michelle79
Advisor

Policy Based Routing on 5400R zl2 (J9851A) switch

Hi all, I'm hoping someone can tell me if I'm headed in the right direction with my first ever PBR implementation or correct me if I'm not! I've only just learnt about it over the past few days so if I'm way off please forgive and enlighten me :)

Firstly, I better just mention we have all v3 PoE modules but the management modules are v1. I have read that v1 modules are not supported. Not sure if that includes management side of things though...

So now the issue... Let's say you had both public and private subnets running on the same switches separated by VLANs... eventually traffic hits the core switch and it would direct all traffic out through our private firewall because that's its default route.

What I need to have happen is traffic that originates from a public subnet is redirected to the public firewall.

From what I have read over the past few days I have got:

     class ipv4 "Public Networks Class"
          match ip 192.168.5.0/24 any
          match ip 192.168.6.0/24 any
     exit

     policy pbr "Public Networks Policy"
          class ipv4 "Public Networks Class"
          action ip next-hop 192.168.1.1
     exit

I think the next step is to apply the policy to the interfaces on the core switch where those networks link in from. Something like: interface A1,A2 service-policy "Public Networks Policy" in

Am I on the right track? My biggest concern is that once I put this in place traffic not matching the criteria will be dropped/blocked. Will the policy still allow traffic from other networks to continue through unaffected?

I also wasn't sure whether I was meant to use route-map commands or if that is for a different purpose altogether. Can anyone tell me that too please?

Cheers,

Michelle

parnassus
Honored Contributor

Re: Policy Based Routing on 5400R zl2 (J9851A) switch


michelle79 wrote: Firstly, I better just mention we have all v3 PoE modules but the management modules are v1. I have read that v1 modules are not supported. Not sure if that includes management side of things though...

Hello Michelle,

regarding your doubt above... AFAIK... the Aruba 5400R zl2 Management Module (J9827A) wasn't "versioned" (through a complete re-engineering) like happened over the years to various interface modules (see v1 - aka/called - zl only, v2 zl and v3 zl2)... that Management Module works only on an Aruba 5400R zl2 chassis, exactly like the HP E5400 zl Management Module (J8727A) works only on the old HP E5400 zl Switch series.

The rule is that the old 5400 zl works with v1 zl and/or v2 zl interface modules, the new 5400R zl2 works with v2 zl and/or v3 zl2 interface modules (in "compatibility mode" or in "v3 only mode").


Michael Patmon
Trusted Contributor

Re: Policy Based Routing on 5400R zl2 (J9851A) switch

Hello. As Parnassus mentioned, the 5400R does not support v1 interface modules. There is only one version of management module, so no concern there.

Your classifier statements as configured will match any IP packet with a source of 192.168.5.0/24 or 192.168.6.0/24 ingressing ports A1 & A2 (if you were to apply them there).  You could instead apply the service-policy to the VLAN(s) where your "public" clients are and just do a "match ip any any".  

Packets that do not match will be routed normally according to the routing table.

Route-maps are used in conjunction with routing protocols.  Sounds like PBR is what you want here.

Hope that helps.

michelle79
Advisor

Re: Policy Based Routing on 5400R zl2 (J9851A) switch

Hi Michael, thanks for the help. I have added below config to only test pings to begin with however I can still see ICMP packets from the source address 172.16.24.254 on the default gateway rather than the alternative gateway. I'm not sure what I'm missing here :(

Below is config used:

     class ipv4 "Test"
          match icmp 172.16.24.254 255.255.255.255 any
          match icmp 172.16.24.254 255.255.255.0 any   (added later just to cover everything)
     exit

     policy pbr "Test"
          class ipv4 "Test"
          action ip next-hop 192.168.1.1
     exit

     vlan 24 service-policy "Test" in

Appreciate any ideas you may have... Thanks in advance

Cheers,

Michelle

Michael Patmon
Trusted Contributor

Re: Policy Based Routing on 5400R zl2 (J9851A) switch

Hi Michelle..  I would first check that the classifier policy is being hit by showing the statistics:

HP-Switch-5406Rzl2(config)# show statistic policy test vlan 24 in

Hit Counts for Policy test

Total

10 class ipv4 test action ip next-hop 192.168.1.1
( 200792 ) 10 match icmp 172.16.24.254 0.0.0.0 0.0.0.0 255.255.255.255

If it's being hit and not routed that's one problem.  You said the packet is showing up at the default next hop so my guess is that it's not being hit.

The packet has to be a routed packet by the 5400R to hit the PBR policy.  In other words, the MAC DA of the packet needs to be the 5400R.  If the DA MAC is some other device then the 5400R is just switching it to whatever port that MAC is learned on.  

I've attached a sample config. When I send traffic to 5.5.5.5 from 172.16.24.254 with no service-policy applied I see the packet sent to 10.1.1.2 (VLAN 10). When I apply the service-policy to VLAN24 the packet is routed out 192.168.1.1 (VLAN 192).

michelle79
Advisor

Re: Policy Based Routing on 5400R zl2 (J9851A) switch

Hello again, thank you Michael, that statistics command was very helpful. It confirmed that my PBR was working, however the next hop was overriding the route I wanted the traffic to take. So now I've got that issue sorted out I have come across another... as per the PBR all traffic from a specific network now goes via the internet even if it is destined for an internal server. Can I apply more than one policy to the same vlan with priority so the next hop action will "match icmp 172.16.24.254 0.0.0.0 0.0.0.0 255.255.255.255" ONLY if it doesn't "match icmp 172.16.24.254 0.0.0.0 172.16.0.0 255.255.0.0"

Thanks again,

Michelle

Michael Patmon
Trusted Contributor

Re: Policy Based Routing on 5400R zl2 (J9851A) switch

You cannot apply two policies to the same VLAN or interface, but what you can do is put a more specific entry "above" that match statement to ignore those packets. In classifiers, and ACLs, the first entry that matches is the action that takes place. No further matching is done on the packet. So if you have the following configured:

     class ipv4 "class1"
          10 match icmp 172.16.24.254 0.0.0.0 0.0.0.0 255.255.255.255
     exit

Then you could insert the more specific entry above #10:

     5406Rzl2(config-class)# 5 ignore icmp host 172.16.24.254 172.16.0.0/16

The "ignore" basically says "do not apply policy for these packets".  Packets that hit the ignore should get routed normally.

Also note that classifier/ACL entries use the inverse subnet mask.  You're really matching on the host portion of a network mask.  So the above would turn into the following config:

     class ipv4 "class1"
          5 ignore icmp 172.16.24.254 0.0.0.0 172.16.0.0 0.0.255.255
          10 match icmp 172.16.24.254 0.0.0.0 0.0.0.0 255.255.255.255
     exit
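The two points in the last reply, first-match evaluation and inverse (wildcard) masks, are easy to get backwards when writing a classifier by hand. The following is an added example, not configuration or code from anyone in this thread or from HPE: a small Python simulator that loads the expanded "class1" entries shown above, evaluates sample packets against them in sequence order, and shows why the class without the `ignore` line sent internal traffic to the next-hop while the class with it routes that traffic normally. It assumes the semantics described in the reply (a 0 bit in the mask must match, a 1 bit is ignored; the first hit wins; `ignore` means normal routing). The function names (`classify`, `load_class`, `prefix_to_wildcard`) and the sample packets are the example's own.

```python
"""Added example, not from the thread: a simulator of first-match
classifier semantics with inverse (wildcard) masks, as described in the
reply above. Assumptions: a 0 bit in the mask must match the packet, a
1 bit is ignored; 'match' sends the packet to the policy's next-hop and
'ignore' (or no entry matching) leaves it to normal routing. All names
and sample packets here are the example's own."""
import ipaddress


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True when addr equals base on every bit where the inverse mask is 0."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)


def prefix_to_wildcard(prefix_len: int) -> str:
    """CIDR prefix length to the inverse mask the classifier stores, e.g. 16 -> 0.0.255.255."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").hostmask)


def parse_entry(line: str) -> dict:
    """Parse one expanded classifier line: '<seq> match|ignore <proto> <src> <src-wc> <dst> <dst-wc>'."""
    seq, verb, proto, src, src_wc, dst, dst_wc = line.split()
    if verb not in ("match", "ignore"):
        raise ValueError(f"unknown verb {verb!r} in {line!r}")
    return {"seq": int(seq), "verb": verb, "proto": proto,
            "src": src, "src_wc": src_wc, "dst": dst, "dst_wc": dst_wc}


def load_class(text: str) -> list:
    """Entries are evaluated in sequence-number order, lowest first."""
    entries = [parse_entry(l) for l in text.strip().splitlines() if l.strip()]
    return sorted(entries, key=lambda e: e["seq"])


NEXT_HOP = "192.168.1.1"  # the next-hop used by the policy in the thread

# class1 as shown in the final post, in expanded inverse-mask form
CLASS1_WITH_IGNORE = """
5 ignore icmp 172.16.24.254 0.0.0.0 172.16.0.0 0.0.255.255
10 match icmp 172.16.24.254 0.0.0.0 0.0.0.0 255.255.255.255
"""

# the class before the ignore line was added: everything from the host is redirected
CLASS1_MATCH_ONLY = """
10 match icmp 172.16.24.254 0.0.0.0 0.0.0.0 255.255.255.255
"""


def classify(entries: list, proto: str, src: str, dst: str) -> tuple:
    """Return (action, next_hop, seq) for a routed packet.

    action is 'next-hop' when the first matching entry is a match, and
    'normal-routing' when it is an ignore or when no entry matches.
    """
    for e in entries:
        if e["proto"] != proto:
            continue
        if wildcard_match(src, e["src"], e["src_wc"]) and wildcard_match(dst, e["dst"], e["dst_wc"]):
            if e["verb"] == "match":
                return ("next-hop", NEXT_HOP, e["seq"])
            return ("normal-routing", None, e["seq"])  # first hit wins, even when it is an ignore
    return ("normal-routing", None, None)


if __name__ == "__main__":
    # constructed sample packets: an internal server, the 5.5.5.5 test target
    # mentioned in the thread, a non-ICMP packet, and a different source host
    packets = [("icmp", "172.16.24.254", "172.16.30.10"),
               ("icmp", "172.16.24.254", "5.5.5.5"),
               ("tcp", "172.16.24.254", "5.5.5.5"),
               ("icmp", "172.16.24.10", "5.5.5.5")]
    for name, cfg in (("match only", CLASS1_MATCH_ONLY), ("with ignore", CLASS1_WITH_IGNORE)):
        entries = load_class(cfg)
        for pkt in packets:
            print(name, pkt, "->", classify(entries, *pkt))
```

Running it prints, for each of the two class versions, where each sample packet ends up; the only difference between them is the ICMP packet to 172.16.30.10, which the match-only class redirects to 192.168.1.1 and the class with the sequence-5 `ignore` leaves to the routing table. `prefix_to_wildcard` is there for the mask conversion the reply mentions (a /16 becomes 0.0.255.255, a host /32 becomes 0.0.0.0), which is the step most often done wrong when a CIDR prefix is typed in as if it were a normal subnet mask.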