https://community.extremenetworks.com/t5/network-architecture-design/i-need-one-device-to-have-a-specific-ip-default-route-to-another/m-p/13905#M1309 Update Thu, 14 May 2015 22:09:00 GMT Arison_Mercado 2015-05-14T22:09:00Z https://community.extremenetworks.com/t5/network-architecture-design/i-need-one-device-to-have-a-specific-ip-default-route-to-another/m-p/13887#M1291 Hi I have a remote site that connects through our hub via LAN and they have their own independent Firewall connection for internet. They communicate to a few devices on our network and everything else is blocked via access-list but they need to have a server on our LAN. Now I need to move their server and host it on our network 172.16.x.x but they need it to use their Firewall for internet access. The only thing I can think of is create an access-list on our Firewall uplink to allow everything but their server and add the server to the access-list that connects to their LAN with addition to add another IP default route inside my hub. That’s the only thing I can think of at the moment, does anyone have a better solution?<BR /> <BR /> Thu, 14 May 2015 21:32:00 GMT https://community.extremenetworks.com/t5/network-architecture-design/i-need-one-device-to-have-a-specific-ip-default-route-to-another/m-p/13887#M1291 Arison_Mercado 2015-05-14T21:32:00Z https://community.extremenetworks.com/t5/network-architecture-design/i-need-one-device-to-have-a-specific-ip-default-route-to-another/m-p/13888#M1292 <P class="fancybox-image"><span class="lia-inline-image-display-wrapper" image-alt="b38c1f19054244fda73c8151c4002b31_RackMultipart20150514-17720-puwzy1-IProute_inline.png"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/3542iFEB49BFF6BD385BF/image-size/large?v=v2&amp;px=999" role="button" title="b38c1f19054244fda73c8151c4002b31_RackMultipart20150514-17720-puwzy1-IProute_inline.png" alt="b38c1f19054244fda73c8151c4002b31_RackMultipart20150514-17720-puwzy1-IProute_inline.png" /></span></P><BR /> Thu, 14 May 2015 21:33:00 GMT https://community.extremenetworks.com/t5/network-architecture-design/i-need-one-device-to-have-a-specific-ip-default-route-to-another/m-p/13888#M1292 Arison_Mercado 2015-05-14T21:33:00Z https://community.extremenetworks.com/t5/network-architecture-design/i-need-one-device-to-have-a-specific-ip-default-route-to-another/m-p/13889#M1293 The server 172.16.10.10 will have to have a default route of 172.16.10.1 . On 172.16.10.1 create a policy based route, if it has that capability, to forward any traffic sourced from 172.16.10.10 to go to the IP address of the Customer Hub on the interface you have drawn and labeled LAN link.<BR /> <BR /> It all depends on if your firewall supports policy based routing. Thu, 14 May 2015 22:04:00 GMT https://community.extremenetworks.com/t5/network-architecture-design/i-need-one-device-to-have-a-specific-ip-default-route-to-another/m-p/13889#M1293 McKitrick__Mark 2015-05-14T22:04:00Z https://community.extremenetworks.com/t5/network-architecture-design/i-need-one-device-to-have-a-specific-ip-default-route-to-another/m-p/13890#M1294 Understood but where would this access-list entry reside on? On the uplink to our Firewall (That doesn't have a access-list) or on the access-list that is between my site and the customers? Because I would like the policy to redirect to there network and not my firewall. Thu, 14 May 2015 22:04:00 GMT https://community.extremenetworks.com/t5/network-architecture-design/i-need-one-device-to-have-a-specific-ip-default-route-to-another/m-p/13890#M1294 Arison_Mercado 2015-05-14T22:04:00Z https://community.extremenetworks.com/t5/network-architecture-design/i-need-one-device-to-have-a-specific-ip-default-route-to-another/m-p/13891#M1295 If you're 172.16.X.X is a flat /16 and that's the only network the customer server needs access to, then