Re: Policy based routing on a A7500

 
rob_barton
Occasional Visitor

Policy based routing on a A7500

Hi all,

I have a question about policy-based routing. We have a mobile device network, and I want to configure a policy that says: if the core switch receives traffic on the mobile device subnet, it routes that traffic to a specified next-hop address. At the moment mobile device traffic goes to an ASA, which then routes the traffic to our Websense server and then out to the net. We want to re-route that traffic and point it at another firewall instead, while all other data traffic continues to go through the ASA. Here is my config.

LSW-A7506-C-01:

# Define advanced ACL 3101 to match the mobile device network.
# (10.x.x.x = mobile device subnet; the wildcard mask 0.0.0.255 is a placeholder to adjust to the real subnet.)
<LSW-A7506-C-01> system-view
[LSW-A7506-C-01] acl number 3101
[LSW-A7506-C-01-acl-adv-3101] rule permit ip source 10.x.x.x 0.0.0.255
[LSW-A7506-C-01-acl-adv-3101] quit

# Define node 5 of policy mobile-device, which forwards packets to next hop 194.x.x.x (Palo Alto firewall).
# A policy name cannot contain spaces, so "mobile device" is written as "mobile-device".
[LSW-A7506-C-01] policy-based-route mobile-device permit node 5
[LSW-A7506-C-01-pbr-mobile-device-5] if-match acl 3101
[LSW-A7506-C-01-pbr-mobile-device-5] apply ip-address next-hop 194.x.x.x
[LSW-A7506-C-01-pbr-mobile-device-5] quit

# Apply policy mobile-device to LSW-A7506-C-01.
[LSW-A7506-C-01] ip local policy-based-route mobile-device

 

I want to know, from what I have put together, would this work? In theory it should, but there's a lot riding on this and I have no time to test. Plus I'm not 100% sure.

Any feedback would be appreciated.

Regards,

Rob
paulgear
Esteemed Contributor

Re: Policy based routing on a A7500

Hi Rob,

I'm not qualified to answer your specific question, but if you're in a situation where there's a lot riding on it, you're not sure, and you don't have time to test, that's a pretty dangerous position to be in. I think that justifies outsourcing the question to someone who can be 100% sure without testing and take responsibility for it if it fails.
Regards,
Paul
Vince_Whirlwind
Trusted Contributor

Re: Policy based routing on a A7500

Hear! Hear!

You do need to test it.

Create a new subnet. Put one PC on it. Create your policy-based route. Test.

If you have no time for testing, you don't have time to change anything.

Peter_Debruyne
Honored Contributor

Re: Policy based routing on a A7500

Hi,

The "ip local policy-based-route" command activates PBR for the locally generated traffic of the switch (like outgoing SNMP traps or Telnet reply traffic); it is not applied to the user traffic passing through the switch.

To apply the PBR policy to user traffic, you should identify the L3 interface on which the traffic is arriving at the switch. On that interface, you must enable the PBR policy.

So if your mobile device client traffic enters the switch through the VLAN 10 IP interface, you would configure:

int vlan 10
 ip policy-based-route XXX

So this must be configured on the source interface (PBR is also sometimes referred to as source-based routing).

Hope this helps,

Best regards,
Peter.
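The interface-level configuration Peter describes, assembled as an added example (not from the original post, and not HPE's own documentation): an advanced ACL that exempts mobile-to-internal traffic so only the remaining traffic is redirected, the policy node, and the policy bound to the ingress VLAN interface instead of "ip local policy-based-route". Comware 5 syntax, VLAN 10, the placeholder addresses and wildcard masks, and the display commands are assumptions to check against your release's PBR guide before the test Vince suggests.

```comware
# Added example: PBR on the ingress L3 interface (Comware 5 syntax assumed).
# Placeholders: 10.x.x.x = mobile device subnet, 10.y.y.y = internal networks,
# 194.x.x.x = Palo Alto firewall. Wildcard masks are placeholders as well.
<LSW-A7506-C-01> system-view

# Advanced ACL 3101. Rule 0 keeps mobile -> internal traffic on the normal routing
# table (a deny in a PBR ACL means "do not apply the policy", not "drop the packet");
# rule 5 sends everything else from the mobile subnet through the policy.
[LSW-A7506-C-01] acl number 3101
[LSW-A7506-C-01-acl-adv-3101] rule 0 deny ip source 10.x.x.x 0.0.0.255 destination 10.y.y.y 0.0.255.255
[LSW-A7506-C-01-acl-adv-3101] rule 5 permit ip source 10.x.x.x 0.0.0.255 destination any
[LSW-A7506-C-01-acl-adv-3101] quit

# Policy node 5: packets matched by the ACL get the Palo Alto as next hop.
[LSW-A7506-C-01] policy-based-route mobile-device permit node 5
[LSW-A7506-C-01-pbr-mobile-device-5] if-match acl 3101
[LSW-A7506-C-01-pbr-mobile-device-5] apply ip-address next-hop 194.x.x.x
[LSW-A7506-C-01-pbr-mobile-device-5] quit

# Bind the policy to the VLAN interface the mobile clients enter through.
# "ip local policy-based-route" would only cover traffic the switch itself originates.
[LSW-A7506-C-01] interface Vlan-interface 10
[LSW-A7506-C-01-Vlan-interface10] ip policy-based-route mobile-device
[LSW-A7506-C-01-Vlan-interface10] quit

# Verification (assumed Comware 5 display commands): confirm the policy is bound to
# the interface and that the ACL rules read as intended before sending test traffic.
[LSW-A7506-C-01] display ip policy-based-route
[LSW-A7506-C-01] display acl 3101
```

Test from a single PC on the mobile subnet as Vince describes: a traceroute to an internal host should still follow the ASA path, while one to an internet address should show 194.x.x.x as the first hop.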