Re: Issues with a PBR on Nexus 9504

TRACY HARTMANN · ‎06-12-2019

I am trying to use a PBR on a Nexus 9504. First problem is you can't have deny statements, so I think I have that fixed but it doesn't seem to be using the PBR.

I have several layer 2 switches connecting to the Nexus. All the vlan interfaces are on the Nexus so I place the PBR on the Vlan I wanted and it doesn't seem to be doing the PBR.

Here is the route-map etc I am trying to get anything internet to take the next hop

ip access-list zscaler_deny
10 permit ip any 10.0.0.0 0.255.255.255
20 permit ip any 172.16.0.0 0.15.255.255
30 permit ip any 192.168.0.0 0.0.255.255
40 permit ip any 224.0.0.0 15.255.255.255

ip access-list zscaler_permit
5 permit ip any any

route-map zscaler_deny deny 10
match ip address zscaler_deny
route-map zscaler_deny permit 20
match ip address zscaler_permit
set ip next-hop x.x.x.x

then apply the Policy to the Vlan interface:

Vlan interace 12

IP address 10.0.0.1 255.255.255.0

ip policy route-map zscaler_deny

Then I ran a trace to 8.8.8.8 source from 10.0.0.1 and it doesn't go to the next hop. So at this time I don't know of the PBR is working or I have it placed in the wrong spot.

Hector Gustavo Serrano Gutierrez · ‎06-12-2019

Hi @TRACY HARTMANN,

The config looks ok to me.

- How does the traceroute looks like? (You can modify your IP addressing for confidentiality).

- Do you have a single Nexus or two in vPC cluster?

Cheers.

TRACY HARTMANN · ‎06-12-2019

The tracert looks like it would if the PBR was not on, it doesn't go to the next hop at all. There is no difference and there should be.

TRACY HARTMANN · ‎06-12-2019

Sorry we have two Nexus forgot to mention that and the tracert looks the same before and after I apply the Policy

Hector Gustavo Serrano Gutierrez · ‎06-12-2019

Additionally, the PBR won't take action for traffic generated by the Nexus itself.

You need to run the traceroute from a Hosts which uses this Nexus as Default Gateway (based on your config, the host is on Vlan12).

The first hop shown in that traceroute should be 10.0.0.1 (I mention this in case you have two Nexus Switches in vPC cluster. In that case, there is a possibility traffic is hashed to the other Nexus where you may not have the PBR in place).

TRACY HARTMANN · ‎06-12-2019

yes a tracert from a PC with that as the default gateway doesn't look any different before or after the PBR is applied to the interface vlans.

Hector Gustavo Serrano Gutierrez · ‎06-12-2019

Is the traceroute showing 10.0.0.1 as first hop? Do you have vPC?

What is the NX-OS version running on your Nexus?

TRACY HARTMANN · ‎06-12-2019

yes the tracert from the PC comes to the Nexus IP address and then continues on without doing the next hop in the route-map.

Hector Gustavo Serrano Gutierrez · ‎06-12-2019

I need:

1. Traceroute output

2. show ip route 8.8.8.8

3. show ip route x.x.x.x (where x.x.x.x is from 'set ip next-hop x.x.x.x')

4. show ip arp <PC_IP>

5. show mac address-table address <PC_MAC>

6. show run interface vlan12