Re: PBR wih VPN-Instance

Jacques_GRILLOT · ‎03-25-2016

Hi All,

I have an IRF stack with 2 x A5500-24G-4SFP HI.
Version is Comware Software, Version 5.20.99, Release 5501P19.

There are 2 VLAN and 2 VPN-Instance.
VLAN 100 (10.0.0.252) is binding vpn-instance vpn_main.
VLAN 1002 (10.0.5.25) is binding vpn-instance vpn_CustomerA.
I configure vpn-target between the vpn-instance, BGP sessions with an import-route direct and I can ping interface Vlan 100 from interface Vlan 1002 and vice-versa.
There is an UTM in VLAN1002 and its IP address is 10.0.5.27 : it is the default route for vpn_CustomerA.
the default gateway for vpn_main is 10.0.0.254.
There is a CPE in VLAN100 and its IP address is 10.0.0.203.
An there is a device behind CPE and its IP address is 10.3.239.254.

I need configure a PBR from 10.3.239.254 to 0.0.0.0 through 10.0.5.27.

I write an ACL :

acl number 3012 name ACL-PBR
step 10
rule 10 permit ip source 10.3.224.0 0.0.15.255
rule 20 permit icmp source 10.3.224.0 0.0.15.255

I write a PBR rule :

policy-based-route PBR permit node 5
if-match acl 3012
apply ip-address next-hop 10.0.5.27

I put this policy in VLAN100 (bind to vpn_main).

From my device, I telnet an IP and I see with a "tcpdump" that this flow goes through 10.0.0.254.
Then I delete the vpn-instance binding in VLAN1002 and I retry a telnet : the flow goes through 10.0.5.27, yeah !

So, how can I use PBR with the binding vpn-instance ?

Merci,

Jacques

Jacques_GRILLOT · ‎04-14-2016

I'm fighting again with PBR inside VPN-Instance.
After lots of tests, my conclusion at the moment is PBR doesn't not work inside VPN-Instance but I think of having missed something in the configuration.
Anybody has already made it work ?

Mike_ES · ‎04-14-2016

Hi,

Please try configure your PBR's ACL with vpn-instance keyword.

Should help. If not, maybe there is bug existsing in your Comware version.

Michal

Jacques_GRILLOT · ‎04-14-2016

Bonjour Michal,

I write PBR as :

acl number 3012 name ACL-PBR
step 10
rule 20 permit icmp vpn-instance vpn_main source 10.3.224.0 0.0.15.255
rule 30 permit ip vpn-instance vpn_main source 10.3.224.0 0.0.15.255

Failure... :(

Maybe have you an example that works with you... ;)

Best regards,

Jacques

Mike_ES · ‎04-14-2016

Do you have your PBR next-hop 10.0.5.27 configured inside vpn-instance vpn_main ???

Jacques_GRILLOT · ‎04-14-2016

Please find configuration :

ip vpn-instance vpn_main
route-distinguisher 100:1
vpn-target 100:1 1002:1 export-extcommunity
vpn-target 100:1 1002:1 import-extcommunity
#
ip vpn-instance vpn_CustomerA
route-distinguisher 1002:1
vpn-target 1002:1 100:1 export-extcommunity
vpn-target 1002:1 100:1 import-extcommunity

acl number 3012 name ACL-PBR
step 10
rule 20 permit icmp vpn-instance vpn_main source 10.3.224.0 0.0.15.255
rule 30 permit ip vpn-instance vpn_main source 10.3.224.0 0.0.15.255

policy-based-route PBR permit node 5
if-match acl 3012
apply ip-address next-hop 10.0.5.27

interface Vlan-interface100
ip binding vpn-instance vpn_main
ip address 10.0.0.252 255.255.255.0
ip policy-based-route PBR

interface Vlan-interface1002
ip binding vpn-instance vpn_CustomerA
ip address 10.0.5.25 255.255.255.248

bgp 65001
undo synchronization
#
ipv4-family vpn-instance vpn_main
import-route direct
#
ipv4-family vpn-instance vpn_CustomerA
import-route direct

the ip-routing table for vpn_main :

Routing Tables: vpn_main
Destinations : 8 Routes : 8

Destination/Mask Proto Pre Cost NextHop Interface

0.0.0.0/0           Static 60   0            10.0.0.254      Vlan100
10.0.0.0/24         Direct 0    0            10.0.0.252      Vlan100
10.0.0.252/32       Direct 0    0            127.0.0.1       InLoop0
10.0.5.24/29        BGP    130 0            10.0.5.25       Vlan1002
10.0.5.25/32        BGP    130 0            127.0.0.1       InLoop0
10.3.0.0/16         BGP    255 10           10.0.0.204      Vlan100
127.0.0.0/8         Direct 0    0            127.0.0.1       InLoop0
127.0.0.1/32        Direct 0    0            127.0.0.1       InLoop0

the ip-routing table for vpn_CustomerA :

Routing Tables: vpn_CustomerA
Destinations : 30 Routes : 30

Destination/Mask Proto Pre Cost NextHop Interface

10.0.0.0/24         BGP    130 10           10.0.0.252      Vlan100
10.0.0.252/32       BGP    130 10           127.0.0.1       InLoop0
10.0.5.24/29        Direct 0    0            10.0.5.25       Vlan1002
10.0.5.25/32        Direct 0    0            127.0.0.1       InLoop0
10.3.0.0/16         BGP    255 10           10.0.0.204      Vlan100
127.0.0.0/8         Direct 0    0            127.0.0.1       InLoop0
127.0.0.1/32        Direct 0    0            127.0.0.1       InLoop0

Jacques_GRILLOT · ‎04-14-2016

I find this old post, it seems to be the same problem : http://community.hpe.com/t5/Comware-Based/Policy-based-route-not-working-inside-a-VRF/td-p/6047587

Jacques_GRILLOT · ‎04-15-2016

Yesterday I upgraded with new release (Comware Software, Version 5.20.99, Release 5501P21), same problem.
I opened a ticket, I hope that Support answers me with a good new.
However, if someone has an idea... ;)

Jacques_GRILLOT · ‎04-22-2016

HPE support can't help me... unless paying a service with an external people :(

Jacques_GRILLOT · ‎07-29-2016

I get the answer : Comware5 doesn't support PBR with VRF.

Comware7 does.

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Discussions

Forums

Discussions

Forums

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

Re: PBR wih VPN-Instance

PBR wih VPN-Instance