HPE Community
Comware Based
1830149 Members
18307 Online
109999 Solutions
New Discussion

Re: Policy based routing 5900

 
pattap
Regular Advisor

‎05-02-2017 02:18 AM - edited ‎05-02-2017 02:45 AM

‎05-02-2017 02:18 AM - edited ‎05-02-2017 02:45 AM

Policy based routing 5900

Hi All

I just need some advice/confirmation

I've set a policy based routing so traffic sourced from 10.10.10.0/23 should be send via gre tunnel (next hop 192.168.1.1)

Config as per below, two 5900s and 12508, there's a GRE set between 5900s.

PBR is applied to int vlan 2 on 5900 on the left hand side.

Now I'm not sure how to validate this, when I tried debug ip policy I didn't see much happening

 

 

lan 10.10.10.0/23 -------5900 ----------- 12508 ------------ 5900
                                  vlan 2
                                10.10.10.1

                                  int tun1                                   int tun1
                               192.168.1.2--------GRE-------------192.168.1.1


interface vlan 2
ip address 10.10.10.1 255.255.254.0
ip policy-based-route PBR-test

Advanced ACL  3032, named PBR-test, 1 rule,
ACL's step is 5
 rule 5 permit ip source 10.10.10.0 0.0.1.255 logging


dis ip policy-based-route
Policy name: PBR-test
  node 5 permit:
    if-match acl 3032
    apply next-hop 192.168.1.1

I can see some matches as per the below but with number of users on the LAN i'd expect much more than that plus the PBR has been in place for a while now

dis ip policy-based-route interface Vlan-interface 2
Policy based routing information for interface Vlan-interface2:
Policy name: PBR-test
  node 5 permit:
    if-match acl 3032
    apply next-hop 192.168.1.1
  Matched: 67
Total matched: 67

0 Kudos
2 REPLIES 2
Ian Vaughan
Honored Contributor

‎05-03-2017 02:28 PM

‎05-03-2017 02:28 PM

Re: Policy based routing 5900

Howdy,

Maybe I'm over-simplifying this in my head but shouldn't a simple traceroute from a device in the LH subnet to a device in the RH subnet show that the traffic has gone over the tunnel rather than touching / routing over the intervening hardware?

I take your point that it's not entirely clear from the tunnel stats - can you force a regular GRE keepalive that you can see clicking up a counter?

HTH

Ian

 

Hope that helps - please click "Thumbs up" for Kudos if it does
## ---------------------------------------------------------------------------##
Which is the only cheese that is made backwards?
Edam!
Tweets: @2techie4me
0 Kudos
pattap
Regular Advisor

‎05-04-2017 03:07 AM

‎05-04-2017 03:07 AM

Re: Policy based routing 5900

Hi Ian

With tracroute it seems perfectly fine, I can see the other end of the tunnel being hit as well as with debug on I see the below: (debugging ip policy-based-route)

*May  4 09:56:40:851 2017  5900 PBR4/7/PBR Forward Info: apply next-hop 192.168.1.1.

*May  4 09:56:40:858 2017  5900 PBR4/7/PBR Forward Info: Policy: TEST, Node: 5, match succeeded.

*May  4 09:56:40:858 2017  5900 PBR4/7/PBR Forward Info: apply next-hop 192.168.1.1.

*May  4 09:56:40:863 2017  5900 PBR4/7/PBR Forward Info: Policy: TEST, Node: 5, match succeeded.

*May  4 09:56:40:863 2017   5900 PBR4/7/PBR Forward Info: apply next-hop 192.168.1.1.

I can't see any of these for other traffic though which is my concern

 

Sorry Ian I'm not sure what do you mean by forcing GRE  keepalives? Counter on tunnel interacees are clicking up but that's not user traffic I guess

0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.