Wired Intelligent Edge


HPE 3800 PBR HELP

  • 1.  HPE 3800 PBR HELP

    Posted Jan 18, 2018 12:54 AM

    Network Diagram (attached image)

    Hi all,

    I have attached a simple network diagram describing my issue.

    I have been trying to configure my switch for PBR. I was wondering if my configuration is correct.
    Are the two default routes 0.0.0.0 0.0.0.0 192.168.x.253 needed?

    Below is my configuration; I have omitted the unneeded information.

    class ipv4 "User"
         20 match ip 192.168.54.0 255.255.254.0 0.0.0.0 255.255.255.255
       exit
    class ipv4 "Server"
         10 match ip 192.168.52.0 255.255.254.0 0.0.0.0 255.255.255.255
       exit
    class ipv4 "CorpWIFI"
         10 match ip 192.168.56.0 255.255.255.0 0.0.0.0 255.255.255.255
       exit
    policy pbr "CorpWIFIPBR"
         10 class ipv4 "CorpWIFI"
          action ip next-hop 192.168.54.253
          exit
       exit
    policy pbr "ServerPBR"
         10 class ipv4 "Server"
          action ip next-hop 192.168.52.253
          exit
       exit
    policy pbr "UserPBR"
         10 class ipv4 "User"
          action ip next-hop 192.168.54.253
          exit
       exit
    ip route 0.0.0.0 0.0.0.0 192.168.52.253
    ip route 0.0.0.0 0.0.0.0 192.168.54.253
    ip routing
    vlan 1
       name "Server VLAN"
       no untagged 1/12,1/37-1/44,2/4-2/5,2/26,2/37-2/38,2/40-2/44
       untagged 1/2-1/11,1/13-1/25,1/34-1/36,1/49-1/51,2/1-2/3,2/6-2/25,2/27,2/36,2/39,2/49-2/51,Trk1-Trk7
       tagged 1/1
       ip address 192.168.53.1 255.255.254.0
       service-policy "ServerPBR" in
       exit
    vlan 51
       name "MGT VLAN"
       untagged 2/5
       ip access-group "ACL-BLOCK" in
       no ip address
       exit
    vlan 54
       name "Users VLAN"
       untagged 1/37-1/38,1/43-1/44,2/4,2/37-2/38,2/40-2/44
       tagged Trk1-Trk5
       ip address 192.168.54.1 255.255.254.0
       ip helper-address 192.168.52.8
       ip helper-address 192.168.52.9
       service-policy "UserPBR" in
       exit
    vlan 56
       name "CorpWIFI VLAN"
       tagged Trk1-Trk3
       ip address 192.168.56.1 255.255.255.0
       ip helper-address 192.168.52.8
       ip helper-address 192.168.52.9
       service-policy "CorpWIFIPBR" in
       exit
    vlan 58
       name "Guest VLAN"
       untagged 1/39-1/42,2/26
       tagged Trk1-Trk3
       no ip address
       exit
    vlan 59
       name "CCTV VLAN"
       untagged 1/1,1/12
       tagged Trk1-Trk7
       no ip address
       exit

    Please let me know if you have any questions regarding the network setup.

    I will appreciate any advice!

    Thanks!



  • 2.  RE: HPE 3800 PBR HELP

    Posted Jan 21, 2018 07:34 PM

    If you are doing the routing for each subnet on the Layer3 switch then you should not be extending those VLANs to the firewall.

    If you do extend those VLANs to the firewall, then you don't need to do any routing on the switch and should remove the IP addressing and make the firewall interfaces the default gateways for their respective subnets.

    The basic concept you have got wrong here is that you are spanning a segment across two Layer3 devices.



  • 3.  RE: HPE 3800 PBR HELP

    Posted Jan 22, 2018 05:42 AM

    Hi,

    The switch is doing the VLAN routing and the end users' default gateway is the switch VLAN interface IP.

    However, my switch's default gateway for the server and user VLANs is different, thus I would like to configure PBR.



  • 4.  RE: HPE 3800 PBR HELP

    Posted Jan 22, 2018 08:17 PM

    If your switch is doing the routing then you need to remove the host VLANs from the uplinks to the firewall.



  • 5.  RE: HPE 3800 PBR HELP

    Posted Jan 22, 2018 08:25 PM

    What will happen is your first packet from any host will hit the switch, pick one of the default routes, go to the firewall, and if it happens to have picked the default route to the firewall interface that is in the same subnet as the host (with your two default routes on the switch, packets will simply use them alternately), the firewall will send back an ICMP redirect to the host which will insert a more specific route in the host's routing table which will replace whatever default route you have configured on the host, and future packets will be sent by the host direct to the firewall.

    Return packets will always be routed from the firewall direct to the host instead of to the Layer3 switch.

    This is why you need to get those 2 host VLANs off the firewall so you can route your traffic properly.
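A small audit script, added here and not part of the thread, that applies this reply's two observations to the configuration posted above: it flags more than one default route, and any PBR next-hop that falls inside the subnet of the VLAN the policy is applied to (a firewall interface sharing a segment with the hosts). The sample input is a constructed excerpt of the original post's config; the parser understands only the handful of statements that excerpt uses.

```python
"""Audit an ArubaOS-Switch style PBR config for the two problems described above: more
than one default route, and a PBR next-hop inside the host subnet whose VLAN it serves."""
import ipaddress

# Constructed sample: the relevant lines of the original post's configuration.
SAMPLE_CONFIG = """
policy pbr "ServerPBR"
     10 class ipv4 "Server"
      action ip next-hop 192.168.52.253
ip route 0.0.0.0 0.0.0.0 192.168.52.253
ip route 0.0.0.0 0.0.0.0 192.168.54.253
vlan 1
   ip address 192.168.53.1 255.255.254.0
   service-policy "ServerPBR" in
"""

def parse(text):
    """Return (SVI subnet per VLAN, next-hop per policy, policy per VLAN, default gateways)."""
    svi, nexthop, binding, defaults = {}, {}, {}, []
    ctx = None  # ("vlan", id) or ("policy", name) while inside that block
    for tok in filter(None, map(str.split, text.splitlines())):  # skip blank lines
        if tok[0] == "vlan":
            ctx = ("vlan", int(tok[1]))
        elif tok[:2] == ["policy", "pbr"]:
            ctx = ("policy", tok[2].strip('"'))
        elif tok[:2] == ["ip", "route"] and len(tok) > 4 and tok[2] == tok[3] == "0.0.0.0":
            ctx = None
            defaults.append(ipaddress.ip_address(tok[4]))
        elif ctx and ctx[0] == "vlan" and tok[:2] == ["ip", "address"]:
            svi[ctx[1]] = ipaddress.ip_interface(f"{tok[2]}/{tok[3]}").network
        elif ctx and ctx[0] == "vlan" and tok[0] == "service-policy":
            binding[ctx[1]] = tok[1].strip('"')
        elif ctx and ctx[0] == "policy" and tok[:3] == ["action", "ip", "next-hop"]:
            nexthop[ctx[1]] = ipaddress.ip_address(tok[3])
    return svi, nexthop, binding, defaults

def audit(text):
    """Return a list of findings; an empty list means both checks passed."""
    svi, nexthop, binding, defaults = parse(text)
    findings = []
    if len(defaults) > 1:
        findings.append(f"{len(defaults)} default routes ({', '.join(map(str, defaults))}): "
                        "outbound packets alternate between firewall interfaces")
    for vid, pol in binding.items():
        nh, net = nexthop.get(pol), svi.get(vid)
        if nh is not None and net is not None and nh in net:
            findings.append(f"vlan {vid}: {pol} next-hop {nh} is inside host subnet {net}; "
                            "hosts get ICMP redirects and return traffic bypasses the switch")
    return findings
```

Running `audit(SAMPLE_CONFIG)` on the posted excerpt yields both findings; moving the next-hop to an address outside 192.168.52.0/23 and keeping a single default route clears them.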



  • 6.  RE: HPE 3800 PBR HELP

    Posted Jan 23, 2018 09:36 AM

    What will happen is your first packet from any host will hit the switch, pick one of the default routes, go to the firewall, and if it happens to have picked the default route to the firewall interface that is in the same subnet as the host (with your two default routes on the switch, packets will simply use them alternately

    -> How do I configure it in a way that subnet 192.168.53.0 will be going to firewall interface 1 (192.168.53.253) instead of interface 2 (192.168.54.253)? Doesn't my policy pbr config take care of this?
    I am trying to figure this out as the 192.168.54.253 interface might be moving to another firewall. I have to ensure that the traffic from 192.168.54.0 is going out by the correct path.



  • 7.  RE: HPE 3800 PBR HELP

    Posted Jan 23, 2018 08:29 PM

    @jun_ng wrote:

    ...Subnet 192.168.53.0 will be going to the firewall interface 1( 192.168.53.253)


    No. You've told us your switch is the router for that subnet, not the firewall, so you need to stop trunking that VLAN to the firewall.

    This picture explains how you design a network at Layer3:
    If you consider the middle router, that is like your switch. What you have done is put the 192.168.2.0 subnet (the middle switch's LAN subnet for hosts) on the connected interfaces of Routers 1 & 3. That is not the way a network should be designed.
    You need to fix that before you consider implementing PBR.



  • 8.  RE: HPE 3800 PBR HELP

    Posted Jan 25, 2018 09:50 AM

    Drawing1.jpg (attached diagram)

    Inter-VLAN routing is to be done by the switch, but to route out to the internet, different VLANs are to route out to different firewalls.
    I am not sure how to configure it for this scenario. Does the connecting port to the firewall have to be untagged with the VLAN? And does having the same IP range at the firewall cause a routing issue?



  • 9.  RE: HPE 3800 PBR HELP

    Posted Jan 23, 2018 09:32 AM

    Hello, what do you mean by removing the host VLANs from the uplinks to the firewall?

    Thanks for your patience.



  • 10.  RE: HPE 3800 PBR HELP

    Posted Jan 26, 2018 04:16 PM

    If you want your switch to route between VLANs, then configure a new unique subnet between the switch and the firewall. No PBR needed. No matter which VLAN the source is in, the switch will route it to the firewall on that unique subnet.

    If you don't want the switch to route between VLANs, then remove the IPs from the switch (keep one for management). Each VLAN will be terminated on a firewall interface, and that firewall interface will be the default gateway for that VLAN.



  • 11.  RE: HPE 3800 PBR HELP

    Posted Feb 01, 2018 12:17 AM

    If the firewall has to be in the same VLAN to configure the policies etc., is there a way we can achieve it?
    Or is it a must for me to change inter-VLAN routing to the firewall?

    My requirements will be:
    1. Core switch doing the inter-VLAN routing (thus having the need to have IPs on the switch).
    2. Two routes out to the internet, one for each VLAN.
    3. Firewall IP must be in the same subnet to configure policies.
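For illustration, an added configuration fragment (not posted by anyone in the thread) that combines reply 10's design with the two-firewall, one-route-per-VLAN requirement above: each firewall sits on its own routed transit subnet, the switch keeps routing between the host VLANs, and PBR picks the firewall per source VLAN. The port numbers 1/47 and 1/48, the transit subnets 192.168.100.0/30 and 192.168.101.0/30 and the firewall addresses are assumed values; the firewall addresses are deliberately not in the host subnets, so requirement 3 as written is not met by this layout.

```text
; Added example, not the poster's configuration. Assumed values: firewall-facing
; ports 1/47 (firewall 1) and 1/48 (firewall 2); transit subnets
; 192.168.100.0/30 and 192.168.101.0/30; firewalls at .100.2 and .101.2.
ip routing

; One routed point-to-point VLAN per firewall. The firewall-facing ports carry
; only their transit VLAN; VLANs 1, 54 and 56 are no longer tagged or untagged
; on them, so every host subnet now has exactly one router (the switch).
vlan 100
   name "FW1-Transit"
   untagged 1/47
   ip address 192.168.100.1 255.255.255.252
   exit
vlan 101
   name "FW2-Transit"
   untagged 1/48
   ip address 192.168.101.1 255.255.255.252
   exit

; A single default route (via firewall 1) for anything no PBR class matches.
ip route 0.0.0.0 0.0.0.0 192.168.100.2

; Source classes are unchanged from the original post.
class ipv4 "Server"
     10 match ip 192.168.52.0 255.255.254.0 0.0.0.0 255.255.255.255
   exit
class ipv4 "User"
     20 match ip 192.168.54.0 255.255.254.0 0.0.0.0 255.255.255.255
   exit

; Next-hops are the firewalls' transit addresses, not interfaces inside the host
; subnets, so replies come back through the switch and no ICMP redirects occur.
policy pbr "ServerPBR"
     10 class ipv4 "Server"
      action ip next-hop 192.168.100.2
      exit
   exit
policy pbr "UserPBR"
     10 class ipv4 "User"
      action ip next-hop 192.168.101.2
      exit
   exit

vlan 1
   service-policy "ServerPBR" in
   exit
vlan 54
   service-policy "UserPBR" in
   exit
```

As in the original post, each class matches any destination, so traffic between VLAN 1 and VLAN 54 would also be policy-routed to a firewall; the classes need to exclude the internal destination subnets if the switch is meant to route between VLANs directly.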