Below a screenshot of your method, I still do not get the correct result, I validated that the configuration is in sync.
Original Message:
Sent: Apr 10, 2024 01:44 PM
From: Pragadesh Raja
Subject: Microbranch with filtered breakout
From the PBR screenshot you shared, it looks like you want to allow only 10.0.0.0/24 and 192.168.25.0/24 network to the data center. From the Rules under the user role - there should be ACL(s) to block any other traffic which is missing.
For the user role - Try by adding ACL rules to allow networks 10.0.0.0/24 and 192.168.25.0/24 as well as Microsoft teams applications. Then add an ACL rule to deny everything else followed by the PBR assignment. With this, the AP first processed the ACL rules (what traffic are allowed or denied) and proceeds to PBR (which determines where the traffic should be directed to)
Original Message:
Sent: Apr 08, 2024 04:01 PM
From: mvanoverbeek
Subject: Microbranch with filtered breakout
I am having a hard time setting up a granular policy for the microbranch. I followed techdocs esp-sd-branch-deploy-100-L3-Microbranch (Optional) Routed Layer 3 Full-Tunnel Configuration (see below), without success
https://www.arubanetworks.com/techdocs/VSG/docs/080-sd-branch-deploy/esp-sd-branch-deploy-100-L3-Microbranch/#optional-routed-layer-3-full-tunnel-configuration
What keeps happening is that despite defining that only certain applications are allowed everything is still able to pass though except for ICMP echo.
I defined a PBR policy
In the PBR policy I added two datacenter subnets
I defined a policy for the SSID I was testing
I also changed per the document the tunnels & routing datacenter settings.
I am running the correct code.
With these settings, users of the SSID are still able to browse the internet. What I wanted to achieve is that users would be able to access datacenter servers as well as use Microsoft Teams, but not be able to browse the internet. Is this possible? What am I doing wrong?
------------------------------
Martijn van Overbeek
Architect, Netcraftsmen a BlueAlly Company
------------------------------