Aruba & ProVision-based

HPE 3800 PBR HELP

JasonNG
Occasional Visitor


Network Diagram (attached image: PHM.jpg)

Hi all,

I have attached a simple network diagram describing my issue.

I have been trying to configure my switch for PBR and was wondering if my configuration is correct.
Are the two default routes (0.0.0.0 0.0.0.0 192.168.x.253) needed?

Below is my configuration; I omitted the unneeded information.

class ipv4 "User"
     20 match ip 192.168.54.0 255.255.254.0 0.0.0.0 255.255.255.255
   exit
class ipv4 "Server"
     10 match ip 192.168.52.0 255.255.254.0 0.0.0.0 255.255.255.255
   exit
class ipv4 "CorpWIFI"
     10 match ip 192.168.56.0 255.255.255.0 0.0.0.0 255.255.255.255
   exit
policy pbr "CorpWIFIPBR"
     10 class ipv4 "CorpWIFI"
      action ip next-hop 192.168.54.253
      exit
   exit
policy pbr "ServerPBR"
     10 class ipv4 "Server"
      action ip next-hop 192.168.52.253
      exit
   exit
policy pbr "UserPBR"
     10 class ipv4 "User"
      action ip next-hop 192.168.54.253
      exit
   exit
ip route 0.0.0.0 0.0.0.0 192.168.52.253
ip route 0.0.0.0 0.0.0.0 192.168.54.253
ip routing
vlan 1
   name "Server VLAN"
   no untagged 1/12,1/37-1/44,2/4-2/5,2/26,2/37-2/38,2/40-2/44
   untagged 1/2-1/11,1/13-1/25,1/34-1/36,1/49-1/51,2/1-2/3,2/6-2/25,2/27,2/36,2/39,2/49-2/51,Trk1-Trk7
   tagged 1/1
   ip address 192.168.53.1 255.255.254.0
   service-policy "ServerPBR" in
   exit
vlan 51
   name "MGT VLAN"
   untagged 2/5
   ip access-group "ACL-BLOCK" in
   no ip address
   exit
vlan 54
   name "Users VLAN"
   untagged 1/37-1/38,1/43-1/44,2/4,2/37-2/38,2/40-2/44
   tagged Trk1-Trk5
   ip address 192.168.54.1 255.255.254.0
   ip helper-address 192.168.52.8
   ip helper-address 192.168.52.9
   service-policy "UserPBR" in
   exit
vlan 56
   name "CorpWIFI VLAN"
   tagged Trk1-Trk3
   ip address 192.168.56.1 255.255.255.0
   ip helper-address 192.168.52.8
   ip helper-address 192.168.52.9
   service-policy "CorpWIFIPBR" in
   exit
vlan 58
   name "Guest VLAN"
   untagged 1/39-1/42,2/26
   tagged Trk1-Trk3
   no ip address
   exit
vlan 59
   name "CCTV VLAN"
   untagged 1/1,1/12
   tagged Trk1-Trk7
   no ip address
   exit


Please let me know if you have any questions regarding the network setup.

I will appreciate any advice!

Thanks!

Vince-Whirlwind
Honored Contributor

Re: HPE 3800 PBR HELP

If you are doing the routing for each subnet on the Layer3 switch then you should not be extending those VLANs to the firewall.

If you do extend those VLANs to the firewall, then you don't need to do any routing on the switch and should remove the IP addressing and make the firewall interfaces the default gateways for their respective subnets.

The basic concept you have got wrong here is that you are spanning a segment across two Layer3 devices.

jun_ng
Occasional Advisor

Re: HPE 3800 PBR HELP

Hi,


The switch is doing the VLAN routing and the end users' default gateway is the switch VLAN interface IP.

However, my switch default gateway for the server and user VLANs is different, thus I would like to configure PBR.

Vince-Whirlwind
Honored Contributor

Re: HPE 3800 PBR HELP

If your switch is doing the routing then you need to remove the host VLANs from the uplinks to the firewall.

Vince-Whirlwind
Honored Contributor

Re: HPE 3800 PBR HELP

What will happen is your first packet from any host will hit the switch, pick one of the default routes, and go to the firewall. If it happens to have picked the default route to the firewall interface that is in the same subnet as the host (with your two default routes on the switch, packets will simply use them alternately), the firewall will send back an ICMP redirect to the host, which will insert a more specific route in the host's routing table that will replace whatever default route you have configured on the host, and future packets will be sent by the host direct to the firewall.

Return packets will always be routed from the firewall direct to the host instead of to the Layer3 switch.

This is why you need to get those 2 host VLANs off the firewall so you can route your traffic properly.

jun_ng
Occasional Advisor

Re: HPE 3800 PBR HELP

Hello, what do you mean by removing the host VLANs from the uplinks to the firewall?

Thanks for your patience.

jun_ng
Occasional Advisor

Re: HPE 3800 PBR HELP

What will happen is your first packet from any host will hit the switch, pick one of the default routes, go the firewall, and if it happens to have picked the default route to the firewall interface that is in the same subnet as as the host (with your two default routes on the switch, packets will simply use them alternately

-> How do I configure it in a way that subnet 192.168.53.0 will go to firewall interface 1 (192.168.53.253) instead of interface 2 (192.168.54.253)? Doesn't my policy pbr config take care of this?
I am trying to figure this out as the 192.168.54.253 interface might be moving to another firewall. I have to ensure that the traffic from 192.168.54.0 is going out by the correct path.

Vince-Whirlwind
Honored Contributor

Re: HPE 3800 PBR HELP


jun_ng wrote:

...Subnet 192.168.53.0 will be going to the firewall interface 1 (192.168.53.253)


No. You've told us your switch is the router for that subnet, not the firewall, so you need to stop trunking that VLAN to the firewall.

This picture explains how you design a network at Layer3:
If you consider the middle router, that is like your switch. What you have done is put the 192.168.2.0 subnet (the middle switch's LAN subnet for hosts) on the connected interfaces of Routers1 & 3. That is not the way a network should be designed.
You need to fix that before you consider implementing PBR.

jun_ng
Occasional Advisor

Re: HPE 3800 PBR HELP

(attached image: Drawing1.jpg)

InterVLAN routing is to be done by the switch, but to route out to the internet, each VLAN is to route out to a different firewall.
I am not sure how to configure it for this scenario: does the connecting port to the firewall have to be untagged with the VLAN? And does having the same IP range at the firewall cause routing issues?

Amuzed123
Occasional Visitor

Re: HPE 3800 PBR HELP

If you want your switch to route between VLANs, then configure a new unique subnet between the switch and the firewall. No PBR needed. No matter which VLAN the source is in, the switch will route it to the firewall on that unique subnet.

If you don't want the switch to route between VLANs, then remove the IPs from the switch (keep one for management). Each VLAN will be terminated on a firewall interface, and that firewall interface will be the default gateway for that VLAN.
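As an added illustration (not code from any poster in this thread), the Python audit below applies the two points the replies raise to an excerpt of the posted configuration: more than one default route, and a default-route or PBR next-hop that sits inside a VLAN the switch itself routes for end hosts. The "host VLAN" heuristic (a VLAN with untagged ports or an ip helper-address) and the transit VLAN 100 / 10.255.0.0/30 values in the second config are my assumptions, not from the thread.

```python
import ipaddress
import re
# Constructed excerpt of the config posted above (only the lines this check reads).
POSTED = """\
    action ip next-hop 192.168.54.253
ip route 0.0.0.0 0.0.0.0 192.168.52.253
ip route 0.0.0.0 0.0.0.0 192.168.54.253
vlan 1
   untagged 1/2-1/11
   ip address 192.168.53.1 255.255.254.0
vlan 54
   untagged 1/37-1/38
   ip address 192.168.54.1 255.255.254.0
"""
# Constructed transit-subnet variant of Amuzed123's suggestion (VLAN 100 and 10.255.0.0/30 are made up).
TRANSIT = """\
ip route 0.0.0.0 0.0.0.0 10.255.0.2
vlan 54
   untagged 1/37-1/38
   ip address 192.168.54.1 255.255.254.0
vlan 100
   tagged 1/1
   ip address 10.255.0.1 255.255.255.252
"""

def parse(config):
    svi, defaults, pbr_hops, vlan = {}, [], [], None  # svi: {vlan: [ip_interface, has_hosts]}
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"vlan (\d+)$", line):
            svi[(vlan := m[1])] = [None, False]
        elif vlan and (m := re.match(r"ip address (\S+) (\S+)$", line)):
            svi[vlan][0] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif vlan and re.match(r"(untagged |ip helper-address )", line):
            svi[vlan][1] = True  # heuristic: access ports or DHCP relay mean end hosts live here
        elif m := re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)$", line):
            defaults.append(m[1])
        elif m := re.match(r"action ip next-hop (\S+)$", line):
            pbr_hops.append(m[1])
    return svi, defaults, pbr_hops

def audit(config):
    svi, defaults, pbr_hops = parse(config)
    findings = []
    if len(defaults) > 1:
        findings.append(f"{len(defaults)} default routes {defaults}: the switch alternates between them")
    for hop in sorted(set(defaults + pbr_hops), key=ipaddress.ip_address):
        for vid, (iface, has_hosts) in svi.items():
            if iface and has_hosts and ipaddress.ip_address(hop) in iface.network:
                findings.append(f"next-hop {hop} is inside host VLAN {vid} ({iface.network}), so that segment spans the switch and the firewall")
    return findings
```

Running audit(POSTED) returns three findings (the duplicate default routes plus both firewall addresses living inside host VLANs 1 and 54), while audit(TRANSIT) returns none because the only next-hop is on the dedicated transit VLAN.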

jun_ng
Occasional Advisor

Re: HPE 3800 PBR HELP

If the firewall has to be in the same VLAN to configure the policies etc., is there a way we can achieve it?
Or is it a must for me to move the interVLAN routing to the firewall?

My requirements will be:
1. Core switch doing the interVLAN routing (thus the need to have IPs on the switch).
2. Two routes out to the internet, one for each VLAN.
3. Firewall IP must be in the same subnet to configure policies.