LAN Routing

Policy based routing 5406

Joepske
Occasional Advisor

Policy based routing 5406

Hello, I would like to create a policy based route to route on source & destination. For example:

 

Traffic from vlan 100 with destination 172.20.100.0/24 needs to be routed via router 10.100.254.254

Traffic from vlan 200 with destination 172.20.100.0/24 needs to be routed via router 10.200.254.254

 

Is this possible with policy based routing, which is implemented in the K15 software? And how?

The routing guide from HP describes PBR in combination with OSPF, which isn't my situation. Hope you can help me.

 

Thx! Joep

jguse
HPE Pro
Solution

Re: Policy based routing 5406

Hello Joepske,

 

You're in luck, PBR was added in K.15.06.0006:

Policy Based Routing (PBR)
■ Enhancement (PR_0000072658) - PBR provides the ability to manipulate a packet’s path based on attributes of the packet. Traffic with the same destination can be routed over different paths, so that different types of traffic, such as VOIP or traffic with special security requirements, can be better managed. For more information, see the "Classifier-Based Software Configuration" chapter in the Advanced Traffic Management Guide for your switch.

 

As the description mentions, you should check the ATM Guide for K.15.06 for further information:

http://bizsupport2.austin.hp.com/bc/docs/support/SupportManual/c03015541/c03015541.pdf

You'll want to have a look through Chapter 8 for the configuration. You've got to basically configure a traffic class, configure policies for it, and then apply it (in this case) to each of the VLANs you want it for.

 

Hope that helps :)

Best regards,
Justin

Working @ HPE
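To make the three steps concrete for the scenario in the first post, here is an added example of what that K.15.06 configuration could look like. It is not from this thread or from the HPE guide; the class, policy and VLAN syntax follows my reading of the Classifier-Based Software chapter, the class and policy names are my own, and the addresses are the poster's. The source condition comes from applying each policy inbound on its own VLAN rather than from the class itself.

```text
; Added example, not from the thread or from HPE documentation.
; Later replies in this thread report that PBR is refused while v1 modules
; are allowed, so the chassis must run in v2-only mode:
no allow-v1-modules

; Traffic class: any source, destination 172.20.100.0/24 (the poster's target)
class ipv4 "to-172-20-100"
   10 match ip any 172.20.100.0/24
   exit

; One PBR policy per VLAN, each steering the class to its own next hop
policy pbr "pbr-vlan100"
   10 class ipv4 "to-172-20-100" action ip next-hop 10.100.254.254
   exit
policy pbr "pbr-vlan200"
   10 class ipv4 "to-172-20-100" action ip next-hop 10.200.254.254
   exit

; Apply inbound on the VLAN where the traffic enters the switch; binding the
; policy to VLAN 100 or 200 is what provides the "traffic from vlan X" condition
vlan 100
   service-policy "pbr-vlan100" in
   exit
vlan 200
   service-policy "pbr-vlan200" in
   exit
```

PBR here only overrides the forwarding decision for packets that match the class; anything else, and the matched traffic if the next hop becomes unreachable without a default-next-hop action, still follows the normal routing table, so it is a steering tool and not a substitute for an ACL.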
Joepske
Occasional Advisor

Re: Policy based routing 5406 / 3500

Hello Justin,

 

Thanks for your reply and working solutions for the 5406.

 

Next problem I ran against, is that we also have 3500yl-24G-PoE switches (which I thought would be exactly the same, because it uses the same firmware). But when trying to configure the policy based routing on the 3500 I ran against this message:

 

RTR02(policy-pbr-class)#  action ip default-next-hop 172.28.0.97
This command is not supported with v1-modules.  Please enter the command
'no allow-v1-modules' to enable the v2-module capabilities.

 

So I think I learn 2 things from this:

PBR is only possible on 5400 series when there are NO V1 modules installed

PBR is not possible on 3500 series

 

Can you confirm?

 

Many thanks,

Joep

 

jguse
HPE Pro

Re: Policy based routing 5406 / 3500

Hello Joep,

That's quite interesting and also unfortunate. My guess would be that if the software has been instructed to inform you of this then it's true, but it's not documented anywhere that I can see either.

As for why this is done, I'd imagine it's due to hardware limitations with the 3500 and the V1 modules.

Since no documentation other than that message exists I can't confirm it for you either. You could open a support case about it to clarify this and get an official confirmation if you wish (including why it isn't documented).
Best regards,
Justin

Working @ HPE
jguse
HPE Pro

Re: Policy based routing 5406 / 3500

One additional thing I remembered - are you using a module in the 3500, like one of the 10GbE uplink modules?

This might also be causing the note about v1 modules in the 3500yl.

Best regards,
Justin

Working @ HPE
C0LDWiR3D
Frequent Advisor

Re: Policy based routing 5406 / 3500

Some features, like PBR, require a 'clean' v2 module environment. That is known, so it is not a bug.

 

Cheers

Packet-Ghost
Occasional Advisor

Re: Policy based routing 5406 / 3500

In the release notes for K.15.09.0004 it is true for concurrent meshing and routing, which is also a new feature. So I'm guessing that all new features have only been developed with V2 modules in mind.

 

"NOTE: Since concurrent meshing and routing is only supported on V2 modules, the no allow-v1-modules configuration parameter must be set on switches that are configured for meshing and routing."

 

So my guess is that this is true also for PBR (and probably RPVST+ also?)

 

 

YenLin
Frequent Advisor

Re: Policy based routing 5406 / 3500

Hi all,

 

Does that mean there isn't any alternative way to config a multi-home infrastructure?

In our environment, most of our modules are v1.

loayabdelrazek
Occasional Visitor

Re: Policy based routing 5406

Does this configuration also work for the 8212 zl?

joshlinx
Occasional Visitor

Policy based routing 5406 and secure vlan routing

Hello HP Forum, first time forum subscriber, long time product consumer. I am trying to wrap my head around policy based routing and secure vlan communication. What I am trying to accomplish is define which vlans can communicate and make a policy to route internet traffic. I am currently trying to configure this on a HP5406zl.

After some googling there are three solutions to this problem. One, I can remove the ip address on the vlan interface and set the firewall ip address as gateway. Two, I can implement acl on the vlan interfaces to deny traffic to other vlans. And three, I can create policy based routing that sets next hop to the firewall.

I have fairly many vlans but the client vlans consist mostly of teachers and students. I have to create fairly many acl for each vlan interface to hinder communication between students and teacher vlans. If there were an easier way to do this with policy based routing it would be easier to maintain access lists, because then I don't have to deny the traffic from one source to all other destinations and default permit anything else in the bottom of the access list. I could just create an access list that permits traffic from sources to destination and default deny the last rule in the acl, and create a policy that sets next hop to the firewall. Is this possible in a fairly easy way? I want secure intervlan traffic defined with a policy based routing that also can reach the internet. I currently have a 3com router that does this today but I want to replace it with a 5406zl.

 

To make an example, this is what I want to accomplish.

 

Student vlan and student server vlan can communicate.

Teacher vlan and teacher server vlan can communicate.

Both vlans can reach internet with next hop to the firewall.

 

VLAN56: 10.100.56.0/22 (Student vlan)

VLAN80: 10.100.80.0/24 (Student Server vlan)

VLAN160: 10.100.160.0/22 (Teacher vlan)

VLAN180: 10.100.180.0/24 (Staff Server vlan)

VLAN10: 10.100.10.0/31 (Transport vlan for firewall)

FWIP: 10.100.10.1/32