PBR and connected route

Aug 25th, 2010

Hi all,

Question about PBR:

Can it take precedence over a connected route in any way?

I've tried using an ACL more restrictive than the subnet, but it seems not to work.

I need to route traffic from subnet A to B towards a FW; subnet B is configured both on the 6K and on the FW. So I've put ip local policy with subnet A, but no results.

Any idea?

Lei Tian (Cisco Employee) Wed, 08/25/2010 - 03:48

Hi Das,

No, PBR cannot take precedence when the destination is directly connected.

I am thinking that using different VRFs for subnet A and subnet B might help in your case.


Lei Tian

danilodicesare Wed, 08/25/2010 - 13:06

Hi Lei,

Thanks a lot for the answer!

I was thinking about different VRFs, but I need (sometimes) intra-VLAN traffic. So, in VRF fashion, with Nexus 7000 release 4.2.X (but I'm pretty sure also in 5.X) route leaking with import-export is not possible yet.

Maybe I'll split the static route to hit longest-match routing.

I must also say that it would not be so bad to have a way to overcome this 'limitation' of connected routes.

What a shame!

Thanks a lot.


Lei Tian (Cisco Employee) Wed, 08/25/2010 - 15:39

Hi Dan,

Yes, the VRF import/export feature is not there yet. The workaround is using PBR to do VRF leaking.

I was thinking of using some static routes to leak between the VRF and the global routing table. Here is my config:

ip vrf points

int vlan A
 ip vrf forwarding points
 ip add

int vlan B
 ip add

ip route vrf points FW_IP
*traffic from vlan A to vlan B send to FW*

ip route vrf points global
*traffic from vlan A to specific IP in vlan B send to global*

ip route vlan A
*return traffic from specific IP in vlan B to vlan A*

I am sure your requirement is more complex than this config, and NXOS has different syntax. I just want to throw out an idea.


Lei Tian

danilodicesare Thu, 08/26/2010 - 01:01

Hi Lei,

Thanks again.

The topology is not complex, just all IFC in VRF, nothing in global.

Have you got an example of VRF leaking with PBR?

Thanks and have a nice day.


Lei Tian (Cisco Employee) Thu, 08/26/2010 - 03:32

Hi Dan,

feature pbr

vlan 10,20

vrf context vlanA
vrf context vlanB

ip access-list vlanA_to_vlanB
  permit ip
ip access-list vlanB_to_vlanA

route-map vlanA_to_vlanB
  match ip address vlanA_to_vlanB
  set vrf vlanB
route-map vlanB_to_vlanA
  match ip address vlanB_to_vlanA
  set vrf vlanA

int vlan10
  vrf member vlanA
  ip add
  ip policy route-map vlanA_to_vlanB

int vlan20
  vrf member vlanB
  ip add
  ip policy route-map vlanB_to_vlanA


Lei Tian

danilodicesare Thu, 08/26/2010 - 04:49

Hi Lei,

Thanks, that was helpful.

Do you think PBR (in this particular case) is done in HW or is it SW-based?

Thanks again and have a nice day.

Lei Tian (Cisco Employee) Thu, 08/26/2010 - 06:35

Hi Dan,

I believe it is in hardware, but I was not able to find that in the datasheet.

Hope someone can jump in if you have the CCO link.


Lei Tian

