01-17-2018 09:53 PM
HPE 3800 PBR HELP
Hi all,
I have attached a simple network diagram describing my issue.
I have been trying to configure my switch for PBR. I was wondering if my configuration is correct?
Are the two default routes 0.0.0.0 0.0.0.0 192.168.x.253 needed?
Below is my configuration; I omitted the unneeded information.
class ipv4 "User"
   20 match ip 192.168.54.0 255.255.254.0 0.0.0.0 255.255.255.255
   exit
class ipv4 "Server"
   10 match ip 192.168.52.0 255.255.254.0 0.0.0.0 255.255.255.255
   exit
class ipv4 "CorpWIFI"
   10 match ip 192.168.56.0 255.255.255.0 0.0.0.0 255.255.255.255
   exit
policy pbr "CorpWIFIPBR"
   10 class ipv4 "CorpWIFI"
      action ip next-hop 192.168.54.253
      exit
   exit
policy pbr "ServerPBR"
   10 class ipv4 "Server"
      action ip next-hop 192.168.52.253
      exit
   exit
policy pbr "UserPBR"
   10 class ipv4 "User"
      action ip next-hop 192.168.54.253
      exit
   exit
ip route 0.0.0.0 0.0.0.0 192.168.52.253
ip route 0.0.0.0 0.0.0.0 192.168.54.253
ip routing
vlan 1
   name "Server VLAN"
   no untagged 1/12,1/37-1/44,2/4-2/5,2/26,2/37-2/38,2/40-2/44
   untagged 1/2-1/11,1/13-1/25,1/34-1/36,1/49-1/51,2/1-2/3,2/6-2/25,2/27,2/36,2/39,2/49-2/51,Trk1-Trk7
   tagged 1/1
   ip address 192.168.53.1 255.255.254.0
   service-policy "ServerPBR" in
   exit
vlan 51
   name "MGT VLAN"
   untagged 2/5
   ip access-group "ACL-BLOCK" in
   no ip address
   exit
vlan 54
   name "Users VLAN"
   untagged 1/37-1/38,1/43-1/44,2/4,2/37-2/38,2/40-2/44
   tagged Trk1-Trk5
   ip address 192.168.54.1 255.255.254.0
   ip helper-address 192.168.52.8
   ip helper-address 192.168.52.9
   service-policy "UserPBR" in
   exit
vlan 56
   name "CorpWIFI VLAN"
   tagged Trk1-Trk3
   ip address 192.168.56.1 255.255.255.0
   ip helper-address 192.168.52.8
   ip helper-address 192.168.52.9
   service-policy "CorpWIFIPBR" in
   exit
vlan 58
   name "Guest VLAN"
   untagged 1/39-1/42,2/26
   tagged Trk1-Trk3
   no ip address
   exit
vlan 59
   name "CCTV VLAN"
   untagged 1/1,1/12
   tagged Trk1-Trk7
   no ip address
   exit
Please let me know if you have any questions regarding the network setup.
I would appreciate any advice!
Thanks!
01-21-2018 04:33 PM
Re: HPE 3800 PBR HELP
If you are doing the routing for each subnet on the Layer 3 switch, then you should not be extending those VLANs to the firewall.
If you do extend those VLANs to the firewall, then you don't need to do any routing on the switch and should remove the IP addressing and make the firewall interfaces the default gateways for their respective subnets.
The basic concept you have got wrong here is that you are spanning a segment across two Layer 3 devices.
01-22-2018 02:41 AM
Re: HPE 3800 PBR HELP
Hi,
The switch is doing the VLAN routing, and the end users' default gateway is the switch VLAN interface IP.
However, my switch's default gateway for the server and user VLANs is different, thus I would like to configure PBR.
01-22-2018 05:16 PM
Re: HPE 3800 PBR HELP
If your switch is doing the routing, then you need to remove the host VLANs from the uplinks to the firewall.
01-22-2018 05:24 PM
Re: HPE 3800 PBR HELP
What will happen is that your first packet from any host will hit the switch, pick one of the default routes and go to the firewall. If it happens to have picked the default route to the firewall interface that is in the same subnet as the host (with your two default routes on the switch, packets will simply use them alternately), the firewall will send back an ICMP redirect to the host, which will insert a more specific route in the host's routing table. That will replace whatever default route you have configured on the host, and future packets will be sent by the host direct to the firewall.
Return packets will always be routed from the firewall direct to the host instead of to the Layer 3 switch.
This is why you need to get those 2 host VLANs off the firewall so you can route your traffic properly.
01-23-2018 06:32 AM
Re: HPE 3800 PBR HELP
Hello, what do you mean by removing the host VLANs from the uplinks to the firewall?
Thanks for your patience.
01-23-2018 06:36 AM
Re: HPE 3800 PBR HELP
"What will happen is your first packet from any host will hit the switch, pick one of the default routes, go the firewall, and if it happens to have picked the default route to the firewall interface that is in the same subnet as the host (with your two default routes on the switch, packets will simply use them alternately"
-> How do I configure it in a way that subnet 192.168.53.0 goes to firewall interface 1 (192.168.53.253) instead of interface 2 (192.168.54.253)? Doesn't my policy pbr config take care of this?
I am trying to figure this out as the 192.168.54.253 interface might be moving to another firewall. I have to ensure that the traffic from 192.168.54.0 goes out by the correct path.
01-23-2018 05:29 PM
Re: HPE 3800 PBR HELP
@jun_ng wrote: "...Subnet 192.168.53.0 will be going to the firewall interface 1 (192.168.53.253)"
No. You've told us your switch is the router for that subnet, not the firewall, so you need to stop trunking that VLAN to the firewall.
This picture explains how you design a network at Layer3:
If you consider the middle router, that is like your switch. What you have done is put the 192.168.2.0 subnet (the middle router's LAN subnet for hosts) on the connected interfaces of Routers 1 & 3. That is not the way a network should be designed.
You need to fix that before you consider implementing PBR.
01-25-2018 06:50 AM
Re: HPE 3800 PBR HELP
Inter-VLAN routing is to be done by the switch, but to route out to the internet, different VLANs are to route out to different firewalls.
I am not sure how to configure it for this scenario. Does the connecting port to the firewall have to be untagged with the VLAN? And does having the same IP range at the firewall cause routing issues?
01-26-2018 01:16 PM
Re: HPE 3800 PBR HELP
If you want your switch to route between VLANs, then configure a new unique subnet between the switch and the firewall. No PBR is needed. No matter which VLAN is the source, the switch will route the traffic to the firewall on that unique subnet.
If you don't want the switch to route between VLANs, then remove the IPs from the switch (keep one for management). Each VLAN will be terminated on a firewall interface, and that firewall interface will be the default gateway for that VLAN.
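The two replies above that carry the technical argument, the one explaining how two default routes and firewall interfaces inside the host subnets lead to ICMP redirects, and the final one recommending a dedicated transit subnet between switch and firewall, can be checked with a small forwarding model. The Python below is an added example written for this page; it is not HPE code and not something any poster ran. It encodes the original poster's VLANs, routes and PBR classes as CIDR prefixes, then a transit-VLAN variant of the last reply's design extended for the two-firewall requirement (VLANs 100/101 and the 10.0.100.0/30 and 10.0.101.0/30 addresses are assumptions, as is the `ignore` entry used to keep internal destinations out of the class; check your release's class syntax before copying that idea). Two further assumptions: a service-policy on the ingress VLAN is consulted before the routing table, and equal default routes are taken alternately per packet as the reply describes (real hardware typically hashes per flow, which does not change the conclusion). Under those assumptions the model also shows that classes matching every destination policy-route server-to-user traffic to the firewall instead of delivering it on VLAN 54, which is worth verifying on the real switch. Note too that the posted classes write the source mask as a subnet mask (255.255.254.0) while writing "any destination" as 0.0.0.0 255.255.255.255; confirm which mask form your release expects.

```python
import ipaddress
from itertools import cycle

# Constructed model of how the 3800 picks a next hop for a packet arriving on a
# routed VLAN (added example, not HPE code). Assumed: the PBR service-policy on
# the ingress VLAN is consulted before the routing table, equal default routes
# are used alternately per packet (as the reply says), classes are CIDR prefixes.

ANY = "0.0.0.0/0"


def net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


class Switch:
    def __init__(self, svis, routes, pbr):
        # svis: {vlan: "addr/len"}, the switch's own VLAN interface addresses
        self.svis = {v: ipaddress.ip_interface(a) for v, a in svis.items()}
        # routes: [(prefix, next_hop)]; equal-length matches form an ECMP group
        self.routes = [(net(p), nh) for p, nh in routes]
        self._rr = {}  # round-robin state per ECMP group
        # pbr: {vlan: [(verb, src, dst, next_hop)]}, verb is "match" or "ignore"
        self.pbr = {v: [(verb, net(s), net(d), nh) for verb, s, d, nh in rules]
                    for v, rules in pbr.items()}

    def ingress_vlan(self, src):
        for v, ifc in self.svis.items():
            if src in ifc.network:
                return v
        raise ValueError(f"{src} is not in any routed VLAN")

    def forward(self, src, dst):
        """Return (reason, next_hop) for a packet src -> dst."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # 1. PBR on the ingress VLAN: the first entry covering src/dst decides.
        for verb, s, d, nh in self.pbr.get(self.ingress_vlan(src), []):
            if src in s and dst in d:
                if verb == "match":
                    return ("pbr", nh)
                break  # "ignore" entry: fall through to the routing table
        # 2. Destinations on a connected VLAN are delivered there directly.
        for v, ifc in self.svis.items():
            if dst in ifc.network:
                return ("connected", f"vlan{v}")
        # 3. Longest prefix match, alternating among equal-cost next hops.
        matches = [(p, nh) for p, nh in self.routes if dst in p]
        if not matches:
            return ("drop", None)
        best = max(p.prefixlen for p, _ in matches)
        group = tuple(nh for p, nh in matches if p.prefixlen == best)
        return ("route", next(self._rr.setdefault(group, cycle(group))))


def redirect_risk(sw, src, dst):
    """True when the next hop sits in the sender's own subnet: the firewall then
    sends an ICMP redirect and the host bypasses the switch (the reply's case)."""
    reason, nh = sw.forward(src, dst)
    if reason not in ("route", "pbr"):
        return False
    host_net = sw.svis[sw.ingress_vlan(ipaddress.ip_address(src))].network
    return ipaddress.ip_address(nh) in host_net


def original_config():
    """The thread's config: firewall interfaces inside the host subnets, two
    default routes, classes that match every destination."""
    return Switch(
        svis={1: "192.168.53.1/23", 54: "192.168.54.1/23", 56: "192.168.56.1/24"},
        routes=[(ANY, "192.168.52.253"), (ANY, "192.168.54.253")],
        pbr={1: [("match", "192.168.52.0/23", ANY, "192.168.52.253")],
             54: [("match", "192.168.54.0/23", ANY, "192.168.54.253")],
             56: [("match", "192.168.56.0/24", ANY, "192.168.54.253")]})


def without_pbr(sw):
    """Same SVIs and routes with every service-policy removed."""
    return Switch({v: str(i) for v, i in sw.svis.items()},
                  [(str(p), nh) for p, nh in sw.routes], {})


def transit_config():
    """The last reply's design extended for two firewalls: one /30 transit VLAN
    per firewall (VLANs 100/101 and 10.0.100.0/30, 10.0.101.0/30 are assumed),
    host VLANs only on the switch, one default route, and PBR only on the VLANs
    that leave via firewall 2, ignoring internal destinations."""
    internal = "192.168.48.0/20"  # covers all three host VLANs
    return Switch(
        svis={1: "192.168.53.1/23", 54: "192.168.54.1/23", 56: "192.168.56.1/24",
              100: "10.0.100.1/30", 101: "10.0.101.1/30"},
        routes=[(ANY, "10.0.100.2")],
        pbr={54: [("ignore", "192.168.54.0/23", internal, None),
                  ("match", "192.168.54.0/23", ANY, "10.0.101.2")],
             56: [("ignore", "192.168.56.0/24", internal, None),
                  ("match", "192.168.56.0/24", ANY, "10.0.101.2")]})


if __name__ == "__main__":
    plain = without_pbr(original_config())
    for _ in range(2):  # the two defaults are taken in turn
        print("no PBR, user -> internet:", plain.forward("192.168.54.10", "8.8.8.8"))
    for label, sw in (("original", original_config()), ("transit", transit_config())):
        print(label, "server -> user:", sw.forward("192.168.52.20", "192.168.54.10"),
              "| user -> internet:", sw.forward("192.168.54.10", "8.8.8.8"),
              "| redirect risk:", redirect_risk(sw, "192.168.54.10", "8.8.8.8"))
```

Running it shows the three points of the thread in one place: with the service-policies removed, user traffic takes the two defaults in turn and every second packet reaches the firewall via 192.168.54.253, the interface on the host's own subnet, so the redirect the reply describes applies; with the posted PBR, user traffic always goes to 192.168.54.253, which is still on the host's subnet, so PBR does not remove the redirect problem, and server-to-user traffic is handed to the firewall rather than delivered on VLAN 54; with the transit design, inter-VLAN traffic is delivered by the switch, default traffic leaves via firewall 1, the VLANs that must use firewall 2 do so via a next hop that is not on any host subnet, and no redirect is possible.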