This is a reminder for me of where to find the commands, because there is a bug in the web GUI: whenever you try to apply an action-group, it implements it with both a next-hop address and a next-hop interface, which means it doesn’t work!
From the CLI:
Enable PBR for the ingress interface under the VR using the following commands:
set vr trust
set interface <interface> pbr
exit
Now the issue was: where do I apply the valid configuration below? The answer turned out to be fairly simple. It also needs to be set under the “set vr trust” command. Once you type this command, it puts the shell in “(trust-vr)(M)->” mode. In that mode you have the option to get the PBR configuration and, of course, to set the PBR configuration as in the valid config below.
set vr trust
Example of a valid PBR configuration:
set access-list extended 10 src-ip X.X.X.X/32 entry 1
set match-group name test
set match-group test ext-acl 10 match-entry 1
set action-group name pbr_to_dmz
set action-group pbr_to_dmz next-hop X.XX.X.XX action-entry 1
set pbr policy name pbr_policy
set pbr policy pbr_policy match-group test action-group pbr_to_dmz 1
exit
set interface ethernet2/4 pbr pbr_policy
set zone Trust pbr pbr_policy
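
A PBR policy only steers traffic if every name it references is actually declared, so a saved block of these commands is worth checking before relying on it. The following Python lint is an added example, not vendor code or part of the original note: it flags undeclared access-lists, match-groups, action-groups and policies, and action entries that carry both a next-hop address and a next-hop interface. The sample lines are constructed, and the "next-interface" keyword is an assumption about how the GUI-generated entry appears.

```python
# Added example, not vendor code. Sample lines are constructed with placeholder
# addresses; "next-interface" is an assumed keyword for the GUI-generated entry.
GOOD = """\
set access-list extended 10 src-ip 192.0.2.10/32 entry 1
set match-group name test
set match-group test ext-acl 10 match-entry 1
set action-group name pbr_to_dmz
set action-group pbr_to_dmz next-hop 198.51.100.1 action-entry 1
set pbr policy name pbr_policy
set pbr policy pbr_policy match-group test action-group pbr_to_dmz 1
set interface ethernet2/4 pbr pbr_policy
"""
# Same config with a mistyped group name and a GUI-style action entry.
BAD = (GOOD.replace("set match-group test ext-acl", "set match-group match ext-acl")
           .replace("next-hop", "next-interface ethernet2/1 next-hop"))
def after(tokens, keyword):
    # Token following keyword, or None if keyword is absent or last.
    i = tokens.index(keyword) if keyword in tokens else -1
    return tokens[i + 1] if 0 <= i < len(tokens) - 1 else None
def lint_pbr(config):
    """Return findings for a block of PBR 'set' commands."""
    rows = [line.split() for line in config.splitlines() if line.strip()]
    names = {"access-list": set(), "match-group": set(), "action-group": set(), "policy": set()}
    for t in rows:  # pass 1: collect declared names
        if t[1:3] == ["access-list", "extended"] and len(t) > 3:
            names["access-list"].add(t[3])
        elif t[1:2] in (["match-group"], ["action-group"]) and t[2:3] == ["name"] and len(t) > 3:
            names[t[1]].add(t[3])
        elif t[1:4] == ["pbr", "policy", "name"] and len(t) > 4:
            names["policy"].add(t[4])
    findings = []
    def need(kind, name, t):
        if name is not None and name not in names[kind]:
            findings.append(f"undefined {kind} '{name}': {' '.join(t)}")
    for t in rows:  # pass 2: check references against declarations
        if t[1:2] == ["match-group"] and "ext-acl" in t:
            need("match-group", t[2], t)
            need("access-list", after(t, "ext-acl"), t)
        elif t[1:2] == ["action-group"] and "action-entry" in t:
            need("action-group", t[2], t)
            if "next-hop" in t and "next-interface" in t:
                findings.append(f"next-interface and next-hop both set: {' '.join(t)}")
        elif t[1:3] == ["pbr", "policy"] and "match-group" in t:
            need("policy", t[3], t)
            need("match-group", after(t, "match-group"), t)
            need("action-group", after(t, "action-group"), t)
        elif t[1:2] in (["interface"], ["zone"]) and t[3:4] == ["pbr"]:
            need("policy", after(t, "pbr"), t)
    return findings
```

Calling lint_pbr(BAD) returns two findings, one for the undeclared match-group name and one for the action entry with both next-hop forms; lint_pbr(GOOD) returns an empty list.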