Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1683
Views
5
Helpful
7
Replies

Can't apply PBR on Nexus 9300

Go to solution
AK59
Level 1
Level 1

‎12-12-2021 02:12 PM - last edited on ‎12-14-2021 04:41 AM by Community Manager

Dear all, 

 

I'm actually stuck implementing PBR on a N9K.

I have 4 x C93180LC-EX, 1 cluster of 2 in one site, the other cluster of 2 in another site. 

Both are connected via vPC, the configurations seems  pretty similars.

Both sites have FEX members

 

 

I have to implement PBR.

The "route-map" is based on an ACL permitting packets coming from one subnet to public destination, the action is to route it a "next-hop" which is a remote firewall. 

 

The problem is that I have been able to implement it only on one cluster...when I tried to implement on both members of the other cluster, I get this message 

 

% Could not apply PBR route-map - Redirect not supported for one of a configured next-hop

 

Can someone know how to deal with it ? 

 

Thanks in advance,               

1 Accepted Solution

Accepted Solutions

Go to solution
AK59
Level 1
Level 1
In response to Georg Pauwen

‎12-14-2021 12:34 AM - last edited on ‎12-14-2021 04:42 AM by Community Manager

Little update, we finally found the cause of the problem. 

 

With Nexus 9300 EX series, you can't do PBR with interfaces on FEX. 

Our "next-hop" was on FEX interfaces , that's why it didn't work. 

 

As soon as we changed it and put the next hop on another core router, it worked. 

View solution in original post

0 Helpful
7 Replies 7

Go to solution
MHM Cisco World
VIP
VIP

‎12-12-2021 03:26 PM

follow

0 Helpful

Go to solution
Georg Pauwen
VIP
VIP

‎12-13-2021 04:15 AM

Hello,

 

can you post the route map, as well as a drawing of your topology ?

0 Helpful

Go to solution
AK59
Level 1
Level 1

‎12-13-2021 04:31 AM

Hello,

 

You'll find attached the scheme.

The policy route map say that if the flow comes from sources server to a specified destination, then set the next hop to VIP 1 .

 

Preview file
67 KB
0 Helpful

Go to solution
Georg Pauwen
VIP
VIP
In response to AK59

‎12-13-2021 04:45 AM

Hello,

 

I can only see what you post. What does the other route map look like, and what is the difference between the next hops specified in both route maps ?

 

Post the content of both route maps.

0 Helpful

Go to solution
AK59
Level 1
Level 1

‎12-13-2021 06:18 AM

Here is the summary 

 

 

Creating the access-list 

N9K# configure terminal

N9K(config)# ip access-list ACL

N9K(config-acl)# permit ip 10.1.1.0 0.0.0.255  11.0.0.0 0.255.255.255



Creating the route-map policy



N9K# configure terminal

N9K(config)# route-map PBR

N9K(config-route-map)#  match ip address ACL

N9K(config-route-map)#  set ip next-hop 10.2.2.2 (that's my VIP )



Applying the route-map

 

N9K# configure terminal

N9K(config)#  int vlan 5

N9K(config-if)#  ip policy route-map PBR

 

I do the exact same configuration on the 4 Nexus...

0 Helpful

Go to solution
Georg Pauwen
VIP
VIP
In response to AK59

‎12-13-2021 07:19 AM - last edited on ‎12-14-2021 04:25 AM by Community Manager

Hello,

 

what if you add the "load-share" option:

 

set ip next-hop 10.2.2.2 load-share

 

0 Helpful

Go to solution
AK59
Level 1
Level 1
In response to Georg Pauwen

‎12-14-2021 12:34 AM - last edited on ‎12-14-2021 04:42 AM by Community Manager

Little update, we finally found the cause of the problem. 

 

With Nexus 9300 EX series, you can't do PBR with interfaces on FEX. 

Our "next-hop" was on FEX interfaces , that's why it didn't work. 

 

As soon as we changed it and put the next hop on another core router, it worked. 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card