Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2389
Views
5
Helpful
10
Replies

Nexus 9k Policy based routing

Go to solution
clive.hodgetts
Level 1
Level 1

‎01-24-2022 04:39 AM - edited ‎06-21-2024 01:54 AM

 

 

 

 

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to clive.hodgetts

‎01-24-2022 11:56 AM - last edited on ‎01-26-2022 08:04 AM by Community Manager

First let us clarify the differences in the first 2 commands:

set {ip | ipv6} next-hop address1 [address2...] [load-share]

This command acts on any IP packet that is a match for the acl used in the match statement (or acts on all traffic if there is not a match command) and forwards the packet to the next hop address(es) specified.

set {ip | ipv6} default next-hop address1 [address2...] [load-share]

This command acts on any IP packet that is a match for the acl used in the match statement (or acts on all traffic if there is not a match command) and which packet would have been forwarded using the default route.

The significant difference is that the second command acts only on traffic which would use the default route. If a packet does match the acl but there is a route in the routing table for the destination then normal routing is used and not PBR.

The third command is a variation of the first command which would be used in situations where the router was using vrf to separate traffic.

If set ip default is not supported on this platform then I would suggest that what you need to do is to modify the acl used for PBR. The early lines in the revised acl would deny any traffic from that source to destinations that are local. Then you would have the line that does permit the source to any destination.

HTH

Rick

View solution in original post

0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to clive.hodgetts

‎01-26-2022 08:17 AM

Thanks for the update. Glad that you have it working. I am surprised about the restriction of not allowing deny in an acl for PBR. But if it is not allowed then your solution is certainly appropriate.

Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.

HTH

Rick

View solution in original post

10 Replies 10

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎01-24-2022 05:05 AM

I have not tested myself,  how about deny rest of the traffic and allow only IP address you like to do PBR ?

 

check below example : (just trying to help you- may this not you looking ?)

 

https://www.letsconfig.com/how-to-configure-pbr-in-cisco-nexus-switches/

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
Georg Pauwen
VIP
VIP

‎01-24-2022 05:21 AM

Hello,

 

the default route is *via 172.16.1.69, Vlan60, but are there are any more specific routes in the routing table ? Where is the other traffic from Vlan162 supposed to go to ?

 

Post the output of:

 

show ip route

0 Helpful

Go to solution
clive.hodgetts
Level 1
Level 1
In response to Georg Pauwen

‎01-24-2022 05:31 AM - edited ‎06-21-2024 01:55 AM

a

0 Helpful

Go to solution
Georg Pauwen
VIP
VIP
In response to clive.hodgetts

‎01-24-2022 05:36 AM - last edited on ‎01-25-2022 11:13 AM by Community Manager

Hello,

 

post the full running config of your Nexus, as well as the output of

'show ip route'

The PBR config looks by the book. so there probably is something else missing...

0 Helpful

Go to solution
clive.hodgetts
Level 1
Level 1

‎01-24-2022 06:32 AM - edited ‎06-21-2024 01:56 AM

 

a

0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to clive.hodgetts

‎01-24-2022 11:56 AM - last edited on ‎01-26-2022 08:04 AM by Community Manager

First let us clarify the differences in the first 2 commands:

set {ip | ipv6} next-hop address1 [address2...] [load-share]

This command acts on any IP packet that is a match for the acl used in the match statement (or acts on all traffic if there is not a match command) and forwards the packet to the next hop address(es) specified.

set {ip | ipv6} default next-hop address1 [address2...] [load-share]

This command acts on any IP packet that is a match for the acl used in the match statement (or acts on all traffic if there is not a match command) and which packet would have been forwarded using the default route.

The significant difference is that the second command acts only on traffic which would use the default route. If a packet does match the acl but there is a route in the routing table for the destination then normal routing is used and not PBR.

The third command is a variation of the first command which would be used in situations where the router was using vrf to separate traffic.

If set ip default is not supported on this platform then I would suggest that what you need to do is to modify the acl used for PBR. The early lines in the revised acl would deny any traffic from that source to destinations that are local. Then you would have the line that does permit the source to any destination.

HTH

Rick
0 Helpful

Go to solution
clive.hodgetts
Level 1
Level 1
In response to Richard Burts

‎01-25-2022 12:32 AM - last edited on ‎01-26-2022 08:05 AM by Community Manager

Thanks Rick, this is as I thought, but it seems very messy to have to list non contiguous networks, especially when there are so many of them. Luckily this work is related to a migration so is only temporary. I have logged a TAC case with Cisco to try to understand why this platform of Nexus doesn't support the

default next-hop

option whereby it seems most others do!

 

Thanks, again and I will mark your answer as correct.

0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to clive.hodgetts

‎01-26-2022 02:39 AM

First let us acknowledge that getting full feature parity as Cisco introduces new platforms (like the 9K) is a challenge. As they write the code for the new platform do they wait to support a feature until they have all aspects of that feature or do they go ahead and support a feature (like PBR) when they have the most important aspects and try to get other aspects in later releases. Clearly Cisco said partial PBR is good enough. If you have opened a case with TAC about PBR support that certainly gives Cisco feedback that set ip default is part of the feature that they should work on.

Then let me suggest that it may not be as messy as you think. Assuming that the networks for which you want normal routing to work are in the Private address space you may be able to accomplish what you want with 3 additional statements in your acl: deny if the destination network/subnet is in 10.0.0.0, deny if the destination network/subnet is in  appropriate parts of 172.16.0.0, deny if the destination network/subnet is in 192.168.0.0,

 

HTH

Rick
0 Helpful

Go to solution
clive.hodgetts
Level 1
Level 1
In response to Richard Burts

‎01-26-2022 03:11 AM

Hi Rick,

 

We have amended the ACL's to cover the private address space but we have quite a number of services which do not fall under the private space which still need to take the routes in the routing table. These have been added to the ACL too. We did hit one issue with this and that is that 'deny' is not supported on ACL's being used by PBR. To accomplish what we needed to do, we created an ACL with permit statements for the private addresses and the destination subnets not covered by those statements. This ACL formed the first match in our route-map but we left the 'set' option blank so those would follow the local routing table. We then created an ACL with the single rule permit any and that formed the second match in our route-map with the set next-hop address configured. All has been implemented and tested successfully. As mentioned, it is only a temporary solution to cover the migration of services from one DC to another. 

Thanks for your input and hopefully we will see the full feature set of PBR contained in new versions of 9k code.

0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to clive.hodgetts

‎01-26-2022 08:17 AM

Thanks for the update. Glad that you have it working. I am surprised about the restriction of not allowing deny in an acl for PBR. But if it is not allowed then your solution is certainly appropriate.

Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.

HTH

Rick
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card