Wired Intelligent Edge


Policy Based Routing Issue in aruba CX

  • 1.  Policy Based Routing Issue in aruba CX

    Posted Jan 12, 2024 07:40 AM

    Hi Airheads,

    I want to migrate a customer's infrastructure. At the moment the customer has an IRF of 2 x 5950 Comware switches.

    Now we want to migrate them to a VSX stack of 2 x 8325.

    At the moment we have trouble migrating some special policy based routing (pbr) rules.

    In one VRF there are some VLANs with clients (e.g. 163, 164, ...) and one VLAN as a transfer net (e.g. 1305) to a firewall system. My customer would like to set it up like this:

    Devices from VLAN 163 should not be allowed to communicate DIRECTLY with devices from VLAN 164 but should send all the traffic to the firewall, which regulates the traffic. The same vice versa: VLAN 164 should not be allowed to communicate DIRECTLY with other VLANs.

    An ACL is not an option, because there are some firewall rules that allow some traffic between those networks.

    At the moment (with Comware) we do this with the following commands, and this works without problems:

    policy-based-route CUSTOMER_CLIENTS permit node 10
     if-match acl 3501
     apply next-hop vpn-instance CUSTOMER_CLIENTS 172.16.1.65
    #
    acl number 3501 name PBR-VRF-CUSTOMER_CLIENTS
     rule 10 permit ip vpn-instance CUSTOMER_CLIENTS
    #
    interface Vlan-interface163
     ip binding vpn-instance CUSTOMER_CLIENTS
     ip address 172.17.163.254 255.255.255.0
     ip policy-based-route CUSTOMER_CLIENTS
    #
    interface Vlan-interface164
     ip binding vpn-instance CUSTOMER_CLIENTS
     ip address 172.17.164.254 255.255.255.0
     ip policy-based-route CUSTOMER_CLIENTS
    #
    interface Vlan-interface1305
     ip binding vpn-instance CUSTOMER_CLIENTS
     ip address 172.16.1.78 255.255.255.240

    Traffic from VLAN 163 and VLAN 164 is always directed to the firewall, independently of the directly connected routes of the switch.

    Now we are looking for this function in CX and we tried the following:

    sw-core01# show run
    [...]
    vrf CUSTOMER_CLIENTS
    
    class ip CL-CUSTOMER_CLIENTS
        vsx-sync
        !
        10 match any any any count
    pbr-action-list PBR-AL_CUSTOMER_CLIENTS
        vsx-sync
        !
        10 nexthop 172.16.1.65
        20 interface null
    policy PBR-CUSTOMER_CLIENTS
        vsx-sync
        !
        10 class ip CL-CUSTOMER_CLIENTS action pbr PBR-AL_CUSTOMER_CLIENTS
    
    vlan 163
        name 163-CUSTOMER_CL1
        vsx-sync
    vlan 164
        name 164-CUSTOMER_CL1
        vsx-sync
    vlan 1305
        name 1305-CUSTOMER_Trans_CLIENTS
        vsx-sync
    
    interface vlan 163
        vsx-sync active-gateways policies
        vrf attach CUSTOMER_CLIENTS
        ip address 172.17.163.251/24
        active-gateway ip mac 00:00:01:00:00:02
        active-gateway ip 172.17.163.254
        apply policy PBR-CUSTOMER_CLIENTS routed-in
    interface vlan 164
        vsx-sync active-gateways policies
        vrf attach CUSTOMER_CLIENTS
        ip address 172.17.164.251/24
        active-gateway ip mac 00:00:01:00:00:02
        active-gateway ip 172.17.164.254
        apply policy PBR-CUSTOMER_CLIENTS routed-in
    
    interface vlan 1305
        vrf attach CUSTOMER_CLIENTS
        ip address 172.16.1.76/28
        active-gateway ip mac 00:00:01:00:00:02
        active-gateway ip 172.16.1.78
    
    ip route 0.0.0.0/0 172.16.1.66 vrf CUSTOMER_CLIENTS
    [...]
    
    sw-core01(config-policy)# show ip route vrf CUSTOMER_CLIENTS
    
    Displaying ipv4 routes selected for forwarding
    
    VRF: CUSTOMER_CLIENTS
    
    Prefix              Nexthop          Interface     VRF(egress)       Origin/   Distance/    Age
                                                                         Type      Metric
    --------------------------------------------------------------------------------------------------------
    0.0.0.0/0           172.16.1.66      vlan1305      -                 S         [1/0]        06d:21h:25m
    172.16.1.64/28      -                vlan1305      -                 C         [0/0]        -
    172.16.1.76/32      -                vlan1305      -                 L         [0/0]        -
    172.17.163.0/24     -                vlan163       -                 C         [0/0]        -
    172.17.163.251/32   -                vlan163       -                 L         [0/0]        -
    172.17.164.0/24     -                vlan164       -                 C         [0/0]        -
    172.17.164.251/32   -                vlan164       -                 L         [0/0]        -
    192.168.10.0/24     172.16.1.66      vlan1305      -                 S         [1/0]        06d:21h:11m
    
    Total Route Count : 8
    
    
    sw-core01(config-policy)# show pbr summary
    VRF
          Port
                    Policy
                              Class
                                        PBR
                                               Sequence  Type             Nexthop
    -------------------------------------------------------------------------------
    CUSTOMER_CLIENTS
          vlan164
                    PBR-CUSTOMER_CLIENTS
                              CL-CUSTOMER_CLIENTS
                                        PBR-AL_CUSTOMER_CLIENTS
                                                     10  nexthop          172.16.1.65 (active)
          vlan163
                    PBR-CUSTOMER_CLIENTS
                              CL-CUSTOMER_CLIENTS
                                        PBR-AL_CUSTOMER_CLIENTS
                                                     10  nexthop          172.16.1.65 (active)
    

    When we now send traffic from a client in VLAN 163 to anywhere on the internet, the traffic is correctly routed to the firewall. But when the client tries to reach a destination in VLAN 164, the traffic does not pass the firewall but is routed directly to VLAN 164. It seems that the "nexthop" action is ignored when there is a directly connected network? Or do we have a configuration problem?

    Does anybody have an idea how to solve this problem?

    Thank you!



    ------------------------------
    Steffen
    ------------------------------
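    The question above comes down to one check: does a packet from a client VLAN actually hairpin through the firewall before it reaches another client VLAN, or does the switch short-circuit it over the connected route? The script below is an added example for this thread, not code from the original post or from HPE Aruba. It parses `traceroute -n` output captured on a client and flags any client-to-client path on which no hop in the transfer net (the firewall's 172.16.1.65, or the switch's 172.16.1.78 on the way back) appears before the destination. The SVI, transfer-net and firewall addresses are taken from the post; the client host addresses and the traceroute outputs are constructed samples, not real captures.

```python
"""Check whether inter-VLAN traffic really traverses the firewall.

Added example for this thread (not the poster's or HPE Aruba's code).
Addresses 172.17.163.0/24, 172.17.164.0/24, 172.16.1.64/28 and the PBR
nexthop 172.16.1.65 come from the post; the host addresses and the
traceroute text below are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass

# From the post: client VLANs that must never talk to each other directly,
# and the transfer net that carries traffic to/from the firewall.
CLIENT_NETS = [ipaddress.ip_network("172.17.163.0/24"),
               ipaddress.ip_network("172.17.164.0/24")]
TRANSFER_NET = ipaddress.ip_network("172.16.1.64/28")
FIREWALL_NEXTHOP = ipaddress.ip_address("172.16.1.65")  # PBR nexthop in the post

# A `traceroute -n` hop line: hop number, then the first responder or "*".
_HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)")


def hops(traceroute_text):
    """Return the per-hop responder addresses ('*' where nothing answered)."""
    lines = traceroute_text.strip().splitlines()[1:]  # drop the 'traceroute to' header
    return [m.group(2) for m in map(_HOP_RE.match, lines) if m]


def via_firewall(traceroute_text):
    """True if some hop *before* the destination lies in the transfer net.

    Either the firewall itself (172.16.1.65) or the switch's transfer-net
    address on the return leg counts; '*' hops are skipped, not treated as
    evidence either way.
    """
    for hop in hops(traceroute_text)[:-1]:
        if hop != "*" and ipaddress.ip_address(hop) in TRANSFER_NET:
            return True
    return False


def _in_client_vlan(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CLIENT_NETS)


@dataclass
class Probe:
    src: str    # client the traceroute ran on
    dst: str    # destination probed
    trace: str  # raw `traceroute -n` output


def audit(probes):
    """Return (src, dst) pairs where one client VLAN reached another directly."""
    return [(p.src, p.dst) for p in probes
            if _in_client_vlan(p.src) and _in_client_vlan(p.dst)
            and not via_firewall(p.trace)]


# Constructed sample captures (hypothetical hosts .20 in each client VLAN).
TRACE_INTERNET = """\
traceroute to 192.0.2.10 (192.0.2.10), 30 hops max, 60 byte packets
 1  172.17.163.254  0.412 ms  0.398 ms  0.380 ms
 2  172.16.1.65  0.901 ms  0.890 ms  0.877 ms
 3  192.0.2.10  2.113 ms  2.100 ms  2.087 ms
"""
# The failure described in the post: switch forwards straight into VLAN 164.
TRACE_VLAN164_DIRECT = """\
traceroute to 172.17.164.20 (172.17.164.20), 30 hops max, 60 byte packets
 1  172.17.163.254  0.401 ms  0.390 ms  0.377 ms
 2  172.17.164.20  0.655 ms  0.640 ms  0.631 ms
"""
# The intended behaviour: out to the firewall, back via the transfer net.
TRACE_VLAN164_VIA_FW = """\
traceroute to 172.17.164.20 (172.17.164.20), 30 hops max, 60 byte packets
 1  172.17.163.254  0.405 ms  0.391 ms  0.380 ms
 2  172.16.1.65  0.880 ms  0.871 ms  0.860 ms
 3  172.16.1.78  1.102 ms  1.090 ms  1.081 ms
 4  172.17.164.20  1.340 ms  1.322 ms  1.310 ms
"""

SAMPLE_PROBES = [
    Probe("172.17.163.20", "192.0.2.10", TRACE_INTERNET),
    Probe("172.17.163.20", "172.17.164.20", TRACE_VLAN164_DIRECT),
    Probe("172.17.164.20", "172.17.163.20", TRACE_VLAN164_VIA_FW),
]

if __name__ == "__main__":
    for src, dst in audit(SAMPLE_PROBES):
        print(f"PBR bypass: {src} -> {dst} reached without a transfer-net hop")
```

    Run the traceroutes from a host in each client VLAN towards a host in every other client VLAN and feed the captures in as `Probe` objects; any pair `audit()` returns is traffic the firewall never saw. Two caveats: a firewall that does not send ICMP time-exceeded will show up as `*`, so confirm with the firewall's own session log in that case, and because reply 5 in this thread reports policy evaluation differing per VSX member, repeat the run with each MLAG leg shut in turn so that both switches are exercised as the ingress node.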


  • 2.  RE: Policy Based Routing Issue in aruba CX

    EMPLOYEE
    Posted Jan 15, 2024 06:48 AM

    Is your PBR configuration identical on both VSX physical nodes and applied?




  • 3.  RE: Policy Based Routing Issue in aruba CX

    Posted Jan 15, 2024 03:35 PM

    Thanks for your reply. Yes, both of the switches are configured identically. The problem also occurs when one of the VSX devices is turned off and only one is active.



    ------------------------------
    Steffen
    ------------------------------



  • 4.  RE: Policy Based Routing Issue in aruba CX

    EMPLOYEE
    Posted Jan 16, 2024 07:14 AM

    No configuration mistake that I can spot. For better focus and resolution, I would suggest contacting TAC.




  • 5.  RE: Policy Based Routing Issue in aruba CX

    Posted 11 days ago

    Any update on this? Was TAC able to help? We have a pair of 8400s and realized there was a problem with PBR years ago. TAC came to no conclusions. We worked around it. We just recently realized that traffic coming into the secondary VSX switch was not going through policy evaluation at all: not just PBR. If we shut down the half of the MLAG going to the secondary switch, everything is right. If we shut down the half of the MLAG going to the primary, traffic continues to flow, but no policies are applied at all. We tried it with active gateways, independent SVIs, shutting the interfaces to see if it was related to the interface. Everything is right if the traffic enters the primary, but no policy is applied if the traffic comes directly into the secondary VSX switch.