PBR and connected route

danilodicesare · ‎08-25-2010

Hi all,

question about PBR:

can take precedence on connected route in any way?

I've tried putting ACL restrictive than subnet but it seems not to work.

I need to route traffic from subnet A to B towards a FW, subnet B is configured both on 6K and on FW. so i've putted ip local policy con subnet A but no results

Any idea?

tnx

Das

Lei Tian · ‎08-25-2010

Hi Das,

No, PBR cannot take precedence when destination is directly connected.

I am thinking of using different vrf for subnet A and subnet B might help on your case.

HTH,

Lei Tian

danilodicesare · ‎08-25-2010

Hi Lei,

tnx a lot for answer!

I was thinking about different VRF but i need (sometimes) traffic intra-vlan. So in VRF fashion with Nexus 7000 release 4.2.X (but i'm pretty sure also in 5.X) route leaking with import-export is not possible yet.

maybe i'll split static route for hitting a longest match routing.

I also must say that will be not so bad to have e way to overcome this 'limitation' of connected route.

What's a shame!

tnx a lot.

Dan

Lei Tian · ‎08-25-2010

Hi Dan,

Yes, the vrf import/export feature is not there yet. The work around is using pbr to do vrf leaking.

I was thinking using some static routes to leak between vrf and global routing table. Here is my configure;

ip vrf points

int vlan A

ip vrf forwarding points

ip add 10.10.24.1 255.255.255.0

int vlan B

ip add 10.10.23.1 255.255.255.0

ip route vrf points 10.10.23.0 255.255.255.0 FW_IP

*traffic from vlan A to vlan B send to FW*

ip route vrf points 10.10.23.2 255.255.255.255 10.10.23.2 global

*traffic from vlan A to specific IP in vlan B send to global*

ip route 10.10.24.0 255.255.255.0 vlan A

*return traffic from specific IP in vlan B to vlan A*

I am sure your requirement is more complex than this config, and NXOS has different syntax. Just want to throw an idea.

Regards,

Lei Tian

danilodicesare · ‎08-26-2010

hi Lei,

tnx again.

topology is not complex, just all IFC in VRF, nothing in global

have 'u got axample of vrf leaking with PBR?

tnx and have nice day

Dan

Lei Tian · ‎08-26-2010

Hi Dan,

feature pbr

vlan 10,20

vrf context vlanA
vrf context vlanB

ip access-list vlanA_to_vlanB
permit ip 10.10.10.0/24 10.10.20.0/24
ip access-list vlanB_to_vlanA
permit 10.10.20.0/24 10.10.10.0/24

route-map vlanA_to_vlanB
match ip address vlanA_to_vlanB
set vrf vlanB
route-map vlanB_to_vlanA
match ip address vlanB_to_vlanA
set vrf vlanA

int vlan10
vrf member vlanA
ip add 10.10.10.1/24
ip policy route-map vlanA_to_vlanB

int vlan20
vrf member vlanB
ip add 10.10.20.1/24
ip policy route-map vlanB_to_vlanA

Regards,

Lei Tian

danilodicesare · ‎08-26-2010

Hi Lei,

tnx was helpful.

do 'u think PBR (in this particular) is done in HW or is SW based?

tnx again and have nice day

Lei Tian · ‎08-26-2010

Hi Dan,

I believe it is in hardware, but I was not able to find that in datasheet.

Hope someone can jump in if you have the CCO link.

Regards,

Lei Tian