ExtremeSwitching (EXOS)

Policy/Source based routing in EXOS on a VR

  • 1.  Policy/Source based routing in EXOS on a VR

    Posted 04-04-2018 07:57
    I know... yet another PBR question, maybe I just need clarification.

    I have two 8800s, 15.6.3.1 p1-9 (can be updated to 16.latest if need be).
    Those two (with mlags to access switches) play default-gateway with vrrp for my internal VLANs (servers, workstations, other things)
    Those VLANs are all in the VR "VR-Mine"
    The VR-Mine participates in OSPF and also has a nice fast default gateway to the Internet.

    Suddenly the requirement has popped up that the workstation vlan needs to get routed to the Internet via a separate content-filtering firewall (i.e. new default gateway JUST for that vlan. Technically two, but still)

    Also, we're talking both, IPv6 and IPv4 (dual-stack)

    I thought "PBR/source-based-routing" would "surely" be the answer, but I'm hitting a few snags:

    From what I understand, "flow-redirect" is not an option because it won't work on "user created VRs" - I'm assuming since everything happens in "VR-Mine", that is a user-created VR so I'm out of luck?

    If I understand right, the next approach would be policies. Now, I understand the concept, "if source is this and destination is that, then set nexthop to the content-filter-IP". However, the only thing that I can see where I can apply that policy/access-list, is to individual ports, according to the concept guide.

    If I can't apply the access list to the VR-Mine 'router', can I really not apply it to the VLAN?

    Do I really have to list all the ports that are members of that vlan and apply it to those ports - presumably as "ingress" (also: if not specified, does it mean ingress and egress)? Which also makes it harder, because I would have to add a port to that rule every time I add a port to the VLAN. That's high-maintenance!

    I was thinking that as a last resort, I could stick the special VLAN(s) into their own VR (VR-Theirs), and then route between VRs, but then I saw the sentence "No can do with V6".

    I'm wide open to suggestions/explanations/hints. Oh, and I really want to avoid handing out the content-filter's IP as default gateway for those VLANs because of a flurry of issues that would bring with it.

    Thanks,
    Frank
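
    The "if source is this and destination is that, then set nexthop" concept from the question, written out as an EXOS policy file. This is an added illustration, not the poster's configuration: the workstation prefixes (10.20.0.0/24, 2001:db8:20::/64), the internal summary (10.0.0.0/8, 2001:db8::/48) and the content-filter next-hops (192.0.2.10, 2001:db8:ffff::10) are constructed values, and the dual-stack layout assumes the filter is reachable on a directly connected VLAN.

```text
# pbr_workstations.pol  (constructed example, not the thread's config)
# Entries are evaluated top-down; the first match wins. Traffic that
# matches nothing falls through to the normal routing table, so
# OSPF-learned and other internal destinations keep their usual path.

# Keep workstation -> internal (IPv4) on the normal route
entry keep_internal_v4 {
    if match all {
        source-address      10.20.0.0/24;
        destination-address 10.0.0.0/8;
    } then {
        permit;
    }
}

# Keep workstation -> internal (IPv6) on the normal route
entry keep_internal_v6 {
    if match all {
        source-address      2001:db8:20::/64;
        destination-address 2001:db8::/48;
    } then {
        permit;
    }
}

# Everything else from the workstation VLAN goes via the content filter
entry redirect_v4 {
    if match all {
        source-address 10.20.0.0/24;
    } then {
        redirect 192.0.2.10;
    }
}

entry redirect_v6 {
    if match all {
        source-address 2001:db8:20::/64;
    } then {
        redirect-ipv6 2001:db8:ffff::10;
    }
}
```

    Bound with `configure access-list pbr_workstations vlan "Workstations" ingress` the policy follows VLAN membership rather than a port list, so adding a port to the VLAN needs no policy change; whether the redirect action is honoured depends on the VR the VLAN lives in, which is exactly the limitation the later replies in this thread run into.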


  • 2.  RE: Policy/Source based routing in EXOS on a VR

    Posted 04-18-2018 11:22
    "bump" - because I must've gone senile and didn't click all applicable categories. Thanks for adding one, mysterious maintainer :)


  • 3.  RE: Policy/Source based routing in EXOS on a VR

    Posted 04-24-2018 11:09
    Oh snaps... The short of it is: PBR doesn't work on user-defined VRs. (Support: thank you for your patience!) Off to moving everything from "VR-Mine" to "VR-Default".