cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
475
Views
0
Helpful
1
Replies
Highlighted

Nexus9000 deny ACLs in PBR

Dear.

 

I have a cisco 4500x and i need migrate to nexus 9504, but i see the Nexus 9K is not support sentences deny in the ACL within PBR, somebody have a alternative?.

 

The message output is:

SW-CORE(config-if)# e2015 Aug 16 09:27:31 SW-CORE %$ VDC-1 %$ %RPM-2-PPF_SES_VERIFY:  rpm [5948]  PPF session verify failed in client (Line card  2/VDC  NONE/UUID  366) with an error 0x4104005f(Deny is not supported on PBR. Please check your configuration.)


% Could not apply PBR route-map - Deny is not supported on PBR. Please check your configuration.
SW-CORE(config-if)# 2015 Aug 16 09:36:21 SW-CORE %$ VDC-1 %$ %RPM-2-PPF_SES_VERIFY:  rpm [5948]  PPF session verify failed in client (Line card  2/VDC  NONE/UUID  366) with an error 0x4104005f(Deny is not supported on PBR. Please check your configuration.)

 

Thank.

Everyone's tags (1)
1 REPLY 1
Beginner

Re: Nexus9000 deny ACLs in PBR

First create two "permit" ACLs.  One for the traffic not using PBR and the other to permit the traffic to use PBR.  Then use a deny statement under your route-map referencing the IP addresses you would like to deny.  Second route-map statement would have the permit.  Example below.

 

IP access list PBR_DENY
 10 permit ip any 10.0.0.0/8
 20 permit ip any 192.168.0.0/24
IP access list PBR_PERMIT
 10 permit tcp 10.2.2.2 any eq www
 20 permit tcp 10.2.2.2 any eq 443

route-map PBR_TO_WEB_PROXY deny 10
 match ip address PBR_DENY
route-map PBR_TO_WEB_PROXY permit 100
match ip address PBR_PERMIT
set ip next-hop 10.255.255.1

CreatePlease to create content
Content for Community-Ad
July's Community Spotlight Awards