PBR, VSX, and VLAN ACLs

Multichassis Link Aggregation Group (MCLAG) with VSX is a high-availability feature where a switch containing LAG members is connected to multiple switches to allow for node-level redundancy on that link. If one of the other switches goes down the LAG remains up and can continue to carry all the LAG traffic, bandwidth permitting.

A LAG (and an MCLAG) can be a member of a VLAN. A Layer 3 VSI (virtual switch interface) can be created for that VLAN, and a routing policy with Layer 3 specific actions (that is, PBR) can be applied to that interface to influence routing decisions for matching Layer 3 packets on the MCLAG, just as on any other route-only port or VSI. Under such a configuration, it is likely also desirable to use VLAN ACLs applied to the VLAN of which the MCLAG is a member.

NOTE:

There is a limitation with this particular combination when the VLAN ACL specifies both IPv4 and IPv6 entries and the PBR policy has entries with both IPv4 and IPv6 classes. This configuration will exhaust the switching ASIC resources and will fail to apply. To achieve a similar configuration, you may use port ACLs for the IPv4 traffic (applying the ACL to every port in the VLAN individually) while preserving the rest of the configuration.
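The following fragments are an added illustration of the workaround in AOS-CX-style CLI, not configuration taken from the original documentation: the first is the ACL placement the note says fails to apply alongside a dual-stack PBR policy, the second keeps the IPv6 VLAN ACL and moves the IPv4 entries to a port ACL on each VLAN member port. The ACL names, VLAN 10, the LAG number and port 1/1/1 are assumptions, the PBR policy on the VSI is unchanged and therefore not shown, lines beginning with `!` are annotations rather than CLI, and the exact syntax should be checked against your platform's CLI reference.

```text
! Placement the note describes as failing to apply: one VLAN ACL that
! carries both IPv4 and IPv6 entries on the MCLAG's VLAN, while a PBR
! policy with IPv4 and IPv6 classes is applied to that VLAN's VSI.
access-list ip ACL-V4
    10 permit any any any
access-list ipv6 ACL-V6
    10 permit any any any
vlan 10
    apply access-list ip ACL-V4 in
    apply access-list ipv6 ACL-V6 in

! Workaround: keep only the IPv6 entries as a VLAN ACL, and apply the
! IPv4 entries as a port ACL on every port that is a member of VLAN 10
! (assumed members here: the MCLAG and one access port).
vlan 10
    apply access-list ipv6 ACL-V6 in
interface lag 1 multi-chassis
    vlan access 10
    apply access-list ip ACL-V4 in
interface 1/1/1
    vlan access 10
    apply access-list ip ACL-V4 in
```

Any port later added to VLAN 10 needs the same IPv4 port ACL applied, otherwise its IPv4 traffic is no longer filtered.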