Ethernet Switches & Routers

Occasional Contributor
Posts: 11
Registered: ‎01-25-2011

PBR - Multiple Route Maps for an Interface?

I have the need for more than one ACL to apply to my PBR on the 10.69.169.0/24 ve. Here's the first ACL:

access-list 101 deny ip 10.69.169.0 0.0.0.255 10.69.166.0 0.0.0.255
access-list 101 deny ip 10.69.169.0 0.0.0.255 10.69.167.0 0.0.0.255
access-list 101 deny ip 10.69.169.0 0.0.0.255 10.69.168.0 0.0.0.255
...blah a whole bunch of internal subnets
...blah a whole bunch more internal subnets
access-list 101 deny ip 10.69.169.0 0.0.0.255 172.17.188.0 0.0.0.255
access-list 101 deny ip 10.69.169.0 0.0.0.255 10.70.169.0 0.0.0.255
access-list 101 permit ip 10.69.169.0 0.0.0.255 any
The above is to route "non-internal" traffic through a load balancer (web traffic, so I can turn off SNAT).  All of the networks in the deny statements are headed to the ve's gateway address on the switch.

....and here's the second:

access-list 110 permit ip 10.69.169.0 0.0.0.255 10.69.166.0 0.0.0.255
access-list 110 permit ip 10.69.169.0 0.0.0.255 10.69.167.0 0.0.0.255
access-list 110 permit ip 10.69.169.0 0.0.0.255 10.69.168.0 0.0.0.255

That one is to route all inter-vlan traffic on the switch through a "back-end" firewall.  I want the internal traffic not picked up by ACL 101 (166, 167, and 169) to use this and go through the firewall.

Now, the problem is, I can't get both to work. The first ACL works, but the second doesn't trigger. Here's the route-map I'm trying (with comments I added for the purpose of this thread):

route-map VLAN100toLB permit 101
 match ip address 101
 set ip next-hop 10.69.169.5      ! this is the LB interface
route-map VLAN100toLB permit 110
 match ip address 110
 set ip next-hop 10.69.169.4      ! this is the firewall interface I want the internal traffic to go to, as outlined in ACL 110

What am I missing?

I did notice that the config guide for 7202 mentions the following:

"PBR also ignores any deny clauses in an ACL. Traffic that matches a deny clause is routed normally using Layer 3 paths."

as well as:

"If you are configuring the ACL for use in a route map, always specify permit. Otherwise, the Brocade device will ignore deny clauses and packets that match deny clauses are routed normally."

However, the deny lines I have in the first ACL (101) work like a charm....Go figure....

Thanks in advance!!

Occasional Contributor
Posts: 7
Registered: ‎01-22-2011

Re: PBR - Multiple Route Maps for an Interface?

cmaier wrote:

I did notice that the config guide for 7202 mentions the following:

"PBR also ignores any deny clauses in an ACL. Traffic that matches a deny clause is routed normally using Layer 3 paths."

as well as:

"If you are configuring the ACL for use in a route map, always specify permit. Otherwise, the Brocade device will ignore deny clauses and packets that match deny clauses are routed normally."

However, the deny lines I have in the first ACL (101) work like a charm....Go figure....

Thanks in advance!!

The lengthy explanation of this is that the permit/deny in the first line of the route-map clause is the action that will be taken on the match in an ACL. The permit/deny within the ACL acts more as an "evaluate/don't evaluate" tag. In your example in your original post, all of the deny lines of your ACL would be ignored by the route-map itself in the first clause, just as if you left them out of the ACL altogether.

Here's the first ACL:
access-list 101 deny ip 10.69.169.0 0.0.0.255 10.69.166.0 0.0.0.255
access-list 101 deny ip 10.69.169.0 0.0.0.255 10.69.167.0 0.0.0.255
access-list 101 deny ip 10.69.169.0 0.0.0.255 10.69.168.0 0.0.0.255
...blah a whole bunch of internal subnets
...blah a whole bunch more internal subnets
access-list 101 deny ip 10.69.169.0 0.0.0.255 172.17.188.0 0.0.0.255
access-list 101 deny ip 10.69.169.0 0.0.0.255 10.70.169.0 0.0.0.255
access-list 101 permit ip 10.69.169.0 0.0.0.255 any

The permit statement will be the only one evaluated and acted upon by the route-map.

access-list 110 permit ip 10.69.169.0 0.0.0.255 10.69.166.0 0.0.0.255
access-list 110 permit ip 10.69.169.0 0.0.0.255 10.69.167.0 0.0.0.255
access-list 110 permit ip 10.69.169.0 0.0.0.255 10.69.168.0 0.0.0.255

The permit statement you have in ACL 101 matches all 3 of these, so it may make more sense to put the clause that contains this rule first in the route-map. Always go more specific > less specific.

If you have deny statements in an ACL being evaluated by the route-map, then you might be hitting a bug.

Ken Penttinen

Limelight Networks
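The following is an added example, not code from the thread or from Brocade. It models the route-map evaluation the reply describes so the ordering problem can be checked offline: a small parser for the extended-ACL and route-map lines used above, and an evaluator that walks the clauses in sequence order, first-match wins. The `deny_skipped` switch is an assumption added for comparison: `True` is the behaviour the 7202 guide and the reply describe (deny entries are simply not evaluated), `False` is classic first-match where a deny ends the ACL with no match. The config text and the sample flows are constructed from cmaier's numbers, trimmed to three internal subnets.

```python
"""Model of PBR route-map evaluation over Brocade-style extended ACLs.

Added example (not from the thread). Shows why, with the ACL-101 clause first,
internal traffic never reaches the ACL-110 clause, and why putting the more
specific clause first fixes it under either reading of ACL deny entries.
"""
import ipaddress

# Constructed configs. ORIGINAL_CONFIG mirrors the post; REORDERED_CONFIG only
# swaps the sequence numbers so the specific ACL-110 clause is tried first.
ORIGINAL_CONFIG = """
access-list 101 deny ip 10.69.169.0 0.0.0.255 10.69.166.0 0.0.0.255
access-list 101 deny ip 10.69.169.0 0.0.0.255 10.69.167.0 0.0.0.255
access-list 101 deny ip 10.69.169.0 0.0.0.255 10.69.168.0 0.0.0.255
access-list 101 permit ip 10.69.169.0 0.0.0.255 any
access-list 110 permit ip 10.69.169.0 0.0.0.255 10.69.166.0 0.0.0.255
access-list 110 permit ip 10.69.169.0 0.0.0.255 10.69.167.0 0.0.0.255
access-list 110 permit ip 10.69.169.0 0.0.0.255 10.69.168.0 0.0.0.255
route-map VLAN100toLB permit 101
 match ip address 101
 set ip next-hop 10.69.169.5      ! load balancer
route-map VLAN100toLB permit 110
 match ip address 110
 set ip next-hop 10.69.169.4      ! back-end firewall
"""

REORDERED_CONFIG = ORIGINAL_CONFIG.replace(
    "route-map VLAN100toLB permit 101", "route-map VLAN100toLB permit 20"
).replace("route-map VLAN100toLB permit 110", "route-map VLAN100toLB permit 10")


def _parse_addr(tokens, i):
    """Consume one address spec at tokens[i]: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    host = int(ipaddress.ip_address(tokens[i]))
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    prefix = 32 - wildcard.bit_length()  # assumes a contiguous wildcard, as in the thread
    return ipaddress.ip_network((host & ~wildcard & 0xFFFFFFFF, prefix)), i + 2


def parse_config(text):
    """Return ({acl_number: [(action, src_net, dst_net), ...]},
               {route_map_name: [clause, ...] sorted by sequence number})."""
    acls, route_maps, clause = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("!")[0].strip()  # '!' starts a comment in this CLI
        if not line:
            continue
        t = line.split()
        if t[0] == "access-list":
            num, action = t[1], t[2]
            src, i = _parse_addr(t, 4)  # t[3] is the protocol keyword 'ip'
            dst, _ = _parse_addr(t, i)
            acls.setdefault(num, []).append((action, src, dst))
        elif t[0] == "route-map":
            clause = {"seq": int(t[3]), "action": t[2], "acl": None, "next_hop": None}
            route_maps.setdefault(t[1], []).append(clause)
        elif t[:3] == ["match", "ip", "address"]:
            clause["acl"] = t[3]
        elif t[:3] == ["set", "ip", "next-hop"]:
            clause["next_hop"] = t[3]
    for clauses in route_maps.values():
        clauses.sort(key=lambda c: c["seq"])
    return acls, route_maps


def acl_selects(entries, src, dst, deny_skipped=True):
    """True if the ACL hands (src, dst) to the route-map clause.
    deny_skipped=True : deny entries are not evaluated (the reply's reading).
    deny_skipped=False: classic first-match; a matching deny ends the ACL with no match."""
    for action, src_net, dst_net in entries:
        if src not in src_net or dst not in dst_net:
            continue
        if action == "permit":
            return True
        if not deny_skipped:
            return False
    return False


def pbr_next_hop(config_text, route_map, src_ip, dst_ip, deny_skipped=True):
    """Next-hop chosen by PBR for the flow, or None when it is routed normally."""
    acls, route_maps = parse_config(config_text)
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for clause in route_maps[route_map]:
        if acl_selects(acls.get(clause["acl"], []), src, dst, deny_skipped):
            return clause["next_hop"] if clause["action"] == "permit" else None
    return None  # no clause matched: normal Layer 3 forwarding


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("reordered", REORDERED_CONFIG)):
        for dst in ("10.69.166.7", "8.8.8.8"):
            for skip in (True, False):
                hop = pbr_next_hop(cfg, "VLAN100toLB", "10.69.169.20", dst, skip)
                print(f"{label:9} dst={dst:12} deny_skipped={skip!s:5} -> {hop}")
```

With the original ordering and deny entries ignored, a 10.69.169.x to 10.69.166.x packet falls through the three denies, hits `permit ... any` in ACL 101 and is sent to the load balancer; clause 110 is never consulted. With the ACL-110 clause first, internal traffic goes to the firewall and only non-internal traffic reaches the load-balancer clause, and that result is the same under both readings of ACL deny, which is the practical reason to order the more specific clause first rather than rely on deny semantics.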
