Yes  , we have a few VLANS  , in fact  close to 300 layer 3  VLANs.

We need to redirect the traffic from all these VLANS going to a specific destination ( for which we don’t have a specific route) to the GRE tunnel.  We have two options here   , either configure the specific PBR under all these VLANs or configure the PBR on the firewall VLAN where the traffic will be hitting since the default route is pointed towards the firewall.

Kindly let us know whether this makes sense ?

Regards

Akhil

  Yes  , we have a few VLANS  , in fact  close to 300 layer 3  VLANs.

We need to redirect the traffic from all these VLANS going to a specific destination ( for which we don’t have a specific route) to the GRE tunnel.  We have two options here   , either configure the specific PBR under all these VLANs or configure the PBR on the firewall VLAN where the traffic will be hitting since the default route is pointed towards the firewall.

Kindly let us know whether this makes sense ?

it's worth remember that:

– The PFC does not provides hardware support for PBR configured with the set ip next-hop keywords if the next hop is a tunnel interface.

http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst6500/ios/12.2SX/release/notes/features.html

Riccardo

Riccardo,

Good point - I forgot to check those caveats...

Hi,

The question here is whether the PBR will work or not for the mentioned scenario  and not whether it is hardware switched or software switched ! 

Regards

Akhil

Hi Akhil P Jose,

well... if you say that it is not working I take it for granted that it does not work.

Regarding the fact whether this is supposed to be working or not I have the impression that you did not do your homeworks on PBR requirements in general.

Latchum put you on the right track but it is not clear if you followed his advise.

Since your destination is not known you gotta use 'set ip default next-hop' since:

"The set ip default next-hop command verifies the existence of the destination IP address in the routing table, and…

• if the destination IP address exists, the command does not policy route the packet, but forwards the packet based on the routing table.
• if the destination IP address does not exist, the command policy routes the packet by sending it to the specified next hop.

The set ip next-hop command verifies the existence of the next hop specified, and…

• if the next hop exists in the routing table, then the command policy routes the packet to the next hop.
• if the next hop does not exist in the routing table, the command uses the normal routing table to forward the packet."

http://www.cisco.com/en/US/tech/tk364/technologies_configuration_example09186a00801f3b54.shtml

You are in the second bullet of the first scenario, hence you have to use set ip defaul next-hop. Have you tried that?

After you configure it you have to check the tcam programming for the interface where you applied the PBR

show tcam interface vlan 100 acl in ip

and

show tcam interface vlan 100 acl in ip detail

You should see see your acl there with the 'punt' operator (or the 'redirect' operator if you have copp on) since, as we said, your configuration is not supported in hardware.

Let me add that since you are handling a platform that is designed to switch traffic in hardware the fact that your configuration forces it to software switch the traffic is not a mere detail as you are implying from the previous post.

Having a PBR on a 6500 configured in software is extremely risky and I would not do it; but if this is your choice even though your are aware of the risks your are taking I will not comment on it further. Just be ready to open a TAC case as soon as the CPU jumps to the sky and you see lots of drops incase of high volume traffic going through that PBR

Riccardo

Hi Akhil,

From the above posts and your argue, I understand this..

You have default route from all vlans pointed to vlan100, is this correct?
You have a GRE tunnel configured in the 6509.
Now you want send some specific traffic (You knows the destination) through GRE tunnel interface, is this correct?

So configuring PBR under all vlans will he tuff and what about the unknown traffic if you apply the PBR to vlan interface?
I am presuming your GRE tunnel configured on your 6509, is this correct?

Here what I would suggest is define a PBR (Note: you knows the destination traffic .... permit ip 192.168.2.0 0.0.0.255 10.10.10.0 0.0.0.255) and apply to the interface (vlan100) whcih currently routing the default route.

Let me know if you have any question on above also update.

Please rate the helpfull posts.
Regards,
Naidu.