I have setup several PBFs to force traffic to use a specific egress interface for monitoring that particular path. I then setup a ping monitor on one of the servers, Source Address 192.168.200.15, to ping several different Destination Addresses (DA). The SA is the same for each 'monitor' but the DA is different. The PBF is then setup to forward this traffic based on the source and destination addresses to the interface I want to monitor.
The rules look something like this:
Rule1. PBF_Egress-1 SA:192.168.200.15 DA:126.96.36.199 Action:Forward Egress-I/F:Eth1/1 Next Hop:192.168.0.1
Rule2. PBF_Egress-2 SA:192.168.200.15 DA:188.8.131.52 Action:Forward Egress-I/F:Eth1/2 Next Hop:192.168.1.1
Rule3. PBF_Egress-3 SA:192.168.200.15 DA:184.108.40.206 Action:Forward Egress-I/F:Eth1/3 Next Hop:192.168.2.1
Rule4. PBF_Egress-4 SA:192.168.200.15 DA:220.127.116.11 Action:Forward Egress-I/F:Eth1/4 Next Hop:192.168.3.1
Rule5. PBF_Egress-Block SA:192.168.200.15 DA:<all of the above DAs> Action:discard
Rule 5 is in place to make sure that if the traffic gets past those monitor PBF rules 1-4 it is discarded so that it can't use the default routes. I just setup a new rule and the interface is still not active so I would expect that the traffic to not be forwarded because it should still be handled by the new rule, rule 4 or at the very least rule 5, but even though the route is not yet valid but it seems to be making it past all of these rules to the default route rule and getting forwarded. When I verify the traffic via Trace Route from the above SA to 18.104.22.168 I can see that the new traffic is bouncing around the other interfaces and that tells me it's making it to the default routing rules that are a load balanced SD-WAN interface. Those default routing rules are much lower in the stack.
Anyone have any ideas why this is happening and how to make sure the PBF rules are honored?
This problem still exists. I even checked the PBF with the Test Policy Match and according to the test results it is working as expected but when I run a trace route traffic is still passing from the server to the DA that should not be reachable since that path is down. So I can't explain what is causing this and before I turn up that path I'd like to understand what's happening. I've compared the rules to each other and all of the options are the same. The only differences are the DA, Egress Interface, and Next Hop.
I should also mention that Rule 5 is only a safety net rule. As long as that rule has been in place it has never received any hits under the Hit Counter. I realize that it's not really needed but at the same time it's not hurting anything either.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!