I would think a simple PBR ACL on the network hub switch would suffice... According to the subnet masks you have in your diagram everything else would be L2 switched... If there are additional subnets at your hub site that the customer server needs access to, then more specifics would need to be added to the policy. <BR /> <BR /> So something to the effect of:<BR /> <BR /> entry PBR {<BR /> if {<BR /> source-address 172.16.10.10/32;<BR /> destination-address 0.0.0.0/0;<BR /> } then {<BR /> redirect X.X.X.X (the appropriate next hop for the remote site)<BR /> }<BR /> } Thu, 14 May 2015 22:09:00 GMT https://community.extremenetworks.com/t5/network-architecture-design/i-need-one-device-to-have-a-specific-ip-default-route-to-another/m-p/13891#M1295 McClane 2015-05-14T22:09:00Z https://community.extremenetworks.com/t5/network-architecture-design/i-need-one-device-to-have-a-specific-ip-default-route-to-another/m-p/13892#M1296 The customers LAN is a flat network vs mine but they only need to communicate with a few devices on one VLan which I can give them a range of /29. But like I mentioned to the other user is that I'm a bit confused on where the PBR policy takes place in order to redirect it back to their LAN? Thu, 14 May 2015 22:09:00 GMT https://community.extremenetworks.com/t5/network-architecture-design/i-need-one-device-to-have-a-specific-ip-default-route-to-another/m-p/13892#M1296 Arison_Mercado 2015-05-14T22:09:00Z https://community.extremenetworks.com/t5/network-architecture-design/i-need-one-device-to-have-a-specific-ip-default-route-to-another/m-p/13893#M1297 It could be applied to the VLAN of the default gateway... Thu, 14 May 2015 22:09:00 GMT https://community.extremenetworks.com/t5/network-architecture-design/i-need-one-device-to-have-a-specific-ip-default-route-to-another/m-p/13893#M1297 McClane 2015-05-14T22:09:00Z https://community.extremenetworks.com/t5/network-architecture-design/i-need-one-device-to-have-a-specific-ip-default-route-to-another/m-p/13894#M1298 I'm a bit confused, because I have an ingress rule on the Link between the customer and I. I understand the entry you supplied with me with but I don't know where I should enter it? In the ingress rule between the site or create a egress rule between my hub and firewall and add that entry so that it redirects over the LAN link......... Sorry I come from a Cisco background. Thu, 14 May 2015 22:09:00 GMT https://community.extremenetworks.com/t5/network-architecture-design/i-need-one-device-to-have-a-specific-ip-default-route-to-another/m-p/13894#M1298 Arison_Mercado 2015-05-14T22:09:00Z https://community.extremenetworks.com/t5/network-architecture-design/i-need-one-device-to-have-a-specific-ip-default-route-to-another/m-p/13895#M1299 Just to confirm, what is the subnet for your server 172.16.10.10? And what is the name of that VLAN?<BR /> Thu, 14 May 2015 22:09:00 GMT https://community.extremenetworks.com/t5/network-architecture-design/i-need-one-device-to-have-a-specific-ip-default-route-to-another/m-p/13895#M1299 McClane 2015-05-14T22:09:00Z https://community.extremenetworks.com/t5/network-architecture-design/i-need-one-device-to-have-a-specific-ip-default-route-to-another/m-p/13896#M1300 Lets just say its 172.16.10.0/24 and its called "SERVERS" and the customers network is 192.168.0.0/24<BR /> Thu, 14 May 2015 22:09:00 GMT https://community.extremenetworks.com/t5/network-architecture-design/i-need-one-device-to-have-a-specific-ip-default-route-to-another/m-p/13896#M1300 Arison_Mercado 2015-05-14T22:09:00Z https://community.extremenetworks.com/t5/network-architecture-design/i-need-one-device-to-have-a-specific-ip-default-route-to-another/m-p/13897#M1301 So it should be:<BR /> <BR /> config access-list PBR vlan Servers ingress<BR /> <BR /> Thu, 14 May 2015 22:09:00 GMT