Hello @JarlBalgruuf
The PBR policy has to be applied to an interface in order to perform what is supposed to. From the configuration snippets you provided I cannot see if this was done. Please provide the VLAN configuration or even better the whole running configuration of the switch.
For reference you can have a look at Chapter 10 Policy Based Routing of the Multicast and Routing Guide, page 234. There is also an example there and you can see that the last command applies the policy to the VLAN.
https://support.hpe.com/hpesc/public/docDisplay?docId=a00091308en_us
Hi! as @Emil_G remembered you the service policy needs to be applied (on desired VLANs) and this can be achieved by using the command vlan [vlan-id] service-policy [policy-name] in.
Let's suppose VLAN 2 refers to 192.168.153.0/24 and you want to apply the policy pbr "spx traffic" then vlan 2 service-policy тАЬspx trafficтАЭ in, cleary that service policy should also be paired with the other vlan 1 service-policy "hosting traffic" in (supposing the VLAN 1 is referring to 172.21.0.0/16) valid for VLAN 1.
Edit: Chapter 14 "Classifier-based software configuration" (starting at 366/424) of Aruba 2930F/2930M Advanced TrafficManagement Guide for ArubaOS-Switch 16.10 goes pretty deep with regards to PBR (See figure 64 on page 394/424).
I'm not an HPE Employee
Hello,
I am not sure if I understand fully the scenario, thats why I would like to ask for more details in order to understand how exactly the PBR is affecting the management traffic.
Which IP interface on the switch do you want to use for management - VLAN 1 or VLAN 2?
In which VLAN (resp IP subnet) is placed the management PC from which you are trying to establish Telnet/HTTPs connection with the switch? Is it connected to the same switch or some other switch? Which device is the gateway of the management PC?
Should the next hop 172.21.1.240 that you specified for VLAN 1 in the PBR policy be able to route to the subnet of the management PC?
If you do a tracert resp traceroute from both the management PC and the switch can you see where exactly the communication is breaking? For traceroute from the switch it is important to specify the source interface.
Hello
You can use the source argument in order to specify source interface.
2930F# traceroute ?
HOST-NAME-STR Hostname of the destination device.
IP-ADDR Destination IPv4 address.
source Source address or VLAN or loopback.
2930F# traceroute
Strange I can use the source argument. After source you can either speicify vlan ID (only the integer without VLAN) or the IP address of the VLAN.
Anyway: Could you please test if changing the action in the PBR policy "hosting traffic" will have any effect. Please use the action "ip default-next-hop" instead of "ip next-hop" and observe if management access is possible
I really hate that all this is done through CLI. When I try to do "no action ip next-hop 172.21.1.240" it says "invalid input: action" and will not let me remove that line. I tried adding the action ip default-next-hop 172.21.1.240 to see if it would override it, but now they are both in there.
