11-29-2020 11:15 PM - edited 11-30-2020 07:49 AM
PBR not working in Cisco Nexus C9372TX core switch
I have an issue with PBR in my core switch.
Network diagram is given below.
========================LAN Traffic to firewall-1 Working without any issue =========================
Internet traffic for the networks listed below goes to firewall-1,
and the remote office networks go to WAN-RTR (192.168.10.253) without PBR, using the default route and a static route.
192.168.10.0/24
192.168.11.0/24
ip route 0.0.0.0/0 192.168.10.250 name LAN-to-Firewall-01
ip route 192.168.0.0/16 192.168.10.253 name LAN-WAN-RTR-for------INTRANET
=========================LAN Traffic to firewall-2 using PBR not working ========================
Internet traffic for the network listed below has to go to firewall-2 (192.168.10.254),
and the remote offices must be reachable via WAN-RTR (192.168.10.253).
192.168.17.0/24
Currently two default routes are running in core switch for firewall 1&2
ip route 0.0.0.0/0 192.168.10.250 name LAN-to-Firewall-01
ip route 0.0.0.0/0 192.168.10.254 10 LAN-to-Firewall-02
For the 192.168.17.0/24 network's internet traffic I have configured a PBR in the core switch and routed it to firewall-2,
and the 192.168.17.0/24 network can reach the internet with ICMP only. URLs are not working because internal DNS is not resolving with the
PBR applied on interface vlan10.
Traceroute from a testing PC in the vlan10 network 192.168.17.0/24:
C:\Users\TEMP>tracert 8.8.8.8
Tracing route to 8.8.8.8 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 192.168.17.251
2 <1 ms <1 ms <1 ms 192.168.10.254-----traffic hitting to firewall and exiting from wan port
3 1 ms 1 ms 1 ms 115.254.37.118
4 19 ms 19 ms 19 ms 74.125.51.2
5 19 ms 19 ms 19 ms 74.125.242.145
6 20 ms 20 ms 19 ms 216.239.42.215
7 20 ms 19 ms 19 ms 8.8.8.8---- traffic reaches to destination public ip
At the same time internet browsing is not working on the testing PC in vlan10, I think due to internal DNS: the PBR is blocking DNS resolution (the DNS IP is 192.168.10.136).
And the 192.168.17.0/24 network cannot reach the remote office networks either.
Can someone help me resolve the PBR issue?
=======configurations ======
interface Vlan10
ip address 192.168.17.251/24
ip policy route-map PBR_IT_Internet_17_NW
hsrp version 2
hsrp 10
preempt
priority 150 forwarding-threshold lower 80 upper 90
ip 192.168.17.252
ip dhcp relay address 192.168.10.235
no shutdown
=================
SBSTJ_CORE-SW1# show route-map PBR_IT_Internet_17_NW
route-map PBR_IT_Internet_17_NW, permit, sequence 10
Match clauses:
ip address (access-lists): IT_Internet_17_NW
Set clauses:
ip next-hop 192.168.10.254
SBSTJ_CORE-SW1#
SBSTJ_CORE-SW1# show acc
access-lists accounting
SBSTJ_CORE-SW1# show access-lists IT_Internet_17_NW
IP access list IT_Internet_17_NW
10 permit ip 192.168.17.0/24 any
SBSTJ_CORE-SW1#
====================
11-30-2020 11:50 PM
Hello
Local PBR will only work if you want to policy route traffic initiated from the router.
As for inter-vlan communication, what is required is an extra access-list added to the PBR stanza 99 to deny PBR between vlan10 and the other vlans on your LAN.
example:
ip access-list extended nopbr
deny ip any <vlan x>
deny ip any <vlan y>
etc...
permit ip any any
12-01-2020 12:15 AM - edited 12-01-2020 12:16 AM
Hi Paul,
======================
Existing PBR status
======================
I can reach remote office via 192.168.10.253
I can reach the internet via firewall-2 (192.168.10.254) without DNS resolution (I need to fix this issue by allowing inter-vlan communication from vlan10 to vlan1, vlan2, vlan3, etc.).
Can you please explain how I can modify the existing ACL/PBR for inter-vlan communication?
Vlan 10 (192.168.17.0/24) needs to access vlan1 (192.168.10.0/24), vlan2, vlan3, vlan4.
-----------------Current PBR & ACL -------------------
ip access-list extended IT_Internet_17_NW
permit ip any 192.168.40.0 0.0.0.255
permit ip any 192.168.50.0 0.0.0.255
permit ip any 192.168.60.0 0.0.0.255
route-map PBR_IT_Internet_17_NW permit 10
match ip address IT_Internet_17_NW
set ip next-hop 192.168.10.253
route-map PBR_IT_Internet_17_NW permit 99
set ip next-hop 192.168.10.254
--------------------------------------------------
12-01-2020 04:01 AM - edited 12-01-2020 04:01 AM
Hello
As stated in my last post, you need to create an additional access-list to deny policy-based routing between vlan 10 and the other vlans on your network, and then append it to the existing route-map:
ip access-list extended nopbr
deny ip any <vlan x>
deny ip any <vlan y>
etc..
permit ip any any
route-map PBR_IT_Internet_17_NW permit 99
match ip address nopbr
set ip next-hop 192.168.10.254
12-01-2020 04:15 AM - edited 12-01-2020 04:29 AM
Hi Paul,
I have tried to add the new ACL, but PBR does not support deny ACL entries:
SBSTJ_CORE-SW1(config)# route-map ?
PBR_IT_Internet_17_NW (no abbrev) Known route-map name
WORD Route-map name (Max Size 63)
SBSTJ_CORE-SW1(config)# route-map PBR_IT_Internet_17_NW permit 99
SBSTJ_CORE-SW1(config-route-map)#
SBSTJ_CORE-SW1(config-route-map)#
SBSTJ_CORE-SW1(config-route-map)# match ip
ip ipv6
SBSTJ_CORE-SW1(config-route-map)# match ip address NO_PBR
% Command failed - Deny is not supported on PBR. Please check your configuration.
SBSTJ_CORE-SW1(config-route-map)#
Please help me to resolve the issue.
12-01-2020 05:38 AM
Hello
Okay, let's try it another way:
no ip access-list extended nopbr
ip access-list extended nopbr
permit ip any <vlan x>
permit ip any <vlan y>
route-map PBR_IT_Internet_17_NW deny 20
match ip address nopbr
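As an added illustration (not configuration from the thread), a small Python model of how a route-map is evaluated sequence by sequence, run over the final policy above. It shows why a deny sequence 20 lets vlan10-to-LAN traffic (such as DNS to 192.168.10.136) fall back to normal routing while internet traffic still goes to firewall-2 and remote-office traffic to the WAN router. The contents of the nopbr ACL are assumed (the thread only shows <vlan x>/<vlan y> placeholders), as are the test source address and the evaluator itself.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed model of PBR route-map semantics (not the switch's own code):
# sequences are evaluated in order and the first sequence whose match clause
# hits decides. A permit sequence applies its set clause; a deny sequence, or
# no matching sequence at all, falls back to normal destination routing.
# Inside an ACL the first matching entry decides and no match means deny.

Entry = Tuple[str, str, str]  # (action, source prefix, destination prefix)


class Acl:
    def __init__(self, entries: List[Entry]):
        self.entries = [(a, ipaddress.ip_network(s), ipaddress.ip_network(d))
                        for a, s, d in entries]

    def permits(self, src, dst) -> bool:
        for action, s, d in self.entries:
            if src in s and dst in d:
                return action == "permit"
        return False  # implicit deny at the end of every ACL


class Sequence:
    def __init__(self, action: str, acl: Optional[Acl], next_hop: Optional[str] = None):
        self.action, self.acl, self.next_hop = action, acl, next_hop  # acl None = match all


def pbr_next_hop(route_map: List[Sequence], src: str, dst: str) -> Optional[str]:
    """Next-hop the packet is policy-routed to, or None for normal routing."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for seq in route_map:
        if seq.acl is None or seq.acl.permits(s, d):
            return seq.next_hop if seq.action == "permit" else None
    return None


# Remote-office prefixes from the thread's IT_Internet_17_NW ACL.
IT_INTERNET_17_NW = Acl([("permit", "0.0.0.0/0", "192.168.40.0/24"),
                         ("permit", "0.0.0.0/0", "192.168.50.0/24"),
                         ("permit", "0.0.0.0/0", "192.168.60.0/24")])
# Assumed contents of the nopbr <vlan x>/<vlan y> placeholders: the two LAN
# prefixes the thread lists; in practice add one line per local SVI.
NOPBR = Acl([("permit", "0.0.0.0/0", "192.168.10.0/24"),
             ("permit", "0.0.0.0/0", "192.168.11.0/24")])

PBR_IT_INTERNET_17_NW = [
    Sequence("permit", IT_INTERNET_17_NW, "192.168.10.253"),  # seq 10: WAN router
    Sequence("deny", NOPBR),                                  # seq 20: route normally
    Sequence("permit", None, "192.168.10.254"),               # seq 99: firewall-2
]
```

Without the deny sequence 20, the DNS lookup to 192.168.10.136 would hit sequence 99 and be sent to firewall-2, which is the symptom the thread started with.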
12-01-2020 10:48 AM
Hi Paul,
Finally all my issues are resolved. Thanks for the precious time you spent with me to resolve all the barriers.
C:\Users\TEMP.xxxxx>nslookup
Server: xxx.xxxx.com
Address: 192.168.10.236
>
> facebook.com
Server: xxx.xxxx.com
Address: 192.168.10.236
Non-authoritative answer:
Name: facebook.com
Addresses: 2a03:2880:f142:182:face:b00c:0:25de
157.240.196.35
12-01-2020 03:32 PM
Hello
Glad to hear it - that’s what these forums are for!
Thanks for the feedback much appreciated.
12-02-2020 12:02 AM
Hello Paul,
For testing purposes I have applied the PBR to vlan 10 only; I have to apply PBR to some other vlans also.
Can I use the same PBR for the other interface vlans?
interface Vlan10
ip address 192.168.17.251/24
ip policy route-map PBR_IT_Internet_17_NW
hsrp version 2
12-02-2020 12:29 AM
Hello
Yes you can, but obviously you'll need to tweak the extended nopbr access-list for each SVI you apply it to.