08-25-2010 01:58 AM - edited 03-06-2019 12:38 PM
Hi all,
Question about PBR: can it take precedence over a connected route in any way?
I've tried an ACL more restrictive than the subnet, but it doesn't seem to work.
I need to route traffic from subnet A to B towards a FW; subnet B is configured both on the 6K and on the FW. So I've put an ip local policy on subnet A, but no results.
Any idea?
08-25-2010 03:48 AM
Hi Das,
No, PBR cannot take precedence when the destination is directly connected.
I am thinking that using different VRFs for subnet A and subnet B might help in your case.
HTH,
Lei Tian
08-25-2010 01:06 PM
Hi Lei,
Thanks a lot for the answer!
I was thinking about different VRFs, but I (sometimes) need intra-VLAN traffic. So in the VRF fashion, with Nexus 7000 release 4.2.X (but I'm pretty sure also in 5.X), route leaking with import/export is not possible yet.
Maybe I'll split the static routes to hit a longest-match route.
I also must say that it would not be so bad to have a way to overcome this 'limitation' of connected routes.
What a shame!
Thanks a lot.
Dan
08-25-2010 03:39 PM
Hi Dan,
Yes, the VRF import/export feature is not there yet. The workaround is using PBR to do VRF leaking.
I was thinking of using some static routes to leak between the VRF and the global routing table. Here is my configuration:
ip vrf points
!
interface Vlan A
 ip vrf forwarding points
 ip address 10.10.24.1 255.255.255.0
!
interface Vlan B
 ip address 10.10.23.1 255.255.255.0
!
ip route vrf points 10.10.23.0 255.255.255.0 FW_IP
*traffic from vlan A to vlan B sent to the FW*
ip route vrf points 10.10.23.2 255.255.255.255 10.10.23.2 global
*traffic from vlan A to a specific IP in vlan B sent to global*
ip route 10.10.24.0 255.255.255.0 Vlan A
*return traffic from the specific IP in vlan B to vlan A*
I am sure your requirement is more complex than this config, and NX-OS has different syntax. I just want to throw out an idea.
Regards,
Lei Tian
08-26-2010 01:01 AM
hi Lei,
Thanks again.
The topology is not complex: just all interfaces in VRFs, nothing in global.
Have you got an example of VRF leaking with PBR?
Thanks and have a nice day.
Dan
08-26-2010 03:32 AM
Hi Dan,
feature pbr
feature interface-vlan
!
vlan 10,20
!
vrf context vlanA
vrf context vlanB
!
ip access-list vlanA_to_vlanB
  permit ip 10.10.10.0/24 10.10.20.0/24
ip access-list vlanB_to_vlanA
  permit ip 10.10.20.0/24 10.10.10.0/24
!
route-map vlanA_to_vlanB permit 10
  match ip address vlanA_to_vlanB
  set vrf vlanB
route-map vlanB_to_vlanA permit 10
  match ip address vlanB_to_vlanA
  set vrf vlanA
!
interface Vlan10
  vrf member vlanA
  ip address 10.10.10.1/24
  ip policy route-map vlanA_to_vlanB
  no shutdown
!
interface Vlan20
  vrf member vlanB
  ip address 10.10.20.1/24
  ip policy route-map vlanB_to_vlanA
  no shutdown
Regards,
Lei Tian
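As an added illustration (not part of this thread and not Cisco code), the following Python model shows how the two leaking designs Lei Tian posted make their forwarding decisions: the IOS-style static routes with the `global` keyword, where the /32 host route wins by longest match and is resolved in the global table, and the NX-OS-style PBR route-maps, where an ACL match on the ingress SVI switches the lookup into the other VRF before routing. The interface names, the FW address (10.10.99.2 on a constructed transit link) and the host addresses used in the lookups are constructed for the example; only the 10.10.x.0/24 subnets come from the thread. The model applies the policy first and then does a longest-prefix lookup in the selected table; it says nothing about how a given platform treats PBR against its own connected routes.

```python
"""Toy model of the two VRF-leaking designs posted in this thread.
Constructed example; not IOS/NX-OS code."""
from ipaddress import ip_address, ip_network


class Router:
    """Per-VRF routing tables with longest-prefix match; a PBR hook runs before the lookup."""

    def __init__(self):
        self.tables = {}    # vrf -> [(network, next_hop, next_hop_vrf)]
        self.policies = {}  # ingress vrf -> [(src_net, dst_net, set_vrf)]

    def add_route(self, vrf, prefix, next_hop, next_hop_vrf=None):
        # next_hop is an IP string or an interface name; next_hop_vrf models the `global` keyword
        self.tables.setdefault(vrf, []).append((ip_network(prefix), next_hop, next_hop_vrf))

    def add_policy(self, ingress_vrf, src, dst, set_vrf):
        # models a route-map with `match ip address <acl>` and `set vrf <name>` on the ingress SVI
        self.policies.setdefault(ingress_vrf, []).append((ip_network(src), ip_network(dst), set_vrf))

    def lookup(self, vrf, dst):
        """Longest-prefix match in one table; returns (network, next_hop, next_hop_vrf) or None."""
        best = None
        for entry in self.tables.get(vrf, []):
            if dst in entry[0] and (best is None or entry[0].prefixlen > best[0].prefixlen):
                best = entry
        return best

    def resolve(self, vrf, dst, depth=0):
        """Follow IP next hops (possibly into another table) until an egress interface is found.
        Returns (table where resolution ended, egress interface, next-hop IP to ARP for)."""
        if depth > 8:
            return None                       # recursion guard against routing loops
        hit = self.lookup(vrf, dst)
        if hit is None:
            return None                       # no route in this table: dropped
        _, next_hop, next_hop_vrf = hit
        try:
            nh = ip_address(next_hop)
        except ValueError:
            return (vrf, next_hop, str(dst))  # next hop is an interface: directly attached
        resolved = self.resolve(next_hop_vrf or vrf, nh, depth + 1)
        return None if resolved is None else (resolved[0], resolved[1], str(nh))

    def forward(self, ingress_vrf, src, dst):
        """Forwarding decision: PBR first (first matching ACL line wins), then the routing lookup."""
        src, dst = ip_address(src), ip_address(dst)
        vrf = ingress_vrf
        for src_net, dst_net, set_vrf in self.policies.get(ingress_vrf, []):
            if src in src_net and dst in dst_net:
                vrf = set_vrf
                break
        return self.resolve(vrf, dst)


def static_leak_router():
    """The IOS-style design: VRF `points` reaches vlan B via the FW, except one host leaked to global."""
    r = Router()
    r.add_route("points", "10.10.24.0/24", "VlanA")                   # connected, vrf points
    r.add_route("global", "10.10.23.0/24", "VlanB")                   # connected, global
    fw_ip = "10.10.99.2"                                              # constructed stand-in for FW_IP
    r.add_route("points", "10.10.99.0/30", "Vlan99")                  # constructed transit link to the FW
    r.add_route("points", "10.10.23.0/24", fw_ip)                     # ip route vrf points 10.10.23.0/24 FW_IP
    r.add_route("points", "10.10.23.2/32", "10.10.23.2", "global")    # ip route vrf points 10.10.23.2/32 10.10.23.2 global
    r.add_route("global", "10.10.24.0/24", "VlanA")                   # ip route 10.10.24.0/24 Vlan A
    return r


def pbr_leak_router():
    """The NX-OS-style design: ACL match on each ingress SVI, `set vrf` into the other VRF."""
    r = Router()
    r.add_route("vlanA", "10.10.10.0/24", "Vlan10")
    r.add_route("vlanB", "10.10.20.0/24", "Vlan20")
    r.add_policy("vlanA", "10.10.10.0/24", "10.10.20.0/24", "vlanB")
    r.add_policy("vlanB", "10.10.20.0/24", "10.10.10.0/24", "vlanA")
    return r


if __name__ == "__main__":
    s = static_leak_router()
    print(s.forward("points", "10.10.24.5", "10.10.23.50"))  # via the FW
    print(s.forward("points", "10.10.24.5", "10.10.23.2"))   # /32 wins, resolved in global, direct
    print(s.forward("global", "10.10.23.2", "10.10.24.5"))   # return path via the interface route
    p = pbr_leak_router()
    print(p.forward("vlanA", "10.10.10.5", "10.10.20.5"))    # PBR moves the lookup into vlanB
    print(p.forward("vlanA", "10.10.10.5", "10.10.30.5"))    # no ACL match, no route: None
```

The last call is the failure mode worth noticing: anything the ACL does not match stays in the ingress VRF and is dropped if that table has no route for it, so the ACL is what decides which inter-VRF flows exist.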
08-26-2010 04:49 AM
Hi Lei,
Thanks, that was helpful.
Do you think PBR (in this particular case) is done in HW or is SW based?
Thanks again and have a nice day.
08-26-2010 06:35 AM
Hi Dan,
I believe it is done in hardware, but I was not able to find that in the datasheet.
Hope someone can jump in if they have the CCO link.
Regards,
Lei Tian