xy22y
Visitor

5130 Comware packet-filter with PBR not work.

 

Dear,

I want to apply filtering and policy-based routing with the following device.

 

HPE 5130-24G-4SFP+ EI (JG932A)
HPE Comware Software, Version 7.1.045, Release 3109P14

 

 

What I want to do is as follows.

if ( src 192.168.199.0/24 and dst 192.168.0.0/24 ) {
    drop packet
} else {
    next hop 192.168.251.1
}

 

I tried the config below, but it does not work. All packets are passed from 192.168.199.0/24 to 192.168.0.0/24.

acl number 3000
 rule 10 permit ip destination 192.168.0.0 0.0.0.255

policy-based-route pbr1 deny node 10
 if-match acl 3000

policy-based-route pbr1 permit node 20
 apply next-hop 192.168.251.1

acl number 3199
 rule 100 deny ip destination 192.168.0.0 0.0.0.255
 rule 900 permit ip

interface Vlan-interface199
 ip address 192.168.199.1 255.255.255.0
 packet-filter 3199 inbound
 ip policy-based-route pbr1

 

 

Are there any good ideas?

 

Regards,

pattap
Regular Advisor

Re: 5130 Comware packet-filter with PBR not work.

You need "if-match" and "apply" to be in one node. Also, if you have deny mode in your node, the apply clause is not executed. If I understand your requirement correctly, you want traffic towards 192.168.0.0 to go via 192.168.251.1, therefore permit should be used.

acl number 3000
 rule 10 permit ip destination 192.168.0.0 0.0.0.255
#
policy-based-route pbr1 permit node 10
if-match acl 3000
apply next-hop 192.168.251.1
#
interface Vlan-interface199
ip address 192.168.199.1 255.255.255.0
ip policy-based-route pbr1

I'm not sure about the ACL; it looks OK.

 

Check this out:

https://abouthpnetworking.com/2015/02/09/comware7-routed-port-acl-packet-filter-applies-to-switched-traffic/

xy22y
Visitor

Re: 5130 Comware packet-filter with PBR not work.

Thank you, but that is not my requirement. More details are as follows.

if ( src 192.168.199.0/24 ) {
    if ( dst 192.168.0.0/24 ) {
        drop packet and not routing
    } else {
        default gateway 192.168.251.1
    }
} else {
    default gateway 192.168.250.1
}

 

However, the following config will not work.

acl number 3000
 rule 10 permit ip destination 192.168.0.0 0.0.0.255

policy-based-route pbr1 deny node 10
 if-match acl 3000

policy-based-route pbr1 permit node 20
 apply next-hop 192.168.251.1

acl number 3199
 rule 100 deny ip destination 192.168.0.0 0.0.0.255
 rule 900 permit ip

interface Vlan-interface199
 ip address 192.168.199.1 255.255.255.0
 packet-filter 3199 inbound
 ip policy-based-route pbr1

interface Vlan-interface1
 ip address 192.168.0.1 255.255.255.0

interface Vlan-interface250
 ip address 192.168.250.2 255.255.255.0

interface Vlan-interface251
 ip address 192.168.251.2 255.255.255.0

ip route-static 0.0.0.0 0 192.168.250.1

It only works with "apply" in one node. This "pbr1 deny node 10" is meant as "do not apply next-hop".

In addition, I have confirmed that "packet-filter filter route" and "all (default)" do not work either way.

 

Regards,


pattap
Regular Advisor

Re: 5130 Comware packet-filter with PBR not work.

Are all the VLAN interfaces that you listed configured on the bottom-left switch labeled as 192.168.199.0/24?

And is it the same switch on which you are trying to configure PBR?

acl number 3000
 rule 10 permit ip destination 192.168.0.0 0.0.0.255

policy-based-route pbr1 deny node 10
 if-match acl 3000 

policy-based-route pbr1 permit node 20
 if-match acl <whatever traffic you want to push via 192.168.251.1>
 apply next-hop 192.168.251.1

Deny mode node 10 will behave as follows:

The apply clause is not executed, the packets will not go to the next policy node for a match, and will be forwarded according to the routing table.

I think PBR might not be the best match for what you are trying to achieve in node 10; you should probably figure out how to use an ACL to block that traffic.

xy22y
Visitor

Re: 5130 Comware packet-filter with PBR not work.

Thank you,

 

Are all the VLAN interfaces that you listed configured on the bottom-left switch labeled as 192.168.199.0/24?

Interface gi1/0/7 is connected to the bottom-left switch.

interface GigabitEthernet1/0/7
 port access vlan 199

And is it the same switch on which you are trying to configure PBR?

The switch on the bottom left and the switch on which I am trying to configure PBR are different devices.

 

 

Deny mode node 10 will behave as follows:

The apply clause is not executed, the packets will not go to the next policy node for a match, and will be forwarded according to the routing table.

That is exactly what I want. If I force an ACL into node 20, it looks like this.

acl number 2000
 rule 0 permit

policy-based-route pbr1 permit node 20
 if-match acl 2000
 apply next-hop 192.168.251.1

But I think the problem is not that PBR does not work; it is that the ACL does not work properly.

 

I think PBR might not be the best match for what you are trying to achieve in node 10; you should probably figure out how to use an ACL to block that traffic.

I think so too, of course, but the ACL will not work when it is set together with PBR.

 

Regards,

xy22y
Visitor

Re: 5130 Comware packet-filter with PBR not work.

For example, a ping from 192.168.199.0/24 to 192.168.0.0/24.

Client-199>ping 192.168.1.11

Pinging 192.168.1.11 with 32 bytes of data:
Reply from 192.168.1.11: bytes=32 time=2ms TTL=62
Reply from 192.168.1.11: bytes=32 time=1ms TTL=62
Reply from 192.168.1.11: bytes=32 time=3ms TTL=62
Reply from 192.168.1.11: bytes=32 time=3ms TTL=62

Ping statistics for 192.168.1.11:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 3ms, Average = 2ms
<hpe5130>reset packet-filter stat int vlan199 in
<hpe5130>display packet-filter stat int vlan199 in
Interface: Vlan-interface199
 In-bound policy: ACL 3199, Hardware-count
 From 2018-06-11 16:24:55 to 2018-06-11 16:25:04
  rule 100 deny ip destination 192.168.0.0 0.0.0.255 counting (4 packets)
  rule 900 permit ip logging counting
 Totally 0 packets permitted, 4 packets denied
 Totally 0% permitted, 100% denied

The packet-filter counts them as "denied", but the ping passes and the packet-filter is not working. I wonder what's going on.

 

I confirmed routing to the external network via next-hop 192.168.251.1; there is no problem.

Client-199>ping 8.8.8.8

Pinging 8.8.8.8 with 32 bytes of data:
Reply from 8.8.8.8: bytes=32 time=4ms TTL=54
Reply from 8.8.8.8: bytes=32 time=3ms TTL=54
Reply from 8.8.8.8: bytes=32 time=3ms TTL=54
Reply from 8.8.8.8: bytes=32 time=2ms TTL=54

Ping statistics for 8.8.8.8:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 4ms, Average = 3ms
Router2# sh ip napt trans icmp
  Prot Inside Address:Port   Outside Address:Port  Dest Address:Port     Time
  icmp 192.168.199.198:1     nnn.nnn.nnn.nnn:1       8.8.8.8:0             60

Regards,
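As an added illustration (not from the thread, and not Comware code): the Python model below walks one packet through the three stages the thread is arguing about, in the order the switch consults them: the inbound packet-filter, the PBR node list, and finally the routing table. The deny-node behaviour is the one pattap quotes (apply clause skipped, no further nodes, packet handed to the routing table). One rule is this model's own assumption, not something the thread states: an "if-match acl" node is treated as matched only when the packet hits a permit rule in that ACL. The ACL numbers, node numbers, addresses and routes are transcribed from xy22y's posts; 192.168.0.10 is a constructed destination inside 192.168.0.0/24, and all function and class names are the example's own.

```python
"""
Model of Comware 7 inbound packet-filter -> PBR nodes -> routing table for one
packet.  Added example; it reproduces the documented semantics as the thread
describes them.  The thread's own observation (counter increments as denied
but the ping still gets through) is exactly what this model does NOT do.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Comware ACL wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    keep = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & keep) == (b & keep)


@dataclass
class Rule:
    number: int
    action: str                               # "permit" or "deny"
    src: Optional[tuple] = None               # (base, wildcard); None = any source
    dst: Optional[tuple] = None               # (base, wildcard); None = any destination

    def matches(self, pkt: dict) -> bool:
        return ((self.src is None or wildcard_match(pkt["src"], *self.src)) and
                (self.dst is None or wildcard_match(pkt["dst"], *self.dst)))


def acl_lookup(rules: list, pkt: dict) -> Optional[str]:
    """Action of the first rule, in rule-number order, that the packet matches."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt):
            return rule.action
    return None                               # no rule matched


@dataclass
class Node:
    number: int
    mode: str                                 # "permit" or "deny"
    acl: Optional[list] = None                # None = no if-match, every packet matches
    next_hop: Optional[str] = None            # apply next-hop


def route_lookup(routes: list, dst: str) -> Optional[str]:
    """Longest-prefix match over (prefix, next hop or connected interface)."""
    best = None
    for prefix, via in routes:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None


def forward(pkt: dict, packet_filter: Optional[list], nodes: list, routes: list) -> str:
    """Decide what happens to a packet arriving inbound on the VLAN interface."""
    # 1. Inbound packet-filter: a deny hit drops; permit or no match continues.
    if packet_filter is not None and acl_lookup(packet_filter, pkt) == "deny":
        return "dropped by packet-filter"
    # 2. PBR nodes in ascending order; the first node whose if-match hits decides.
    for node in sorted(nodes, key=lambda n: n.number):
        # Assumption of this model: only a permit hit in the if-match ACL counts as a match.
        if node.acl is not None and acl_lookup(node.acl, pkt) != "permit":
            continue
        if node.mode == "deny":
            # Deny node: apply clause skipped, no further nodes, routing table used (pattap's quote).
            return "routing table -> " + str(route_lookup(routes, pkt["dst"]))
        if node.next_hop is not None:
            return "next-hop " + node.next_hop
    # 3. No node matched: ordinary routing.
    return "routing table -> " + str(route_lookup(routes, pkt["dst"]))


# The thread's configuration, transcribed from xy22y's posts.
ACL_3000 = [Rule(10, "permit", dst=("192.168.0.0", "0.0.0.255"))]
ACL_3199 = [Rule(100, "deny", dst=("192.168.0.0", "0.0.0.255")), Rule(900, "permit")]
PBR1 = [Node(10, "deny", acl=ACL_3000), Node(20, "permit", next_hop="192.168.251.1")]
ROUTES = [
    ("0.0.0.0/0", "192.168.250.1"),                      # ip route-static 0.0.0.0 0 192.168.250.1
    ("192.168.0.0/24", "connected Vlan-interface1"),
    ("192.168.199.0/24", "connected Vlan-interface199"),
    ("192.168.250.0/24", "connected Vlan-interface250"),
    ("192.168.251.0/24", "connected Vlan-interface251"),
]

if __name__ == "__main__":
    to_lan = {"src": "192.168.199.198", "dst": "192.168.0.10"}   # constructed destination
    to_internet = {"src": "192.168.199.198", "dst": "8.8.8.8"}
    print(forward(to_lan, ACL_3199, PBR1, ROUTES))       # dropped by packet-filter
    print(forward(to_lan, None, PBR1, ROUTES))           # routing table -> connected Vlan-interface1
    print(forward(to_internet, ACL_3199, PBR1, ROUTES))  # next-hop 192.168.251.1
```

The second call is the point pattap makes: with the packet-filter taken out, the deny node in pbr1 does not drop anything, it only falls back to the routing table, and for 192.168.0.0/24 that table holds a connected route, so the packet is delivered. The first call is what the "4 packets denied" counter in the last post says should have happened; the ping succeeding anyway is the discrepancy the thread leaves open, and this model offers no explanation for it.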