PBR - ip next-hop to address in different, route-leaked VRF

I configured policy-based routing for an SVI in a Nexus 9K. The goal was to route internet-destined traffic for this VLAN to a different firewall, allowing normal routing for all internal destinations. Here's what I configured:

ip access-list PA_PILOT_DENY
  permit ip any 192.168.0.0/16
  permit ip any 10.0.0.0/8
  permit ip any 172.16.0.0/12
  permit ip any 198.18.0.0/15

ip access-list PA_PILOT_PERMIT
  permit ip host 192.168.100.10 any

route-map PA_PILOT_RM deny 10
  match ip address PA_PILOT_DENY
route-map PA_PILOT_RM permit 20
  match ip address PA_PILOT_PERMIT
  set ip next-hop 10.10.10.4

interface Vlan100
  vrf member RED
  ip address 192.168.100.1/24
  ip policy route-map PA_PILOT_RM


The route-map doesn't work. I think the problem is that VLAN 100 is in VRF RED, while the next-hop IP is in VRF BLUE even though the VRFs leak all their routes to one another.
Any thoughts on how to make this work with the interfaces in separate VRFs? Thanks for your help!
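As an added illustration (not part of the original post, and not NX-OS code), the following Python model walks a packet through the posted route-map the way PBR evaluates it: sequences are tried top down, a `permit` ACE inside a `match ip address` ACL means the clause matches, a matching `deny` sequence means the packet is not policy-routed and falls back to normal routing, and no match at all has the same effect. The ACL and route-map contents are transcribed from the post; the flows, the interface-to-VRF table and the `vrf_mismatch` check are constructed. That last check encodes the poster's hypothesis (the next-hop is resolved in the ingress interface's VRF) as a labelled assumption, not as confirmed platform behaviour.

```python
"""Model of how the posted PA_PILOT_RM policy route-map is evaluated.

Constructed example; it reproduces route-map matching semantics, not NX-OS itself.
"""
import ipaddress
from typing import Optional

# ACLs transcribed from the post: (action, source prefix, destination prefix).
ACLS = {
    "PA_PILOT_DENY": [
        ("permit", "any", "192.168.0.0/16"),
        ("permit", "any", "10.0.0.0/8"),
        ("permit", "any", "172.16.0.0/12"),
        ("permit", "any", "198.18.0.0/15"),
    ],
    "PA_PILOT_PERMIT": [
        ("permit", "192.168.100.10/32", "any"),
    ],
}

# Route-map transcribed from the post: (action, sequence, match ACL, set next-hop).
ROUTE_MAP = [
    ("deny", 10, "PA_PILOT_DENY", None),
    ("permit", 20, "PA_PILOT_PERMIT", "10.10.10.4"),
]

# Constructed from the post's description: VLAN 100 sits in VRF RED,
# the next-hop address lives in VRF BLUE.
INTERFACE_VRF = {"Vlan100": "RED"}
NEXT_HOP_VRF = {"10.10.10.4": "BLUE"}


def _in_prefix(addr: str, prefix: str) -> bool:
    """'any' matches everything; otherwise do a longest-prefix containment test."""
    if prefix == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)


def acl_matches(acl_name: str, src: str, dst: str) -> bool:
    """Return True when the ACL's first-hit ACE for this src/dst is a permit.

    Inside a route-map 'match ip address', a permit ACE means the packet matches
    the clause; a deny ACE hit, or no hit at all, means it does not.
    """
    for action, s, d in ACLS[acl_name]:
        if _in_prefix(src, s) and _in_prefix(dst, d):
            return action == "permit"
    return False


def policy_route(src: str, dst: str) -> Optional[str]:
    """Walk the route-map top down.

    Returns the next-hop set by the first matching permit sequence, or None when
    the packet hits a deny sequence or matches nothing (normal VRF routing).
    """
    for action, _seq, acl, next_hop in ROUTE_MAP:
        if acl_matches(acl, src, dst):
            return next_hop if action == "permit" else None
    return None


def vrf_mismatch(ingress_if: str, next_hop: Optional[str]) -> bool:
    """Flag a policy next-hop that does not live in the ingress interface's VRF.

    Assumption (the poster's hypothesis, not a verified NX-OS fact): the
    'set ip next-hop' address is resolved in the VRF of the interface where
    'ip policy route-map' is applied.
    """
    if next_hop is None:
        return False
    return INTERFACE_VRF[ingress_if] != NEXT_HOP_VRF.get(next_hop)


if __name__ == "__main__":
    # Constructed sample flows from the pilot host and a non-pilot host on VLAN 100.
    flows = [
        ("192.168.100.10", "8.8.8.8"),      # pilot host to the internet
        ("192.168.100.10", "10.1.1.1"),     # pilot host to an internal RFC1918 net
        ("192.168.100.10", "198.19.5.5"),   # pilot host to the 198.18.0.0/15 range
        ("192.168.100.50", "8.8.8.8"),      # non-pilot host, not in PA_PILOT_PERMIT
    ]
    for src, dst in flows:
        nh = policy_route(src, dst)
        verdict = f"set next-hop {nh}" if nh else "normal routing"
        flag = "  <- next-hop is in another VRF" if vrf_mismatch("Vlan100", nh) else ""
        print(f"{src} -> {dst}: {verdict}{flag}")
```

Running the model shows the intent of the deny-first design: only the pilot host's traffic to non-private destinations receives the 10.10.10.4 next-hop, while everything internal and every other host on the VLAN stays on normal routing. The `vrf_mismatch` flag is raised on every policy-routed flow, which is exactly the RED-versus-BLUE condition the post describes.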