PBR Not working in cisco nexus C9372TX -Core switch

sangeethsan
Level 1

I have an issue with PBR in my core switch.
Network diagram is given below.

[Image: network diagram, PBR.PNG]

======================== LAN traffic to firewall-1 working without any issue =========================
The internet traffic of the networks listed below goes to firewall-1,
and traffic to the remote office networks goes to WAN-RTR (192.168.10.253) without PBR, using the default route and a static route.
192.168.10.0/24
192.168.11.0/24

ip route 0.0.0.0/0 192.168.10.250 name LAN-to-Firewall-01
ip route 192.168.0.0/16 192.168.10.253 name LAN-WAN-RTR-for------INTRANET


========================= LAN traffic to firewall-2 using PBR not working ========================

The internet traffic of the network listed below has to go to firewall-2 (192.168.10.254),
and the remote offices must remain reachable via WAN-RTR (192.168.10.253):
192.168.17.0/24

Currently two default routes are configured in the core switch, one for each of firewall 1 and 2:

ip route 0.0.0.0/0 192.168.10.250 name LAN-to-Firewall-01

ip route 0.0.0.0/0 192.168.10.254 10 LAN-to-Firewall-02


For the internet traffic of the 192.168.17.0/24 network I have configured a PBR in the core switch that routes it to firewall-2,
and the 192.168.17.0/24 network can reach the internet with ICMP only. URLs are not working because internal DNS is not resolving with the
PBR applied on interface vlan10.

 

traceroute from a test PC in the vlan10 network 192.168.17.0/24

 

C:\Users\TEMP>tracert 8.8.8.8

Tracing route to 8.8.8.8 over a maximum of 30 hops

1 <1 ms <1 ms <1 ms 192.168.17.251
2 <1 ms <1 ms <1 ms 192.168.10.254-----traffic hitting to firewall and exiting from wan port 
3 1 ms 1 ms 1 ms 115.254.37.118 
4 19 ms 19 ms 19 ms 74.125.51.2
5 19 ms 19 ms 19 ms 74.125.242.145
6 20 ms 20 ms 19 ms 216.239.42.215
7 20 ms 19 ms 19 ms 8.8.8.8---- traffic reaches to destination public ip

 

At the same time internet browsing is not working on the test PC in vlan10 (I think due to internal DNS: the PBR is blocking the DNS resolution; the DNS server IP is 192.168.10.136).

 

 

And the 192.168.17.0/24 network cannot reach the remote office networks either.

Can someone help me resolve the PBR issue?


======= configurations =======

interface Vlan10
ip address 192.168.17.251/24
ip policy route-map PBR_IT_Internet_17_NW
hsrp version 2
hsrp 10
preempt
priority 150 forwarding-threshold lower 80 upper 90
ip 192.168.17.252
ip dhcp relay address 192.168.10.235
no shutdown

 

=================

SBSTJ_CORE-SW1# show route-map PBR_IT_Internet_17_NW
route-map PBR_IT_Internet_17_NW, permit, sequence 10
Match clauses:
ip address (access-lists): IT_Internet_17_NW
Set clauses:
ip next-hop 192.168.10.254
SBSTJ_CORE-SW1#
SBSTJ_CORE-SW1#
SBSTJ_CORE-SW1#
SBSTJ_CORE-SW1# show acc
access-lists accounting
SBSTJ_CORE-SW1# show access-lists IT_Internet_17_NW

IP access list IT_Internet_17_NW
10 permit ip 192.168.17.0/24 any
SBSTJ_CORE-SW1#


====================

 

23 Replies

Hello

Local PBR will only work if you want to policy-route traffic initiated from the router.

As for inter-VLAN communication, what is required is an extra access-list added to PBR stanza 99 to deny PBR between vlan10 and the other VLANs on your LAN.

example:

ip access-list extended nopbr 

deny ip any <vlan x>
deny ip any <vlan y>
etc...

permit ip any any


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi Paul,


======================
Existing PBR status 
======================

I can reach remote office via 192.168.10.253
I can reach the internet via firewall-2 (192.168.10.254) without DNS resolution (I need to fix this issue by using inter-VLAN communication from vlan10 to vlan1, vlan2, vlan3, etc.).

Can you please explain how I can modify the existing ACL/PBR for inter-VLAN communication?

vlan10 (192.168.17.0/24) needs to access vlan1 (192.168.10.0/24), vlan2, vlan3, vlan4.

-----------------Current PBR & ACL -------------------
ip access-list extended IT_Internet_17_NW
permit ip any 192.168.40.0 0.0.0.255
permit ip any 192.168.50.0 0.0.0.255
permit ip any 192.168.60.0 0.0.0.255


route-map PBR_IT_Internet_17_NW permit 10
match ip address IT_Internet_17_NW
set ip next-hop 192.168.10.253


route-map PBR_IT_Internet_17_NW permit 99
set ip next-hop 192.168.10.254

--------------------------------------------------

Hello

As stated in my last post, you need to create an additional access-list to deny policy-based routing between vlan10 and the other VLANs on your network and then append it to the existing route-map:

ip access-list extended nopbr
deny ip any <vlan x>
deny ip any <vlan y>
etc..
permit ip any any

route-map PBR_IT_Internet_17_NW permit 99
match ip address nopbr
set ip next-hop 192.168.10.254



Kind Regards
Paul

Hi Paul,

 

I have tried to add the new ACL, but PBR does not support deny ACLs:

 

SBSTJ_CORE-SW1(config)# route-map ?
PBR_IT_Internet_17_NW (no abbrev) Known route-map name
WORD Route-map name (Max Size 63)
SBSTJ_CORE-SW1(config)# route-map PBR_IT_Internet_17_NW permit 99
SBSTJ_CORE-SW1(config-route-map)#
SBSTJ_CORE-SW1(config-route-map)#
SBSTJ_CORE-SW1(config-route-map)# match ip
ip ipv6
SBSTJ_CORE-SW1(config-route-map)# match ip address NO_PBR
% Command failed - Deny is not supported on PBR. Please check your configuration.
SBSTJ_CORE-SW1(config-route-map)#

 

Please help me resolve the issue.

Hello

Okay, let's try it another way:

no ip access-list extended nopbr
ip access-list extended nopbr

permit ip any <vlan x>
permit ip any <vlan y>

route-map PBR_IT_Internet_17_NW deny 20

match ip address nopbr

 



Kind Regards
Paul
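As an added illustration (not from the thread, and not NX-OS code), the following Python model walks a destination through the route-map in sequence order, showing why the deny 20 stanza lets traffic to the DNS server 192.168.10.136 fall back to normal routing while internet traffic still goes to firewall-2. The nopbr prefixes are assumed: 192.168.10.0/24 (vlan1) is named in the thread, 192.168.11.0/24 is taken from the LAN list in the original post, and the vlan2-4 prefixes are not given.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of the thread's final route-map; not NX-OS code.
# ACLs hold only permit entries, since the switch rejected deny entries
# in PBR ACLs ("Deny is not supported on PBR").
ACLS = {
    "IT_Internet_17_NW": ["192.168.40.0/24", "192.168.50.0/24", "192.168.60.0/24"],
    # nopbr: 192.168.10.0/24 (vlan1) is from the thread; 192.168.11.0/24 is
    # assumed from the LAN list in the original post. vlan2-4 are not given.
    "nopbr": ["192.168.10.0/24", "192.168.11.0/24"],
}

@dataclass
class Seq:
    seq: int
    action: str                       # "permit" or "deny"
    acl: Optional[str] = None         # None = no match clause, matches all
    next_hop: Optional[str] = None    # set ip next-hop (permit only)

# Before: only sequences 10 and 99, so every non-WAN destination,
# including the DNS server 192.168.10.136, is forced to firewall-2.
ROUTE_MAP_BEFORE = [
    Seq(10, "permit", "IT_Internet_17_NW", "192.168.10.253"),
    Seq(99, "permit", None, "192.168.10.254"),
]

# After the fix: a deny stanza between them exempts intra-LAN traffic.
ROUTE_MAP_AFTER = [
    Seq(10, "permit", "IT_Internet_17_NW", "192.168.10.253"),
    Seq(20, "deny", "nopbr"),
    Seq(99, "permit", None, "192.168.10.254"),
]

def acl_matches(acl_name: str, dst: str) -> bool:
    d = ipaddress.ip_address(dst)
    return any(d in ipaddress.ip_network(p) for p in ACLS[acl_name])

def pbr_next_hop(route_map, dst: str) -> Optional[str]:
    """First matching sequence wins. Returns the policy next-hop, or None
    when the packet falls through to the normal routing table."""
    for s in sorted(route_map, key=lambda s: s.seq):
        if s.acl is None or acl_matches(s.acl, dst):
            return s.next_hop if s.action == "permit" else None
    return None

if __name__ == "__main__":
    for dst in ["192.168.10.136", "192.168.40.5", "8.8.8.8"]:
        print(dst, pbr_next_hop(ROUTE_MAP_BEFORE, dst), pbr_next_hop(ROUTE_MAP_AFTER, dst))
```

A None result means the switch uses its routing table, which for 192.168.10.0/24 is the connected SVI, so DNS replies no longer detour through firewall-2.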

Hi Paul,

 

Finally all my issues are resolved. Thanks for the precious time you spent with me to resolve all the barriers.



C:\Users\TEMP.xxxxx>nslookup
Server: xxx.xxxx.com
Address: 192.168.10.236

>
>
> facebook.com
Server: xxx.xxxx.com
Address: 192.168.10.236

Non-authoritative answer:
Name: facebook.com
Addresses: 2a03:2880:f142:182:face:b00c:0:25de
157.240.196.35

 

Hello

Glad to hear it - that’s what these forums are for! 

Thanks for the feedback much appreciated.



Kind Regards
Paul

Hello Paul,

 

For testing purposes I have applied the PBR in vlan10 only; I have to apply PBR to some other VLANs as well.

Can I use the same PBR for the other interface VLANs?

 

interface Vlan10
ip address 192.168.17.251/24
ip policy route-map PBR_IT_Internet_17_NW
hsrp version 2

 

Hello

Yes you can, but obviously you'll need to tweak the extended nopbr access-list for each SVI you apply it to.



Kind Regards
Paul