods, please contact TP-Link technical support for further assistance.
To learn more about each function and configuration, go to the Download Center to download the manual for your product.