Policy based routing 5900

pattap
Regular Advisor

Policy based routing 5900

Hi All

I just need some advice/confirmation

I've set up policy-based routing so traffic sourced from 10.10.10.0/23 should be sent via a GRE tunnel (next hop 192.168.1.1).

Config as per below: two 5900s and a 12508, with a GRE tunnel set up between the 5900s.

PBR is applied to int vlan 2 on 5900 on the left hand side.

Now I'm not sure how to validate this; when I tried debug ip policy I didn't see much happening.
lan 10.10.10.0/23 -------5900 ----------- 12508 ------------ 5900
                                  vlan 2
                                10.10.10.1

                                  int tun1                                   int tun1
                               192.168.1.2--------GRE-------------192.168.1.1


interface vlan 2
ip address 10.10.10.1 255.255.254.0
ip policy-based-route PBR-test

Advanced ACL  3032, named PBR-test, 1 rule,
ACL's step is 5
 rule 5 permit ip source 10.10.10.0 0.0.1.255 logging


dis ip policy-based-route
Policy name: PBR-test
  node 5 permit:
    if-match acl 3032
    apply next-hop 192.168.1.1

I can see some matches as per the below, but with the number of users on the LAN I'd expect much more than that, plus the PBR has been in place for a while now.

dis ip policy-based-route interface Vlan-interface 2
Policy based routing information for interface Vlan-interface2:
Policy name: PBR-test
  node 5 permit:
    if-match acl 3032
    apply next-hop 192.168.1.1
  Matched: 67
Total matched: 67

2 REPLIES
Ian Vaughan
Honored Contributor

Re: Policy based routing 5900

Howdy,

Maybe I'm over-simplifying this in my head but shouldn't a simple traceroute from a device in the LH subnet to a device in the RH subnet show that the traffic has gone over the tunnel rather than touching / routing over the intervening hardware?

I take your point that it's not entirely clear from the tunnel stats - can you force a regular GRE keepalive that you can see clicking up a counter?

HTH

Ian

pattap
Regular Advisor

Re: Policy based routing 5900

Hi Ian

With traceroute it seems perfectly fine; I can see the other end of the tunnel being hit, and with debug on (debugging ip policy-based-route) I see the below:

*May  4 09:56:40:851 2017  5900 PBR4/7/PBR Forward Info: apply next-hop 192.168.1.1.
*May  4 09:56:40:858 2017  5900 PBR4/7/PBR Forward Info: Policy: TEST, Node: 5, match succeeded.
*May  4 09:56:40:858 2017  5900 PBR4/7/PBR Forward Info: apply next-hop 192.168.1.1.
*May  4 09:56:40:863 2017  5900 PBR4/7/PBR Forward Info: Policy: TEST, Node: 5, match succeeded.
*May  4 09:56:40:863 2017   5900 PBR4/7/PBR Forward Info: apply next-hop 192.168.1.1.

I can't see any of these for other traffic though, which is my concern.

Sorry Ian, I'm not sure what you mean by forcing GRE keepalives? Counters on the tunnel interfaces are clicking up, but that's not user traffic I guess.
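An added example, not code from the thread: it checks which source addresses the ACL rule's wildcard mask actually covers (0.0.1.255 is the /23 from the original post) and tallies the "match succeeded" events per policy and node from debugging ip policy-based-route lines like the ones quoted above, which also makes it easy to compare the policy name the debug reports with the name applied on the interface. Function names and the sample debug lines are constructed for the example.

```python
import ipaddress
import re

# Constructed from the rule in the thread: 'rule 5 permit ip source 10.10.10.0 0.0.1.255'.
# Comware ACL wildcard masks are inverted: a 1 bit means "don't care".
RULE_BASE = "10.10.10.0"
RULE_WILDCARD = "0.0.1.255"

def wildcard_match(addr, base=RULE_BASE, wildcard=RULE_WILDCARD):
    """True if addr falls inside the ACL source range base/wildcard."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def wildcard_to_prefix(base=RULE_BASE, wildcard=RULE_WILDCARD):
    """Convert a contiguous wildcard mask to CIDR, e.g. 0.0.1.255 -> /23."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    length = bin(care).count("1")
    if care != (0xFFFFFFFF << (32 - length)) & 0xFFFFFFFF:
        raise ValueError("non-contiguous wildcard mask has no CIDR form")
    return str(ipaddress.ip_network(f"{base}/{length}", strict=False))

# Matches the 'match succeeded' line of 'debugging ip policy-based-route' output.
MATCH_RE = re.compile(
    r"PBR Forward Info: Policy: (?P<policy>\S+), Node: (?P<node>\d+), match succeeded\.")

def count_pbr_matches(lines):
    """Tally successful PBR matches per (policy name, node) from debug lines."""
    counts = {}
    for line in lines:
        m = MATCH_RE.search(line)
        if m:
            key = (m.group("policy"), int(m.group("node")))
            counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed sample: debug lines in the format quoted in the thread.
SAMPLE_DEBUG = [
    "*May  4 09:56:40:858 2017  5900 PBR4/7/PBR Forward Info: Policy: TEST, Node: 5, match succeeded.",
    "*May  4 09:56:40:858 2017  5900 PBR4/7/PBR Forward Info: apply next-hop 192.168.1.1.",
    "*May  4 09:56:40:863 2017  5900 PBR4/7/PBR Forward Info: Policy: TEST, Node: 5, match succeeded.",
]

if __name__ == "__main__":
    print(wildcard_to_prefix())                    # 10.10.10.0/23
    for host in ("10.10.10.5", "10.10.11.200", "10.10.12.1"):
        print(host, wildcard_match(host))          # True, True, False
    print(count_pbr_matches(SAMPLE_DEBUG))         # {('TEST', 5): 2}
```

Feeding a captured debug session through count_pbr_matches gives a per-node tally to compare against the Matched counter from display ip policy-based-route interface.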