02-28-2010 10:35 AM
Hi,
My requirement is to have PBR applied on a VRF interface; is it possible? When I apply PBR on a VRF interface I get the following error:
% Policy Based Routing is NOT supported for VRF interfaces
% IP-Policy can be used ONLY for marking (set/clear DF bit) on VRF
In my case it is LAN interface where I have to apply PBR.
Please find the following config; this will help to understand the scenario better.
******************************
ip cef
!
ip vrf VPN_C
rd 2:2
route-target export 10:10
route-target import 40:10
!
ip vrf VPN_A
rd 103:103
route-target export 20:20
route-target import 40:10
!
ip vrf LAN_VRF
rd 64513:40
route-target export 40:10
route-target import 10:10
route-target import 20:20
route-target import 30:30
!
ip vrf VPN_B
rd 102:102
route-target export 30:30
route-target import 40:10
!
interface FastEthernet0/0
ip vrf forwarding LAN_VRF
ip address 192.168.1.81 255.255.255.240
ip policy route-map PBR
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
interface Serial1/0
no ip address
encapsulation frame-relay IETF
serial restart-delay 0
no dce-terminal-timing-enable
!
interface Serial1/0.1 point-to-point
!
interface Serial1/0.2 point-to-point
description VPN_B
ip vrf forwarding VPN_B
ip address 172.31.153.214 255.255.255.252
frame-relay interface-dlci 301
!
interface Serial1/0.3 point-to-point
description VPN_C
ip vrf forwarding VPN_C
ip address 172.31.153.166 255.255.255.252
frame-relay interface-dlci 302
!
interface Serial1/0.4 point-to-point
description VPN_A
ip vrf forwarding VPN_A
ip address 172.30.253.214 255.255.255.252
frame-relay interface-dlci 303
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
no dce-terminal-timing-enable
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
no dce-terminal-timing-enable
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
no dce-terminal-timing-enable
!
router eigrp 1
no auto-summary
!
address-family ipv4 vrf LAN_VRF
redistribute connected metric 10000 100 255 1 1500
redistribute bgp 64513 metric 10000 100 255 1 1500
network 192.168.1.81 0.0.0.0
auto-summary
autonomous-system 1
exit-address-family
!
router bgp 64513
no synchronization
bgp router-id 1.1.1.1
bgp log-neighbor-changes
no auto-summary
!
address-family ipv4 vrf VPN_B
neighbor 172.31.153.213 remote-as 65000
neighbor 172.31.153.213 activate
no synchronization
exit-address-family
!
address-family ipv4 vrf LAN_VRF
redistribute eigrp 1
no synchronization
exit-address-family
!
address-family ipv4 vrf VPN_A
neighbor 172.30.253.213 remote-as 65000
neighbor 172.30.253.213 activate
no synchronization
exit-address-family
!
address-family ipv4 vrf VPN_C
neighbor 172.31.153.165 remote-as 65000
neighbor 172.31.153.165 activate
no synchronization
exit-address-family
!
!
!
ip http server
no ip http secure-server
!
ip access-list extended VPN_B
permit ip host 90.0.0.1 host 150.0.0.1
ip access-list extended VPN_A
permit ip host 80.0.0.1 host 150.0.0.1
!
!
route-map PBR permit 10
match ip address VPN_A
set interface Serial1/0.4
!
route-map PBR permit 20
match ip address VPN_B
set interface Serial1/0.2
!
route-map PBR permit 30
**********************************************
Please advise how I can achieve my purpose in this scenario?
03-01-2010 02:51 PM
Hello Ashish,
What device is this and what IOS image are you running on it?
It may be a question of IOS image or a problem related to this platform.
Hope to help
Giuseppe
03-02-2010 06:45 AM
Hi Giuseppe,
Thanks for replying.
I am using ISRs and IOS is 15.0, security features.
Just wanted to inform you that it is working with the above-mentioned config. If you feel the need of improvement in the above config, you are most welcome.
Thanks again
Ashish
06-15-2010 03:21 AM
Hi Ashish,
I too came across this error when configuring PBR on a VRF interface and I too found that it worked anyway. This was on a 7204VXR (NPE400) running 12.2(28)SB8.
However, I must warn you that approximately 3 months after applying the configuration it seemed to stop working without any apparent cause. This had the effect of blocking all traffic that we were trying to policy route and caused an outage for one of our clients.
You are using a much more recent IOS version so you may not run into the same trouble but I thought you might be interested in this experience in case it occurs for you too. We could find no workaround at the time, even removing and reapplying the configuration made no difference and since then it has been permanently removed.
Regards
Steven
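
An added example, not part of any post in this thread: a Python check that scans an IOS configuration for the pattern discussed above (an interface carrying both "ip vrf forwarding" and "ip policy route-map") and lists the route-map's "set interface" targets that belong to a different VRF, so the unsupported combination can be found in a config review before it fails in production. The function name, the finding format and the trimmed sample config are assumptions made for this illustration.

```python
import re

# Constructed sample: a trimmed excerpt of the configuration posted in this thread.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip vrf forwarding LAN_VRF
 ip policy route-map PBR
!
interface Serial1/0.2 point-to-point
 ip vrf forwarding VPN_B
!
interface Serial1/0.4 point-to-point
 ip vrf forwarding VPN_A
!
route-map PBR permit 10
 match ip address VPN_A
 set interface Serial1/0.4
!
route-map PBR permit 20
 match ip address VPN_B
 set interface Serial1/0.2
!
route-map PBR permit 30
"""

def audit_pbr_on_vrf(config):
    """Return one finding per interface carrying both a VRF and a PBR route-map."""
    iface_vrf, iface_policy, rmap_targets = {}, {}, {}
    section = None  # (block keyword, block name) of the config block being read
    for line in map(str.strip, config.splitlines()):
        head = re.match(r"(interface|route-map)\s+(\S+)", line)
        if head or line in ("", "!") or section is None:
            section = head.groups() if head else None
            continue
        kind, name = section
        if kind == "interface" and (m := re.match(r"ip vrf forwarding (\S+)", line)):
            iface_vrf[name] = m.group(1)
        elif kind == "interface" and (m := re.match(r"ip policy route-map (\S+)", line)):
            iface_policy[name] = m.group(1)
        elif kind == "route-map" and (m := re.match(r"set interface (\S+)", line)):
            rmap_targets.setdefault(name, []).append(m.group(1))
    findings = []
    for iface, rmap in iface_policy.items():
        if iface not in iface_vrf:
            continue  # PBR on a global-table interface is not the case discussed here
        cross = [(t, iface_vrf.get(t, "global")) for t in rmap_targets.get(rmap, [])
                 if iface_vrf.get(t) != iface_vrf[iface]]
        findings.append({"interface": iface, "vrf": iface_vrf[iface],
                         "route_map": rmap, "cross_vrf_targets": cross})
    return findings
```

Lines are stripped before matching, so the check also works on a config pasted without indentation, as in the first post.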