PBR and connected route

Aug 25th, 2010

Hi all,

Question about PBR:

Can it take precedence over a connected route in any way?

I've tried putting an ACL more restrictive than the subnet, but it seems not to work.

I need to route traffic from subnet A to B towards a FW; subnet B is configured both on the 6K and on the FW. So I've put ip local policy on subnet A, but no results.

Any idea?

Thanks
Das
Lei Tian Wed, 08/25/2010 - 03:48

Hi Das,

No, PBR cannot take precedence when the destination is directly connected.

I am thinking that using different VRFs for subnet A and subnet B might help in your case.

HTH,

Lei Tian

danilodicesare Wed, 08/25/2010 - 13:06

Hi Lei,

Thanks a lot for the answer!

I was thinking about different VRFs, but I need (sometimes) intra-VLAN traffic. So in VRF fashion with Nexus 7000 release 4.2.X (but I'm pretty sure also in 5.X), route leaking with import/export is not possible yet.

Maybe I'll split the static route to hit a longest-match route.

I also must say that it would not be so bad to have a way to overcome this 'limitation' of connected routes.

What a shame!

Thanks a lot.

Dan

Lei Tian Wed, 08/25/2010 - 15:39

Hi Dan,

Yes, the VRF import/export feature is not there yet. The workaround is using PBR to do VRF leaking.

I was thinking of using some static routes to leak between the VRF and the global routing table. Here is my configuration:

ip vrf points

int vlan A
 ip vrf forwarding points
 ip add 10.10.24.1 255.255.255.0

int vlan B
 ip add 10.10.23.1 255.255.255.0

ip route vrf points 10.10.23.0 255.255.255.0 FW_IP
*traffic from vlan A to vlan B send to FW*

ip route vrf points 10.10.23.2 255.255.255.255 10.10.23.2 global
*traffic from vlan A to specific IP in vlan B send to global*

ip route 10.10.24.0 255.255.255.0 vlan A
*return traffic from specific IP in vlan B to vlan A*

I am sure your requirement is more complex than this config, and NX-OS has different syntax. Just want to throw out an idea.

Regards,

Lei Tian
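Added illustration (not part of the thread) of the two longest-match ideas above: Dan's plan to split a static route into prefixes longer than the connected /24, and Lei's /32 for a single host that should not go to the firewall. The small Python model below performs longest-prefix lookup with Cisco-style administrative distance (connected 0, static 1); FW_IP is the thread's placeholder and "Vlan B (connected)" is a constructed label.

```python
import ipaddress

FW_IP = "FW_IP"  # placeholder from the thread, not a real address

# Constructed RIB for subnet B (10.10.23.0/24), connected on the 6K.
# Tuple layout: (prefix, administrative distance, next hop / exit interface).
RIB = [
    ("10.10.23.0/24", 0, "Vlan B (connected)"),   # connected route, AD 0
    ("10.10.23.0/24", 1, FW_IP),                  # same-length static: loses on AD
    ("10.10.23.0/25", 1, FW_IP),                  # Dan's idea: longer prefixes
    ("10.10.23.128/25", 1, FW_IP),                #   toward the firewall win
    ("10.10.23.2/32", 1, "Vlan B (connected)"),   # Lei's /32: exempt one host
]


def lookup(dst, rib=RIB):
    """Return the next hop chosen by longest-prefix match; a tie on prefix
    length is broken by the lowest administrative distance. None = no route."""
    addr = ipaddress.ip_address(dst)
    candidates = [(ipaddress.ip_network(p), ad, nh) for p, ad, nh in rib
                  if addr in ipaddress.ip_network(p)]
    if not candidates:
        return None
    best = max(candidates, key=lambda c: (c[0].prefixlen, -c[1]))
    return best[2]


def lookup_without_split(dst):
    """Same table restricted to the /24 entries: shows that a static /24 alone
    can never displace the connected /24 (equal length, worse AD)."""
    rib = [r for r in RIB if ipaddress.ip_network(r[0]).prefixlen == 24]
    return lookup(dst, rib)


if __name__ == "__main__":
    for dst in ("10.10.23.50", "10.10.23.200", "10.10.23.2"):
        print(f"{dst:>13} -> {lookup(dst)}  (no split: {lookup_without_split(dst)})")
```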

danilodicesare Thu, 08/26/2010 - 01:01

Hi Lei,

Thanks again.

The topology is not complex, just all interfaces in VRFs, nothing in global.

Have you got an example of VRF leaking with PBR?

Thanks and have a nice day

Dan

Lei Tian Thu, 08/26/2010 - 03:32

Hi Dan,

feature pbr
feature interface-vlan

vlan 10,20

vrf context vlanA
vrf context vlanB

ip access-list vlanA_to_vlanB
 permit ip 10.10.10.0/24 10.10.20.0/24
ip access-list vlanB_to_vlanA
 permit ip 10.10.20.0/24 10.10.10.0/24

route-map vlanA_to_vlanB
 match ip address vlanA_to_vlanB
 set vrf vlanB
route-map vlanB_to_vlanA
 match ip address vlanB_to_vlanA
 set vrf vlanA

int vlan10
 vrf member vlanA
 ip add 10.10.10.1/24
 ip policy route-map vlanA_to_vlanB

int vlan20
 vrf member vlanB
 ip add 10.10.20.1/24
 ip policy route-map vlanB_to_vlanA

Regards,

Lei Tian

danilodicesare Thu, 08/26/2010 - 04:49

Hi Lei,

Thanks, that was helpful.

Do you think PBR (in this particular case) is done in HW or is SW based?

Thanks again and have a nice day

Lei Tian Thu, 08/26/2010 - 06:35

Hi Dan,

I believe it is in hardware, but I was not able to find that in the datasheet.

Hope someone can jump in if they have the CCO link.

Regards,

Lei Tian
