Policy based routing in a vrf

Any of you guys have experience with this? I'm driving myself nuts trying to do this on an SVI and it keeps failing. I've done the same PBR setup outside of a vrf and it works like a charm in the global table.

basic configs...sanitized for the web. The next hop in this scenario is reachable and in vrf A. The network I am trying to reach (we will say 172.16.20.0/24) isn't in the routing table of the router performing the PBR, but it is in the routing table of the router specified as the next-hop. I am using a laptop addressed as 172.16.10.2 on vlan 10 with a gateway of 172.16.10.1 to test this.

access-list 10 permit 172.16.10.0 0.0.0.255

route-map TEST permit 10
 match ip address 10
 set ip vrf A next-hop 1.1.1.2

interface Vlan10
 ip vrf forwarding A
 ip address 172.16.10.1 255.255.255.0
 ip tcp adjust-mss 1400
 ip policy route-map TEST
end

Working on this with TAC and they are stumped as well...any ideas?

Find more posts tagged with

Comments

Forsaken_GA

what is the reason it's actually failing? does debug ip packet detail show it being forwarded and it's dying at the next hop, or is the switch itself ***** about the packet being unroutable, or destination unknown, or what?

networker050184

Have you verified this is supported in your version of IOS? Have you tried another version?

Forsaken_GA

And actually I'm a tad bit confused.... the IP in your access list would match the IP you have on Vlan10...so you're trying to policy route anything destined for the local interfaces subnet to somewhere else, or is there a typo in the sanitization?

vinbuck

@networker

According to TAC, it is supposed to be supported in the IOS and it's actually even supported in the hardware since it's going on a 7609. I haven't tried another IOS yet because it would have to be done in a maintenance window - not out of the question, just exploring other options.

@Forsaken

Debugs (sanitized also) of ip policy routing from host 172.16.10.2 trying to ping 172.16.20.1 which is only available on the next hop router I am trying to PBR to.

2d23h: IP: s=172.16.10.2 (Vlan10), d=172.16.20.1, len 60, FIB policy match
2d23h: IP: s=172.16.10.2 (Vlan10), d=172.16.20.1, len 60, PBR Counted
2d23h: IP: s=172.16.10.2 (Vlan10), d=172.16.20.1, len 60, FIB policy rejected - normal forwarding
2d23h: IP: s=172.16.10.2 (Vlan10), d=172.16.20.1, len 60, FIB policy match
2d23h: IP: s=172.16.10.2 (Vlan10), d=172.16.20.1, len 60, PBR Counted
2d23h: IP: s=172.16.10.2 (Vlan10), d=172.16.20.1, len 60, FIB policy rejected - normal forwarding
2d23h: IP: s=172.16.10.2 (Vlan10), d=172.16.20.1, len 60, FIB policy match
2d23h: IP: s=172.16.10.2 (Vlan10), d=172.16.20.1, len 60, PBR Counted
2d23h: IP: s=172.16.10.2 (Vlan10), d=172.16.20.1, len 60, FIB policy rejected - normal forwarding

As to your other question, yes i'm trying to PBR that subnet away from the default gateway in the vrf to another router (1.1.1.2)

ColbyG

Have you tried an extended ACL?

vinbuck

ColbyG wrote: »

Have you tried an extended ACL?

Unfortunately we have with the same debug output as above. We also tried putting in 'set vrf A' before the 'set ip vrf next-hop' command and that spit out some interesting errors - the router did not like that

vinbuck

So TAC comes back and says the problem is that we aren't doing a set ip vrf A next-hop recursive 1.1.1.2

According to them, when using PBR, the next hop must be directly connected or it requires a recursive lookup in order to forward. The command isn't even in our IOS image and given that MPLS/BGP runs on top of loopbacks, it doesn't seem logical or possible that you would have to specify the underlying IGP next-hop outside of the VRF. Am I just totally missing something here?

Any of you guys have a lot of experience with recursive routing?

networker050184

Now that I think about it I've never done PBR in a VRF that didn't go to a directly connected next hop. What does TAC have to say about the command not being there? Sounds like you are out of luck without upgrading if that's the case.

Scales

Is there a route for the 1.1.1.2 ip address in vrf a?

Recursive routing:
Think about the BGP routing table. There is a destination and then a next-hop.
The router will route a packet it knows via BGP to the next-hop.
To get to that next hop it does a recursive lookup in its routing table to find the NRLI of the next hop.

hope that helps.