Applying PBR to a Vsi-interface fails with the message "The operation is not supported."
This happens because the ACL rule referenced by the PBR policy specifies a VPN instance. The device's forwarding chip does not support matching on VPN in hardware ACLs, so applying a PBR policy that references such an ACL returns an error. Even without the VPN match in the rule, traffic from source 10.3.32.3 is still matched. The drawback of this hardware limitation is that in environments such as MPLS, where multiple VPNs may use the same network segment, the ACL matches that segment in every VPN where it exists and cannot be restricted to the segment in one specific VPN.
A rule with a VPN binding can still be configured because ACLs are also used by software-platform functions, such as ssh server acl 3010.
In addition, this restriction applies to any ACL application that is delivered to the underlying hardware, such as QoS. It exists whether the policy is applied to a VLAN interface (int vlan) or a VSI interface (int vsi).
The test is as follows:
[2034-S6520X-EI]acl advanced 3010
[2034-S6520X-EI-acl-ipv4-adv-3010] rule 10 permit ip vpn-instance vpn-default source 10.3.32.3 0
[2034-S6520X-EI-acl-ipv4-adv-3010]quit
[2034-S6520X-EI]policy-based-route 1 permit node 1
[2034-S6520X-EI-pbr-1-1] if-match acl 3010
[2034-S6520X-EI-pbr-1-1] apply next-hop vpn-instance vpn-default 172.31.2.9
[2034-S6520X-EI-pbr-1-1]#
[2034-S6520X-EI-pbr-1-1]quit
[2034-S6520X-EI]int Vsi-interface 3503
[2034-S6520X-EI-Vsi-interface3503]dis th
#
interface Vsi-interface3503
description jituan_caiwu
ip binding vpn-instance lan
ip address 10.88.136.1 255.255.254.0
#
return
[2034-S6520X-EI-Vsi-interface3503]ip policy-based-route 1 ?
<cr>
[2034-S6520X-EI-Vsi-interface3503]ip policy-based-route 1
The operation is not supported.
When QoS is applied with a traffic classifier based on this ACL, the following error is reported.
[2034-S6520X-EI-Ten-GigabitEthernet1/0/1]qos apply policy p1 inbound
[2034-S6520X-EI-Ten-GigabitEthernet1/0/1]%Jun 24 04:28:49:
[2034-S6520X-EI-Ten-GigabitEthernet1/0/1]qos apply policy p1 out
[2034-S6520X-EI-Ten-GigabitEthernet1/0/1]qos apply policy p1 outbound
[2034-S6520X-EI-Ten-GigabitEthernet1/0/1]%Jun 24 04:29:26:010 2013 2034-S6520X-EI QOS/4/QOS_POLICY_APPLYIF_CBFAIL: Failed to apply classifier-behavior c1 in policy p1 to the outbound direction of interface Ten-GigabitEthernet1/0/1. In a classifier with AND operator, you cannot configure multiple ACL match rules
Remove the VPN binding from the rule, and the policy can then be delivered successfully.
acl advanced 3010
rule 10 permit ip source 10.3.32.3 0
#
#
policy-based-route 1 permit node 1
if-match acl 3010
apply next-hop vpn-instance vpn-default 172.31.2.9
#
[2034-S6520X-EI]int Vsi-interface 3503
[2034-S6520X-EI-Vsi-interface3503]dis th
#
interface Vsi-interface3503
description jituan_caiwu
ip binding vpn-instance lan
ip address 10.88.136.1 255.255.254.0
[2034-S6520X-EI-Vsi-interface3503]ip policy-based-route 1
[2034-S6520X-EI-Vsi-interface3503]dis th
#
interface Vsi-interface3503
description jituan_caiwu
ip binding vpn-instance lan
ip address 10.88.136.1 255.255.254.0
ip policy-based-route 1
#
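An added example, not part of the original case and not H3C tooling: a Python check that scans a saved configuration for ACLs whose rules match on vpn-instance and are referenced by a PBR node or a QoS traffic classifier, the combination this case shows the hardware rejecting. The sample configuration is constructed; ACLs 3020 and 3030, the body of classifier c1, and the function name are assumptions.

```python
import re

# Constructed sample in "display current-configuration" style; ACL 3010 and
# PBR policy 1 mirror the case above, the rest is made up for illustration.
SAMPLE_CONFIG = """\
acl advanced 3010
 rule 10 permit ip vpn-instance vpn-default source 10.3.32.3 0
#
acl advanced 3020
 rule 5 permit ip source 10.3.32.4 0
#
acl advanced 3030
 rule 5 permit ip vpn-instance mgmt source 192.0.2.10 0
#
policy-based-route 1 permit node 1
 if-match acl 3010
 apply next-hop vpn-instance vpn-default 172.31.2.9
#
traffic classifier c1 operator and
 if-match acl 3020
#
 ssh server acl 3030
#
"""

def find_unsupported_acl_refs(config):
    """Return sorted (section, acl, rule) for VPN rules in ACLs used by PBR or QoS."""
    vpn_rules = {}   # ACL number -> rule lines that match on vpn-instance
    hw_refs = []     # (section header, ACL number) from PBR / classifier sections
    section = ""
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "#":
            section = ""              # "#" closes the current section
            continue
        if not raw[0].isspace():
            section = line            # unindented line opens a new section
            continue
        acl = re.match(r"acl (?:advanced|basic) (\d+)", section)
        if acl and line.startswith("rule ") and " vpn-instance " in line:
            vpn_rules.setdefault(acl.group(1), []).append(line)
        ref = re.match(r"if-match acl (\d+)", line)
        if ref and section.startswith(("policy-based-route ", "traffic classifier ")):
            hw_refs.append((section, ref.group(1)))
    return sorted((s, a, r) for s, a in hw_refs for r in vpn_rules.get(a, []))

if __name__ == "__main__":
    for sec, acl, rule in find_unsupported_acl_refs(SAMPLE_CONFIG):
        print(f"{sec}: ACL {acl} -> '{rule}' (VPN match not supported in hardware)")
```

ACL 3030 is not reported because it is referenced only by ssh server acl, a software-platform use where the VPN binding is accepted.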