How to configure PBR in Master-Local setup

Requirement:

Need to configure PBR in a Master-Local setup. 



Solution:

PBR policies route traffic based on source, destination and application information rather than on the routing table alone.

A PBR policy is mapped to a user-role and then applies to every client that is assigned that user-role.

In a Master-Local setup, user-roles and session ACLs are configured on the Master controller, which pushes them to the Local controllers.

The PBR policy (route ACL), however, is not pushed: it must be created and applied manually on each Local controller.



Configuration:

On Master controller: 

Create the user-role and apply the session ACLs. 

(Master) (config) #user-role employee
(Master) (config-role) #session-acl allowall
(Master) (config-role) #exit
(Master) (config) #write memory 

 

On Local controller: 

The above created user-role would be pushed to the Local controller. 

Create the PBR policy. 

1. Create the nexthop list on the local controller (if required)

(Local) (config) #ip nexthop-list route-to-palo
(Local) (config-nexthop-list)#ipsec-map palo
(Local) (config-nexthop-list)#exit
(Local) (config) #

2. Create the pbr policy on the local controller and map the nexthop-list. 

(Local) (config) #ip access-list route pbr-palo
(Local) (config-route-pbr-palo)#any any any route next-hop-list route-to-palo
(Local) (config-route-pbr-palo)#exit

3. Map the pbr policy to the user-role. 

(Local) (config) #routing-policy-map role employee access-list pbr-palo

 

This needs to be done individually on each Local controller in case of multiple Local controllers. 

 



Verification

Execute the command #show rights <role-name> on the Local controller to verify that the route ACL is mapped to the user-role. 

Application Exception List
--------------------------
Name  Type
----  ----

Application BW-Contract List
----------------------------
Name  Type  BW Contract  Id  Direction
----  ----  -----------  --  ---------

access-list List
----------------
Position  Name                 Type     Location
--------  ----                 ----     --------
1         global-sacl          session  
2         apprf-employee-sacl  session  
3         allowall             session  
4         pbr-palo             route    

global-sacl
-----------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
apprf-employee-sacl
-------------------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
allowall
--------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         any     any          any                   permit                           Low                                                           4        
2         any     any          any-v6                permit                           Low                                                           6        

Expired Policies (due to time constraints) = 0
pbr-palo
--------
Priority  Source  Destination  Service  Application  Action  NextHopList    IpsecMap  Tunnel  TunnelGroup  IPv4/6
--------  ------  -----------  -------  -----------  ------  -----------    --------  ------  -----------  ------
1         any     any          any                   route   route-to-palo                                 4

(Local) (config) #  
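Because the route ACL is applied per Local controller, one Local that was missed leaves that role's traffic bypassing the next hop. As an added example (not part of the original article), the Python below parses the access-list List table from captured `show rights <role-name>` output and flags any controller where the expected route ACL is absent; the controller names and the second capture are constructed.

```python
import re

# Constructed captures of `show rights employee`, one per Local controller.
# "local-2" is deliberately missing the route ACL to show the drift case.
SHOW_RIGHTS = {
    "local-1": """access-list List
----------------
Position  Name                 Type     Location
--------  ----                 ----     --------
1         global-sacl          session
2         apprf-employee-sacl  session
3         allowall             session
4         pbr-palo             route

global-sacl
-----------
""",
    "local-2": """access-list List
----------------
Position  Name                 Type     Location
--------  ----                 ----     --------
1         global-sacl          session
2         apprf-employee-sacl  session
3         allowall             session

global-sacl
-----------
""",
}

# Position, Name, Type and an optional Location column (usually empty).
ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)(?:\s+(\S.*?))?\s*$")

def parse_access_lists(output):
    """Return [(position, name, type, location)] from the 'access-list List' table."""
    rows, in_table = [], False
    for line in output.splitlines():
        if line.strip() == "access-list List":
            in_table = True
            continue
        if not in_table:
            continue
        if not line.strip():
            break  # a blank line terminates the table
        m = ROW.match(line)  # header and underline rows do not start with a digit
        if m:
            pos, name, typ, loc = m.groups()
            rows.append((int(pos), name, typ, loc or ""))
    return rows

def route_acls(output):
    """Names of ACLs of type 'route' mapped to the role in this capture."""
    return [name for _, name, typ, _ in parse_access_lists(output) if typ == "route"]

def audit(captures, expected):
    """Map controller -> True if the expected route ACL is mapped to the role."""
    return {ctrl: expected in route_acls(out) for ctrl, out in captures.items()}

if __name__ == "__main__":
    for ctrl, ok in audit(SHOW_RIGHTS, "pbr-palo").items():
        print(f"{ctrl}: {'OK' if ok else 'MISSING route ACL pbr-palo'}")
```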
Version history
Revision #:
2 of 2
Last update:
09-26-2019 03:17 AM