https://community.extremenetworks.com/t5/extremeswitching-exos-switch/policy-source-based-routing-in-exos-on-a-vr/m-p/49725#M13231 "bump" - because I must've gone senile and didn't click all applicable categories. Thanks for adding one, mysterious maintainer <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span><BR /> Wed, 18 Apr 2018 18:22:00 GMT Frank 2018-04-18T18:22:00Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/policy-source-based-routing-in-exos-on-a-vr/m-p/49724#M13230 I know... yet another PBR question, maybe I just need clarification.<BR /> <BR /> I have two 8800s, 15.6.3.1 p1-9 (can be updated to 16.latest if need be).<BR /> Those two (with mlags to access switches) play default-gateway with vrrp for my internal VLANs (servers, workstations, other things)<BR /> Those VLANs are all in the VR "VR-Mine"<BR /> The VR-Mine participates in OSPF and also has a nice fast default gateway to the Internet.<BR /> <BR /> Suddenly the requirement has popped up that the workstation vlan needs to get routed to the Internet via a separate content-filtering firewall (i.e. new default gateway JUST for that vlan. Technically two, but still)<BR /> <BR /> Also, we're talking both, IPv6 and IPv4 (dual-stack)<BR /> <BR /> I thought "PBR/source-based-routing" would "surely" be the answer, but I'm hitting a few snags:<BR /> <BR /> From what I understand, "flow-redirect" is not an option because it won't work on "user created VRs" - I'm assuming since everything happens in "VR-Mine", that is a user-created VR so I'm out of luck?<BR /> <BR /> If I understand right, the next approach would be policies. Now, I understand the concept, "if source is this and destination is that, then set nexthop to the content-filter-IP". However, the only thing that I can see where I can apply that policy/access-list, is to individual ports, according to the concept guide.<BR /> <BR /> If I can't apply the access list to the VR-Mine 'router', can I really not apply it to the VLAN?<BR /> <BR /> Do I really have to list all the ports that are members of that vlan and apply it to those ports - presumable as "ingress" (also: if not specified, does it mean ingress and egress)? Which also makes it harder, because I would have to add a port to that rule every time I add a port to the VLAN. That's high-maintenance!<BR /> <BR /> I was thinking that as a last resort, I could stick the special VLAN(s) into their own VR (VR-Theirs), and then route between VRs, but then I saw the sentence "No can do with V6".<BR /> <BR /> I'm wide open to suggestions/explanations/hints. Oh, and I really want to avoid handing out the content-filter's IP as default gateway for those VLANs because of a flurry of issues that would bring with it.<BR /> <BR /> Thanks,<BR /> Frank<BR /> Wed, 04 Apr 2018 14:57:00 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/policy-source-based-routing-in-exos-on-a-vr/m-p/49724#M13230 Frank 2018-04-04T14:57:00Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/policy-source-based-routing-in-exos-on-a-vr/m-p/49725#M13231 "bump" - because I must've gone senile and didn't click all applicable categories. Thanks for adding one, mysterious maintainer <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span><BR /> Wed, 18 Apr 2018 18:22:00 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/policy-source-based-routing-in-exos-on-a-vr/m-p/49725#M13231 Frank 2018-04-18T18:22:00Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/policy-source-based-routing-in-exos-on-a-vr/m-p/49726#M13232 Oh snaps... The short of it is: PBR doesn't work on user-defined VRs. (Support: thank you for your patience!) Off to moving everything from "VR-Mine" to "VR-Default".<BR /> Tue, 24 Apr 2018 18:09:00 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/policy-source-based-routing-in-exos-on-a-vr/m-p/49726#M13232 Frank 2018-04-24T18:09:00Z