Help required for EXOS 15.6 source ip based PBR

  • Problem
  • Updated 3 years ago
  • Not a Problem
Running XOS 15.6 on X770 and configured an ACL to match on source-address, and the ACL matches, but the actions I tried, e.g. "redirect" and "redirect-name" to change the next hop, do not work; instead the switch continues to use the default routing table. Does anyone know of any PBR-related bug on this version of XOS, as we verified the commands are exactly the same as given in the official concept guide and ACL solution guides?

Chew Choon Chong

Posted 3 years ago

Bill Stritzinger, Alum

Hello, 

As far as I can see, there is no bug that would preclude policy-based routing on the X770. Sometimes I find it helpful to put an ACL counter into my statements to make sure the ACLs are actually hitting. Add "count" as an action, and as you send traffic you can check the counters to make sure the match criteria are taking. I would check that first, and let me know if you need additional support.

Thanks.. Bill

Chew Choon Chong

I have not used count, but instead changed the action from redirect to deny and found it had really denied the matched (source-address) traffic. So I am very sure the ACL was hit. Just both redirect and redirect-name did not work. Thanks.

Prashanth KG, Employee

Hi


Could you confirm if you are trying the flow-redirect in the default virtual router or a user-created virtual router? 

Flow re-direct is not supported in user created VR. 

Thanks.
Prashanth KG

Chew Choon Chong

Now there is another new issue with the PBR feature on the same firmware and switch. After running for some time, all of a sudden it no longer redirects, even though the next hop is up (ping health checks) and the counter is still incrementing (in the policy file). It only starts to redirect again after a switch reboot is done.

Jarek

Hi,

PBR with flow-redirect works when (concept guide): "redirect IP address's adjacency is resolved. When the ARP table does not have the information to reach the redirect IP address, the packet is routed based on the Layer 3 routing table."

Maybe the next-hop IP is learned from a routing protocol like OSPF, BGP, etc., and then it will be up.

--
Jarek

Chew Choon Chong

Hi Jarek,

A health check using ping was configured, and the switch still recognised the next hop as healthy (UP) when the problem occurred. The ping test to the next hop was working, but flow-redirect was still not working. A snoop at the peer showed no packets received from the Extreme switch. So redirect is not doing what it's supposed to.

Chew