When a router receives a packet, it would check the routing table to forward the packet to the egress(outgoing) interface based on the destination IP address. If we need to forward packet based on other field, like source IP etc, we need to use PBR rules to override the routing table entry. The issue is, after configuration PBR, the packets are not routed to the firewall as in the PBR rule rather forwarded based on the routing table.
- PBR was configured to route packets to a firewall instead of taking the normal route as in Routing table.
- But it seemed the packets were taking the routing table next-hop instead of configured PBR.
- For PBR to work, the incoming packet should match anyone of the PBR rule configured and the next-hop IP address in that PBR entry should be resolved. ie: The next-hop should have an ARP entry in the ARP table. Unmatched packets would hit the routing table.
- Checked the ARP entry for PBR next-hop and it was resolved.
- “show ip redirect-list” showed the ARP was resolved and the PBR configuration was correct and applied on right interface. yet, traceroute showed the packets were not taking our preferred PBR next-hop.
- Checked the syslog output from the router and noticed some logs like ‘Userflow entry was full’.
- Checked the CAM table (hardware entry) and it seemed no memory was allocated for PBR by default.
- Changed the memory partition(CAM Profile), saved the configuration, reloaded the router. PBR was working fine and firewall received packets from router.