Solved: Re: PBR based on SVi primary on secondary address

Breathing · ‎08-12-2024

Hi Everyone,

Is there a way to define a PBR match clause if the client gateway is a specific SVI address?

Giuseppe Larosa · ‎08-12-2024

the only case where an end host PC exposes its default gateway settings is when the PC makes an ARP request for its default gateway. But this is not IP traffic but ARP traffic.

Once the default gateway is resolved packets with a destination outside the local subnet are sent in an ethernet frame with destination = SVI MAC address.

To be noted , as far as I know you can change the MAC address of an SVI but not only for the IP address secondary.

In other wiords in a SVI both the primary IP address and the secondary IP address are resolved to the same MAC address that can be the burned in address (BIA) or it can be configured.

PBR can process IP packets received on the SVI interface but it uses OSI L3 and above criteria.

But even if it could examine the OSI 2 MAC layer as I have explained above it could not discriminate packets sent to the primary address from packets sent to the secondary address as both share the same MAC address.

So it is not possible to make PBR able to check default gateway settings in the end user PC.

Possible suggestions are :

think of using a different IP subnet for the secondary IP address ( to be noted this is the normal use of secondary addresses, your use case is a corner case).

To make users able to use a different destination MAC address you could use HSRP or VRRP instead of a secondary IP address in the same subnet. In this last case the HSRP/VRRP VIP will respond to a virtual MAC protocol dependent.

However, I'm not aware of an option to check the destination MAC address in a route-map used for PBR.

Edit:

I have checked the following configuration guide in PBR on a Cat9300 the only possible match are match address or match length that checks the size of the packet.

see

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/16-8/configuration_guide/rtng/b_168_rtng_9300_cg/b_168_rtng_9300_cg_chapter_01011.html?dtid=osscdc000283#ID8123

Hope to help

Giuseppe

View solution in original post

MHM Cisco World · ‎08-12-2024

Sorry can you more elaborate

MHM

Breathing · ‎08-12-2024

I have a vlan with 2 SVI addresses (primary and secondary). I'm trying to route certain traffic from the vlan based on which SVI address the client use as their subnet gateway.

Giuseppe Larosa · ‎08-12-2024

Hello @Breathing ,

you can do PBR based on source address if source address belongs to the secondary subnet you set a specific next-hop or outgoing interface.

The default gateway used by the client must be in the same subnet as the client's IP address, so it is enough to check to what subnet the source address is associated to.

Hope to help

Giuseppe

Breathing · ‎08-12-2024

Hi @Giuseppe Larosa,

There is only one subnet in the vlan, the secondary SVI IP is in the same subnet as the primary SVI IP.

I know I can configure access-list to target specific hosts/subnets, I was looking for a way the PBR can get applied without involving the network team. If I can apply PBR based on the address the traffic was received I can train the windows admins to change default gateway on any machine they want should use the other route.

Thanks for your help.

Giuseppe Larosa · ‎08-12-2024

Hello @Breathing .

the only case where an end host PC exposes its default gateway settings is when the PC makes an ARP request for its default gateway. But this is not IP traffic but ARP traffic.

Once the default gateway is resolved packets with a destination outside the local subnet are sent in an ethernet frame with destination = SVI MAC address.

To be noted , as far as I know you can change the MAC address of an SVI but not only for the IP address secondary.

In other wiords in a SVI both the primary IP address and the secondary IP address are resolved to the same MAC address that can be the burned in address (BIA) or it can be configured.

PBR can process IP packets received on the SVI interface but it uses OSI L3 and above criteria.

But even if it could examine the OSI 2 MAC layer as I have explained above it could not discriminate packets sent to the primary address from packets sent to the secondary address as both share the same MAC address.

So it is not possible to make PBR able to check default gateway settings in the end user PC.

Possible suggestions are :

think of using a different IP subnet for the secondary IP address ( to be noted this is the normal use of secondary addresses, your use case is a corner case).

To make users able to use a different destination MAC address you could use HSRP or VRRP instead of a secondary IP address in the same subnet. In this last case the HSRP/VRRP VIP will respond to a virtual MAC protocol dependent.

However, I'm not aware of an option to check the destination MAC address in a route-map used for PBR.

Edit:

I have checked the following configuration guide in PBR on a Cat9300 the only possible match are match address or match length that checks the size of the packet.

see

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/16-8/configuration_guide/rtng/b_168_rtng_9300_cg/b_168_rtng_9300_cg_chapter_01011.html?dtid=osscdc000283#ID8123

Hope to help

Giuseppe

Breathing · ‎08-14-2024

@Giuseppe Larosa Thank you for pointing me to my error so nicely.

I'll do some research on HSRP/VRRP to see if it's possible to implement them using a single router. I was also thinking if it's possible to achieve this using VRFs - I'm doing some research on this as well.

Thanks again for your clear and concise answer.