[c-nsp] PBR within MPLS VPN

Jeff Bacon bacon at walleyesoftware.com
Tue Aug 28 20:17:54 EDT 2012


As I sit and write this, this starts to sound stupid even to me. Just stick with it, please, THEN tell me I'm being stupid. :)


So, device A is a cat6500/sup720, global IP 172.31.1.1/32, a PE device in an MPLS mesh. device B is a cat6500/sup720, global IP 172.31.1.14/32, PE device in another city. there is a VRF "fred" defined. There's device C, also with VRF fred, global IP 172.31.2.3/32, publishing a default route.


host1 (172.30.250.40) -> int vlan 49/vrf-fred/device-A <-> MPLS mesh <-> int g3/1/vrf-fred/device-B -> <INTERNET> 
                                             |
                                              -> device-C-publishing-default-route -> <OTHERINTERNET>

so, the route table in VRF fred on device A looks like: 

C    172.31.250.32 is directly connected, Vlan49    <---- host1 is here 
     200.3.3.0/24 is variably subnetted, 3 subnets, 3 masks
B       200.3.3.32/29 [200/0] via 172.31.1.14, 3d18h
B*   0.0.0.0/0 [20/8192] via 64.1.1.1, 5d23h   

now, please don't ask why, but I want to be able to policy-route host1's traffic to make it use device-B and not follow the default route, e.g.:

int vlan 49
  ip policy route-map source-route-map

route-map source-route-map permit 10
   match ip address ACL-matching-172.30.250.40/32
   set ip next-hop <something-making-it-go-to-B>

I have no idea what <something> should be. 

Now, I can do "set ip next-hop recursive X" where X is a real IP in VRF fred on device B. Works fine. It's also software-switched - fast-path, "show ip cef switching stat feat" increments showing PBR is working via CEF, but "show int vlan49 switching" tells me that the packets are being fast-path-switched, not hardware-switched.

Release notes say that "set ip next-hop" is supported in hardware. But that presumes I give it the right IP address.  

The problem is this: so what's the next-hop that I *can* use to specify CEF adjacency of "that specific other PE device over there, VRF fred"? It doesn't appear to be 172.31.1.14. 

Or can you not policy-route to a non-directly-connected PE over MPLS using PBR? 

(I can hear it now - "that's what TE is for" or "can't you split the traffic into separate VRFs and use source selection"... ok, yes, well... ) 

Thanks for your indulgence,
-bacon





More information about the cisco-nsp mailing list