Comware

  • 1.  PBR with VPN-Instance

    Posted Mar 25, 2016 08:06 AM

    Hi All,

    I have an IRF stack with 2 x A5500-24G-4SFP HI.
    Version is Comware Software, Version 5.20.99, Release 5501P19.

    There are 2 VLAN and 2 VPN-Instance.
    VLAN 100 (10.0.0.252) is binding vpn-instance vpn_main.
    VLAN 1002 (10.0.5.25) is binding vpn-instance vpn_CustomerA.
    I configured vpn-targets between the two VPN instances and BGP address families with import-route direct, and I can ping interface Vlan 100 from interface Vlan 1002 and vice versa.
    There is a UTM in VLAN 1002 with IP address 10.0.5.27: it is the default route for vpn_CustomerA.
    The default gateway for vpn_main is 10.0.0.254.
    There is a CPE in VLAN 100 with IP address 10.0.0.203.
    And there is a device behind the CPE with IP address 10.3.239.254.

    I need to configure a PBR from 10.3.239.254 to 0.0.0.0 through 10.0.5.27.

    I wrote an ACL:

    acl number 3012 name ACL-PBR
     step 10
     rule 10 permit ip source 10.3.224.0 0.0.15.255
     rule 20 permit icmp source 10.3.224.0 0.0.15.255

    I wrote a PBR rule:

    policy-based-route PBR permit node 5
       if-match acl 3012
       apply ip-address next-hop 10.0.5.27

    I put this policy on VLAN 100 (bound to vpn_main).

    From my device, I telnet to an IP and I see with tcpdump that this flow goes through 10.0.0.254.
    Then I delete the vpn-instance binding on VLAN 1002 and retry the telnet: the flow goes through 10.0.5.27, yeah!

    So, how can I use PBR with the vpn-instance binding?

    Thanks,

    Jacques



  • 2.  RE: PBR with VPN-Instance

    Posted Apr 14, 2016 09:22 AM

    I'm fighting again with PBR inside a VPN-instance.
    After lots of tests, my conclusion at the moment is that PBR does not work inside a VPN-instance, but I think I have missed something in the configuration.
    Has anybody already made it work?



  • 3.  RE: PBR with VPN-Instance

    Posted Apr 14, 2016 09:51 AM

    Hi,

    Please try configuring your PBR's ACL with the vpn-instance keyword.

    It should help. If not, maybe there is a bug in your Comware version.

    Michal



  • 4.  RE: PBR with VPN-Instance

    Posted Apr 14, 2016 10:56 AM

    Hello Michal,

    I wrote the PBR as:

    acl number 3012 name ACL-PBR
     step 10
     rule 20 permit icmp vpn-instance vpn_main source 10.3.224.0 0.0.15.255
     rule 30 permit ip vpn-instance vpn_main source 10.3.224.0 0.0.15.255

    Failure... :(

    Maybe you have an example that works for you... ;)

    Best regards,

    Jacques



  • 5.  RE: PBR with VPN-Instance

    Posted Apr 14, 2016 10:59 AM

    Do you have your PBR next-hop 10.0.5.27 configured inside vpn-instance vpn_main?



  • 6.  RE: PBR with VPN-Instance

    Posted Apr 14, 2016 11:07 AM

    Please find the configuration:

    ip vpn-instance vpn_main
     route-distinguisher 100:1
     vpn-target 100:1 1002:1 export-extcommunity
     vpn-target 100:1 1002:1 import-extcommunity
    #
    ip vpn-instance vpn_CustomerA
     route-distinguisher 1002:1
     vpn-target 1002:1 100:1 export-extcommunity
     vpn-target 1002:1 100:1 import-extcommunity

    acl number 3012 name ACL-PBR
     step 10
     rule 20 permit icmp vpn-instance vpn_main source 10.3.224.0 0.0.15.255
     rule 30 permit ip vpn-instance vpn_main source 10.3.224.0 0.0.15.255

    policy-based-route PBR permit node 5
       if-match acl 3012
       apply ip-address next-hop 10.0.5.27

    interface Vlan-interface100
     ip binding vpn-instance vpn_main
     ip address 10.0.0.252 255.255.255.0
     ip policy-based-route PBR

    interface Vlan-interface1002
     ip binding vpn-instance vpn_CustomerA
     ip address 10.0.5.25 255.255.255.248

    bgp 65001
     undo synchronization
     #
     ipv4-family vpn-instance vpn_main
      import-route direct
     #
     ipv4-family vpn-instance vpn_CustomerA
      import-route direct


    The IP routing table for vpn_main:

    Routing Tables: vpn_main
            Destinations : 8       Routes : 8

    Destination/Mask    Proto  Pre  Cost         NextHop         Interface

    0.0.0.0/0           Static 60   0            10.0.0.254      Vlan100
    10.0.0.0/24         Direct 0    0            10.0.0.252      Vlan100
    10.0.0.252/32       Direct 0    0            127.0.0.1       InLoop0
    10.0.5.24/29        BGP    130  0            10.0.5.25       Vlan1002
    10.0.5.25/32        BGP    130  0            127.0.0.1       InLoop0
    10.3.0.0/16         BGP    255  10           10.0.0.204      Vlan100
    127.0.0.0/8         Direct 0    0            127.0.0.1       InLoop0
    127.0.0.1/32        Direct 0    0            127.0.0.1       InLoop0

    The IP routing table for vpn_CustomerA:

    Routing Tables: vpn_CustomerA
            Destinations : 30       Routes : 30

    Destination/Mask    Proto  Pre  Cost         NextHop         Interface

    10.0.0.0/24         BGP    130  10           10.0.0.252      Vlan100
    10.0.0.252/32       BGP    130  10           127.0.0.1       InLoop0
    10.0.5.24/29        Direct 0    0            10.0.5.25       Vlan1002
    10.0.5.25/32        Direct 0    0            127.0.0.1       InLoop0
    10.3.0.0/16         BGP    255  10           10.0.0.204      Vlan100
    127.0.0.0/8         Direct 0    0            127.0.0.1       InLoop0
    127.0.0.1/32        Direct 0    0            127.0.0.1       InLoop0
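
The two routing tables above let you check, per VPN instance, where the PBR next hop and a given destination actually resolve. The script below is an added example (not code from the thread); it re-types the two dumps from this post as constructed input, parses them, and does a longest-prefix lookup the way the forwarding plane does once a policy is ignored. It shows that 10.0.5.27 is resolvable inside vpn_main through the BGP-leaked 10.0.5.24/29 on Vlan1002, so the failure the poster saw is not a next-hop resolution problem, and that without the policy a destination outside 10.0.0.0/8 follows the 0.0.0.0/0 static route to 10.0.0.254, bypassing the UTM, which is exactly what the tcpdump showed. Whenever a PBR policy is meant to force traffic through a security appliance, confirm the real path on the wire as was done here; a silently ignored policy fails open.

```python
"""Resolve destinations and PBR next hops against the two Comware 5
'display ip routing-table vpn-instance' dumps from post 6 above.
Added example, not code from the thread; the tables are re-typed
here as constructed input."""
import ipaddress
import re
from typing import Dict, List, NamedTuple, Optional, Union


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    proto: str
    pre: int
    cost: int
    nexthop: ipaddress.IPv4Address
    iface: str


# One route line: prefix, protocol, preference, cost, next hop, interface.
ROUTE_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+/\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s*$"
)

# Constructed input: the vpn_main table as posted.
VPN_MAIN = """\
Routing Tables: vpn_main
        Destinations : 8       Routes : 8

Destination/Mask    Proto  Pre  Cost         NextHop         Interface

0.0.0.0/0           Static 60   0            10.0.0.254      Vlan100
10.0.0.0/24         Direct 0    0            10.0.0.252      Vlan100
10.0.0.252/32       Direct 0    0            127.0.0.1       InLoop0
10.0.5.24/29        BGP    130  0            10.0.5.25       Vlan1002
10.0.5.25/32        BGP    130  0            127.0.0.1       InLoop0
10.3.0.0/16         BGP    255  10           10.0.0.204      Vlan100
127.0.0.0/8         Direct 0    0            127.0.0.1       InLoop0
127.0.0.1/32        Direct 0    0            127.0.0.1       InLoop0
"""

# Constructed input: the vpn_CustomerA table as posted (the poster
# abbreviated it; only the lines shown are used).
VPN_CUSTOMERA = """\
Routing Tables: vpn_CustomerA
        Destinations : 30       Routes : 30

Destination/Mask    Proto  Pre  Cost         NextHop         Interface

10.0.0.0/24         BGP    130  10           10.0.0.252      Vlan100
10.0.0.252/32       BGP    130  10           127.0.0.1       InLoop0
10.0.5.24/29        Direct 0    0            10.0.5.25       Vlan1002
10.0.5.25/32        Direct 0    0            127.0.0.1       InLoop0
10.3.0.0/16         BGP    255  10           10.0.0.204      Vlan100
127.0.0.0/8         Direct 0    0            127.0.0.1       InLoop0
127.0.0.1/32        Direct 0    0            127.0.0.1       InLoop0
"""


def parse_routing_table(text: str) -> List[Route]:
    """Keep only route lines; the header and counters are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes.append(Route(
                ipaddress.ip_network(m.group(1)),
                m.group(2), int(m.group(3)), int(m.group(4)),
                ipaddress.ip_address(m.group(5)), m.group(6)))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, as the forwarding plane does once PBR is
    ignored; None when not even a default route covers dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def check_pbr_next_hop(table_text: str, next_hop: str) -> Dict[str, Union[str, bool, None]]:
    """Is next_hop reachable through a real egress interface of this VRF?
    A hit on InLoop0 (a local address) or no hit at all is not usable."""
    r = lookup(parse_routing_table(table_text), next_hop)
    if r is None:
        return {"prefix": None, "proto": None, "interface": None, "resolvable": False}
    return {"prefix": str(r.prefix), "proto": r.proto, "interface": r.iface,
            "resolvable": r.iface != "InLoop0"}


if __name__ == "__main__":
    for name, table in (("vpn_main", VPN_MAIN), ("vpn_CustomerA", VPN_CUSTOMERA)):
        print(name, "next hop 10.0.5.27 ->", check_pbr_next_hop(table, "10.0.5.27"))
        hit = lookup(parse_routing_table(table), "198.51.100.1")
        print(name, "198.51.100.1 ->", hit.nexthop if hit else "no route")
```

Run it as-is, or paste a fresh `display ip routing-table vpn-instance <name>` dump into one of the strings to check another VRF; the parser only relies on the column order shown in the post.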




  • 7.  RE: PBR with VPN-Instance

    Posted Apr 14, 2016 03:16 PM


  • 8.  RE: PBR with VPN-Instance

    Posted Apr 15, 2016 03:12 AM

    Yesterday I upgraded to a new release (Comware Software, Version 5.20.99, Release 5501P21): same problem.
    I opened a ticket; I hope Support answers me with good news.
    However, if someone has an idea... ;)



  • 9.  RE: PBR with VPN-Instance

    Posted Apr 22, 2016 06:45 PM

    HPE support can't help me... unless I pay for a service with external people :(



  • 10.  RE: PBR with VPN-Instance

    Posted Jul 29, 2016 10:10 AM

    I got the answer: Comware 5 doesn't support PBR with VRF.

    Comware 7 does.