HPE Community
WAN Routing
1753432 Members
4736 Online
108793 Solutions
New Discussion юеВ

Networking help required - to set up PBR or route mapping?

 
michelle79
Advisor

тАО02-19-2018 02:25 PM - edited тАО02-19-2018 06:29 PM

тАО02-19-2018 02:25 PM - edited тАО02-19-2018 06:29 PM

Networking help required - to set up PBR or route mapping?

Hi all, I need to segment our public network which currently spans across our WAN on L2. The problem I have is that routed traffic on a new segment traverses the network, following the default routes, and hits the firewall's "Trusted" interface. I need to somehow direct the Public subnet traffic to the Public interface on the firewall. I've tried setting up PBR on switch A (as labelled in diagram) but I think since all the traffic from B comes across on the same VLAN/subnet it doesn't pick up the originating source address. It's like the PBR isn't recursive if that makes sense.  Can anyone help please? If it's not going to work how I envisaged is there any alternative way of achieving the required outcome with the current hardware?

Diagram below is our current setup and includes the additional proposed subnet.

 

Proposed library network design snippet for HP forum.jpg

0 Kudos
16 REPLIES 16
Vince-Whirlwind
Honored Contributor

тАО02-19-2018 04:57 PM

тАО02-19-2018 04:57 PM

Re: Networking help required - to set up PBR or route mapping?

Your host "public" that is attached to switch B is on the same subnet as the interface "public" on the firewall, so where does any routing come into it?

 

 

0 Kudos
michelle79
Advisor

тАО02-19-2018 06:30 PM

тАО02-19-2018 06:30 PM

Re: Networking help required - to set up PBR or route mapping?

Hi Vince, I've edited my post and updated the diagram to make it a bit more clear (and correct! Sorry about that, I screwed up on the addresses big time)

Cheers,

Michelle

0 Kudos
Paul Kurtz
HPE Pro

тАО02-19-2018 09:12 PM - edited тАО02-19-2018 09:13 PM

тАО02-19-2018 09:12 PM - edited тАО02-19-2018 09:13 PM

Re: Networking help required - to set up PBR or route mapping?

WouldnтАЩt you want to do the PBR on switch B

Classify all 5.5.5.5 to route to 1.1.1.254?

https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c03323396

PBR reference
I am a HPE Employee
0 Kudos
michelle79
Advisor

тАО02-19-2018 09:12 PM

тАО02-19-2018 09:12 PM

Re: Networking help required - to set up PBR or route mapping?

After researching further and working on this for most part of the day I've gotten a bit closer... I've applied a PBR but it doesn't work...

Command: show statistics policy "PublicTrafficToPublicFirewall" vlan 20 in returns that the packets are being ignored

Hit Counts for Policy PublicTrafficToPublicFirewall

Total

10 class ipv4 PublicNetworks action ignore
( 6286 ) 10 match ip 5.5.5.0 0.0.0.255 0.0.0.0 255.255.255.255

 

Currently have following config on switch A

class ipv4 "PublicNetworks"
     10 match ip 5.5.5.0 0.0.0.255 0.0.0.0 255.255.255.255
   exit
policy pbr "PublicTrafficToPublicFirewall"
     10 class ipv4 "PublicNetworks"
     action ip next-hop 1.1.1.254
     action ip default-next-hop 1.1.1.254
  exit
exit

vlan 20
   ip address 3.3.3.253 255.255.255.0
   service-policy "PublicTrafficToPublicFirewall" in
exit

 

What on Earth is wrong with my config???? Going mad here 

0 Kudos
Paul Kurtz
HPE Pro

тАО02-19-2018 09:12 PM

тАО02-19-2018 09:12 PM

Re: Networking help required - to set up PBR or route mapping?

WouldnтАЩt you want to do the PBR on switch B

Classify all 5.5.5.x to route to 1.1.1.254?
I am a HPE Employee
0 Kudos
michelle79
Advisor

тАО02-19-2018 09:13 PM

тАО02-19-2018 09:13 PM

Re: Networking help required - to set up PBR or route mapping?

That's what I was wondering but unfortunately I dont think the 2920s are capable.

0 Kudos
michelle79
Advisor

тАО02-19-2018 09:15 PM

тАО02-19-2018 09:15 PM

Re: Networking help required - to set up PBR or route mapping?

I feel like I'm close Paul, with the config I added in my comment posted at the same time you posted but missing something.

0 Kudos
michelle79
Advisor

тАО02-19-2018 09:26 PM

тАО02-19-2018 09:26 PM

Re: Networking help required - to set up PBR or route mapping?

Say I did apply a PBR on switch B, and got to the point where I could remove the layer 2 network, would the next-hop have to change? 1.1.1.254 would no longer be a next hop as such, or is it smart enough to figure out the best route?

0 Kudos
Paul Kurtz
HPE Pro

тАО02-19-2018 10:18 PM

тАО02-19-2018 10:18 PM

Re: Networking help required - to set up PBR or route mapping?

Verified, 3800 and 5400 support it and checked 2920 manual and not listed.

http://h20628.www2.hp.com/km-ext/kmcsdirect/emr_na-c04943197-2.pdf#page437
I am a HPE Employee
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.