02-08-2024 09:18 AM
Hello.
I have a Nexus 9K
I have 6 vlans;
Vlan1 - 192.168.1.0
Vlan2 - 192.168.2.0
Vlan3 - 192.168.3.0
Vlan4 - 192.168.4.0
Vlan5 - 192.168.5.0
Vlan6 - 192.168.6.0
I have 2 L3 Interfaces;
GE 1/1 192.168.11.2
GE 1/49 192.168.12.2
I want to create 2 PBRs [2 Interfaces, 6 rules]
access-list 101 permit ip 192.168.1.0 0.0.0.0 any
access-list 102 permit ip 192.168.2.0 0.0.0.0 any
access-list 103 permit ip 192.168.3.0 0.0.0.0 any
access-list 104 permit ip 192.168.4.0 0.0.0.0 any
access-list 105 permit ip 192.168.5.0 0.0.0.0 any
access-list 106 permit ip 192.168.6.0 0.0.0.0 any
route-map ToISR permit 10
match ip address 101
set ip next-hop 192.168.11.1
route-map ToISR permit 20
match ip address 102
set ip next-hop 192.168.11.1
route-map ToISR permit 30
match ip address 103
set ip next-hop 192.168.11.1
route-map ToFPR permit 40
match ip address 104
set ip next-hop 192.168.12.1
route-map ToFPR permit 50
match ip address 105
set ip next-hop 192.168.12.1
route-map ToFPR permit 60
match ip address 106
set ip next-hop 192.168.12.1
interface vlan 1
ip policy route-map ToISR
interface vlan 2
ip policy route-map ToISR
interface vlan 3
ip policy route-map ToISR
interface vlan 4
ip policy route-map ToFPR
interface vlan 5
ip policy route-map ToFPR
interface vlan 6
ip policy route-map ToFPR
02-18-2024 03:25 AM
Apologies, there is some confusion here.
I was more focused on, and advising on, the Nexus switch side (and in the assumption that the ISR has all NAT in place and working).
If you do not have any default route, then let's introduce PBR and test it (check the syntax and IPs before applying the config):
ip access-list vlan4ip
10 permit ip 192.168.3.0 0.0.0.255 any (bear in mind this matches every destination network, "any"? Later we may add some deny entries so intra-VLAN traffic does not use this next hop)
route-map vlan2map permit 10
match ip address vlan4ip
set ip next-hop 10.0.0.1
interface Vlan4
no shutdown
ip address 192.168.3.1/24
ip dhcp relay address 10.0.0.1
ip policy route-map vlan2map
02-08-2024 09:29 AM
We see the config here. What is the issue? What Nexus code is running?
Some reference:
02-08-2024 10:01 AM
No issue, I just wanted to check whether I had the correct format to start off with. After looking at that guide, I still do not feel any more confident. Where do my vlans come in? Can I change the example's specific IP to a network range?
02-09-2024 08:59 AM
You can have a specific range of IP subnets in one ACL to go to path 1 and another ACL for path 2.
You do not need a different ACL for each subnet, but that can also work if you wish to use it.
Still not able to understand what is not working?
What is the outcome of your original post config and test?
02-09-2024 09:05 AM
I apologize, my initial thread/comment was only asking if that would work. Though naturally I forgot to ask that. It was nothing about it not working, only whether it would work if I implemented it.
02-09-2024 09:30 AM
Sure, that should work. If there is any issue, post back here what the issue was, so we can handle it correctly.
02-08-2024 02:06 PM
So after going over that guide several times, not finding exactly the answers I think I need, I modified it to what I think would be correct. Below I am picking 2 of the 6 vlans as an example, 1 vlan from each PBR, and this is what I think is correct to create 2 PBRs on Nexus. In the Cisco example, it specifies host ip [specific] and host ip [specific]
permit tcp host 10.1.1.2 host 192.168.2.2 eq 80
But since I want everything in said NETWORK, I changed mine to fit, but I am not sure if it can be? Anyway, here it is.
feature pbr
ip access-list vlan1
permit ip 192.168.1.0 0.0.0.0 any
ip access-list vlan4
permit ip 192.168.4.0 0.0.0.0 any
!
route-map vlan-access-ISR permit 10
match ip address vlan1
set ip next-hop 192.168.11.2
route-map vlan-access-FPR permit 20
match ip address vlan4
set ip next-hop 192.168.12.2
!
route-map vlan-access-ISR pbr-statistics
route-map vlan-access-FPR pbr-statistics
interface gigabitethernet 1/1
ip policy route-map vlan-access-ISR
interface gigabitethernet 1/49
ip policy route-map vlan-access-FPR
02-13-2024 08:59 PM
I am about to implement this scenario. Would my 1st post or the post prior to this be a more accurate PBR configuration for the Nexus? My 1st has me applying the policies to each vlan, but my more recent one applies them to the actual interfaces that route back to the routers. Would I apply these policy route-maps to the vlans or the interfaces?
02-14-2024 01:10 AM
You need to apply it on a Layer 3 interface.
02-14-2024 09:13 AM - edited 02-14-2024 09:19 AM
Hello @TheGoob,
PBR acts on incoming traffic only, so you need to apply it on the Layer 3 interfaces that receive the traffic you want to divert.
So in your case the most appropriate point of application is the SVI interfaces.
You may need to review your ACLs taking into account the PBR application point (inbound on the SVI interface).
Note: interface eth1/1 and eth1/49; Nexus calls all interfaces ethx/y regardless of their speed.
These two are probably the exit interfaces for your traffic, so you cannot apply PBR on them.
Hope to help
Giuseppe
02-14-2024 09:55 AM - edited 02-14-2024 10:07 AM
Thank you both. Interesting. I have ACLs on the FPR for incoming [wan to lan] services such as email and web server. I'll see if I need to modify that.
Hmm, 1/1 on Nexus is how it [vlan 1-3] receives data from Internet to ISR to Nexus, and 1/49 on Nexus is how it [vlan 4-6] receives data from Internet to FPR to Nexus. You mention I can't use those for PBR due to them being exit interfaces, but they are also incoming as well. Hmm.
Really I just wanted the PBR because 3 vlans have NAT etc. on the ISR and 3 have NAT on the FTD, and I didn't want them to exit on any generic WAN IP. Vlans 4-6 need their specific outgoing WAN IPs.
02-14-2024 02:00 PM
Oh man, it just occurred to me that I had changed my configuration prior to this question. So, Nexus 1/1 and 1/49 are still "the links", /1 to ISR and /49 to FTD, and both are TRUNK ports: 1/1 trunks vlans 2-4, 1/49 vlans 5-7.
ISR is the DHCP server for vlans 2-4, and the Nexus vlan interfaces for those vlans have an IP from each vlan. FTD is the DHCP server for vlans 5-7, and the Nexus has vlan interfaces for those vlans as well.
So, vlans 2-6 all have a vlan interface with an IP that is part of their network. Vlans 2-6 communicate to and from via TRUNK 1/1 to ISR, and vlans 5-7 communicate to and from via TRUNK 1/49 to FTD.
This raises the question of what the
set ip next-hop <ip>
would be, because now, like I said, they are actually TRUNK connections, not L3 interface connections. I need to go do some research. Ugh, I need to see if I can PBR through a trunk.
02-14-2024 02:27 PM - edited 02-14-2024 02:46 PM
Because I am just unsure, I'm just gonna make another link from FTD to Nexus for the route back, and ISR to Nexus for the route back. I'll create SVIs etc. and do it that way.
Hmm, I guess in this regard the TRUNKS are L2 and really the SVIs are the L3, so I'll just use the vlan interface IP on ISR vlan 2 as the Nexus 2-4 route back, and the vlan interface IP on the FTD vlan 5 as the Nexus 5-7 route back.
02-15-2024 06:14 PM - edited 02-15-2024 09:11 PM
Bump
02-16-2024 11:36 AM - edited 02-16-2024 11:37 AM
Hi friends.
So I tried to slim this down to better explain.
On the Nexus, I have 10 vlans.
1 : default and not using
2-3 : Receiving their DHCP Pool via FPR on Ethernet 1/49 TRUNK
: I set up my PBR on Ethernet 1/96 [Nexus 192.168.11.2 connected to FPR 192.168.11.1]
4-7 : Receiving their DHCP Pool via ISR on Ethernet 1/1 TRUNK
: I set up my PBR on Ethernet 1/95 [Nexus 192.168.9.2 connected to ISR 192.168.9.1]
#1 Either my PBR rules are wrong [next-hop incorrect] or simply implemented wrong, because vlans 4-7 cannot reach the Internet unless I have an 'ip route 0.0.0.0 0.0.0.0 192.168.5.2' [or any vlan IP on ISR].
#2 I currently do NOT have an ACL for 192.168.9.0 [my PBR] on Nexus OR ISR. I did try to add one, but again I appear to have put it in wrong. I am to assume the PBR has nothing to do with NAT, and hope not, because vlans 4-7 have their own WAN IP, and they use it with the 0.0.0.0 0.0.0.0 default route, so I am hoping the PBR for 4-7 will also translate correctly on ISR... On ISR I did a STANDARD ACL '10 permit 192.168.9.0 0.0.0.255 any' [not verbatim; I used the GUI like for all my other working ACLs], but that is the idea. And it did not work.
#3 Vlans 2-3 are in the same boat, but I am currently not worried about them as I am having FPR issues. I assume if I get 4-7 working, I will follow suit with their PBR, and then when the FPR is resolved, they will work.
Any help is GREATLY APPRECIATED.
version 9.3(10) Bios:version 07.69
feature telnet
feature pbr
feature interface-vlan
ip access-list vlan2
10 permit ip 192.168.1.0/32 any
ip access-list vlan3
10 permit ip 192.168.2.0/32 any
ip access-list vlan4
10 permit ip 192.168.3.0/32 any
ip access-list vlan5
10 permit ip 192.168.4.0/32 any
ip access-list vlan6
10 permit ip 192.168.6.0/32 any
ip access-list vlan7
10 permit ip 192.168.5.0/32 any
vlan 1-7,9-11
route-map vlan-access-ISR pbr-statistics
route-map vlan-access-ISR permit 10
match ip address vlan4
set ip next-hop 192.168.9.1
route-map vlan-access-ISR permit 20
match ip address vlan5
set ip next-hop 192.168.9.1
route-map vlan-access-ISR permit 30
match ip address vlan6
set ip next-hop 192.168.9.1
route-map vlan-access-ISR permit 40
match ip address vlan7
set ip next-hop 192.168.9.1
route-map vlan-access-ftd pbr-statistics
route-map vlan-access-ftd permit 10
match ip address vlan2
set ip next-hop 192.168.11.1
route-map vlan-access-ftd permit 20
match ip address vlan3
set ip next-hop 192.168.11.1
vrf context management
interface Vlan1
no shutdown
ip address 192.168.10.3/24
interface Vlan2
no shutdown
ip address 192.168.1.1/24
interface Vlan3
no shutdown
ip address 192.168.2.1/24
interface Vlan4
no shutdown
ip address 192.168.3.1/24
interface Vlan5
no shutdown
ip address 192.168.4.1/24
interface Vlan6
no shutdown
ip address 192.168.6.1/24
interface Vlan7
no shutdown
ip address 192.168.5.1/24
interface Vlan9
no shutdown
ip address 192.168.9.2/24
ip policy route-map vlan-access-ISR
interface Vlan10
no shutdown
ip address 192.168.11.2/24
ip policy route-map vlan-access-ftd
interface Ethernet1/1
switchport mode trunk
switchport trunk native vlan 7
switchport trunk allowed vlan 4-7
interface Ethernet1/49
switchport mode trunk
switchport trunk allowed vlan 2-3
interface Ethernet1/95
switchport access vlan 9
spanning-tree port type edge
interface Ethernet1/96
switchport access vlan 10
spanning-tree port type edge
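As an added illustration (not code from this thread, from Cisco, or from any NX-OS tool), here is a small Python lint that parses an NX-OS PBR snippet shaped like the one above and flags the two mistakes the replies point at: a /32 ACL entry on a network address, which matches one host rather than the VLAN, and `ip policy route-map` applied on the transit SVI that faces the next-hop instead of the SVI that receives the VLAN's traffic. The sample config is constructed for the example; `parse`, `lint` and the wording of the findings are mine.

```python
import ipaddress
from collections import defaultdict

# Constructed sample modelled on the thread's NX-OS config (not a real device dump).
SAMPLE = """\
ip access-list vlan4
  10 permit ip 192.168.3.0/32 any
route-map vlan-access-ISR permit 10
  match ip address vlan4
  set ip next-hop 192.168.9.1
interface Vlan4
  ip address 192.168.3.1/24
interface Vlan9
  ip address 192.168.9.2/24
  ip policy route-map vlan-access-ISR
"""
HEAD = {"ip access-list": "acl", "route-map": "map", "interface": "if"}

def parse(cfg):
    # acls: name -> [source nets]; maps: name -> [{acl, nh}]; ifaces: name -> {net, policy}
    acls, maps, ifaces, kind, name = defaultdict(list), defaultdict(list), {}, None, None
    for raw in filter(str.strip, cfg.splitlines()):
        w = raw.split()
        if not raw[0].isspace():  # an unindented line opens a new stanza
            kind = next((k for p, k in HEAD.items() if raw.startswith(p + " ")), None)
            name = w[2] if kind == "acl" else w[1] if kind else None
            if kind == "map": maps[name].append({})
            if kind == "if": ifaces.setdefault(name, {})
        elif kind == "acl" and w[1:3] == ["permit", "ip"]: acls[name].append(ipaddress.ip_network(w[3], strict=False))
        elif kind == "map" and w[:3] == ["match", "ip", "address"]: maps[name][-1]["acl"] = w[3]
        elif kind == "map" and w[:3] == ["set", "ip", "next-hop"]: maps[name][-1]["nh"] = ipaddress.ip_address(w[3])
        elif kind == "if" and w[:2] == ["ip", "address"]: ifaces[name]["net"] = ipaddress.ip_interface(w[2]).network
        elif kind == "if" and w[:3] == ["ip", "policy", "route-map"]: ifaces[name]["policy"] = w[3]
    return acls, maps, ifaces

def lint(cfg):
    acls, maps, ifaces = parse(cfg)
    # a /32 on a .0 address matches exactly one host (e.g. 192.168.3.0), never the VLAN's subnet
    out = [f"{a}: {n} matches a single host, not the VLAN subnet" for a, nets in acls.items()
           for n in nets if n.prefixlen == 32 and int(n.network_address) & 0xFF == 0]
    for rm, entries in maps.items():
        for e in (e for e in entries if "acl" in e):
            for ifn, i in ((k, v) for k, v in ifaces.items() if "net" in v):
                # PBR is evaluated on ingress: the policy belongs on the SVI where the matched
                # sources arrive, not on the transit SVI whose subnet contains the next-hop
                if i.get("policy") == rm and "nh" in e and e["nh"] in i["net"]:
                    out.append(f"{ifn}: {rm} is on the exit SVI ({e['nh']} is on-link)")
                if i.get("policy") != rm and any(n.subnet_of(i["net"]) for n in acls[e["acl"]]):
                    out.append(f"{ifn}: {e['acl']} sources arrive here but {rm} is not applied")
    return out
```

Running `lint(SAMPLE)` reports the /32 entry, the missing policy on Vlan4 and the misplaced policy on Vlan9; a config with a /24 entry and the policy moved to Vlan4 produces no findings.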