
ACLs and pbr service groups on 5406

I have a 5406R and I have multiple VLANS which use a service-policy pbr to forward specific traffic to a proxy server.  This is working for me.

I also want to apply an ACL on this VLAN to restrict traffic from devices on this VLAN going out. This also works fine, except that when this ACL policy is applied on the VLAN, the service-policy doesn't work.

The service-policy pbr works fine by itself, but as soon as I apply the ACL access-group, it breaks the pbr.


This is my VLAN:

vlan 500
name "VLAN500"
ip address
ip access-group "ACL_LIST" in
service-policy "PROXY_PBR" in


policy pbr "PROXY_PBR"
10 class ipv4 "PROXY-CLASS"
action ip next-hop

ip access-list extended "ACL_LIST"
10 permit ip log
20 permit ip log
30 deny any any



Any ideas?




Re: ACLs and pbr service groups on 5406

Create the traffic classes:

Rack2sw1(config)# class ipv4 TCP
Rack2sw1(config-class)# match tcp eq 80
Rack2sw1(config-class)# match tcp eq 22
Rack2sw1(config-class)# match tcp eq 23
Rack2sw1(config-class)# exit

Rack2sw1(config)# class ipv4 UDP
Rack2sw1(config-class)# match udp eq 80
Rack2sw1(config-class)# match udp eq 22
Rack2sw1(config-class)# match udp eq 23
Rack2sw1(config-class)# exit

Verify traffic classes:

Rack2sw1(config)# show class config

class ipv4 "TCP"
     10 match tcp eq 80
     20 match tcp eq 22
     30 match tcp eq 23
class ipv4 "UDP"
     10 match udp eq 80
     20 match udp eq 22
     30 match udp eq 23

Create the routing policy:

Rack2sw1(config)# policy pbr TCP_UDP
Rack2sw1(policy-pbr)# class ipv4 TCP
Rack2sw1(policy-pbr-class)# action ip next-hop
Rack2sw1(policy-pbr-class)# action interface null
Rack2sw1(policy-pbr-class)# exit

Rack2sw1(policy-pbr)# class ipv4 UDP
Rack2sw1(policy-pbr-class)# action ip default-next-hop
Rack2sw1(policy-pbr-class)# action interface tunnel 3
Rack2sw1(policy-pbr-class)# exit

Verify the routing policy:

Rack2sw1# show policy config

policy pbr "TCP_UDP"
     10 class ipv4 "TCP"
      action ip next-hop
      action interface null
     20 class ipv4 "UDP"
      action ip default-next-hop
      action interface tunnel 3

Configure the VLAN for the service policy:

Rack2sw1(config)# vlan 10 service-policy TCP_UDP in

Verify the VLAN policy configuration:

Rack2sw1# show policy vlan 10

 Policies for VLAN 10
 Name   : TCP_UDP
 Type   : PBR

Use the show statistics policy command to display information about which PBR action for an applied policy is active. Hit counts are displayed for each entry in the class and policy with the active action.

Rack2sw1# show statistics policy TCP_UDP vlan 10 in

 HitCounts for Policy TCP_UDP


 10 class ipv4 TCP action interface null
(       0 )      10 match tcp eq 80
(       0 )      20 match tcp eq 22
(       0 )      30 match tcp eq 23

 20 class ipv4 UDP action ignore
(       0 )      10 match udp eq 80
(       0 )      20 match udp eq 22
(       0 )      30 match udp eq 23


I am an HPE Employee

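When checking whether a PBR class is still being hit after an ACL is added to the VLAN, it helps to read the "show statistics policy" output programmatically rather than by eye. The following is an added example, not part of the reply above: it parses the hit-count format shown in the reply and reports classes that never matched or whose active action is "ignore". The sample output is constructed from that format with non-zero hit counts filled in.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the "show statistics policy <name> vlan <id> in" format
# from the reply above; hit counts are made up for illustration.
SAMPLE = """\
 HitCounts for Policy TCP_UDP

 10 class ipv4 TCP action interface null
(      12 )      10 match tcp eq 80
(       0 )      20 match tcp eq 22
(       3 )      30 match tcp eq 23

 20 class ipv4 UDP action ignore
(       0 )      10 match udp eq 80
(       0 )      20 match udp eq 22
(       0 )      30 match udp eq 23
"""

POLICY_RE = re.compile(r"^\s*HitCounts for Policy\s+(\S+)")
# "<seq> class <family> <name> action <active action>"
CLASS_RE = re.compile(r"^\s*(\d+)\s+class\s+(\S+)\s+(\S+)\s+action\s+(.+?)\s*$")
# "( <hits> ) <seq> match ..."
MATCH_RE = re.compile(r"^\(\s*(\d+)\s*\)\s+(\d+)\s+(match .+?)\s*$")

@dataclass
class ClassStats:
    seq: int
    name: str
    action: str                     # active PBR action reported by the switch
    hits: dict = field(default_factory=dict)   # match sequence -> hit count

def parse_policy_stats(text):
    """Return (policy_name, [ClassStats]) parsed from show statistics policy output."""
    policy, classes = None, []
    for line in text.splitlines():
        if (m := POLICY_RE.match(line)):
            policy = m.group(1)
        elif (m := CLASS_RE.match(line)):
            classes.append(ClassStats(int(m.group(1)), m.group(3), m.group(4)))
        elif (m := MATCH_RE.match(line)) and classes:
            classes[-1].hits[int(m.group(2))] = int(m.group(1))
    return policy, classes

def idle_classes(classes):
    """Names of classes that never matched or whose active action is 'ignore'."""
    return [c.name for c in classes
            if c.action == "ignore" or sum(c.hits.values()) == 0]
```

Run it against the real output captured before and after applying the access-group to see whether the PBR class stops accumulating hits.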