Nexus 7k configuration commands for PBR

josh94950
Level 1

Hello Experts,

I am looking for some help in configuring PBR in Nexus. The current setup in IOS is:

interface Vlan10
 ip address 172.27.206.1 255.255.255.0
 ip address 172.27.208.1 255.255.254.0 secondary
 ip policy route-map Vlan_10_to_Corp
!
route-map Vlan_10_to_Corp permit 10
 match ip address Vlan_10_to_Corp
 set ip next-hop 172.27.209.250
!
route-map Vlan_305_to_EFH permit 30
!
ip access-list extended Vlan_10_to_Corp
 deny   ip 172.27.206.0 0.0.0.255 172.27.206.0 0.0.0.255
 deny   ip 172.27.206.0 0.0.0.255 172.27.208.0 0.0.1.255
 deny   ip 172.27.208.0 0.0.1.255 172.27.206.0 0.0.0.255
 deny   ip host 172.27.206.10 any
 deny   ip host 172.27.206.2 any
 deny   ip host 172.27.206.126 any
 deny   ip host 172.27.208.7 172.27.37.48 0.0.0.15
 deny   ip host 172.27.208.7 172.27.37.64 0.0.0.15
 deny   ip host 172.27.208.7 host 172.27.166.55
 deny   ip host 172.27.208.7 172.27.37.64 0.0.0.15
 deny   ip host 172.27.208.7 host 172.27.166.55
 permit ip 172.27.206.0 0.0.0.255 any
 permit ip 172.27.208.0 0.0.1.255 any

But Nexus PBR will not work with deny statements in it. Now, what options do I have?

Any help would be greatly appreciated.

Thanks

Josh

1 Accepted Solution

Accepted Solutions

I think you can try this template:

!Create access-list for traffic which will be denied
ip access-list ACL_DENY
  permit ip x.x.x.x/32 y.y.y.y/32

!Create access-list for traffic which will be permitted
ip access-list ACL_PERMIT
  permit ip x.x.x.x/32 any

!Create PBR for denied traffic
route-map PBR deny 10
  match ip address ACL_DENY

!Create PBR for permitted traffic
route-map PBR permit 20
  match ip address ACL_PERMIT
  set ip next-hop "your IP next hop to redirect traffic from x.x.x.x to any"

!Apply to interface
interface Eth1/1
  ip policy route-map PBR

It seems tricky, but it should be tried.

Regards,

Rp

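The template above translates the original IOS configuration mechanically: every `deny` ACE becomes a `permit` in a "deny" ACL matched by a `route-map ... deny` sequence (traffic that falls through is routed normally), and every `permit` ACE becomes a `permit` in the ACL matched by the `permit` sequence that sets the next hop. The script below, an added example that is not part of either post, does that conversion for the ACL from the question. It assumes only the `permit|deny ip SRC DST` form used there, converts IOS wildcard masks to NX-OS prefix lengths with Python's `ipaddress` module, drops the two duplicate ACEs, and prepends `feature pbr`, which NX-OS requires before `ip policy route-map` is accepted. The ACL text, the route-map name and the `Vlan10` interface are taken from the question; nothing else is assumed.

```python
import ipaddress

# Constructed input: the IOS extended ACL from the question, re-typed as data so
# the script runs offline (including the two duplicated ACEs in the original).
IOS_ACL = """
deny   ip 172.27.206.0 0.0.0.255 172.27.206.0 0.0.0.255
deny   ip 172.27.206.0 0.0.0.255 172.27.208.0 0.0.1.255
deny   ip 172.27.208.0 0.0.1.255 172.27.206.0 0.0.0.255
deny   ip host 172.27.206.10 any
deny   ip host 172.27.206.2 any
deny   ip host 172.27.206.126 any
deny   ip host 172.27.208.7 172.27.37.48 0.0.0.15
deny   ip host 172.27.208.7 172.27.37.64 0.0.0.15
deny   ip host 172.27.208.7 host 172.27.166.55
deny   ip host 172.27.208.7 172.27.37.64 0.0.0.15
deny   ip host 172.27.208.7 host 172.27.166.55
permit ip 172.27.206.0 0.0.0.255 any
permit ip 172.27.208.0 0.0.1.255 any
"""


def _parse_addr(tokens, i):
    """Consume one IOS address spec at tokens[i]; return (NX-OS text, next index)."""
    t = tokens[i]
    if t == "any":
        return "any", i + 1
    if t == "host":
        return f"{tokens[i + 1]}/32", i + 2
    # "network wildcard": ipaddress accepts a contiguous hostmask such as 0.0.1.255
    net = ipaddress.ip_network(f"{t}/{tokens[i + 1]}", strict=False)
    return net.with_prefixlen, i + 2


def ios_ace_to_nxos(line):
    """Translate 'permit|deny ip SRC DST' into an NX-OS 'permit ip SRC DST' ACE.

    Returns (original_action, nxos_ace). The action is kept separately because
    on NX-OS the deny/permit decision moves from the ACL into the route-map.
    """
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported ACE: {line!r}")  # only the form in the question
    src, i = _parse_addr(tokens, 2)
    dst, _ = _parse_addr(tokens, i)
    return action, f"permit ip {src} {dst}"


def build_nxos_pbr(ios_acl, name, next_hop, interface):
    """Split the IOS ACL into <name>_DENY / <name>_PERMIT and emit the NX-OS PBR config.

    Sequence 10 (deny) is evaluated before sequence 20 (permit), which preserves the
    first-match ordering of the IOS ACL where all deny ACEs precede the permits.
    """
    deny, permit, seen = [], [], set()
    for line in ios_acl.strip().splitlines():
        action, ace = ios_ace_to_nxos(line)
        if ace in seen:
            continue  # identical ACE already emitted (the question's ACL has two repeats)
        seen.add(ace)
        (deny if action == "deny" else permit).append(ace)

    out = ["feature pbr", f"ip access-list {name}_DENY"]
    out += [f"  {a}" for a in deny]
    out.append(f"ip access-list {name}_PERMIT")
    out += [f"  {a}" for a in permit]
    out += [
        f"route-map {name} deny 10",
        f"  match ip address {name}_DENY",
        f"route-map {name} permit 20",
        f"  match ip address {name}_PERMIT",
        f"  set ip next-hop {next_hop}",
        f"interface {interface}",
        f"  ip policy route-map {name}",
    ]
    return out


if __name__ == "__main__":
    cfg = build_nxos_pbr(IOS_ACL, "Vlan_10_to_Corp", "172.27.209.250", "Vlan10")
    print("\n".join(cfg))
```

The generated `_DENY` ACL contains only `permit` entries, which is the whole point of the template: the "deny" meaning lives in `route-map Vlan_10_to_Corp deny 10`, so matched packets are simply not policy-routed. After applying it, `show route-map Vlan_10_to_Corp` and a test host in 172.27.206.0/24 (one that is not in the exclusion list) are the quickest way to confirm that intra-VLAN and excluded-host traffic still follows the routing table while everything else goes to 172.27.209.250.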


Rick Morris
Level 6

In an access list, only permit what you *need*, and everything else will be denied.

Also, here is a link for ACLs on the 7k. I linked directly to the PBR piece.

http://www.cisco.com/en/US/docs/switches/datacenter/sw/4_1/nx-os/security/configuration/guide/sec_ipacls.html#wp1583246


Thank you. That was a good tip. Pretty straightforward :)
