
Re: HPE 5900 Policy Based Routing (PBR) Suddenly Stops Forwarding

 
JF7
Advisor

HPE 5900 Policy Based Routing (PBR) Suddenly Stops Forwarding

I have an HPE 5900 as our Core Switch that has been set up with Policy Based Routing. Everything is working except when I try to set one IP Address to deny so that instead of forwarding to the next hop it will forward based on the local routing.

A requirement we cannot get around, forced by our Corporate IT Leadership, is to send all traffic between our workstations and servers through a firewall that both networks have an interface on the switch. Please do not ask why or how to get around it, as it will not be productive to resolve my issue.

The issue is every once in a while the PBR will just stop for no apparent reason, which routing should be completed by the switch itself, but I get nothing but failures on the pings. I had to revert the one device that was set up this way and implement a test machine, which we are still seeing the drops with.

Below is my configuration:

acl number 3010
 rule 0 permit ip source 10.0.0.0 0.0.0.255 destination 10.0.0.0 0.0.0.255
 rule 1 permit ip source 10.0.0.25 0 destination 10.1.1.0 0.0.0.255

acl number 3011
 rule 0 permit ip source 10.0.0.0 0.0.0.255

acl number 3100
 rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
 rule 1 permit ip source 10.1.1.0 0.0.0.255 destination 10.0.0.25 0

acl number 3101
 rule 0 permit ip source 10.1.1.0 0.0.0.255

policy-based-route ClientRoute deny node 5
 if-match acl 3010

policy-based-route ClientRoute permit node 10
 if-match acl 3011
 apply next-hop 10.0.0.1

policy-based-route ServerRoute deny node 5
 if-match acl 3100

policy-based-route ServerRoute permit node 10
 if-match acl 3101
 apply next-hop 10.1.1.1

interface Vlan-interface1
 ip address 10.0.0.254 255.255.255.0
 ip policy-based-route ClientRoute

interface Vlan-interface100
 ip address 10.1.1.254 255.255.255.0
 ip policy-based-route ServerRoute



The system with IP Address 10.0.0.25 is what I want the switch to pass without going to a next-hop address by directly routing to the 10.1.1.0 subnet.
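
The posted policy can be checked offline before it goes on the switch. The following is an added example, not part of the original post and not HPE code: it models the Comware rule that a packet matching a deny node skips PBR and is forwarded by the routing table, while a packet matching a permit node is sent to that node's next hop. The function names are hypothetical, and next-hop reachability and hardware behaviour are not modelled.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """ACL address match: bits set in the wildcard mask are ignored."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == \
           (int(ipaddress.IPv4Address(base)) & care)

# Rules copied from the posted ACLs: (source, wildcard, destination, wildcard).
# A destination of None means the rule has no destination clause (any destination).
ACLS = {
    3010: [("10.0.0.0", "0.0.0.255", "10.0.0.0", "0.0.0.255"),
           ("10.0.0.25", "0.0.0.0", "10.1.1.0", "0.0.0.255")],
    3011: [("10.0.0.0", "0.0.0.255", None, None)],
    3100: [("10.1.1.0", "0.0.0.255", "10.1.1.0", "0.0.0.255"),
           ("10.1.1.0", "0.0.0.255", "10.0.0.25", "0.0.0.0")],
    3101: [("10.1.1.0", "0.0.0.255", None, None)],
}

# Nodes copied from the posted policies: (node, mode, acl, next_hop).
POLICIES = {
    "ClientRoute": [(5, "deny", 3010, None), (10, "permit", 3011, "10.0.0.1")],
    "ServerRoute": [(5, "deny", 3100, None), (10, "permit", 3101, "10.1.1.1")],
}

ROUTING_TABLE = "routing-table"  # label used here for "not policy-routed"

def acl_hit(acl, src, dst):
    """True if any rule of the ACL matches the packet's source and destination."""
    return any(wildcard_match(src, s, sw) and (d is None or wildcard_match(dst, d, dw))
               for s, sw, d, dw in ACLS[acl])

def pbr_decision(policy, src, dst):
    """Walk nodes in ascending order; the first node whose ACL matches decides."""
    for _node, mode, acl, next_hop in sorted(POLICIES[policy], key=lambda n: n[0]):
        if acl_hit(acl, src, dst):
            return next_hop if mode == "permit" else ROUTING_TABLE
    return ROUTING_TABLE  # no node matched: normal forwarding

def bypasses_firewall(policy, flows):
    """Return the (src, dst) flows that the policy does not steer to a next hop."""
    return [(s, d) for s, d in flows if pbr_decision(policy, s, d) == ROUTING_TABLE]

if __name__ == "__main__":
    # Constructed sample flows arriving on Vlan-interface1.
    flows = [("10.0.0.25", "10.1.1.10"), ("10.0.0.30", "10.1.1.10")]
    print(bypasses_firewall("ClientRoute", flows))
```

Running a list of expected flows through `bypasses_firewall` shows exactly which source/destination pairs the deny nodes exempt from the firewall path, which is the property to re-verify after any ACL change.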

JF7
Advisor

Re: HPE 5900 Policy Based Routing (PBR) Suddenly Stops Forwarding

I want to apologize as the formatting isn't working and it is taking out every new line and making it one long text in my post. I am going to try to fix on a different browser, but I can't right now. Sorry
JF7
Advisor

Re: HPE 5900 Policy Based Routing (PBR) Suddenly Stops Forwarding

I fixed the formatting on another device and it looks better, sorry again.

I also want to mention if the 10.0.0.25 device tries pinging the 10.0.0.254 during the intermittent PBR outage it fails, but another computer in the same network connected to the same switch can ping it.
jmpk
HPE Pro

Re: HPE 5900 Policy Based Routing (PBR) Suddenly Stops Forwarding

Hello,

Can you please let us know the firmware version you are using on the , and also provide the following output:

1. display ip policy-based-route [ policy policy-name ]

2. display ip policy-based-route setup

3. display ip policy-based-route interface interface-type interface-number [ slot slot-number ]

4. display ip policy-based-route local [ slot slot-number ]

Also refer to the configuration guide for more information:

http://h20628.www2.hp.com/km-ext/kmcsdirect/emr_na-c04088674-2.pdf


I work for HPE
JF7
Advisor

Re: HPE 5900 Policy Based Routing (PBR) Suddenly Stops Forwarding

Sorry for not responding sooner, but here is the output requested.

1. display ip policy-based-route [ policy policy-name ]

[Switch]dis ip policy-based-route policy ClientRoute
Policy name: ClientRoute
  node 5 deny:
    if-match acl 3010
  node 10 permit:
    if-match acl 3011
    apply next-hop 10.0.0.1

[Switch]dis ip policy-based-route policy ServerRoute
Policy name: ServerRoute
  node 5 deny:
    if-match acl 3100
  node 10 permit:
    if-match acl 3101
    apply next-hop 10.1.1.1

[Switch]dis ip policy-based-route policy ChooseRoute
Policy name: ChooseRoute
  node 5 deny:
    if-match acl 3001
  node 10 permit:
    if-match acl 3011
    apply next-hop 10.0.0.1
  node 15 permit:
    if-match acl 3101
    apply next-hop 10.1.1.1

2. display ip policy-based-route setup

[Switch]dis ip policy-based-route setup
Policy Name              Interface Name
ClientRoute              Vlan-interface1
ServerRoute              Vlan-interface100
ChooseRoute              local

3. display ip policy-based-route interface interface-type interface-number [ slot slot-number ]

[Switch]display ip policy-based-route interface Vlan-interface 1 slot 1
Policy based routing information for interface Vlan-interface1:
Policy name: ClientRoute
  node 5 deny:
    if-match acl 3010
  Matched: 0
  node 10 permit:
    if-match acl 3011
    apply next-hop 10.0.0.1
  Matched: 0
Total matched: 0

[Switch]display ip policy-based-route interface Vlan-interface 100 slot 1
Policy based routing information for interface Vlan-interface100:
Policy name: ServerRoute
  node 5 deny:
    if-match acl 3100
  Matched: 0
  node 10 permit:
    if-match acl 3101
    apply next-hop 10.1.1.1
  Matched: 0
Total matched: 0

4. display ip policy-based-route local [ slot slot-number ]

[Switch]display ip policy-based-route local slot 1
Policy based routing information for local:
Policy name: ChooseRoute
  node 5 deny:
    if-match acl 3001
  Matched: 0
  node 10 permit:
    if-match acl 3011
    apply next-hop 10.0.0.1
  Matched: 20
  node 15 permit:
    if-match acl 3101
    apply next-hop 10.1.1.1
  Matched: 20
Total matched: 40
JF7
Advisor

Re: HPE 5900 Policy Based Routing (PBR) Suddenly Stops Forwarding

Can anybody help me with this issue?
JF7
Advisor
Solution

Re: HPE 5900 Policy Based Routing (PBR) Suddenly Stops Forwarding

Well after a lot of time reviewing the newest Firmware and setting a maintenance window, I updated the Firmware to the below version.

After updating the Firmware and testing, the issue is resolved with this version of the Firmware.

<5900-Switch>dis curr
#
 version 7.1.045, Release 2432P06-US

 

The previous release was 2113P05, if I remember correctly. So one of the releases resolved this issue, even though reviewing the release notes never fully addresses the error I was getting.

Thanks jmpk for trying to assess the issue.