Hi All,
I have an IRF stack with 2 x A5500-24G-4SFP HI.
Version is Comware Software, Version 5.20.99, Release 5501P19.
There are 2 VLAN and 2 VPN-Instance.
VLAN 100 (10.0.0.252) is binding vpn-instance vpn_main.
VLAN 1002 (10.0.5.25) is binding vpn-instance vpn_CustomerA.
I configured vpn-targets between the vpn-instances and BGP sessions with import-route direct, and I can ping interface Vlan 100 from interface Vlan 1002 and vice versa.
There is a UTM in VLAN1002 with IP address 10.0.5.27: it is the default route for vpn_CustomerA.
The default gateway for vpn_main is 10.0.0.254.
There is a CPE in VLAN100 and its IP address is 10.0.0.203.
And there is a device behind the CPE and its IP address is 10.3.239.254.
I need to configure a PBR from 10.3.239.254 to 0.0.0.0 through 10.0.5.27.
I wrote an ACL:
acl number 3012 name ACL-PBR
step 10
rule 10 permit ip source 10.3.224.0 0.0.15.255
rule 20 permit icmp source 10.3.224.0 0.0.15.255
I wrote a PBR rule:
policy-based-route PBR permit node 5
if-match acl 3012
apply ip-address next-hop 10.0.5.27
I put this policy on VLAN100 (bound to vpn_main).
From my device, I telnet to an IP and I see with tcpdump that this flow goes through 10.0.0.254.
Then I deleted the vpn-instance binding on VLAN1002 and retried the telnet: the flow goes through 10.0.5.27, yeah!
So, how can I use PBR with the vpn-instance binding?
Thanks,
Jacques
I'm fighting again with PBR inside VPN-Instance.
After lots of tests, my conclusion at the moment is that PBR does not work inside a VPN-Instance, but I think I have missed something in the configuration.
Has anybody already made it work?
Hi,
Please try configuring your PBR's ACL with the vpn-instance keyword.
It should help. If not, maybe there is a bug in your Comware version.
Michal
Hello Michal,
I wrote the PBR as:
acl number 3012 name ACL-PBR
step 10
rule 20 permit icmp vpn-instance vpn_main source 10.3.224.0 0.0.15.255
rule 30 permit ip vpn-instance vpn_main source 10.3.224.0 0.0.15.255
Failure... :(
Maybe you have an example that works for you... ;)
Best regards,
Jacques
Do you have your PBR next-hop 10.0.5.27 configured inside vpn-instance vpn_main?
Please find the configuration:
ip vpn-instance vpn_main
route-distinguisher 100:1
vpn-target 100:1 1002:1 export-extcommunity
vpn-target 100:1 1002:1 import-extcommunity
#
ip vpn-instance vpn_CustomerA
route-distinguisher 1002:1
vpn-target 1002:1 100:1 export-extcommunity
vpn-target 1002:1 100:1 import-extcommunity
acl number 3012 name ACL-PBR
step 10
rule 20 permit icmp vpn-instance vpn_main source 10.3.224.0 0.0.15.255
rule 30 permit ip vpn-instance vpn_main source 10.3.224.0 0.0.15.255
policy-based-route PBR permit node 5
if-match acl 3012
apply ip-address next-hop 10.0.5.27
interface Vlan-interface100
ip binding vpn-instance vpn_main
ip address 10.0.0.252 255.255.255.0
ip policy-based-route PBR
interface Vlan-interface1002
ip binding vpn-instance vpn_CustomerA
ip address 10.0.5.25 255.255.255.248
bgp 65001
undo synchronization
#
ipv4-family vpn-instance vpn_main
import-route direct
#
ipv4-family vpn-instance vpn_CustomerA
import-route direct
The IP routing table for vpn_main:
Routing Tables: vpn_main
Destinations : 8 Routes : 8
Destination/Mask    Proto   Pre  Cost  NextHop      Interface
0.0.0.0/0           Static  60   0     10.0.0.254   Vlan100
10.0.0.0/24         Direct  0    0     10.0.0.252   Vlan100
10.0.0.252/32       Direct  0    0     127.0.0.1    InLoop0
10.0.5.24/29        BGP     130  0     10.0.5.25    Vlan1002
10.0.5.25/32        BGP     130  0     127.0.0.1    InLoop0
10.3.0.0/16         BGP     255  10    10.0.0.204   Vlan100
127.0.0.0/8         Direct  0    0     127.0.0.1    InLoop0
127.0.0.1/32        Direct  0    0     127.0.0.1    InLoop0
The IP routing table for vpn_CustomerA:
Routing Tables: vpn_CustomerA
Destinations : 30 Routes : 30
Destination/Mask    Proto   Pre  Cost  NextHop      Interface
10.0.0.0/24         BGP     130  10    10.0.0.252   Vlan100
10.0.0.252/32       BGP     130  10    127.0.0.1    InLoop0
10.0.5.24/29        Direct  0    0     10.0.5.25    Vlan1002
10.0.5.25/32        Direct  0    0     127.0.0.1    InLoop0
10.3.0.0/16         BGP     255  10    10.0.0.204   Vlan100
127.0.0.0/8         Direct  0    0     127.0.0.1    InLoop0
127.0.0.1/32        Direct  0    0     127.0.0.1    InLoop0
I found this old post; it seems to be the same problem: http://community.hpe.com/t5/Comware-Based/Policy-based-route-not-working-inside-a-VRF/td-p/6047587
Yesterday I upgraded to the new release (Comware Software, Version 5.20.99, Release 5501P21); same problem.
I opened a ticket; I hope that Support answers me with good news.
However, if someone has an idea... ;)
HPE support can't help me... unless I pay for a service with external people :(
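An added example, not from the thread, from HPE or from Comware itself: a small offline script that checks the two things the PBR policy in the configuration post depends on, (1) whether ACL 3012's wildcard rule really covers the source 10.3.239.254, and (2) how the next-hop 10.0.5.27 resolves in the routing table of the VRF bound to the ingress interface (vpn_main) versus the VRF that owns the subnet (vpn_CustomerA). The routing-table text is constructed from the lines quoted in the thread (only the seven visible vpn_CustomerA routes are included), and the "directly_connected" verdict is simply whether the longest match is a Direct route; it is a diagnostic to narrow down where an inter-VRF next-hop is reachable only via a leaked route, not a statement of what the switch hardware does.

```python
"""Offline check of a Comware PBR setup: ACL coverage and next-hop resolution per VRF.

Added illustration, not the poster's or the vendor's code. Routing tables below are
constructed from the 'display ip routing-table vpn-instance <name>' output quoted in
the thread; the vpn_CustomerA table lists only the routes visible in the post.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

VPN_MAIN_TABLE = """
Routing Tables: vpn_main
Destinations : 8 Routes : 8
Destination/Mask    Proto   Pre  Cost  NextHop      Interface
0.0.0.0/0           Static  60   0     10.0.0.254   Vlan100
10.0.0.0/24         Direct  0    0     10.0.0.252   Vlan100
10.0.0.252/32       Direct  0    0     127.0.0.1    InLoop0
10.0.5.24/29        BGP     130  0     10.0.5.25    Vlan1002
10.0.5.25/32        BGP     130  0     127.0.0.1    InLoop0
10.3.0.0/16         BGP     255  10    10.0.0.204   Vlan100
127.0.0.0/8         Direct  0    0     127.0.0.1    InLoop0
127.0.0.1/32        Direct  0    0     127.0.0.1    InLoop0
"""

VPN_CUSTOMERA_TABLE = """
Routing Tables: vpn_CustomerA
Destination/Mask    Proto   Pre  Cost  NextHop      Interface
10.0.0.0/24         BGP     130  10    10.0.0.252   Vlan100
10.0.0.252/32       BGP     130  10    127.0.0.1    InLoop0
10.0.5.24/29        Direct  0    0     10.0.5.25    Vlan1002
10.0.5.25/32        Direct  0    0     127.0.0.1    InLoop0
10.3.0.0/16         BGP     255  10    10.0.0.204   Vlan100
127.0.0.0/8         Direct  0    0     127.0.0.1    InLoop0
127.0.0.1/32        Direct  0    0     127.0.0.1    InLoop0
"""


@dataclass
class Route:
    network: ipaddress.IPv4Network
    proto: str
    pre: int
    cost: int
    next_hop: ipaddress.IPv4Address
    interface: str


def parse_routing_table(text: str) -> List[Route]:
    """Parse Comware routing-table lines; header/summary lines are skipped."""
    routes: List[Route] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6 or "/" not in fields[0]:
            continue  # "Routing Tables:", "Destinations :" and blank lines
        try:
            net = ipaddress.IPv4Network(fields[0], strict=False)
        except ValueError:
            continue  # the "Destination/Mask ..." column header
        routes.append(Route(net, fields[1], int(fields[2]), int(fields[3]),
                            ipaddress.IPv4Address(fields[4]), fields[5]))
    return routes


def longest_match(routes: List[Route], ip: str) -> Optional[Route]:
    """Longest-prefix lookup, the same selection a FIB performs for a destination."""
    addr = ipaddress.IPv4Address(ip)
    best: Optional[Route] = None
    for r in routes:
        if addr in r.network and (best is None or r.network.prefixlen > best.network.prefixlen):
            best = r
    return best


def acl_wildcard_match(rule_source: str, wildcard: str, ip: str) -> bool:
    """Comware ACL wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    src = int(ipaddress.IPv4Address(rule_source))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) ^ src) & care == 0


def check_pbr_next_hop(routes: List[Route], next_hop: str) -> Dict[str, object]:
    """Report how a PBR next-hop resolves in a given VRF's table."""
    r = longest_match(routes, next_hop)
    if r is None:
        return {"resolvable": False}
    return {"resolvable": True, "network": str(r.network), "proto": r.proto,
            "next_hop": str(r.next_hop), "interface": r.interface,
            "directly_connected": r.proto == "Direct"}


def main() -> None:
    print("ACL 3012 rule covers 10.3.239.254:",
          acl_wildcard_match("10.3.224.0", "0.0.15.255", "10.3.239.254"))
    for name, table in (("vpn_main", VPN_MAIN_TABLE), ("vpn_CustomerA", VPN_CUSTOMERA_TABLE)):
        print(f"{name}: next-hop 10.0.5.27 ->", check_pbr_next_hop(parse_routing_table(table), "10.0.5.27"))


if __name__ == "__main__":
    main()
```

Running it shows that the ACL does cover the source, and that in vpn_main the next-hop 10.0.5.27 is reachable only through the BGP-leaked 10.0.5.24/29 route pointing at Vlan1002 (an interface bound to the other VRF), whereas in vpn_CustomerA the same address is on a Direct route. That is the kind of evidence worth attaching to a support ticket, since it pins down that the policy's ACL and route leaking are in place and isolates the question to how the platform applies a PBR next-hop that lives in another vpn-instance.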