
PBR over VRF interface?

ashish-nagpal
Level 1

Hi,

My requirement is to have PBR applied on a VRF interface. Is it possible? When I apply PBR on a VRF interface I get the following error:

% Policy Based Routing is NOT supported for VRF interfaces
% IP-Policy can be used ONLY for marking (set/clear DF bit) on VRF

In my case it is LAN interface where I have to apply PBR.

Please find the following config; this will help to understand the scenario better.

******************************
ip cef
!
ip vrf VPN_C
rd 2:2
route-target export 10:10
route-target import 40:10
!
ip vrf VPN_A
rd 103:103
route-target export 20:20
route-target import 40:10
!
ip vrf LAN_VRF
rd 64513:40
route-target export 40:10
route-target import 10:10
route-target import 20:20
route-target import 30:30
!
ip vrf VPN_B
rd 102:102
route-target export 30:30
route-target import 40:10
!
interface FastEthernet0/0
ip vrf forwarding LAN_VRF
ip address 192.168.1.81 255.255.255.240
ip policy route-map PBR
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
interface Serial1/0
no ip address
encapsulation frame-relay IETF
serial restart-delay 0
no dce-terminal-timing-enable
!
interface Serial1/0.1 point-to-point
!
interface Serial1/0.2 point-to-point
description VPN_B
ip vrf forwarding VPN_B
ip address 172.31.153.214 255.255.255.252
frame-relay interface-dlci 301
!
interface Serial1/0.3 point-to-point
description VPN_C
ip vrf forwarding VPN_C
ip address 172.31.153.166 255.255.255.252
frame-relay interface-dlci 302
!
interface Serial1/0.4 point-to-point
description VPN_A
ip vrf forwarding VPN_A
ip address 172.30.253.214 255.255.255.252
frame-relay interface-dlci 303
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
no dce-terminal-timing-enable
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
no dce-terminal-timing-enable
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
no dce-terminal-timing-enable
!
router eigrp 1
no auto-summary
!
address-family ipv4 vrf LAN_VRF
redistribute connected metric 10000 100 255 1 1500
redistribute bgp 64513 metric 10000 100 255 1 1500
network 192.168.1.81 0.0.0.0
auto-summary
autonomous-system 1
exit-address-family
!
router bgp 64513
no synchronization
bgp router-id 1.1.1.1
bgp log-neighbor-changes
no auto-summary
!
address-family ipv4 vrf VPN_B
neighbor 172.31.153.213 remote-as 65000
neighbor 172.31.153.213 activate
no synchronization
exit-address-family
!
address-family ipv4 vrf LAN_VRF
redistribute eigrp 1
no synchronization
exit-address-family
!
address-family ipv4 vrf VPN_A
neighbor 172.30.253.213 remote-as 65000
neighbor 172.30.253.213 activate
no synchronization
exit-address-family
!
address-family ipv4 vrf VPN_C
neighbor 172.31.153.165 remote-as 65000
neighbor 172.31.153.165 activate
no synchronization
exit-address-family
!
!
!
ip http server
no ip http secure-server
!
ip access-list extended VPN_B
permit ip host 90.0.0.1 host 150.0.0.1
ip access-list extended VPN_A
permit ip host 80.0.0.1 host 150.0.0.1
!
!
route-map PBR permit 10
match ip address VPN_A
set interface Serial1/0.4
!
route-map PBR permit 20
match ip address VPN_B
set interface Serial1/0.2
!
route-map PBR permit 30
**********************************************

Please advise how I can achieve my purpose in this scenario?

2 Replies

Reza Sharifi
Hall of Fame

Hello Ashish,

I don't know what version of IOS you are running but it is supported in 12.4(24)T and 12.2(33)SXH.

Have a look at this document for more info on how to configure it:

http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_mltvrf_slct_pbr.html#wp1105776

HTH

Reza

Thanks Reza, it is working...I have tested it.

Actually I have an ISR with IOS ver 15.1. It works on it also.

Ashish
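
An added example, not part of the original thread or of Cisco's documentation: a Python pre-change check that lists interfaces carrying both `ip vrf forwarding` and `ip policy route-map` (the combination the router rejected in the question) and shows which VRF each `set interface` target belongs to. The function names and the trimmed sample are constructed for illustration.

```python
import re
# Constructed sample, trimmed from the configuration posted in the question.
SAMPLE = """\
interface FastEthernet0/0
ip vrf forwarding LAN_VRF
ip policy route-map PBR
!
interface Serial1/0.2 point-to-point
ip vrf forwarding VPN_B
!
interface Serial1/0.4 point-to-point
ip vrf forwarding VPN_A
!
route-map PBR permit 10
set interface Serial1/0.4
!
route-map PBR permit 20
set interface Serial1/0.2
"""

def parse(config):
    """Return ({interface: {vrf, policy}}, {route_map: [set clauses]})."""
    ifaces, rmaps, section = {}, {}, None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"interface (\S+)", line):
            section = ifaces.setdefault(m.group(1), {"vrf": None, "policy": None})
        elif m := re.match(r"route-map (\S+) (?:permit|deny)", line):
            section = rmaps.setdefault(m.group(1), [])
        elif line == "!":
            section = None  # "!" closes a section; stray blank lines do not
        elif isinstance(section, dict):
            if m := re.match(r"ip (vrf forwarding|policy route-map) (\S+)", line):
                section["vrf" if m.group(1).startswith("vrf") else "policy"] = m.group(2)
        elif isinstance(section, list) and line.startswith("set "):
            section.append(line)
    return ifaces, rmaps

def vrf_pbr_findings(config):
    """VRF interfaces carrying PBR, with the VRF of each 'set interface' target."""
    ifaces, rmaps = parse(config)
    findings = []
    for name, cfg in ifaces.items():
        if cfg["vrf"] and cfg["policy"]:
            outs = [c.split()[2] for c in rmaps.get(cfg["policy"], [])
                    if c.startswith("set interface ")]
            targets = [(o, ifaces.get(o, {}).get("vrf")) for o in outs]
            findings.append((name, cfg["vrf"], cfg["policy"], targets))
    return findings

print(vrf_pbr_findings(SAMPLE))
```

Each finding pairs the ingress VRF with the VRF of every egress interface the route-map names, so the cross-VRF paths the policy would create are visible before the policy is applied.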
