
PBR with VPN-Instance

Hi All,

I have an IRF stack with 2 x A5500-24G-4SFP HI.
Version is Comware Software, Version 5.20.99, Release 5501P19.

There are 2 VLANs and 2 VPN-Instances.
VLAN 100 (10.0.0.252) is bound to vpn-instance vpn_main.
VLAN 1002 (10.0.5.25) is bound to vpn-instance vpn_CustomerA.
I configured vpn-targets between the vpn-instances and BGP sessions with import-route direct, and I can ping interface Vlan 100 from interface Vlan 1002 and vice versa.
There is a UTM in VLAN1002 and its IP address is 10.0.5.27: it is the default route for vpn_CustomerA.
The default gateway for vpn_main is 10.0.0.254.
There is a CPE in VLAN100 and its IP address is 10.0.0.203.
And there is a device behind the CPE and its IP address is 10.3.239.254.

I need to configure a PBR from 10.3.239.254 to 0.0.0.0 through 10.0.5.27.

I wrote an ACL:

acl number 3012 name ACL-PBR
 step 10
 rule 10 permit ip source 10.3.224.0 0.0.15.255
 rule 20 permit icmp source 10.3.224.0 0.0.15.255

I wrote a PBR rule:

policy-based-route PBR permit node 5
   if-match acl 3012
   apply ip-address next-hop 10.0.5.27

I put this policy on VLAN100 (bound to vpn_main).

From my device, I telnet to an IP and I see with a "tcpdump" that this flow goes through 10.0.0.254.
Then I delete the vpn-instance binding in VLAN1002 and I retry a telnet: the flow goes through 10.0.5.27, yeah!

So, how can I use PBR with the vpn-instance binding?

Thanks,

Jacques

Re: PBR with VPN-Instance

I'm fighting again with PBR inside VPN-Instance.
After lots of tests, my conclusion at the moment is that PBR does not work inside VPN-Instance, but I think I may have missed something in the configuration.
Has anybody already made it work?

Mike_ES
Valued Contributor

Re: PBR with VPN-Instance

Hi,

Please try configuring your PBR's ACL with the vpn-instance keyword.

Should help. If not, maybe there is a bug in your Comware version.

Michal

Re: PBR with VPN-Instance

Hello Michal,

I wrote the PBR as:

acl number 3012 name ACL-PBR
 step 10
 rule 20 permit icmp vpn-instance vpn_main source 10.3.224.0 0.0.15.255
 rule 30 permit ip vpn-instance vpn_main source 10.3.224.0 0.0.15.255

Failure... :(

Maybe you have an example that works for you... ;)

Best regards,

Jacques

Mike_ES
Valued Contributor

Re: PBR with VPN-Instance

Do you have your PBR next-hop 10.0.5.27 configured inside vpn-instance vpn_main?

Re: PBR with VPN-Instance

Please find the configuration:

ip vpn-instance vpn_main
 route-distinguisher 100:1
 vpn-target 100:1 1002:1 export-extcommunity
 vpn-target 100:1 1002:1 import-extcommunity
#
ip vpn-instance vpn_CustomerA
 route-distinguisher 1002:1
 vpn-target 1002:1 100:1 export-extcommunity
 vpn-target 1002:1 100:1 import-extcommunity

acl number 3012 name ACL-PBR
 step 10
 rule 20 permit icmp vpn-instance vpn_main source 10.3.224.0 0.0.15.255
 rule 30 permit ip vpn-instance vpn_main source 10.3.224.0 0.0.15.255

policy-based-route PBR permit node 5
   if-match acl 3012
   apply ip-address next-hop 10.0.5.27

interface Vlan-interface100
 ip binding vpn-instance vpn_main
 ip address 10.0.0.252 255.255.255.0
 ip policy-based-route PBR

interface Vlan-interface1002
 ip binding vpn-instance vpn_CustomerA
 ip address 10.0.5.25 255.255.255.248

bgp 65001
 undo synchronization
 #
 ipv4-family vpn-instance vpn_main
  import-route direct
 #
 ipv4-family vpn-instance vpn_CustomerA
  import-route direct

 

The IP routing table for vpn_main:

Routing Tables: vpn_main
        Destinations : 8       Routes : 8

Destination/Mask    Proto  Pre  Cost         NextHop         Interface

0.0.0.0/0           Static 60   0            10.0.0.254      Vlan100
10.0.0.0/24         Direct 0    0            10.0.0.252      Vlan100
10.0.0.252/32       Direct 0    0            127.0.0.1       InLoop0
10.0.5.24/29        BGP    130  0            10.0.5.25       Vlan1002
10.0.5.25/32        BGP    130  0            127.0.0.1       InLoop0
10.3.0.0/16         BGP    255  10           10.0.0.204      Vlan100
127.0.0.0/8         Direct 0    0            127.0.0.1       InLoop0
127.0.0.1/32        Direct 0    0            127.0.0.1       InLoop0

The IP routing table for vpn_CustomerA:

Routing Tables: vpn_CustomerA
        Destinations : 30       Routes : 30

Destination/Mask    Proto  Pre  Cost         NextHop         Interface

10.0.0.0/24         BGP    130  10           10.0.0.252      Vlan100
10.0.0.252/32       BGP    130  10           127.0.0.1       InLoop0
10.0.5.24/29        Direct 0    0            10.0.5.25       Vlan1002
10.0.5.25/32        Direct 0    0            127.0.0.1       InLoop0
10.3.0.0/16         BGP    255  10           10.0.0.204      Vlan100
127.0.0.0/8         Direct 0    0            127.0.0.1       InLoop0
127.0.0.1/32        Direct 0    0            127.0.0.1       InLoop0

 

 

Re: PBR with VPN-Instance

Yesterday I upgraded to the new release (Comware Software, Version 5.20.99, Release 5501P21): same problem.
I opened a ticket; I hope that Support answers me with good news.
However, if someone has an idea... ;)

Re: PBR with VPN-Instance

HPE support can't help me... unless I pay for a service with external people :(

Solution

Re: PBR with VPN-Instance

I got the answer: Comware5 doesn't support PBR with VRF.

Comware7 does.
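
An added example (not code from the thread or from HPE): a Python check, built on the ACL rule and the vpn_main routing table posted above, that the source matches ACL 3012 and that the PBR next hop is reachable only through an interface bound to a different VPN instance, which is the case the answer says Comware5 does not support. The destination 192.0.2.10 is a constructed sample; when PBR is not applied, the flow follows the vpn_main default route and bypasses the UTM.

```python
import ipaddress

# Copied from the thread: ACL 3012 source rule and the vpn_main routing table.
ACL_RULES = [("10.3.224.0", "0.0.15.255")]
VPN_MAIN_ROUTES = [
    ("0.0.0.0/0", "10.0.0.254", "Vlan100"),
    ("10.0.0.0/24", "10.0.0.252", "Vlan100"),
    ("10.0.5.24/29", "10.0.5.25", "Vlan1002"),
    ("10.3.0.0/16", "10.0.0.204", "Vlan100"),
]
# Interface-to-VPN-instance bindings from the posted configuration.
BINDINGS = {"Vlan100": "vpn_main", "Vlan1002": "vpn_CustomerA"}


def acl_matches(src, rules=ACL_RULES):
    """Comware wildcard match: bits set in the wildcard are ignored."""
    s = int(ipaddress.IPv4Address(src))
    for base, wildcard in rules:
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        if s & care == int(ipaddress.IPv4Address(base)) & care:
            return True
    return False


def lookup(dst, routes=VPN_MAIN_ROUTES):
    """Longest-prefix match; returns (prefix, next hop, interface)."""
    addr = ipaddress.IPv4Address(dst)
    hits = [r for r in routes if addr in ipaddress.ip_network(r[0])]
    return max(hits, key=lambda r: ipaddress.ip_network(r[0]).prefixlen)


def audit_pbr(src, dst, pbr_next_hop, ingress_if="Vlan100"):
    """Summarise what the PBR node needs and where plain routing sends dst."""
    _, _, out_if = lookup(pbr_next_hop)
    return {
        "acl_match": acl_matches(src),
        "next_hop_interface": out_if,
        # True means the policy must forward across VPN instances.
        "crosses_vrf": BINDINGS[out_if] != BINDINGS[ingress_if],
        # Path taken if the PBR node is not applied (UTM bypassed).
        "routed_next_hop": lookup(dst)[1],
    }


if __name__ == "__main__":
    # 192.0.2.10 is a constructed destination, not from the thread.
    print(audit_pbr("10.3.239.254", "192.0.2.10", "10.0.5.27"))
```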