
How to configure a router ACL for PBR?

PBR (policy-based routing) routes packets according to a configured policy. Unlike traditional routing, which looks only at the destination IP address, PBR uses an ACL to decide the forwarding path. The route ACL classifies each packet on its source/destination IP address, L4 protocol and ports, and also on the application it belongs to (AppRF).

Feature introduced in AOS 6.4.3.

Network Topology

[Topology diagram: rtaImage (2).jpg, not reproduced here]

A PEF (Policy Enforcement Firewall) license must be installed before a route ACL can be created; confirm it with "show license":

(6.4.3-Beta-Master) (config) #show license

License Table
-------------
Key                                               Installed   Expires  Flags  Service Type
---                                               ---------   -------  -----  ------------
VJJpNB4W-Vy661uqG-zYDDAqx+-AcDqHo7W-y5i67c7K-UTk  2014-11-27  Never     E     Next Generation Policy Enforcement Firewall Module: 128
                                                  21:55:24

ro8x99xG-ZB5XWMqH-XdCHG0sp-SkV6MZTs-wugFRyfu-pyk  2014-11-27  Never     E     Access Points: 32
                                                  21:55:34
e07GEm/S-cZeLd/1F-DY+NKjxf-UTD/nfCR-4teUYtTW-KO4  2014-11-27  Never     E     Policy Enforcement Firewall for VPN users
                                                  21:55:44
1vVO6Tf1-RXyAXDMh-loBSuTA7-4vxeVnk3-hSMoFey2-fBE  2014-11-27  Never     E     RF Protect: 32
                                                  21:55:55

License Entries: 4

Flags: A - auto-generated; E - enabled; R - reboot required to activate

(6.4.3-Beta-Master) (config) #

1) Create a next-hop list
2) Create a route ACL with the PBR option required
3) Bind the ACL to a user role or VLAN interface

To create a PBR based ACL:

1) Create a next-hop list

(6.4.3-Beta-Master) (config) #show ip nexthop-list

Nexthop-List Entries
--------------------
Nexthop-list Name             Nexthop-list Id  Preemptive Failover  Active IP  Nexthop IPs(Priority)
-----------------             ---------------  -------------------  ---------  ---------------------
Branch-with-multiple-uplinks                   Enabled                          10.17.170.40(40), 10.17.168.200(30), 10.17.169.200(20), 10.17.164.254(10)
test                                           Enabled                          10.17.168.193(128), 10.17.169.200(128), 10.17.164.254(128)

2) Create a route ACL with the PBR option required

(6.4.3-Beta-Master) (config-route-test)#network 10.0.0.0 255.255.0.0 any any route ?
ipsec-map               Forward packets to ipsec tunnel
next-hop-list           Forward packets to nexthop list
tunnel                  Forward packets to L3 tunnel
tunnel-group            Forward packets to tunnel group

(6.4.3-Beta-Master) (config-route-test)#network 10.0.0.0 255.255.0.0 any any route next-hop-list test
(6.4.3-Beta-Master) (config-route-test)#exit


(6.4.3-Beta-Master) #show ip access-list test

ip access-list route test
test
----
Priority  Source                Destination  Service  Application  Action   NextHopList  IpsecMap  Tunnel  TunnelGroup  IPv4/6
--------  ------                -----------  -------  -----------  ------   -----------  --------  ------  -----------  ------
1         10.0.0.0 255.255.0.0  any          any                   forward  test                                        4

(6.4.3-Beta-Master) #

Use the following commands to understand the behaviour:

(6.4.3-Beta-Master) #show datapath route-cache

Route Cache Entries
-------------------

Flags: L - Local, P - Permanent,  T - Tunnel, I - IPsec,
       t - trusted, A - ARP, D - Drop, R - Routed across vlan
       O - Temporary, N - INactive, H - DHCP snooped

       IP              MAC             VLAN       Flags
---------------  -----------------  -----------  ------
172.16.0.254     00:1A:1E:01:2D:18            1  LP
10.17.168.200    00:1A:1E:01:2D:18          174  LP
10.17.170.40     00:1A:1E:01:2D:18          187  LP
10.17.169.200    00:1A:1E:01:2D:18          183  LP
10.17.164.230    00:1A:1E:01:2D:18          164  LP
10.17.164.254    00:1A:1E:09:15:C0          164  tA
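The three steps above, and the next-hop list and route-cache outputs, describe a lookup that is easy to get wrong in the head: a route ACL entry matches the packet, hands it to a named next-hop list, and the list picks a next hop by priority among the hops the controller can actually reach. The following Python model is an added illustration of that lookup and is not ArubaOS code or code from this article. The list members, priorities and route-cache entries are the ones shown above; the two assumptions it makes that the page does not state are that hops with equal priority are tried in the order they are listed, and that "reachable" means the hop has an entry in the datapath route cache (so 10.17.168.193 in list "test", which has no route-cache entry above, is skipped).

```python
# Model of a route ACL + next-hop list lookup (added illustration, not ArubaOS code).
# Assumptions not on the page: equal priorities are tried in listed order, and a
# hop is "reachable" when it has a resolved entry in the datapath route cache.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

ANY = IPv4Network("0.0.0.0/0")


@dataclass
class NextHop:
    ip: IPv4Address
    priority: int


@dataclass
class NextHopList:
    name: str
    hops: list  # listed order is the tie-breaker for equal priorities (assumption)

    def select(self, reachable: set) -> Optional[IPv4Address]:
        """Highest-priority reachable hop; re-evaluated on every lookup, so a
        recovered higher-priority hop takes over again (preemptive failover)."""
        candidates = [h for h in self.hops if h.ip in reachable]
        # max() returns the first maximal element, which keeps listed order on ties
        return max(candidates, key=lambda h: h.priority).ip if candidates else None


@dataclass
class RouteRule:
    priority: int
    src: IPv4Network
    dst: IPv4Network
    service: Optional[str]  # None stands for 'any'
    next_hop_list: str

    def matches(self, src: IPv4Address, dst: IPv4Address, service: str) -> bool:
        return (src in self.src and dst in self.dst
                and (self.service is None or self.service == service))


def _parse_addr(tokens: list) -> IPv4Network:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK' from the front of tokens."""
    if tokens[0] == "any":
        tokens.pop(0)
        return ANY
    if tokens[0] == "host":
        tokens.pop(0)
        return IPv4Network(tokens.pop(0) + "/32")
    net, mask = tokens.pop(0), tokens.pop(0)
    return IPv4Network(f"{net}/{mask}")


def parse_network_rule(priority: int, line: str) -> RouteRule:
    """Parse 'network <src> <dst> <service> route next-hop-list <name>' as used on the page."""
    tokens = line.split()
    if tokens.pop(0) != "network":
        raise ValueError("expected a 'network' rule")
    src = _parse_addr(tokens)
    dst = _parse_addr(tokens)
    svc = tokens.pop(0)
    service = None if svc == "any" else svc
    if tokens[:2] != ["route", "next-hop-list"]:
        raise ValueError("only the 'route next-hop-list' action is modelled here")
    return RouteRule(priority, src, dst, service, tokens[2])


# Values below are taken from the 'show ip nexthop-list' output on the page.
NEXT_HOP_LISTS = {
    "test": NextHopList("test", [
        NextHop(IPv4Address("10.17.168.193"), 128),
        NextHop(IPv4Address("10.17.169.200"), 128),
        NextHop(IPv4Address("10.17.164.254"), 128)]),
    "Branch-with-multiple-uplinks": NextHopList("Branch-with-multiple-uplinks", [
        NextHop(IPv4Address("10.17.170.40"), 40),
        NextHop(IPv4Address("10.17.168.200"), 30),
        NextHop(IPv4Address("10.17.169.200"), 20),
        NextHop(IPv4Address("10.17.164.254"), 10)]),
}

# Hosts with an entry in 'show datapath route-cache' on the page; 10.17.168.193 has none.
ROUTE_CACHE = {IPv4Address(ip) for ip in (
    "172.16.0.254", "10.17.168.200", "10.17.170.40",
    "10.17.169.200", "10.17.164.230", "10.17.164.254")}

# The single rule configured in 'ip access-list route test' on the page.
ROUTE_ACL = [parse_network_rule(
    1, "network 10.0.0.0 255.255.0.0 any any route next-hop-list test")]


def route_packet(src: str, dst: str, service: str = "any",
                 acl=ROUTE_ACL, reachable=ROUTE_CACHE) -> Optional[str]:
    """Next hop chosen by PBR for a packet, or None to fall back to destination routing."""
    s, d = IPv4Address(src), IPv4Address(dst)
    for rule in sorted(acl, key=lambda r: r.priority):
        if rule.matches(s, d, service):
            hop = NEXT_HOP_LISTS[rule.next_hop_list].select(reachable)
            return str(hop) if hop else None
    return None


def select_hop(list_name: str, reachable=ROUTE_CACHE, failed: tuple = ()) -> Optional[str]:
    """Hop a list would pick once the given hops have gone down (shows the failover order)."""
    up = reachable - {IPv4Address(ip) for ip in failed}
    hop = NEXT_HOP_LISTS[list_name].select(up)
    return str(hop) if hop else None


if __name__ == "__main__":
    print(route_packet("10.0.1.5", "8.8.8.8"))       # 10.17.169.200: .193 has no cache entry
    print(route_packet("192.168.1.1", "8.8.8.8"))    # None: no rule matches, normal routing
    print(select_hop("Branch-with-multiple-uplinks", failed=("10.17.170.40",)))  # 10.17.168.200
```

The useful point for a reviewer of a PBR policy is the second print: a packet that matches no route ACL entry is routed by destination as before, so the ACL only ever diverts the traffic it explicitly names, and a next-hop list with no reachable member also falls back to destination routing rather than dropping the packet in this model. Whether the real controller drops or falls back in that case is not stated on the page and should be checked against the route cache on the box.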

Last update: 04-08-2015 05:10 AM

Comments
jgauruder

How is the "show ip access-list test" showing an action of "forward" when you create it with keyword "route" ?


network 10.0.0.0 255.255.0.0 any any route next-hop-list test

(6.4.3-Beta-Master) #show ip access-list test

ip access-list route test
test
----
Priority  Source                Destination  Service  Application  Action   NextHopList  IpsecMap  Tunnel  TunnelGroup  IPv4/6
--------  ------                -----------  -------  -----------  ------   -----------  --------  ------  -----------  ------
1         10.0.0.0 255.255.0.0  any          any                   forward  test                                        4

(6.4.3-Beta-Master) #

When I do the same in ArubaOS v6.4.3.5, a "route" action is shown when I do "show ip access-list test".

And this PBR function is not working for me; it does not appear to send to the next hop as provided.

It shows in the datapath route cache, and I have the appropriate license to configure/enable PBR.

I have an open ticket w/ Aruba TAC to try and figure it out.


(7205) (config) #ip nexthop-list test
(7205) (config-nexthop-list)#  ip 10.20.0.17
(7205) (config-nexthop-list)#exit
(7205) (config) #ip access-list route test        
(7205) (config-route-test)#network 10.0.0.0 255.255.0.0 any any route next-hop-list test
(7205) (config-route-test)#show ip access-list test

ip access-list route test
test
----
Priority  Source                Destination  Service  Application  Action  NextHopList  IpsecMap  Tunnel  TunnelGroup  IPv4/6
--------  ------                -----------  -------  -----------  ------  -----------  --------  ------  -----------  ------
1         10.0.0.0 255.255.0.0  any          any                   route   test                                        4

(7205) (config-route-test)#
