Hello,
I'm trying to convert my ACLs on some VLAN Interfaces to PBR, because I need Source Based Routing on these VLANs.
I have some deny rules in my ACLs and tried to implement them in the following way:
route-map Route_1 permit 20
match ip address Routing_1_Drop
set interface null0
This doesn't work, because "set interface null0" is not allowed for the next hop.
My question now: If I omit the last line and have no next-hop statement (only the match statement), will the packet be dropped or transferred to the default router?
Hope to get an answer to this very specific question.
Kind Regards
Dear Charles,
Thank you so much for your proposal. Did you try this in real-time?
As I wrote before (and I could verify this behavior), IP based ACLs AND PBR at the same time are not possible on the same VLAN. I attach the original answer from DELL (it's in German, try google translator):
** Actionplan **
On interfaces where PBR is active, no further IP based ACLs can be used to control the traffic. Alternatively, you can run the PBR over a VRF, or use a different interface instead of the VLAN to apply the ACL (an uplink, for example). Alternatively, you can of course adapt the ACL used for PBR so that the rules of your ingress ACL are included.
But your proposal is a good idea to continue. Please have a look on this.
==============================================================================
Create only 2 ACLs based of the traffic and policies that need to be applied
block1, block2
==============================================================================
ip access-list block1
1000 permit icmp any any
1100 permit udp any any eq 67
1200 permit tcp 10.110.112.0 0.0.0.0 eq 22 any
1300 permit tcp 10.110.0.0 0.0.255.255 10.9.16.120 0.0.0.0 eq http
1400 permit udp 10.110.0.0 0.0.255.255 10.9.16.111 0.0.0.0 eq domain
exit
ip access-list block2
5000 deny ip any 10.0.0.0 0.255.255.255
5100 deny ip any 172.16.0.0 0.15.255.255
5200 deny ip any 192.168.0.0 0.0.255.255
10000 permit ip any any
exit
==============================================================================
Create route-map == pbr. This will do policy based routing for
traffic in ACLs - block1 and block2 and the final "drop all traffic"
==============================================================================
route-map pbr deny 10
match ip address block1
exit
route-map pbr permit 20
match ip address block2
set ip next-hop 10.110.48.1
exit
route-map pbr permit 30
set interface null0
exit
==============================================================================
What do you think, will this be a good solution for my conditions?
Thank you again for looking in the details.
Florian
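To check what the proposed ACL + route-map combination actually does to traffic before putting it on a switch, here is an offline model of it. This is an added example, not Dell's code and not part of the thread; it feeds the two ACLs and the three route-map sequences from the post above through the usual PBR evaluation rules (an ACL "deny" entry means "not matched by this route-map sequence", a "deny" route-map sequence exempts the packet from PBR so it is routed normally, and a sequence with no match clause matches everything). That these are exactly the semantics of the Dell platform is an assumption to confirm on the device; the sample packets are constructed.

```python
"""Offline model of the ACL + route-map PBR proposal from this thread.

Added example, not Dell's code.  Assumed semantics (verify on the platform):
  - ACL 'deny' inside a route-map match clause = "no match for this sequence"
  - a 'deny' route-map sequence that matches = exempt from PBR, route normally
  - a sequence with no match clause matches every packet
"""
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"http": 80, "domain": 53}   # service names used in the ACLs


@dataclass
class Packet:
    proto: str          # "ip", "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def _in_wildcard(addr, base, wildcard):
    """Wildcard-mask match: 0 bits must agree, 1 bits are don't-care."""
    keep = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & keep) == (int(ipaddress.IPv4Address(base)) & keep)


def _take_addr(toks):
    if toks[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), toks[1:]
    return (toks[0], toks[1]), toks[2:]


def _take_port(toks):
    if toks and toks[0] == "eq":
        p = toks[1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), toks[2:]
    return None, toks


def parse_acl(text):
    """Parse 'seq permit|deny proto src [eq p] dst [eq p]' lines as written in the post."""
    entries = []
    for line in text.strip().splitlines():
        toks = line.split()
        if not toks or not toks[0].isdigit():
            continue                      # skips 'ip access-list ...' / 'exit'
        seq, action, proto = int(toks[0]), toks[1], toks[2]
        src, rest = _take_addr(toks[3:])
        sport, rest = _take_port(rest)
        dst, rest = _take_addr(rest)
        dport, rest = _take_port(rest)
        entries.append((seq, action, proto, src, sport, dst, dport))
    return sorted(entries)


def acl_lookup(entries, pkt):
    """First matching entry wins; None means nothing matched (implicit deny)."""
    for _seq, action, proto, (s, sw), sport, (d, dw), dport in entries:
        if proto != "ip" and proto != pkt.proto:
            continue
        if not _in_wildcard(pkt.src, s, sw) or not _in_wildcard(pkt.dst, d, dw):
            continue
        if sport is not None and sport != pkt.sport:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action
    return None


# The two ACLs exactly as proposed in the thread.
ACLS = {
    "block1": parse_acl("""
        1000 permit icmp any any
        1100 permit udp any any eq 67
        1200 permit tcp 10.110.112.0 0.0.0.0 eq 22 any
        1300 permit tcp 10.110.0.0 0.0.255.255 10.9.16.120 0.0.0.0 eq http
        1400 permit udp 10.110.0.0 0.0.255.255 10.9.16.111 0.0.0.0 eq domain
    """),
    "block2": parse_acl("""
        5000 deny ip any 10.0.0.0 0.255.255.255
        5100 deny ip any 172.16.0.0 0.15.255.255
        5200 deny ip any 192.168.0.0 0.0.255.255
        10000 permit ip any any
    """),
}

# route-map pbr: (sequence, action, match ACL or None, set clause)
ROUTE_MAP_PBR = [
    (10, "deny", "block1", None),
    (20, "permit", "block2", "next-hop 10.110.48.1"),
    (30, "permit", None, "null0"),
]


def policy_route(pkt, route_map=ROUTE_MAP_PBR, acls=ACLS):
    """Walk the route-map in sequence order and return where the packet ends up."""
    for _seq, action, acl_name, set_clause in route_map:
        if acl_name is not None and acl_lookup(acls[acl_name], pkt) != "permit":
            continue                      # ACL deny or no match: try the next sequence
        if action == "deny":
            return "normal-routing"       # matched a deny sequence: exempt from PBR
        return set_clause
    return "normal-routing"               # fell off the end of the route-map


if __name__ == "__main__":
    # Constructed sample packets from a host on the 10.110.0.0/16 VLAN.
    for p in (Packet("icmp", "10.110.5.5", "10.9.16.120"),
              Packet("tcp", "10.110.5.5", "8.8.8.8", 40000, 443),
              Packet("tcp", "10.110.5.5", "10.20.30.40", 40000, 445)):
        print(p, "->", policy_route(p))
```

Running it shows the three outcomes the design intends: traffic permitted by block1 (ICMP, DHCP, the SSH/HTTP/DNS exceptions) is exempted from PBR and routed normally, traffic to non-private destinations is sent to 10.110.48.1, and everything else, including the destinations that block2 "denies", falls through to sequence 30 and is null-routed. Whether sequence 30 with "set interface null0" is accepted by the switch is the open point from the first post; the model only tells you what the policy means if it is.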
Hi Florian, this might be a good idea, sounds like worth a try to me. Charles isn't online yet, but I think he'd better take a look when he is.
Hello BeiDerArbeit,
That looks ok to me. You can test that out.
I would note we typically don't do initial configuration on the forum, such as creating a new PBR configuration; we have deployment services that can be contracted for that. I am, though, giving you my best effort to assist you.
Dell -Charles R
Social Media and Communities Professional
Dell Technologies | Enterprise Support Services
#IWork4Dell