PBR over VRF interface?

ashish-nagpal
Level 1

Hi,

My requirement is to have PBR applied on a VRF interface. Is it possible? When I apply PBR on a VRF interface I get the following error:

% Policy Based Routing is NOT supported for VRF interfaces
% IP-Policy can be used ONLY for marking (set/clear DF bit) on VRF

In my case it is the LAN interface where I have to apply PBR.

Please find the following config; this will help to understand the scenario better.

******************************
ip cef
!
ip vrf VPN_C
 rd 2:2
 route-target export 10:10
 route-target import 40:10
!
ip vrf VPN_A
 rd 103:103
 route-target export 20:20
 route-target import 40:10
!
ip vrf LAN_VRF
 rd 64513:40
 route-target export 40:10
 route-target import 10:10
 route-target import 20:20
 route-target import 30:30
!
ip vrf VPN_B
 rd 102:102
 route-target export 30:30
 route-target import 40:10
!
interface FastEthernet0/0
 ip vrf forwarding LAN_VRF
 ip address 192.168.1.81 255.255.255.240
 ip policy route-map PBR
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface Serial1/0
 no ip address
 encapsulation frame-relay IETF
 serial restart-delay 0
 no dce-terminal-timing-enable
!
interface Serial1/0.1 point-to-point
!
interface Serial1/0.2 point-to-point
 description VPN_B
 ip vrf forwarding VPN_B
 ip address 172.31.153.214 255.255.255.252
 frame-relay interface-dlci 301
!
interface Serial1/0.3 point-to-point
 description VPN_C
 ip vrf forwarding VPN_C
 ip address 172.31.153.166 255.255.255.252
 frame-relay interface-dlci 302
!
interface Serial1/0.4 point-to-point
 description VPN_A
 ip vrf forwarding VPN_A
 ip address 172.30.253.214 255.255.255.252
 frame-relay interface-dlci 303
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
 no dce-terminal-timing-enable
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
 no dce-terminal-timing-enable
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
 no dce-terminal-timing-enable
!
router eigrp 1
 no auto-summary
 !
 address-family ipv4 vrf LAN_VRF
  redistribute connected metric 10000 100 255 1 1500
  redistribute bgp 64513 metric 10000 100 255 1 1500
  network 192.168.1.81 0.0.0.0
  auto-summary
  autonomous-system 1
 exit-address-family
!
router bgp 64513
 no synchronization
 bgp router-id 1.1.1.1
 bgp log-neighbor-changes
 no auto-summary
 !
 address-family ipv4 vrf VPN_B
  neighbor 172.31.153.213 remote-as 65000
  neighbor 172.31.153.213 activate
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf LAN_VRF
  redistribute eigrp 1
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf VPN_A
  neighbor 172.30.253.213 remote-as 65000
  neighbor 172.30.253.213 activate
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf VPN_C
  neighbor 172.31.153.165 remote-as 65000
  neighbor 172.31.153.165 activate
  no synchronization
 exit-address-family
!
!
!
ip http server
no ip http secure-server
!
ip access-list extended VPN_B
 permit ip host 90.0.0.1 host 150.0.0.1
ip access-list extended VPN_A
 permit ip host 80.0.0.1 host 150.0.0.1
!
!
route-map PBR permit 10
 match ip address VPN_A
 set interface Serial1/0.4
!
route-map PBR permit 20
 match ip address VPN_B
 set interface Serial1/0.2
!
route-map PBR permit 30
**********************************************

Please advise how I can achieve my purpose in this scenario?


Giuseppe Larosa
Hall of Fame

Hello Ashish,

What device is this and what IOS image are you running on it?

It may be a question of IOS image or a problem related to this platform.

Hope to help

Giuseppe

Hi Giuseppe,

Thanks for replying.

I am using ISRs and IOS is 15.0, security features.

Just wanted to inform you that it is working with the above-mentioned config. If you feel the need for improvement in the above config, you are most welcome.

Thanks again

Ashish

netservices
Level 1

Hi Ashish,

I too came across this error when configuring PBR on a VRF interface and I too found that it worked anyway. This was on a 7204VXR (NPE400) running 12.2(28)SB8.

However, I must warn you that approximately 3 months after applying the configuration it seemed to stop working without any apparent cause. This had the effect of blocking all traffic that we were trying to policy route and caused an outage for one of our clients.

You are using a much more recent IOS version so you may not run into the same trouble but I thought you might be interested in this experience in case it occurs for you too. We could find no workaround at the time, even removing and reapplying the configuration made no difference and since then it has been permanently removed.

Regards

Steven
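
An added example, not part of the thread and not Cisco code: a small Python audit that scans a saved configuration for interfaces carrying both `ip vrf forwarding` and `ip policy route-map`, the combination that produced the warning above, and lists the `set interface` targets that sit in a different VRF. The function name and the sample configuration are constructed for illustration, and only the commands shown in the thread are parsed.

```python
import re

# Constructed sample: the PBR/VRF lines of the thread's configuration, trimmed.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip vrf forwarding LAN_VRF
 ip policy route-map PBR
!
interface Serial1/0.2 point-to-point
 ip vrf forwarding VPN_B
!
interface Serial1/0.4 point-to-point
 ip vrf forwarding VPN_A
!
route-map PBR permit 10
 match ip address VPN_A
 set interface Serial1/0.4
!
route-map PBR permit 20
 match ip address VPN_B
 set interface Serial1/0.2
"""

def audit_pbr_on_vrf(config_text):
    """Hypothetical helper: report interfaces that combine a VRF with ip policy."""
    iface_vrf, iface_policy, targets = {}, {}, {}
    kind = name = None
    for raw in config_text.splitlines():
        line = raw.strip()  # works for indented and flattened configs
        if line == "!":
            kind = name = None  # "!" closes the current block
        elif m := re.fullmatch(r"(interface|route-map) (\S+)( .*)?", line):
            kind, name = m.group(1), m.group(2)
        elif kind == "interface" and (m := re.fullmatch(r"ip vrf forwarding (\S+)", line)):
            iface_vrf[name] = m.group(1)
        elif kind == "interface" and (m := re.fullmatch(r"ip policy route-map (\S+)", line)):
            iface_policy[name] = m.group(1)
        elif kind == "route-map" and (m := re.fullmatch(r"set interface (.+)", line)):
            targets.setdefault(name, []).extend(m.group(1).split())
    findings = []
    for iface, rmap in iface_policy.items():
        if iface not in iface_vrf:
            continue  # plain PBR on a non-VRF interface is not the case discussed
        # Egress interfaces whose VRF differs from the ingress interface's VRF.
        crossing = [(t, iface_vrf.get(t, "global")) for t in targets.get(rmap, [])
                    if iface_vrf.get(t, "global") != iface_vrf[iface]]
        findings.append({"interface": iface, "vrf": iface_vrf[iface],
                         "route_map": rmap, "cross_vrf_targets": crossing})
    return findings
```

Calling `audit_pbr_on_vrf(SAMPLE_CONFIG)` returns one finding for FastEthernet0/0 in LAN_VRF, with both serial subinterfaces listed as cross-VRF targets.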
