topic RE: EXOS Lose Internal Access After Applying Policy Based Routing in ExtremeSwitching (EXOS/Switch Engine)

EXOS Lose Internal Access After Applying Policy Based Routing

Ty_Kolff — Tue, 08 Nov 2016 04:19:00 GMT

We are trying to route traffic from a particular server out an ASA firewall. We are moving from a Cisco core where we had the following in place:

ip access-list extended PBR-ASA
permit ip host 10.10.34.54 any
!
route-map ASA-MAP permit 10
match ip address PBR-ASA
set ip default next-hop 10.10.0.3

The behavior on the Cisco was basically to set the 0.0.0.0 route for that particular server to point to the ASA (10.10.0.3), but it still seemed to use all other routes internally so internal connectivity was just fine.

We have tried the following, but when we apply this we lose internal access to the Server (10.10.34.54):

entry PBR-ASA {
if match all {
source-address 10.10.34.54/32;
}
then {
redirect 10.10.0.3;
count pbr-asa;
}
}

I was applying this Access-List to the vlan that this server belonged to:

configure access-list PBR-ASA vlan VLAN305 ingress

We only want this server to redirect to 10.10.0.3 for it's external access. Any ideas on how to achieve this?

Thanks!

RE: EXOS Lose Internal Access After Applying Policy Based Routing

Jeremy_Gibbs — Tue, 08 Nov 2016 05:35:00 GMT

Check out page 36.

http://extrcdn.extremenetworks.com/wp-content/uploads/2014/10/ACL_Solutions_Guide.pdf

RE: EXOS Lose Internal Access After Applying Policy Based Routing

Jeremy_Gibbs — Tue, 08 Nov 2016 05:55:00 GMT

Also, what equipment do you have?

RE: EXOS Lose Internal Access After Applying Policy Based Routing

Ty_Kolff — Tue, 08 Nov 2016 22:54:00 GMT

Jeremy,

This is on some x670 switches. Does the flow-redirect 'add nexthop' work similar to the 'set ip default next-hop' in Cisco?

Thanks!

RE: EXOS Lose Internal Access After Applying Policy Based Routing

Erik_Auerswald — Tue, 08 Nov 2016 22:54:00 GMT

Hi Ty,

the list of nexthop entries created via add nexthop are used to define fallbacks if one (or more) nexthop(s) is(are) unreachable. This is different from setting a different default route via PBR in Cisco IOS.

Erik

RE: EXOS Lose Internal Access After Applying Policy Based Routing

Erik_Auerswald — Wed, 09 Nov 2016 03:42:00 GMT

Hi Ty,

you could add an ACL entry to permit traffic from the server to any internal network before the redirect entry. That way internal traffic will be forwarded normally, only external traffic would use PBR, similar to setting a different default route via PBR in Cisco IOS.

Erik

RE: EXOS Lose Internal Access After Applying Policy Based Routing

Ty_Kolff — Thu, 10 Nov 2016 02:00:00 GMT

So something like this should do the trick? This would allow access to the local subnet(s) 10.0.0.0/8 and then redirect to 10.10.0.3 for all non internal traffic?

entry PBR-LOCAL { if match all { source-address 10.10.34.54/32; destination-address 10.0.0.0/8; } then { permit; count pbr-local; } } entry PBR-ASA { if match all { source-address 10.10.34.54/32; } then { redirect 10.10.0.3; count pbr-asa; } }

RE: EXOS Lose Internal Access After Applying Policy Based Routing

Ty_Kolff — Thu, 10 Nov 2016 02:00:00 GMT

I tested this in a lab and production environment and I can confirm that this does indeed do what we expected. It allows the server access to the local 10.0.0.0/8 subnet, but redirects all other traffic to 10.10.0.3.

RE: EXOS Lose Internal Access After Applying Policy Based Routing

Erik_Auerswald — Thu, 10 Nov 2016 02:00:00 GMT

Thanks for letting us know! 

RE: EXOS Lose Internal Access After Applying Policy Based Routing

Erik_Auerswald — Thu, 10 Nov 2016 16:26:00 GMT

Hi Ty,

that looks good to me, I would try that. 🙂

Erik

RE: EXOS Lose Internal Access After Applying Policy Based Routing

Henrique — Fri, 11 Nov 2016 01:38:00 GMT

Interesting case... Just curious.. Did you try to trace to and from the server to check the path?

RE: EXOS Lose Internal Access After Applying Policy Based Routing

Erik_Auerswald — Fri, 11 Nov 2016 01:38:00 GMT

Hi Henrique,

the set ip default next-hop feature of Cisco IOS policy based routing is quite special. It results in normal, non-policy routing for every matching packet whose destination follows a specific (i.e. non-default) route. Only if no specific route to the destination exists and the default route would be used, the specified next-hop is used instead.

The policy based routing available on EXOS always redirects matching packets (if fast-path forwarded).

Thus the different results.

Erik

RE: EXOS Lose Internal Access After Applying Policy Based Routing

Henrique — Fri, 11 Nov 2016 01:38:00 GMT

Hi Erik, understood. Thanks for the explanation from Cisco side. 

RE: EXOS Lose Internal Access After Applying Policy Based Routing

Ty_Kolff — Fri, 11 Nov 2016 02:38:00 GMT

I haven't had a chance to test this yet. I will be circling back to this in about a week and a half and let you know the results.

RE: EXOS Lose Internal Access After Applying Policy Based Routing

Henrique — Fri, 11 Nov 2016 02:38:00 GMT

Great, thank you.