I configured policy-based routing for an SVI in a Nexus 9K. The goal was to route internet-destined traffic for this VLAN to a different firewall, allowing normal routing for all internal destinations. Here's what I configured:
! Internal destinations that must keep using normal routing
ip access-list PA_PILOT_DENY
  permit ip any 192.168.0.0/16
  permit ip any 10.0.0.0/8
  permit ip any 172.16.0.0/12
  permit ip any 198.18.0.0/15
! Pilot host whose remaining (internet-bound) traffic gets policy-routed
ip access-list PA_PILOT_PERMIT
  permit ip host 192.168.100.10 any
! Sequence 10: internal destinations fall through to the routing table
route-map PA_PILOT_RM deny 10
  match ip address PA_PILOT_DENY
! Sequence 20: everything else from the pilot host goes to the other firewall
route-map PA_PILOT_RM permit 20
  match ip address PA_PILOT_PERMIT
  set ip next-hop 10.10.10.4
! SVI in VRF RED; the next-hop 10.10.10.4 lives in VRF BLUE
interface Vlan100
  vrf member RED
  ip address 192.168.100.1/24
  ip policy route-map PA_PILOT_RM
The route-map doesn't work. I think the problem is that VLAN 100 is in VRF RED, while the next-hop IP is in VRF BLUE even though the VRFs leak all their routes to one another.
Any thoughts on how to make this work with the interfaces in separate VRFs? Thanks for your help!
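A way to sanity-check the intended match logic of the route-map in the post, as an added example that is not part of the original question: it models NX-OS first-match route-map evaluation in Python (a deny sequence, or no match at all, means the packet uses the normal routing table) so you can confirm which flows should receive the 10.10.10.4 next-hop before chasing the cross-VRF problem. The prefixes, host and next-hop are taken from the post; the packet samples are constructed.

```python
import ipaddress

# Constructed from the ACLs in the post: sequence 10 denies (normal routing)
# anything destined to internal space; sequence 20 policy-routes the pilot host.
INTERNAL_DESTINATIONS = [ipaddress.ip_network(n) for n in (
    "192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12", "198.18.0.0/15")]
PILOT_SOURCES = [ipaddress.ip_network("192.168.100.10/32")]
PBR_NEXT_HOP = "10.10.10.4"


def acl_matches(src, dst, src_nets, dst_nets):
    """True if the packet matches any permit entry (src_nets x dst_nets)."""
    src_ok = any(src in n for n in src_nets) if src_nets else True   # 'any'
    dst_ok = any(dst in n for n in dst_nets) if dst_nets else True   # 'any'
    return src_ok and dst_ok


# Route-map as an ordered list: (action, sequence, matcher). First match wins.
ROUTE_MAP = [
    ("deny", 10, lambda s, d: acl_matches(s, d, [], INTERNAL_DESTINATIONS)),
    ("permit", 20, lambda s, d: acl_matches(s, d, PILOT_SOURCES, [])),
]


def pbr_decision(src_ip, dst_ip):
    """Return the PBR next-hop for a packet, or None for normal routing."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, _seq, matcher in ROUTE_MAP:
        if matcher(src, dst):
            return PBR_NEXT_HOP if action == "permit" else None
    return None  # no sequence matched: routing table applies


if __name__ == "__main__":
    # Constructed sample flows from the VLAN 100 SVI
    for flow in [("192.168.100.10", "8.8.8.8"),      # pilot host to internet
                 ("192.168.100.10", "10.1.1.1"),     # pilot host to internal
                 ("192.168.100.20", "8.8.8.8")]:     # non-pilot host to internet
        print(flow, "->", pbr_decision(*flow) or "normal routing")
```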