Policy based routing in a vrf

vinbuckvinbuck Member Posts: 785 ■■■■□□□□□□
Any of you guys have experience with this? I'm driving myself nuts trying to do this on an SVI and it keeps failing. I've done the same PBR setup outside of a vrf and it works like a charm in the global table.

basic configs...sanitized for the web. The next hop in this scenario is reachable and in vrf A. The network I am trying to reach (we will say 172.16.20.0/24) isn't in the routing table of the router performing the PBR, but it is in the routing table of the router specified as the next-hop. I am using a laptop addressed as 172.16.10.2 on vlan 10 with a gateway of 172.16.10.1 to test this.
access-list 10 permit 172.16.10.0 0.0.0.255
route-map TEST permit 10
 match ip address 10
 set ip vrf A next-hop 1.1.1.2
interface Vlan10
 ip vrf forwarding A
 ip address 172.16.10.1 255.255.255.0
 ip tcp adjust-mss 1400
 ip policy route-map TEST
end

Working on this with TAC and they are stumped as well...any ideas?
Cisco was my first networking love, but my "other" router is a Mikrotik...

Comments

  • Forsaken_GAForsaken_GA Member Posts: 4,024
    what is the reason it's actually failing? does debug ip packet detail show it being forwarded and it's dying at the next hop, or is the switch itself ***** about the packet being unroutable, or destination unknown, or what?
  • networker050184networker050184 Mod Posts: 11,962 Mod
    Have you verified this is supported in your version of IOS? Have you tried another version?
    An expert is a man who has made all the mistakes which can be made.
  • Forsaken_GAForsaken_GA Member Posts: 4,024
    And actually I'm a tad bit confused.... the IP in your access list would match the IP you have on Vlan10...so you're trying to policy route anything destined for the local interfaces subnet to somewhere else, or is there a typo in the sanitization?
  • vinbuckvinbuck Member Posts: 785 ■■■■□□□□□□
    @networker

    According to TAC, it is supposed to be supported in the IOS and it's actually even supported in the hardware since it's going on a 7609. I haven't tried another IOS yet because it would have to be done in a maintenance window - not out of the question, just exploring other options.

    @Forsaken

    Debugs (sanitized also) of ip policy routing from host 172.16.10.2 trying to ping 172.16.20.1 which is only available on the next hop router I am trying to PBR to.
    2d23h: IP: s=172.16.10.2 (Vlan10), d=172.16.20.1, len 60, FIB policy match
    2d23h: IP: s=172.16.10.2 (Vlan10), d=172.16.20.1, len 60, PBR Counted
    2d23h: IP: s=172.16.10.2 (Vlan10), d=172.16.20.1, len 60, FIB policy rejected - normal forwarding
    2d23h: IP: s=172.16.10.2 (Vlan10), d=172.16.20.1, len 60, FIB policy match
    2d23h: IP: s=172.16.10.2 (Vlan10), d=172.16.20.1, len 60, PBR Counted
    2d23h: IP: s=172.16.10.2 (Vlan10), d=172.16.20.1, len 60, FIB policy rejected - normal forwarding
    2d23h: IP: s=172.16.10.2 (Vlan10), d=172.16.20.1, len 60, FIB policy match
    2d23h: IP: s=172.16.10.2 (Vlan10), d=172.16.20.1, len 60, PBR Counted
    2d23h: IP: s=172.16.10.2 (Vlan10), d=172.16.20.1, len 60, FIB policy rejected - normal forwarding
    

    As to your other question, yes i'm trying to PBR that subnet away from the default gateway in the vrf to another router (1.1.1.2)
    Cisco was my first networking love, but my "other" router is a Mikrotik...
  • ColbyGColbyG Member Posts: 1,264
  • vinbuckvinbuck Member Posts: 785 ■■■■□□□□□□
    ColbyG wrote: »
    Have you tried an extended ACL?


    Unfortunately we have with the same debug output as above. We also tried putting in 'set vrf A' before the 'set ip vrf next-hop' command and that spit out some interesting errors - the router did not like that icon_smile.gif
    Cisco was my first networking love, but my "other" router is a Mikrotik...
  • vinbuckvinbuck Member Posts: 785 ■■■■□□□□□□
    So TAC comes back and says the problem is that we aren't doing a set ip vrf A next-hop recursive 1.1.1.2

    According to them, when using PBR, the next hop must be directly connected or it requires a recursive lookup in order to forward. The command isn't even in our IOS image and given that MPLS/BGP runs on top of loopbacks, it doesn't seem logical or possible that you would have to specify the underlying IGP next-hop outside of the VRF. Am I just totally missing something here?

    Any of you guys have a lot of experience with recursive routing?
    Cisco was my first networking love, but my "other" router is a Mikrotik...
  • networker050184networker050184 Mod Posts: 11,962 Mod
    Now that I think about it I've never done PBR in a VRF that didn't go to a directly connected next hop. What does TAC have to say about the command not being there? Sounds like you are out of luck without upgrading if that's the case.
    An expert is a man who has made all the mistakes which can be made.
  • ScalesScales Member Posts: 95 ■■□□□□□□□□
    Is there a route for the 1.1.1.2 ip address in vrf a?

    Recursive routing:
    Think about the BGP routing table. There is a destination and then a next-hop.
    The router will route a packet it knows via BGP to the next-hop.
    To get to that next hop it does a recursive lookup in its routing table to find the NRLI of the next hop.

    hope that helps.
Sign In or Register to comment.