Ethernet Switches & Routers

Occasional Contributor
Posts: 11
Registered: ‎01-25-2011

PBR - Multiple Route Maps for an Interface?

I have the need for more than one ACL to apply to my PBR on the 10.69.169.0/24 ve. Here's the first ACL:

access-list 101 deny ip 10.69.169.0 0.0.0.255 10.69.166.0 0.0.0.255
access-list 101 deny ip 10.69.169.0 0.0.0.255 10.69.167.0 0.0.0.255
access-list 101 deny ip 10.69.169.0 0.0.0.255 10.69.168.0 0.0.0.255
...blah a whole bunch of internal subnets
...blah a whole bunch more internal subnets
access-list 101 deny ip 10.69.169.0 0.0.0.255 172.17.188.0 0.0.0.255
access-list 101 deny ip 10.69.169.0 0.0.0.255 10.70.169.0 0.0.0.255
access-list 101 permit ip 10.69.169.0 0.0.0.255 any
The above is to route "non-internal" traffic through a load balancer (web traffic, so I can turn off SNAT).  All of the networks in the deny statements are headed to the ve's gateway address on the switch.

....and here's the second:

access-list 110 permit ip 10.69.169.0 0.0.0.255 10.69.166.0 0.0.0.255
access-list 110 permit ip 10.69.169.0 0.0.0.255 10.69.167.0 0.0.0.255
access-list 110 permit ip 10.69.169.0 0.0.0.255 10.69.168.0 0.0.0.255

That one is to route all inter-vlan traffic on the switch through a "back-end" firewall.  I want the internal traffic not picked up by ACL 101 (166, 167, and 169) to use this and go through the firewall.

Now, the problem is, I can't get both to work. The first ACL works, but the second doesn't trigger. Here's the route-map I'm trying (with comments I added for the purpose of this thread):

route-map VLAN100toLB permit 101
 match ip address 101
 set ip next-hop 10.69.169.5        (this is the LB interface)
route-map VLAN100toLB permit 110
 match ip address 110
 set ip next-hop 10.69.169.4        (this is the firewall interface I want the internal traffic to go to, as outlined in ACL 110)

What am I missing?

I did notice that the config guide for 7202 mentions the following:

"PBR also ignores any deny clauses in an ACL. Traffic that matches a deny clause is routed normally using Layer 3 paths."

as well as:

"If you are configuring the ACL for use in a route map, always specify permit. Otherwise, the Brocade device will ignore deny clauses and packets that match deny clauses are routed normally."

However, the deny lines I have in the first ACL (101) work like a charm... Go figure.

Thanks in advance!!

Occasional Contributor
Posts: 7
Registered: ‎01-22-2011

Re: PBR - Multiple Route Maps for an Interface?

cmaier wrote:

I did notice that the config guide for 7202 mentions the following:

"PBR also ignores any deny clauses in an ACL. Traffic that matches a deny clause is routed normally using Layer 3 paths."

as well as:

"If you are configuring the ACL for use in a route map, always specify permit. Otherwise, the Brocade device will ignore deny clauses and packets that match deny clauses are routed normally."

However, the deny lines I have in the first ACL (101) work like a charm....Go figure....

Thanks in advance!!

The lengthy explanation of this is that the permit/deny in the first line of the route-map clause is the action that will be taken on the match in an ACL. The permit/deny within the ACL acts more as an "evaluate/don't evaluate" tag. In your example in your original post all of the deny lines of your ACL would be ignored by the route-map itself in the first clause just as if you left them out of the ACL altogether.

Here's the first ACL:
access-list 101 deny ip 10.69.169.0 0.0.0.255 10.69.166.0 0.0.0.255
access-list 101 deny ip 10.69.169.0 0.0.0.255 10.69.167.0 0.0.0.255
access-list 101 deny ip 10.69.169.0 0.0.0.255 10.69.168.0 0.0.0.255
...blah a whole bunch of internal subnets
...blah a whole bunch more internal subnets
access-list 101 deny ip 10.69.169.0 0.0.0.255 172.17.188.0 0.0.0.255
access-list 101 deny ip 10.69.169.0 0.0.0.255 10.70.169.0 0.0.0.255
access-list 101 permit ip 10.69.169.0 0.0.0.255 any

The permit statement will be the only one evaluated and acted upon by the route-map.

access-list 110 permit ip 10.69.169.0 0.0.0.255 10.69.166.0 0.0.0.255
access-list 110 permit ip 10.69.169.0 0.0.0.255 10.69.167.0 0.0.0.255
access-list 110 permit ip 10.69.169.0 0.0.0.255 10.69.168.0 0.0.0.255

The permit statement you have in ACL 101 matches all 3 of these, so it may make more sense to put the clause that contains this rule first in the route-map.
Always go More specific > Less specific.

If you have deny statements in an ACL being evaluated by the route-map, then you might be hitting a bug.

Ken Penttinen

Limelight Networks
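The following is an added example, not code from the thread or from Brocade: a small Python model of the evaluation rule the reply describes (ACL deny entries are skipped as if they were not in the ACL, the first route-map clause whose ACL has a matching permit entry decides the packet, and a route-map deny clause means normal Layer 3 routing). It parses the thread's own ACLs and route-map, then shows why, in the posted order, traffic for 10.69.166.0/24 is caught by the "permit any" entry of ACL 101 and sent to the load balancer, and how putting the ACL 110 clause first fixes that. ACL 120, the leading route-map deny clause, and the test flows are assumptions constructed for the example; the deny clause in particular follows from the reply's explanation rather than from anything the thread verified on a switch.

```python
from ipaddress import IPv4Address, IPv4Network

# Constructed sample config: the thread's ACLs and route-map (the "...blah"
# subnets left out), plus a hypothetical ACL 120 used below. Not Brocade code.
ACL_TEXT = """
access-list 101 deny ip 10.69.169.0 0.0.0.255 10.69.166.0 0.0.0.255
access-list 101 deny ip 10.69.169.0 0.0.0.255 10.69.167.0 0.0.0.255
access-list 101 deny ip 10.69.169.0 0.0.0.255 10.69.168.0 0.0.0.255
access-list 101 deny ip 10.69.169.0 0.0.0.255 172.17.188.0 0.0.0.255
access-list 101 deny ip 10.69.169.0 0.0.0.255 10.70.169.0 0.0.0.255
access-list 101 permit ip 10.69.169.0 0.0.0.255 any
access-list 110 permit ip 10.69.169.0 0.0.0.255 10.69.166.0 0.0.0.255
access-list 110 permit ip 10.69.169.0 0.0.0.255 10.69.167.0 0.0.0.255
access-list 110 permit ip 10.69.169.0 0.0.0.255 10.69.168.0 0.0.0.255
access-list 120 permit ip 10.69.169.0 0.0.0.255 172.17.188.0 0.0.0.255
access-list 120 permit ip 10.69.169.0 0.0.0.255 10.70.169.0 0.0.0.255
"""

# The route-map as posted: the clause referencing ACL 101 is evaluated first.
ROUTE_MAP_AS_POSTED = """
route-map VLAN100toLB permit 101
 match ip address 101
 set ip next-hop 10.69.169.5
route-map VLAN100toLB permit 110
 match ip address 110
 set ip next-hop 10.69.169.4
"""

# Reordered as the reply suggests (more specific first). The leading deny clause
# is an assumption drawn from the reply: a route-map deny means normal routing.
ROUTE_MAP_REORDERED = """
route-map VLAN100toLB deny 5
 match ip address 120
route-map VLAN100toLB permit 10
 match ip address 110
 set ip next-hop 10.69.169.4
route-map VLAN100toLB permit 20
 match ip address 101
 set ip next-hop 10.69.169.5
"""


def wildcard_to_network(addr, wildcard):
    """'10.69.169.0 0.0.0.255' -> 10.69.169.0/24 (wildcard = inverted netmask)."""
    netmask = IPv4Address(int(IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return IPv4Network((addr, str(netmask)), strict=False)


def take_addr(tokens):
    """Consume one ACL address spec: 'any' or 'ADDR WILDCARD'."""
    if tokens[0] == "any":
        return IPv4Network("0.0.0.0/0"), tokens[1:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acls(text):
    """Return {acl_id: [(action, src_net, dst_net), ...]} in configured order."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()                      # access-list ID ACTION ip SRC DST
        src, rest = take_addr(t[4:])
        dst, _ = take_addr(rest)
        acls.setdefault(t[1], []).append((t[2], src, dst))
    return acls


def parse_route_map(text):
    """Return route-map clauses, in order, as dicts: action, acl, next_hop."""
    clauses = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] == "route-map":
            clauses.append({"action": t[2], "acl": None, "next_hop": None})
        elif t[:3] == ["match", "ip", "address"]:
            clauses[-1]["acl"] = t[3]
        elif t[:3] == ["set", "ip", "next-hop"]:
            clauses[-1]["next_hop"] = t[3]
    return clauses


def pbr_next_hop(clauses, acls, src_ip, dst_ip):
    """Model of the reply's semantics: ACL deny entries are skipped as if absent;
    the first clause with a matching permit entry decides; a route-map deny
    clause (or one with no next-hop) means normal routing ('normal')."""
    src, dst = IPv4Address(src_ip), IPv4Address(dst_ip)
    for clause in clauses:
        for action, s_net, d_net in acls.get(clause["acl"], []):
            if action == "permit" and src in s_net and dst in d_net:
                if clause["action"] == "permit" and clause["next_hop"]:
                    return clause["next_hop"]
                return "normal"
    return "normal"


def decisions(route_map_text, flows):
    """Map each constructed (src, dst) flow to the next hop the model selects."""
    acls, clauses = parse_acls(ACL_TEXT), parse_route_map(route_map_text)
    return {flow: pbr_next_hop(clauses, acls, *flow) for flow in flows}
```

Running `decisions(ROUTE_MAP_AS_POSTED, [("10.69.169.10", "10.69.166.20")])` yields the load balancer (10.69.169.5) because the deny entries in ACL 101 are skipped and "permit any" matches before the ACL 110 clause is ever reached; with `ROUTE_MAP_REORDERED` the same flow is sent to the firewall (10.69.169.4), external traffic still goes to the load balancer, and the subnets that only had deny entries in ACL 101 (172.17.188.0/24, 10.70.169.0/24) fall to normal routing only because the added deny clause catches them first. The model also makes the caveat visible: under these semantics a deny entry never excludes anything on its own, so exclusions have to be expressed as a route-map clause rather than as ACL deny lines.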
