Policy/Source based routing in EXOS on a VR

I know... yet another PBR question, maybe I just need clarification.

I have two 8800s, 15.6.3.1 p1-9 (can be updated to 16.latest if need be).
Those two (with MLAGs to access switches) play default gateway with VRRP for my internal VLANs (servers, workstations, other things).
Those VLANs are all in the VR "VR-Mine".
The VR-Mine participates in OSPF and also has a nice fast default gateway to the Internet.

Suddenly the requirement has popped up that the workstation VLAN needs to get routed to the Internet via a separate content-filtering firewall (i.e. a new default gateway JUST for that VLAN. Technically two, but still).

Also, we're talking both IPv6 and IPv4 (dual-stack).

I thought "PBR/source-based-routing" would "surely" be the answer, but I'm hitting a few snags:

From what I understand, "flow-redirect" is not an option because it won't work on "user-created VRs" - I'm assuming since everything happens in "VR-Mine", that is a user-created VR, so I'm out of luck?

If I understand right, the next approach would be policies. Now, I understand the concept: "if source is this and destination is that, then set nexthop to the content-filter IP". However, the only place I can see where I can apply that policy/access-list is to individual ports, according to the concept guide.

If I can't apply the access list to the VR-Mine 'router', can I really not apply it to the VLAN?

Do I really have to list all the ports that are members of that VLAN and apply it to those ports - presumably as "ingress" (also: if not specified, does it mean ingress and egress)? Which also makes it harder, because I would have to add a port to that rule every time I add a port to the VLAN. That's high-maintenance!

I was thinking that as a last resort, I could stick the special VLAN(s) into their own VR (VR-Theirs), and then route between VRs, but then I saw the sentence "No can do with V6".


I'm wide open to suggestions/explanations/hints. Oh, and I really want to avoid handing out the content-filter's IP as the default gateway for those VLANs because of the flurry of issues that would bring with it.

Thanks,
Frank

Posted by Frank, 7 months ago

Frank:
"bump" - because I must've gone senile and didn't click all applicable categories. Thanks for adding one, mysterious maintainer :)
Frank:
Oh snaps... The short of it is: PBR doesn't work on user-defined VRs. (Support: thank you for your patience!) Off to moving everything from "VR-Mine" to "VR-Default".
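For readers landing here with the same question, this is what the source-based redirect described in the original post looks like as an EXOS policy file once the VLANs live in VR-Default, as the last comment concludes. This is an added illustration, not the poster's or Extreme's own configuration: the policy name, VLAN name, subnets and firewall address are made up, only the IPv4 half is shown, and the VLAN-wide `configure access-list ... vlan` form is assumed to be supported on the platform and release in use (check the ACL platform notes for the release).

```text
# /config/pbr-workstations.pol   (constructed example, IPv4 only)
#
# Entries are evaluated top-down, first match wins, so internal destinations
# are explicitly permitted BEFORE the catch-all redirect. Otherwise workstation
# traffic to servers and OSPF-learned networks would also be sent to the filter.

entry ws-to-internal {
    if match all {
        source-address 10.20.0.0/24;        # workstation VLAN (made-up subnet)
        destination-address 10.0.0.0/8;     # everything routed internally
    } then {
        permit;                             # normal routing table applies
    }
}

entry ws-to-filter {
    if match all {
        source-address 10.20.0.0/24;
    } then {
        redirect 10.99.0.2;                 # content-filtering firewall; assumed
                                            # to be on a directly connected VLAN
        count ws-to-filter;                 # lets you verify the hit count
    }
}

entry everything-else {
    if {
    } then {
        permit;                             # leave all other VLANs untouched
    }
}

# Applying it (EXOS CLI). Binding to the VLAN rather than to a port list avoids
# the "add a port to the rule every time" maintenance problem from the question.
#
#   check policy pbr-workstations
#   configure access-list pbr-workstations vlan Workstations ingress
#   show access-list
#   show access-list counter
```

The counter on the redirect entry, together with a traceroute from a workstation, is the quick way to confirm that only Internet-bound flows take the firewall path while server and OSPF traffic still follows the routing table.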