Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
A
A
Archangel2014-10-03 12:24:19
HP
Archangel, 2014-10-03 12:24:19

How to implement PBR on an HP switch?

There is an HP A5500-24G-SFP EI switch.
Previously, I did not encounter the routing functionality of H3C switches. Therefore, I want to ask the community for help, maybe someone has come across and can help.
In total, there is a task from selected VLANs to route traffic through a router other than the default gateway.
acl created:

acl number 3002 
 rule 10 permit ip source 10.10.254.0 0.0.0.255 logging

and object
policy-based-route test-pbr-new permit node 2
   if-match acl 3002
   apply ip-address next-hop 10.10.253.2 direct

Outward routing really worked, but routing to neighboring VLANs stopped working.
Then I added another acl:
acl number 3003
 rule 3 permit ip destination 10.10.0.0 0.0.255.255
 rule 4 permit ip destination 192.168.0.0 0.0.255.255

and modified PBR:
policy-based-route test-pbr-new permit node 1
   if-match acl 3003
policy-based-route test-pbr-new permit node 2
   if-match acl 3002
   apply ip-address next-hop 10.10.253.2 direct

However, that didn't help either.
The trace from the device to neighboring VLANs has become like this:
tracert -d 10.10.108.128

Tracing route to 10.10.108.128 over a maximum of 30 hops

  1     *        1 ms     1 ms  10.10.254.1
  2     1 ms     1 ms     1 ms  10.10.253.1
  3    <1 ms    <1 ms    <1 ms  10.10.108.128

Trace complete.

10.10.253.1 and 10.10.254.1 are interfaces of the same switch.
Those. if the route-map_e works correctly, the trace should not contain the 2nd line.
Interestingly, debug route-map only responds to traceroute requests. Everything else does not seem to trigger route-map-a, but the traffic still wanders incomprehensibly where and incomprehensibly why.
General config:
#
 version 5.20, Release 2208P01
#
 sysname HP Optical Switch
#
 clock timezone #Web#4#02 add 04:00:00
#
 super password level 3 simple <pass>
#
 dhcp relay server-group 1 ip 192.168.1.1
 dhcp relay server-group 1 ip 192.168.2.1
#
 irf mac-address persistent timer
 irf auto-update enable
 undo irf link-delay
#
 domain default enable system
#
 telnet server enable
#
 ip ttl-expires enable
#
 ip http acl 2001
#               
acl number 3002
 rule 10 permit ip source 10.10.254.0 0.0.0.255 logging
acl number 3003
 rule 3 permit ip destination 10.10.0.0 0.0.255.255
 rule 4 permit ip destination 192.168.0.0 0.0.255.255
#
vlan 1
#

.....

#
vlan 253
#
vlan 254
 description Test-VLAN
#
radius scheme system
 primary authentication 127.0.0.1 1645
 primary accounting 127.0.0.1 1646
 user-name-format without-domain
#
domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
#
user-group system
#
local-user admin
 password cipher <pass>
 authorization-attribute level 3
 service-type ssh telnet terminal
local-user sys
 password simple <pass>
 authorization-attribute level 3
 service-type ssh telnet terminal
 service-type portal
#
interface NULL0
#
interface Vlan-interface1
 ip address 192.168.5.1 255.255.0.0
#

.......

#
interface Vlan-interface253
 ip address 10.10.253.1 255.255.255.0
#
interface Vlan-interface254
 ip address 10.10.254.1 255.255.255.0
 ip policy-based-route test-pbr-new
#

.....

