Hi Airheads,
I want to migrate a customer's infrastructure. At the moment the customer has an IRF of 2 x 5950 Comware switches.
Now we want to migrate him to a VSX stack of 2 x 8325.
At the moment we have trouble migrating some special policy based routing (pbr) rules.
In one VRF there are some VLANs with clients (e.g. 163, 164, ...) and one VLAN as a transfer net (e.g. 1305) to a firewall system. My customer would like to set it up like this:
Devices from VLAN 163 should not be allowed to communicate DIRECTLY with devices from VLAN 164 but should send all the traffic to the firewall, which regulates the traffic. The same applies vice versa: VLAN 164 should not be allowed to communicate DIRECTLY with other VLANs.
An ACL is not an option, because there are some firewall rules that allow some traffic between those networks.
At the moment (with Comware) we do this with the following commands and this works without problems:
policy-based-route CUSTOMER_CLIENTS permit node 10
if-match acl 3501
apply next-hop vpn-instance CUSTOMER_CLIENTS 172.16.1.65
#
acl number 3501 name PBR-VRF-CUSTOMER_CLIENTS
rule 10 permit ip vpn-instance CUSTOMER_CLIENTS
#
interface Vlan-interface163
ip binding vpn-instance CUSTOMER_CLIENTS
ip address 172.17.163.254 255.255.255.0
ip policy-based-route CUSTOMER_CLIENTS
#
interface Vlan-interface164
ip binding vpn-instance CUSTOMER_CLIENTS
ip address 172.17.164.254 255.255.255.0
ip policy-based-route CUSTOMER_CLIENTS
#
interface Vlan-interface1305
ip binding vpn-instance CUSTOMER_CLIENTS
ip address 172.16.1.78 255.255.255.240
Traffic from VLAN 163 and VLAN 164 is always directed to the firewall, independently of the directly connected routes of the switch.
Now we are looking for this function in CX and we tried the following:
sw-core01# show run
[...]
vrf CUSTOMER_CLIENTS
class ip CL-CUSTOMER_CLIENTS
vsx-sync
!
10 match any any any count
pbr-action-list PBR-AL_CUSTOMER_CLIENTS
vsx-sync
!
10 nexthop 172.16.1.65
20 interface null
policy PBR-CUSTOMER_CLIENTS
vsx-sync
!
10 class ip CL-CUSTOMER_CLIENTS action pbr PBR-AL_CUSTOMER_CLIENTS
vlan 163
name 163-CUSTOMER_CL1
vsx-sync
vlan 164
name 164-CUSTOMER_CL1
vsx-sync
vlan 1305
name 1305-CUSTOMER_Trans_CLIENTS
vsx-sync
interface vlan 163
vsx-sync active-gateways policies
vrf attach CUSTOMER_CLIENTS
ip address 172.17.163.251/24
active-gateway ip mac 00:00:01:00:00:02
active-gateway ip 172.17.163.254
apply policy PBR-CUSTOMER_CLIENTS routed-in
interface vlan 164
vsx-sync active-gateways policies
vrf attach CUSTOMER_CLIENTS
ip address 172.17.164.251/24
active-gateway ip mac 00:00:01:00:00:02
active-gateway ip 172.17.164.254
apply policy PBR-CUSTOMER_CLIENTS routed-in
interface vlan 1305
vrf attach CUSTOMER_CLIENTS
ip address 172.16.1.76/28
active-gateway ip mac 00:00:01:00:00:02
active-gateway ip 172.16.1.78
ip route 0.0.0.0/0 172.16.1.66 vrf CUSTOMER_CLIENTS
[...]
sw-core01(config-policy)# show ip route vrf CUSTOMER_CLIENTS
Displaying ipv4 routes selected for forwarding
VRF: CUSTOMER_CLIENTS
Prefix            Nexthop      Interface  VRF(egress)  Origin/Type  Distance/Metric  Age
--------------------------------------------------------------------------------------------------------
0.0.0.0/0 172.16.1.66 vlan1305 - S [1/0] 06d:21h:25m
172.16.1.64/28 - vlan1305 - C [0/0] -
172.16.1.76/32 - vlan1305 - L [0/0] -
172.17.163.0/24 - vlan163 - C [0/0] -
172.17.163.251/32 - vlan163 - L [0/0] -
172.17.164.0/24 - vlan164 - C [0/0] -
172.17.164.251/32 - vlan164 - L [0/0] -
192.168.10.0/24 172.16.1.66 vlan1305 - S [1/0] 06d:21h:11m
Total Route Count : 8
sw-core01(config-policy)# show pbr summary
VRF               Port     Policy                Class                PBR                      Sequence  Type     Nexthop
-------------------------------------------------------------------------------
CUSTOMER_CLIENTS  vlan164  PBR-CUSTOMER_CLIENTS  CL-CUSTOMER_CLIENTS  PBR-AL_CUSTOMER_CLIENTS  10        nexthop  172.16.1.65 (active)
                  vlan163  PBR-CUSTOMER_CLIENTS  CL-CUSTOMER_CLIENTS  PBR-AL_CUSTOMER_CLIENTS  10        nexthop  172.16.1.65 (active)
When we now send traffic from a client in VLAN 163 to anywhere in the internet, the traffic is correctly routed to the firewall. But when the client tries to reach a destination in VLAN 164, the traffic does not pass the firewall but is routed directly to VLAN 164. It seems that the "nexthop" action is ignored when there is a directly connected network? Or do we have a configuration problem?
Does anybody have an idea how to solve this problem?
Thank you!
------------------------------
Steffen
------------------------------
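The post describes two forwarding behaviours for the same policy: on the Comware IRF the PBR next hop wins for all matched traffic, while on the CX pair traffic to a directly connected VLAN seems to be delivered locally. The following script is an added example (not part of the post and not vendor code) that models the VRF routing table and PBR policy exactly as shown above, lets you switch between the two behaviours, and audits whether the policy intent ("every packet from VLAN 163/164 first goes to the firewall at 172.16.1.65") holds. The "connected destination bypasses PBR" branch is an assumption used to reproduce the reported symptom, not a statement about how CX actually implements PBR; the sample destination addresses are constructed.

```python
import ipaddress

# Constructed model of the routing table the post shows for VRF CUSTOMER_CLIENTS:
# prefix -> (next hop, egress interface); next hop None means directly connected.
ROUTES = {
    "0.0.0.0/0":       ("172.16.1.66", "vlan1305"),
    "172.16.1.64/28":  (None, "vlan1305"),
    "172.17.163.0/24": (None, "vlan163"),
    "172.17.164.0/24": (None, "vlan164"),
    "192.168.10.0/24": ("172.16.1.66", "vlan1305"),
}

# PBR policy as configured in the post: applied routed-in on vlan163 and vlan164,
# class matches any traffic, action nexthop 172.16.1.65 (the firewall).
PBR_NEXTHOP = "172.16.1.65"
PBR_INGRESS = {"vlan163", "vlan164"}


def lpm(dst):
    """Longest-prefix match over ROUTES; returns (prefix, nexthop, interface)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, (nh, intf) in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, intf)
    return str(best[0]), best[1], best[2]


def forward(src_vlan, dst, connected_bypasses_pbr):
    """Return the first hop chosen for a packet entering on src_vlan.

    connected_bypasses_pbr=False: PBR is consulted before the table for all
      matched traffic (what the post reports for the Comware IRF).
    connected_bypasses_pbr=True: a destination inside a directly connected
      prefix is delivered locally and the PBR next hop is not used. This is an
      ASSUMED model that reproduces the symptom the post sees on CX; it is not
      documented CX behaviour.
    """
    prefix, nh, intf = lpm(dst)
    if src_vlan in PBR_INGRESS and not (connected_bypasses_pbr and nh is None):
        return {"nexthop": PBR_NEXTHOP, "via": "pbr"}
    # Ordinary routing: connected prefixes resolve to the destination itself.
    return {"nexthop": nh or dst, "via": intf}


def audit(connected_bypasses_pbr):
    """Check the policy intent: every flow entering on vlan163/vlan164 must have
    the firewall as its first hop. Returns the flows that bypass it."""
    flows = [  # constructed sample flows
        ("vlan163", "198.51.100.10"),   # client -> internet
        ("vlan163", "172.17.164.10"),   # client VLAN 163 -> client VLAN 164
        ("vlan164", "172.17.163.10"),   # client VLAN 164 -> client VLAN 163
        ("vlan164", "192.168.10.5"),    # client -> static route behind firewall
    ]
    return [(s, d) for s, d in flows
            if forward(s, d, connected_bypasses_pbr)["nexthop"] != PBR_NEXTHOP]


if __name__ == "__main__":
    print("PBR before routing table, bypassing flows:", audit(False))
    print("connected prefixes bypass PBR, bypassing flows:", audit(True))
```

With `connected_bypasses_pbr=False` the audit returns an empty list; with `True` it returns exactly the two inter-VLAN flows, which is the behaviour the post describes. The same check on the real switches is a traceroute from a VLAN 163 client to a VLAN 164 host: the first hop must be the firewall, not the client's own gateway followed by the destination.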