SG550XG: PBR ignored when routing through VRRP master address

ape711 · ‎01-16-2020

Hi community!

We are experiencing a problem on our SG550XG-switches where the PBR rules are not applied as soon as we route traffic through the vrrp-master address. Is this a known issue? I could not find anything related.

We allow access to the switch management interfaces from the management stations in 10.16.16.0/24 but also require packet filtering using a firewall at 10.16.20.1. This behaviour is enforced with PBR. The switch unfortunately tries to route traffic through it's oob interface if we are not forcing the next hop with PBR...

The relevant configuration snippets are these

ip access-list extended route-to-mgmt-lan
permit tcp 10.16.16.0 0.0.0.255 any 172.16.16.0 0.0.0.255 any ace-priority 20
exit

route-map route-to-mgmt-lan 10
 match ip address access-list route-to-mgmt-lan
 set ip next-hop 10.16.20.1
exit

interface vlan 2
 ip address 10.16.16.252 255.255.255.0
 ip dhcp relay enable
 vrrp 2 ip 10.16.16.250
 vrrp 2 version 3
 no vrrp 2 shutdown
 ip policy route-map route-to-mgmt-lan
!

interface oob
 ip address 172.16.16.89 255.255.255.0                
 no ip address dhcp
!

When using 10.16.16.252 as gateway with this configuration the PBR rules are applied as expected.
When using 10.16.16.250 the switch is trying to route traffic through oob interface, which doesn't work ..

Muhammad Awais Khan · ‎01-16-2020

Hi,

It seems vrrp configuration is incomplete. Can you please add below to your vrrp switches ?

Interface vlan 2

Vrrp 2 accept mode accept

Ref: https://www.cisco.com/c/en/us/support/docs/smb/switches/cisco-550x-series-stackable-managed-switches/Configuring_VRRP_Virtual_Routers_on_a_SG550XG_Switch_through_the_CLI.html

ape711 · ‎01-16-2020

Hi, thanks for your input!
We've already tried that and it has no impact on the issue described above.