#
interface GigabitEthernet1/0/12
 port link-mode bridge
 port link-type hybrid
 port hybrid vlan 254 tagged
 port hybrid vlan 1 untagged
#
interface GigabitEthernet1/0/32
 port link-mode bridge
 port link-type hybrid
 port hybrid vlan 253 tagged
 port hybrid vlan 1 untagged
#
policy-based-route test-pbr-new permit node 1
   if-match acl 3003
policy-based-route test-pbr-new permit node 2
   if-match acl 3002
   apply ip-address next-hop 10.10.253.2
#
 ip route-static 0.0.0.0 0.0.0.0 10.10.100.100 track 2
 ip route-static 0.0.0.0 0.0.0.0 10.10.100.101 preference 70
#
 snmp-agent
 snmp-agent local-engineid <id>
 snmp-agent community read public
 snmp-agent sys-info location Left rack
 snmp-agent sys-info version v2c v3
#
 dhcp enable
#
 ntp-service unicast-server 192.168.6.1
#
 ssh server enable
#
 undo arp check enable
#
 load xml-configuration
#
user-interface aux 0
user-interface vty 0
 acl 2001 inbound
 authentication-mode scheme
user-interface vty 1 5
 acl 2001 inbound
 authentication-mode scheme
 user privilege level 3
 set authentication password simple <pass>
user-interface vty 6 15
 acl 2001 inbound
 authentication-mode scheme
#
return

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

2 answer(s)
Report
R
RazorBlade, 2014-10-10
@RazorBlade

Not very strong in HP, but it seems to me that I need to fix ACL 3002 by prohibiting access to neighboring VLANs:

acl number 3002 
 rule 1 deny ip destination 10.10.0.0 0.0.255.255
 rule 2 deny ip destination 192.168.0.0 0.0.255.255
 rule 10 permit ip source 10.10.254.0 0.0.0.255 logging

I don’t know if it’s possible to specify source and destination in the ACL, if possible, it’s better to specify both
And leave the original PBR
policy-based-route test-pbr-new permit node 2
   if-match acl 3002
   apply ip-address next-hop 10.10.253.2 direct

Then, in theory, traffic to neighboring VLANs will not fall into PBR

Report
A
Archangel, 2015-06-17
@Archangel

In general, after a long time I had to return to this issue.
In case anyone runs into a similar problem:

policy-based-route test-pbr-new permit node 1
   if-match acl 3003
policy-based-route test-pbr-new permit node 2
   if-match acl 3002
   apply ip-address next-hop 10.10.253.2

The PBR itself is correct. The problem was in the ACLs.
First:
Comware in PBR simply ignores permit and deny within the ACL itself.
Secondly:
It was experimentally found that the situation when an ACL appears in several PBR nodes is processed correctly only if the ACLs in all nodes except the last one have both source and destination. Otherwise, processing does not stop when the ACL is triggered.
Thirdly:
It was also experimentally revealed that when specifying in the ACL as the only source the subnet that matches the subnet of the given interface, when processing the policy, all nodes containing the ACL with destination are simply ignored.
That.
To implement the above scenario, ACLs must be
Advanced ACL  3002, named -none-, 2 rules,
ACL's step is 5
 rule 10 permit ip source 10.10.254.0 0.0.0.255 destination 10.10.0.0 0.0.255.255 (72 times matched)
 rule 20 permit ip source 10.10.254.0 0.0.0.255 destination 192.168.0.0 0.0.255.255

Advanced ACL  3003, named -none-, 1 rule,
ACL's step is 5
 rule 10 permit ip source 10.10.254.0 0.0.0.127 (6 times matched)

And if you need to wrap the entire subnet, then in the second PBR node you simply do not need to specify the ACL at all.

Similar questions
H
hostadmin2012-08-23 22:18:33
Can I use 3 monitors on a laptop with AMD Radeon HD 7570M? 5Reply
I
III2013-01-14 19:23:43
Licensing concerns. HP laptop. Upgrading to Windows 8 Pro 4Reply
T
Tarkibi2020-06-11 13:08:53
Why is the HP 6125G Blade Switch on the HP C3000 only running at 20 Mbps? 0Reply
L
lazix2020-06-21 10:40:03
Why does the HP P2055dn printer go offline over the network? 3Reply
A
amirkhonov2016-02-07 21:15:57
Which RAID controllers are suitable for HP DL160 G6? 0Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question