Question

Policy based routing and port SPAN

  • 3 March 2020

I have a simple setup - two switches in a MLAG pair, directly connected to a firewall with multiple ports. One port being dedicated to end user traffic (running through a Riverbed before hitting the firewall for optimization) and the other port is dedicated for Backups/DR (no optimization). Backup/DR traffic is routed to one of those ports using policy based routing, and all other traffic uses a static default route and goes to the optimized port.

It seems there is a (potentially) known Cumulus bug where if you have policy based routing configured and also have a port SPAN setup, PBR is completely ignored so the only traffic that gets routed is via the static routes. The official response on this behavior is “When a frame arrives that would be mirrored because of a SPAN or ERSPAN, the SPAN rule does the SPAN and then the frame gets put back on the pipeline, but does not go through the PBR portion of the pipeline.”

Given that Cumulus is not currently able to handle policy based routing when a SPAN port is setup on the same switch, I’m looking for ideas that will allow me to accomplish this simple goal without having to revert to a different product that is capable of routing properly with a port mirror setup.

Has anyone else had this problem? The end goal is just setting up a mirrored port for a log collector for a SIEM solution. Any/all ideas are welcomed and appreciated! 
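The failure mode described above (PBR silently ignored, every flow following the static default route) is easy to miss because nothing is logged and traffic still flows. One way to catch it is to compare the intended policy against what the switch actually did, using flow records exported from the switch or seen on the SIEM mirror. The script below is an added example, not code from the original post or from Cumulus; the source prefixes, port names and the flow-record format are constructed assumptions for illustration.

```python
import ipaddress

# Intended forwarding policy as described in the post: backup/DR sources are
# policy-routed to the un-optimized firewall port, everything else follows the
# static default route to the optimized (Riverbed-facing) port.
# Prefixes and port names are assumptions for this example.
BACKUP_PREFIXES = [ipaddress.ip_network("10.50.0.0/16")]
PBR_EGRESS = "swp48"      # firewall port for backup/DR traffic (assumed)
DEFAULT_EGRESS = "swp47"  # firewall port behind the Riverbed (assumed)

# Constructed flow records in a simple key=value format (not a real export).
SAMPLE_FLOWS = [
    "src=10.50.1.10 dst=192.0.2.9 in=swp1 out=swp47 bytes=1200",    # backup host, wrong port
    "src=10.50.2.20 dst=192.0.2.9 in=swp2 out=swp47 bytes=8000",    # backup host, wrong port
    "src=10.20.3.30 dst=198.51.100.5 in=swp3 out=swp47 bytes=500",  # user host, correct
    "src=10.20.3.31 dst=198.51.100.5 in=swp3 out=swp47 bytes=700",  # user host, correct
]


def expected_egress(src_ip):
    """Egress port the policy says a flow from src_ip should take."""
    addr = ipaddress.ip_address(src_ip)
    if any(addr in prefix for prefix in BACKUP_PREFIXES):
        return PBR_EGRESS
    return DEFAULT_EGRESS


def parse_flow_line(line):
    """Parse one constructed 'key=value key=value' flow record into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def audit_flows(lines):
    """Return (src, dst, expected_port, observed_port) for every flow whose
    observed egress disagrees with the intended policy."""
    violations = []
    for line in lines:
        flow = parse_flow_line(line)
        expected = expected_egress(flow["src"])
        if flow["out"] != expected:
            violations.append((flow["src"], flow["dst"], expected, flow["out"]))
    return violations


def pbr_status(lines):
    """Summarize whether PBR appears to be honoured. If every backup flow
    left via the default port, the symptom matches PBR being bypassed
    entirely rather than an occasional misconfiguration."""
    backup_flows = 0
    backup_misrouted = 0
    other_misrouted = 0
    for line in lines:
        flow = parse_flow_line(line)
        expected = expected_egress(flow["src"])
        if expected == PBR_EGRESS:
            backup_flows += 1
            if flow["out"] != expected:
                backup_misrouted += 1
        elif flow["out"] != expected:
            other_misrouted += 1
    return {
        "backup_flows": backup_flows,
        "backup_misrouted": backup_misrouted,
        "other_misrouted": other_misrouted,
        "pbr_honoured": backup_flows > 0 and backup_misrouted == 0,
    }


if __name__ == "__main__":
    for violation in audit_flows(SAMPLE_FLOWS):
        print("misrouted: src=%s dst=%s expected=%s observed=%s" % violation)
    print(pbr_status(SAMPLE_FLOWS))
```

Run against a real flow export after enabling or changing SPAN; a jump in `backup_misrouted` to the full count of backup flows is the signature of the pipeline behaviour quoted in the question, and is a cheap regression check to keep in place once a workaround is deployed.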



I wish we could offer more options here. PBR itself is not a common feature with most of our customers… if you need it, you need it and you know just WHY you need it… because there usually isn't another way to do what you’re trying to do. PBR and full-time SPAN is a use-case that gets even less love amongst our customer-base.

I might recommend using two switches, one for SPAN and the other for PBR, or perhaps looping traffic back around with a physical loopback cable so on the first pass you can span in one VRF, and on the second pass you can do your PBR in another VRF. Both of these are less than ideal but functional.

I didn’t realize PBR was a feature, but I believe your answer has given me the information I need. It sounds like since not many Cumulus customers use policy-based routing this known limitation will not be resolved. That’s a fair enough answer and will allow me to move on to alternate solutions. It may be worth noting the behavior somewhere in the PBR documentation to potentially avoid customers breaking their network, but just a suggestion. Thank you for the response and clarification. 
