Comware


HPN FlexNetwork 5130 EI Switch and routing to multiple internet gateway

  • 1.  HPN FlexNetwork 5130 EI Switch and routing to multiple internet gateway

    Posted Sep 02, 2020 10:37 AM

    Hi everybody,
    I want to install an HPN FlexNetwork 5130 EI Switch, 24G SFP, 4 SFP+ Ports (JG933A) as a core switch
    and define multiple VLANs, e.g. VLAN 100, 200, 300, 400, 500, ....

    VLAN 100 is the subnet for the WAN, where I have 3 external Internet gateways:
    the first gateway is 10.10.1.252, the second is 10.10.1.253 and the third is 10.10.1.254.
    I want VLAN 200 to use the first gateway, VLAN 300 the second gateway and all other VLANs the third gateway.

    Is it possible with this switch?
    How can I configure this routing?
    Thank you for any help
    Luca



  • 2.  RE: HPN FlexNetwork 5130 EI Switch and routing to multiple internet gateway

    EMPLOYEE
    Posted Sep 02, 2020 12:35 PM

    Hello @Luceluz !

    Generally all the routers choose a route according to destination. This is a general rule of IP routing, but you want to route by source instead of destination, so you need to use a mechanism that will override this rule. This mechanism is called Policy-based routing (PBR) and it uses user-defined policies to route packets. Check out this guide - https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=c04771710, 'Configuring PBR' section. Look for 'Interface PBR', this is the PBR type you need.

    If you need a quick hint, I think this is an example that suits your needs:

    system-view
    #
    acl advanced 3333
    rule 10 permit ip
    #
    policy-based-route VLAN200 permit node 10
     if-match acl 3333
     apply next-hop 10.10.1.252
    #
    policy-based-route VLAN300 permit node 10
     if-match acl 3333
     apply next-hop 10.10.1.253
    #
    policy-based-route ALL_OTHER_VLANS permit node 10
     if-match acl 3333
     apply next-hop 10.10.1.254
    #
    interface Vlan-interface200
     ip policy-based-route VLAN200
    #
    interface Vlan-interface300
     ip policy-based-route VLAN300
    #
    interface <any vlan-interface except 100, 200 and 300>
      ip policy-based-route ALL_OTHER_VLANS
    #

     

    We created one common ACL that just matches all the incoming traffic (rule 10 permit ip), then we used this ACL in all PBR policies. For example, PBR policy 'VLAN200' matches all incoming traffic on the Vlan-interface200 (according to the ACL 3333) and routes it (apply-next-hop) over the 10.10.1.252 address. The rest of the PBR policies work in the same way, they just use different next-hops (default gateways).

    Hope this helps!

     



  • 3.  RE: HPN FlexNetwork 5130 EI Switch and routing to multiple internet gateway

    EMPLOYEE
    Posted Sep 02, 2020 12:47 PM

    BTW, we can optimize PBR policies a little bit in order to exclude the need of ACL:

    policy-based-route VLAN200 permit node 10
     if-match any
     apply next-hop 10.10.1.252
    #
    policy-based-route VLAN300 permit node 10
     if-match any
     apply next-hop 10.10.1.253
    #
    policy-based-route ALL_OTHER_VLANS permit node 10
     if-match any
     apply next-hop 10.10.1.254

    Here, instead of using ACL 3333 that matches all traffic according to its rule 10 "permit ip", we just use "if-match any" to match everything that comes in on the respective Vlan-interface. This practically makes ACL 3333 redundant and not needed. I am not sure if it will work on this model, but you can try this approach just in case... I don't see why it shouldn't work, but you never know until you try it.

     

     



  • 4.  RE: HPN FlexNetwork 5130 EI Switch and routing to multiple internet gateway

    Posted Sep 02, 2020 02:21 PM

    Hi Ivan_B,

    Thank you, but does the routing between the VLANs defined inside the switch remain active?

    Can a device in the VLAN 200 reach a device in the VLAN 300?

     

     



  • 5.  RE: HPN FlexNetwork 5130 EI Switch and routing to multiple internet gateway

    EMPLOYEE
    Posted Sep 03, 2020 08:02 AM

    Oh, you didn't mention you want to keep the inter-vlan routing... That will require a slight modification to the scenario. 

    I do not know your IP numbering plan and how you assign subnets, but let me offer you a general scenario where all traffic destined to 10.0.0.0/8 will be routed according to the routing table, e.g. inter-vlan routing will work, and the rest of the traffic will be pushed to the respective gateways:

    acl advanced 3332
     rule 10 permit ip destination 10.0.0.0 0.255.255.255
    #
    acl advanced 3333
     rule 10 permit ip
    #
    policy-based-route VLAN200 deny node 10
     if-match acl 3332
    #
    policy-based-route VLAN200 permit node 20
     if-match acl 3333
     apply next-hop 10.10.1.252
    #
    policy-based-route VLAN300 deny node 10
     if-match acl 3332
    #
    policy-based-route VLAN300 permit node 20
     if-match acl 3333
     apply next-hop 10.10.1.253
    #
    policy-based-route ALL_OTHER_VLANS deny node 10
     if-match acl 3332
    #
    policy-based-route ALL_OTHER_VLANS permit node 20
     if-match acl 3333
     apply next-hop 10.10.1.254
    #
    interface Vlan-interface200
     ip policy-based-route VLAN200
    #
    interface Vlan-interface300
     ip policy-based-route VLAN300
    #
    interface any_vlan-interface_except_100, 200_and_300
      ip policy-based-route ALL_OTHER_VLANS

     

    The logic is pretty simple:
    - define ACL 3332 that will match traffic destined to 10.0.0.0/8
    - define ACL 3333 that matches all traffic
    - create a deny policy node 10 that will match ACL 3332. Deny in this case means "stop processing PBR rules and route the packet according to the routing table"
    - create a permit policy node 20 that will activate only if the packet didn't match node 10, e.g. traffic that is NOT destined to 10.0.0.0/8. Apply the next-hop to push the traffic to respective next-hop.
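
The node logic described in this post, modeled in Python as an added example (not part of the original post and not Comware code): the first node whose ACL matches decides, a deny node hands the packet to the routing table and a permit node forces the next hop. The ACLs are treated purely as destination match criteria, and the sample destinations are constructed.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """ACL wildcard mask: bits set to 1 in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

# ACLs from the post as destination match criteria; None means "any destination".
ACLS = {
    3332: [("10.0.0.0", "0.255.255.255")],
    3333: [None],
}

# Policies from the post: (node number, mode, ACL number, next hop).
POLICIES = {
    "VLAN200": [(10, "deny", 3332, None), (20, "permit", 3333, "10.10.1.252")],
    "VLAN300": [(10, "deny", 3332, None), (20, "permit", 3333, "10.10.1.253")],
    "ALL_OTHER_VLANS": [(10, "deny", 3332, None), (20, "permit", 3333, "10.10.1.254")],
}

def acl_matches(acl_id, dst):
    return any(rule is None or wildcard_match(dst, *rule) for rule in ACLS[acl_id])

def pbr_decision(policy, dst):
    """Forced next hop, or 'routing-table' when PBR leaves the packet alone."""
    for _num, mode, acl_id, next_hop in sorted(POLICIES[policy], key=lambda n: n[0]):
        if acl_matches(acl_id, dst):
            # First matching node wins: deny stops PBR, permit applies the next hop.
            return next_hop if mode == "permit" else "routing-table"
    return "routing-table"

# Constructed sample destinations, not taken from the thread.
SAMPLES = [
    ("VLAN200", "10.20.0.5"),           # internal: inter-VLAN routing
    ("VLAN200", "203.0.113.10"),        # external: first gateway
    ("VLAN300", "203.0.113.10"),        # external: second gateway
    ("ALL_OTHER_VLANS", "192.168.50.1"),  # outside 10.0.0.0/8: third gateway
]

def run_samples():
    return [(p, d, pbr_decision(p, d)) for p, d in SAMPLES]

if __name__ == "__main__":
    for policy, dst, decision in run_samples():
        print(f"{policy:16} -> {dst:15} : {decision}")
```

The last sample shows that a destination outside 10.0.0.0/8 is pushed to the gateway even if it is an internal range; the configuration posted later in the thread adds a 192.168.0.0 0.0.255.255 rule to ACL 3332, which exempts that range as well.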

     



  • 6.  RE: HPN FlexNetwork 5130 EI Switch and routing to multiple internet gateway

    Posted Oct 10, 2020 09:55 AM

    Hi Ivan_B,  thank you for your reply.

    I have now received the switch and, after changing the layout and the VLANs, I am trying to configure the PBRs.
    But unfortunately it doesn't work.  It seems that the ACLs are ignored.

    This is my configuration:

    UPE 5130 EI 24 SFP with firmware: 7.1.070 Release 3506P06

    default internet gateway: 192.168.178.1
    Secondary internet gateway: 192.168.178.2

    VLAN10: 192.168.178.0/24 -> is the subnet where I put the two internet gateways
    VLAN20: 10.0.12.0/24 -> subnet with normal clients that use the default internet gateway (192.168.178.1)
    VLAN30: 10.0.13.0/24 -> subnet with clients that need to use the secondary internet gateway (192.168.178.2)
    VLAN40: 10.0.14.0/24 -> subnet with server that use the default internet gateway (192.168.178.1)

    I need the intervlan routing.
    I have defined the static route for all internet traffic 0.0.0.0/0.0.0.0 -> next hop 192.168.178.1

    For the PBR of VLAN30 I wrote the following ACL and PBR.


    access-list advanced 3332
     rule 10 permit ip destination 10.0.0.0 0.255.255.255
     rule 20 permit ip destination 192.168.0.0 0.0.255.255
    #
    access-list advanced 3333
     rule 10 permit ip
    #
    policy-based-route VLAN30 deny node 10
     if-match acl 3332
    #
    policy-based-route VLAN30 permit node 20
     if-match acl 3333
     apply next-hop 192.168.178.2
    # 
    interface Vlan-interface30
     ip policy-based-route VLAN30

    What I expect with this configuration:

    • Clients/servers on VLAN10, VLAN20, VLAN40 use the default internet gateway (192.168.18.1) defined on the static route.
    • Clients on VLAN30 that need to reach another VLAN (inter-VLAN routing) can do so thanks to VLAN30 deny node 10 when ACL 3332 is matched.
    • Internet traffic from VLAN30 is routed through the secondary internet gateway (192.168.178.2), thanks to VLAN30 permit node 20 and next hop.

    How it works instead:

    • All VLANs use the default gateway for internet traffic
    • Inter-VLAN routing is OK
    • If I connect the PC to VLAN 30, the traffic still exits via the default gateway, not the secondary GW

    Where is the error?
    PBR has priority over the static route, right?

    <CORE>display ip policy-based-route policy VLAN30
    Policy name: VLAN30
      node 10 deny:
        if-match acl 3332
      node 20 permit:
        if-match acl 3333
        apply next-hop 192.168.178.2
    
    
    <CORE>dis ip policy-based-route setup
    Policy name              Type     Interface
    VLAN30                   Forward  Vlan-interface30
    
    <CORE>display ip policy-based-route interface Vlan-interface 30 slot 1
    Policy-based routing information for interface Vlan-interface30:
    Policy name: VLAN30
      node 10 deny:
        if-match acl 3332
      Matched: 0
      node 20 permit:
        if-match acl 3333
        apply next-hop 192.168.178.2
      Matched: 0
    Total matched: 0
    
    <CORE>display ip policy-based-route local slot 1
    Local policy-based routing is not enabled.

     

    Thank you

    Best regards

    Luca


    #pbr
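
A way to read the counters in the `display ip policy-based-route interface` output from the post above, as an added Python example (not part of the original post): it parses the per-node `Matched` counters and states what they imply about egress. The first text block is copied from the post; the function names are this example's own.

```python
import re

# Output copied from the post above (interface Vlan-interface30, slot 1).
PAGE_OUTPUT = """\
Policy-based routing information for interface Vlan-interface30:
Policy name: VLAN30
  node 10 deny:
    if-match acl 3332
  Matched: 0
  node 20 permit:
    if-match acl 3333
    apply next-hop 192.168.178.2
  Matched: 0
Total matched: 0
"""

def parse_pbr_counters(text):
    """Parse 'display ip policy-based-route interface' output into a dict."""
    out = {"interface": None, "policy": None, "nodes": [], "total": None}
    node = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"Policy-based routing information for interface (\S+):", line):
            out["interface"] = m.group(1)
        elif m := re.match(r"Policy name: (\S+)", line):
            out["policy"] = m.group(1)
        elif m := re.match(r"node (\d+) (permit|deny):", line):
            node = {"node": int(m.group(1)), "mode": m.group(2), "clauses": [], "matched": None}
            out["nodes"].append(node)
        elif m := re.match(r"Matched: (\d+)", line):
            if node is not None:
                node["matched"] = int(m.group(1))
        elif m := re.match(r"Total matched: (\d+)", line):
            out["total"] = int(m.group(1))
            node = None
        elif node is not None and line:
            node["clauses"].append(line)  # if-match / apply lines of the current node
    return out

def diagnose(parsed):
    """Say whether the policy is steering traffic, based on the counters alone."""
    if parsed["total"] == 0:
        return "no packet has hit the policy: traffic follows the routing table"
    steering = [n for n in parsed["nodes"] if n["mode"] == "permit" and n["matched"]]
    if not steering:
        return "only deny nodes matched: nothing is being sent to a PBR next hop"
    return "permit node(s) %s are steering traffic" % ", ".join(str(n["node"]) for n in steering)
```

For the output in the post, `diagnose(parse_pbr_counters(PAGE_OUTPUT))` reports that no packet has hit the policy, which is consistent with VLAN 30 traffic still leaving through the default gateway.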


  • 7.  RE: HPN FlexNetwork 5130 EI Switch and routing to multiple internet gateway

    EMPLOYEE
    Posted Oct 12, 2020 01:57 AM

    Hi @Luceluz !

    That is strange. I have made a quick proof-of-concept setup and it worked as expected. However, it is not on 5130 EI, but on virtual routers VSR1000. Maybe I have overlooked some specifics of 5130 EI, let me try to set up the lab with 5130s and I will test it once again. BTW, while I am testing, could you double-check that your PC in VLAN30 uses 5130's Vlan-interface30 IP address as default gateway - e.g. the switch must be the next-hop router for your hosts, otherwise PBR won't work.

     



  • 8.  RE: HPN FlexNetwork 5130 EI Switch and routing to multiple internet gateway

    Posted Oct 12, 2020 03:01 AM

    Hi @Ivan_B ,

    Wait, it seems to work.
    Nothing has changed since yesterday when I stopped, I don't understand.

    Over the next few days I'll keep testing and then I'll let you know.

    Luca



  • 9.  RE: HPN FlexNetwork 5130 EI Switch and routing to multiple internet gateway

    EMPLOYEE
    Posted Oct 12, 2020 03:42 AM

    @Luceluz  good news. In order to investigate the PBR's behavior you can use debugging commands:

    <HPE>terminal debugging
    <HPE>debugging ip policy-based-route
    .......
    # In order to turn the debugging off, use following command:
    <HPE>undo debugging all
    
    

     

     



  • 10.  RE: HPN FlexNetwork 5130 EI Switch and routing to multiple internet gateway

    Posted Oct 12, 2020 05:56 AM

    Hi @Ivan_B ,

    everything seems to be working: yesterday I turned off the switch and the laptop, this morning I turned them on again without changing anything (the laptop was already connected in VLAN port 30 with the correct ip and gateway) and it works. I can't explain it... 

    thank you for your help.