
Policy based routing 5406

  • 1.  Policy based routing 5406

    Posted Jan 20, 2012 03:33 PM

    Hello, I would like to create a policy based route to route on source & destination. For example:

     

    Traffic from vlan 100 with destination 172.20.100.0/24 needs to be routed via router 10.100.254.254

    Traffic from vlan 200 with destination 172.20.100.0/24 needs to be routed via router 10.200.254.254

     

    Is this possible with policy based routing? Which is implemented in the K15 software. And how to?

    The routing guide from HP describes PBR in combination with OSPF which isn't my situation. Hope you can help me.

     

    Thx! Joep




  • 2.  RE: Policy based routing 5406

    EMPLOYEE
    Posted Jan 21, 2012 08:09 AM

    Hello Joepske,

     

    You're in luck, PBR was added in K.15.06.0006:

    Policy Based Routing (PBR)
    ■ Enhancement (PR_0000072658) - PBR provides the ability to manipulate a packet’s path based on attributes of the packet. Traffic with the same destination can be routed over different paths, so that different types of traffic, such as VOIP or traffic with special security requirements, can be better managed. For more information, see the "Classifier-Based Software Configuration" chapter in the Advanced Traffic Management Guide for your switch.

     

    As the description mentions, you should check the ATM Guide for K.15.06 for further information:

    http://bizsupport2.austin.hp.com/bc/docs/support/SupportManual/c03015541/c03015541.pdf

    You'll want to have a look through Chapter 8 for the configuration. You've got to basically configure a traffic class, configure policies for it, and then apply it (in this case) to each of the VLANs you want it for.

     

    Hope that helps :)



  • 3.  RE: Policy based routing 5406

    Posted Jan 22, 2012 07:59 AM

    Hello Juston,

     

    Thanks for your reply and working solutions for the 5406.

     

    Next problem I ran against, is that we also have 3500yl-24G-PoE switches (which I thought would be exactly the same, because it uses the same firmware). But when trying to configure the policy based routing on the 3500 I ran against this message:

     

    RTR02(policy-pbr-class)#  action ip default-next-hop 172.28.0.97
    This command is not supported with v1-modules.  Please enter the command
    'no allow-v1-modules' to enable the v2-module capabilities.

     

    So I think I learn 2 things from this:

    PBR is only possible on 5400 series when there are NO V1 modules installed

    PBR is not possible on 3500 series

     

    Can you confirm?

     

    Many thanks,

    Joep

     



  • 4.  RE: Policy based routing 5406

    EMPLOYEE
    Posted Jan 25, 2012 09:07 AM
    Hello Joep,

    That's quite interesting and also unfortunate. My guess would be that if the software has been instructed to inform you of this then it's true, but it's not documented anywhere that I can see either.

    As for why this is done, I'd imagine it's due to hardware limitations with the 3500 and the V1 modules.

    Since no documentation other than that message exists I can't confirm it for you either. You could open a support case about it to clarify this and get an official confirmation if you wish (including why it isn't documented).


  • 5.  RE: Policy based routing 5406

    EMPLOYEE
    Posted Jan 30, 2012 07:12 AM

    One additional thing I remembered - are you using a module in the 3500, like one of the 10GbE uplink modules?

    This might also be causing the note about v1 modules in the 3500yl.



  • 6.  RE: Policy based routing 5406

    Posted Jun 06, 2012 09:59 PM

    Some features, like PBR, require a 'clean' v2 module environment, that is known, so it is not a bug.

     

    Cheers



  • 7.  RE: Policy based routing 5406

    Posted Sep 19, 2012 08:19 AM

    In the release notes for K.15.09.0004 it is true for concurrent meshing and routing, which is also a new feature. So I'm guessing that all new features have only been developed with V2 modules in mind.

     

    "

    NOTE: Since concurrent meshing and routing is only supported on V2 modules, the no
    allow-v1-modules configuration parameter must be set on switches that are configured for
    meshing and routing. "

     

    So my guess is that this is true also for PBR (and probably RPVST+ also?)

     

     



  • 8.  RE: Policy based routing 5406

    Posted May 05, 2013 08:28 PM

    Hi all,

     

    Does that mean there isn't any alternative way to config multi-home infrastructure?

    In our environment, most of our modules are v1.



  • 9.  RE: Policy based routing 5406

    Posted Dec 05, 2013 02:28 AM

    Does this configuration also work for the 8212 zl?



  • 10.  RE: Policy based routing 5406

    Posted Feb 26, 2014 06:40 AM

    Hello HP Forum, first time forum subscriber, long time product consumer. I am trying to wrap my head around policy based routing and secure vlan communication. What I am trying to accomplish is to define which vlans can communicate and make a policy to route internet traffic. I am currently trying to configure this on an HP5406zl.

    After some googling, there are three solutions to this problem. One, I can remove the ip address on the vlan interface and set the firewall ip address as gateway. Two, I can implement acl on the vlan interfaces to deny traffic to other vlans. And three, I can create policy based routing that sets next hop to the firewall.

    I have fairly many vlans, but the client vlans consist mostly of teachers and students. I have to create fairly many acl for each vlan interface to hinder communication between students and teacher vlans. If there were an easier way to do this with policy based routing, it would be easier to maintain access lists, because then I don't have to deny the traffic from one source to all other destinations and default permit anything else in the bottom of the access list. I could just create an access list that permits traffic from sources to destination and default deny as the last rule in the acl, and create a policy that sets next hop to the firewall. Is this possible in a fairly easy way? I want secure intervlan traffic defined with a policy based routing that also can reach the internet. I currently have a 3com router that does this today, but I want to replace it with a 5406zl.

     

    To make an example this is what i want accomplish.

     

    Student vlan and student server vlan can communicate.

    Teacher vlan and teacher server vlan can communicate.

    Both vlans can reach internet with next hop to the firewall.

     

    VLAN56: 10.100.56.0/22 (Student vlan)

    VLAN80: 10.100.80.0/24 (Student Server vlan)

    VLAN160: 10.100.160.0/22 (Teacher vlan)

    VLAN180: 10.100.180.0/24 (Staff Server vlan)

    VLAN10: 10.100.10.0/31 (Transport vlan for firewall)

    FWIP: 10.100.10.1/32
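
The permit-list design described in the post above can be checked offline before anything is typed into a switch. The following is an added example, not part of the original thread and not HP configuration syntax: a first-match model in Python using the post's subnets and firewall address. The `10.100.0.0/16` internal range, the reading of "both vlans" as the two client VLANs, and all function names are assumptions.

```python
from ipaddress import ip_address, ip_network
from itertools import permutations

# Subnets and firewall address as given in the post.
NETS = {
    "student": ip_network("10.100.56.0/22"),
    "student_server": ip_network("10.100.80.0/24"),
    "teacher": ip_network("10.100.160.0/22"),
    "staff_server": ip_network("10.100.180.0/24"),
}
FIREWALL = "10.100.10.1"
# Assumptions: every internal VLAN sits inside 10.100.0.0/16, and the post's
# "both vlans can reach internet" means the two client VLANs.
INTERNAL = ip_network("10.100.0.0/16")
ANY = ip_network("0.0.0.0/0")
ALLOWED_PAIRS = [("student", "student_server"), ("teacher", "staff_server")]
INTERNET_VLANS = ["student", "teacher"]


def build_rules():
    """Ordered (src, dst, action) entries; first match wins, no match = deny."""
    rules = []
    for a, b in ALLOWED_PAIRS:  # explicit permits, both directions
        rules += [(NETS[a], NETS[b], "route"), (NETS[b], NETS[a], "route")]
    for name in INTERNET_VLANS:
        rules.append((NETS[name], INTERNAL, "deny"))  # no other internal VLAN
        rules.append((NETS[name], ANY, "next-hop " + FIREWALL))  # internet
    return rules


def decide(src, dst, rules):
    """Action for one routed packet (intra-VLAN traffic never reaches the rules)."""
    s, d = ip_address(src), ip_address(dst)
    for src_net, dst_net, action in rules:
        if s in src_net and d in dst_net:
            return action
    return "deny"  # default deny at the bottom of the list


def reachable_pairs(rules):
    """Audit: every ordered VLAN pair that the rules allow to route directly."""
    found = set()
    for a, b in permutations(NETS, 2):
        src, dst = str(NETS[a][10]), str(NETS[b][10])  # constructed sample hosts
        if decide(src, dst, rules) == "route":
            found.add((a, b))
    return found
```

Comparing `reachable_pairs(build_rules())` against the intended pairs after every rule change catches a permit that accidentally opens a path between the student and teacher segments.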