09-26-2012 07:17 AM - edited 03-04-2019 05:40 PM
Hello Experts,
I am looking for some help in configuring PBR in Nexus. The current setup in IOS is:
interface Vlan10
 ip address 172.27.206.1 255.255.255.0
 ip address 172.27.208.1 255.255.254.0 secondary
 ip policy route-map Vlan_10_to_Corp
!
route-map Vlan_10_to_Corp permit 10
 match ip address Vlan_10_to_Corp
 set ip next-hop 172.27.209.250
!
route-map Vlan_305_to_EFH permit 30
!
ip access-list extended Vlan_10_to_Corp
 deny ip 172.27.206.0 0.0.0.255 172.27.206.0 0.0.0.255
 deny ip 172.27.206.0 0.0.0.255 172.27.208.0 0.0.1.255
 deny ip 172.27.208.0 0.0.1.255 172.27.206.0 0.0.0.255
 deny ip host 172.27.206.10 any
 deny ip host 172.27.206.2 any
 deny ip host 172.27.206.126 any
 deny ip host 172.27.208.7 172.27.37.48 0.0.0.15
 deny ip host 172.27.208.7 172.27.37.64 0.0.0.15
 deny ip host 172.27.208.7 host 172.27.166.55
 deny ip host 172.27.208.7 172.27.37.64 0.0.0.15
 deny ip host 172.27.208.7 host 172.27.166.55
 permit ip 172.27.206.0 0.0.0.255 any
 permit ip 172.27.208.0 0.0.1.255 any
But Nexus PBR will not work with deny statements in it. Now, what options do I have?
Any help would be greatly appreciated.
Thanks
Josh
10-08-2012 03:18 AM
I think you can try this template :
!Create access-list for traffic which will be denied
ip access-list ACL_DENY
permit ip x.x.x.x/32 y.y.y.y/32
!Create access-list for traffic which will be permited
ip access-list ACL_PERMIT
permit ip x.x.x.x/32 any
!Create PBR for denied traffic
route-map PBR deny 10
match ip address ACL_DENY
!Create PBR for permited traffic
route-map PBR permit 20
match ip address ACL_PERMIT
set ip next-hop "your IP next hop to redirect traffic from x.x.x.x to any"
!Apply to interface
interface Eth1/1
ip policy route-map PBR
It seems tricky, but should be tried.
Regards,
Rp
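The template above still leaves the work of rewriting every IOS wildcard-mask ACE into NX-OS prefix notation and splitting the list into the two ACLs by hand. The following script is an added example (not from the thread or from Cisco) that does that mechanically for the ACL posted in the question: each former `deny` line becomes a `permit` in ACL_DENY, which the `route-map PBR deny 10` sequence matches, so that traffic is forwarded by the normal routing table instead of being policy-routed; each former `permit` line goes into ACL_PERMIT, matched by `permit 20` with the original next hop 172.27.209.250. The names ACL_DENY, ACL_PERMIT and PBR are taken from the answer; the embedded ACL text is copied from the question. The converter refuses a discontiguous wildcard (one that has no `/len` equivalent) rather than approximating it, since a wrong match here silently changes which traffic is redirected, and it drops the exact duplicate ACEs present in the posted ACL.

```python
"""Added example: convert an IOS extended ACL used for PBR into the two-ACL
NX-OS form suggested in the answer above.  Not part of the original post."""
import ipaddress
from typing import Dict, List, Tuple

# The ACL from the question (copied from the post; its duplicate lines are
# kept so the converter has something to deduplicate).
IOS_ACL = """\
ip access-list extended Vlan_10_to_Corp
 deny ip 172.27.206.0 0.0.0.255 172.27.206.0 0.0.0.255
 deny ip 172.27.206.0 0.0.0.255 172.27.208.0 0.0.1.255
 deny ip 172.27.208.0 0.0.1.255 172.27.206.0 0.0.0.255
 deny ip host 172.27.206.10 any
 deny ip host 172.27.206.2 any
 deny ip host 172.27.206.126 any
 deny ip host 172.27.208.7 172.27.37.48 0.0.0.15
 deny ip host 172.27.208.7 172.27.37.64 0.0.0.15
 deny ip host 172.27.208.7 host 172.27.166.55
 deny ip host 172.27.208.7 172.27.37.64 0.0.0.15
 deny ip host 172.27.208.7 host 172.27.166.55
 permit ip 172.27.206.0 0.0.0.255 any
 permit ip 172.27.208.0 0.0.1.255 any
"""


def is_convertible_wildcard(wildcard: str) -> bool:
    """True when the wildcard's set bits are contiguous from the low end
    (0.0.0.255, 0.0.1.255, ...), i.e. it has a /len equivalent."""
    w = int(ipaddress.IPv4Address(wildcard))
    return (w + 1) & w == 0


def wildcard_to_prefix(addr: str, wildcard: str) -> str:
    """Turn IOS 'addr wildcard' into NX-OS 'network/len'."""
    if not is_convertible_wildcard(wildcard):
        raise ValueError(f"discontiguous wildcard {wildcard} cannot become a prefix")
    plen = 32 - int(ipaddress.IPv4Address(wildcard)).bit_length()
    return str(ipaddress.IPv4Network(f"{addr}/{plen}", strict=False))


def _parse_endpoint(tokens: List[str]) -> Tuple[str, List[str]]:
    """Consume one IOS address spec (any | host A | A WILDCARD) from tokens."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"{tokens[1]}/32", tokens[2:]
    return wildcard_to_prefix(tokens[0], tokens[1]), tokens[2:]


def parse_ios_acl(text: str) -> List[Tuple[str, str, str]]:
    """Return (action, src, dst) for each 'permit ip'/'deny ip' ACE, in order."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
            continue  # the 'ip access-list' header line
        if tokens[1] != "ip":
            raise ValueError(f"only 'ip' ACEs are converted, got: {line.strip()}")
        src, rest = _parse_endpoint(tokens[2:])
        dst, rest = _parse_endpoint(rest)
        if rest:
            raise ValueError(f"unexpected trailing tokens in: {line.strip()}")
        aces.append((tokens[0], src, dst))
    return aces


def to_nxos_pbr(ios_acl: str, next_hop: str, route_map: str = "PBR",
                deny_acl: str = "ACL_DENY", permit_acl: str = "ACL_PERMIT") -> str:
    """Fill in the answer's template: former denies -> deny_acl (matched by the
    'deny 10' sequence, so they are routed normally), former permits ->
    permit_acl (matched by 'permit 20' with the next hop).  Exact duplicate
    ACEs are dropped, order is otherwise preserved."""
    buckets: Dict[str, List[str]] = {"deny": [], "permit": []}
    for action, src, dst in parse_ios_acl(ios_acl):
        ace = f"  permit ip {src} {dst}"
        if ace not in buckets[action]:
            buckets[action].append(ace)
    lines = [f"ip access-list {deny_acl}", *buckets["deny"],
             f"ip access-list {permit_acl}", *buckets["permit"],
             f"route-map {route_map} deny 10",
             f"  match ip address {deny_acl}",
             f"route-map {route_map} permit 20",
             f"  match ip address {permit_acl}",
             f"  set ip next-hop {next_hop}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(to_nxos_pbr(IOS_ACL, "172.27.209.250"))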
09-27-2012 01:47 PM
In an access list only permit what you *need* and everything else will be denied.
Also, here is a link for ACLs on the 7k. I linked directly to the PBR piece.
03-26-2019 05:40 AM
Thank you. That was a good tip. Pretty straightforward :)