There are a few minor changes you have to make to your configuration to allow PBR within a VPN instance (or VRF: same thing, different kit).
I will use the same concept and IP addressing as in my previous PBR posts.
The router in the picture above (.254) has a default gateway of 2.2.2.1. However, I want traffic sourced from the 192.168.10.0 network to:
1. Only use the switch's default gateway for any traffic to 10.0.0.0/8
2. Use 1.1.1.1 (the firewall) for any traffic to the internet.
3. To be done within a VRF / VPN Instance called Customer01
Create your VPN Instance / VRF
ip vpn-instance Customer01
route-distinguisher 65005:1
description Customer01
Create a PBR Node called CUSTOMER01-PBR, and match it on ACL 3001 - note the 'deny' statement.
policy-based-route CUSTOMER01-PBR deny node 10
if-match acl 3001
quit
Create a PBR Node called CUSTOMER01-PBR, and match it on ACL 3002 - note the 'permit' statement, the new next hop, and the reference to the VPN instance!
policy-based-route CUSTOMER01-PBR permit node 11
if-match acl 3002
apply next-hop vpn-instance Customer01 1.1.1.1
quit
Now create the ACLs. This first ACL matches any internal traffic to 10.0.0.0/8 or 192.168.0.0/16.
acl number 3001 name CUSTOMER01-PBR-INTERNAL-TRAFFIC
rule permit ip source 192.168.10.0 0.0.0.255 destination 10.0.0.0 0.255.255.255 vpn-instance Customer01
rule permit ip source 192.168.10.0 0.0.0.255 destination 192.168.0.0 0.0.255.255 vpn-instance Customer01
The following ACL is a catch-all for anything else, i.e. the internet. This includes 172.16.0.0/12, so make sure you don't need that network, or add it to ACL 3001.
acl number 3002 name CUSTOMER01-PBR-EXTERNAL-TRAFFIC
rule permit ip destination 0.0.0.0 255.255.255.255 vpn-instance Customer01
And here's where the magic happens, apply the PBR to the VLAN interface.
interface vlan 10
ip binding vpn-instance Customer01
ip policy-based-route CUSTOMER01-PBR
ip address 192.168.10.254 255.255.255.0
description Customer01
Note: This is only supported in Comware 7; routing within a PBR is not supported in Comware 5.
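To check which traffic actually reaches the firewall, the policy above can be modelled offline. This is an added example, not part of the original post or of Comware: it evaluates nodes 10 and 11 against ACLs 3001 and 3002 using wildcard-mask matching, and it assumes the VPN instance's routing table resolves everything to the 2.2.2.1 default gateway (the vpn-instance keyword itself is not modelled).

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Comware ACL match: bits set in the wildcard mask are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

ANY = ("0.0.0.0", "255.255.255.255")
SRC = ("192.168.10.0", "0.0.0.255")

# ACL rules as (source, destination) pairs, copied from the post.
ACLS = {
    3001: [(SRC, ("10.0.0.0", "0.255.255.255")),
           (SRC, ("192.168.0.0", "0.0.255.255"))],
    3002: [(ANY, ANY)],  # no source given in the rule, so any source
}

# Policy nodes in ascending node order: (node, mode, acl, next_hop).
POLICY = [
    (10, "deny", 3001, None),
    (11, "permit", 3002, "1.1.1.1"),
]

ROUTING_TABLE_DEFAULT = "2.2.2.1"  # assumption: only route is the default gateway

def acl_permits(acl, src, dst):
    return any(wildcard_match(src, *s) and wildcard_match(dst, *d)
               for s, d in ACLS[acl])

def next_hop(src, dst):
    """Return (next hop, reason) for a packet arriving on the PBR interface."""
    for node, mode, acl, hop in POLICY:
        if not acl_permits(acl, src, dst):
            continue  # no match on this node: try the next one
        if mode == "deny":
            # A deny node ends policy evaluation; the routing table decides.
            return ROUTING_TABLE_DEFAULT, f"node {node} deny -> routing table"
        return hop, f"node {node} permit -> apply next-hop"
    return ROUTING_TABLE_DEFAULT, "no node matched -> routing table"

if __name__ == "__main__":
    # Constructed sample destinations, all from a host in 192.168.10.0/24.
    for dst in ("10.20.30.40", "192.168.50.1", "172.16.5.5", "8.8.8.8"):
        print(dst, *next_hop("192.168.10.25", dst))
```

The 172.16.5.5 case shows the caveat about 172.16.0.0/12: it misses ACL 3001, falls through to node 11 and is sent to 1.1.1.1. A source outside 192.168.10.0/24 arriving on the same interface also misses ACL 3001, so its traffic to 10.0.0.0/8 goes to the firewall as well.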