https://community.extremenetworks.com/t5/network-architecture-design/i-need-one-device-to-have-a-specific-ip-default-route-to-another/m-p/13897#M1301 McClane 2015-05-14T22:09:00Z https://community.extremenetworks.com/t5/network-architecture-design/i-need-one-device-to-have-a-specific-ip-default-route-to-another/m-p/13898#M1302 Ok, I think I'm getting it. You're basically telling me that the Policy can be entered on the VLAN interface itself and not just a port which is the usual. So once I create it I can enter the specific IP address to redirect its default route to the customers LAN. Also, in this scenario do I have to create a any any entry for the other IP's that I dont list get routed by its usual default route? Thu, 14 May 2015 22:09:00 GMT https://community.extremenetworks.com/t5/network-architecture-design/i-need-one-device-to-have-a-specific-ip-default-route-to-another/m-p/13898#M1302 Arison_Mercado 2015-05-14T22:09:00Z https://community.extremenetworks.com/t5/network-architecture-design/i-need-one-device-to-have-a-specific-ip-default-route-to-another/m-p/13899#M1303 If you use just the host (/32) as the source the other IPs will not match that ACL, so you don't have to worry about them. But, if that customer server needs to access anything on your hub network that is outside of its local subnet, the policy will need to be modified... I'm assuming it just needs access to servers on its own subnet which would be L2 switched, then anything from this host that hits the L3 gateway would match and follow the ACL. Thu, 14 May 2015 22:09:00 GMT https://community.extremenetworks.com/t5/network-architecture-design/i-need-one-device-to-have-a-specific-ip-default-route-to-another/m-p/13899#M1303 McClane 2015-05-14T22:09:00Z https://community.extremenetworks.com/t5/network-architecture-design/i-need-one-device-to-have-a-specific-ip-default-route-to-another/m-p/13900#M1304 I'm going to dedicate The SERVERS VLAN on my network for their servers to reside on. I just need to modify the current ACL to let their network communicate with the SERVERS VLAN on my Hub and apply the PBR policy on that vlan to redirect to their network........Does that make any sense? Thu, 14 May 2015 22:09:00 GMT https://community.extremenetworks.com/t5/network-architecture-design/i-need-one-device-to-have-a-specific-ip-default-route-to-another/m-p/13900#M1304 Arison_Mercado 2015-05-14T22:09:00Z https://community.extremenetworks.com/t5/network-architecture-design/i-need-one-device-to-have-a-specific-ip-default-route-to-another/m-p/13901#M1305 that makes sense Thu, 14 May 2015 22:09:00 GMT https://community.extremenetworks.com/t5/network-architecture-design/i-need-one-device-to-have-a-specific-ip-default-route-to-another/m-p/13901#M1305 McClane 2015-05-14T22:09:00Z https://community.extremenetworks.com/t5/network-architecture-design/i-need-one-device-to-have-a-specific-ip-default-route-to-another/m-p/13902#M1306 Ok, I'll get working on this but I wont have a server until next week. I'll let you know how it went  Thu, 14 May 2015 22:09:00 GMT https://community.extremenetworks.com/t5/network-architecture-design/i-need-one-device-to-have-a-specific-ip-default-route-to-another/m-p/13902#M1306 Arison_Mercado 2015-05-14T22:09:00Z https://community.extremenetworks.com/t5/network-architecture-design/i-need-one-device-to-have-a-specific-ip-default-route-to-another/m-p/13903#M1307 I attempted to create the PBR policy on the switch but I was unsuccessful because I couldn't figure out the next entry. Please see attachment. PS I have a x450a series Summit switch.<P class="fancybox-image"><span class="lia-inline-image-display-wrapper" image-alt="08cd0a996a8b4eda8be3aad7907b0252_RackMultipart20150514-12816-158bjjq-PBR_inline.png"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/27i572EBD6D40F520E0/image-size/large?v=v2&amp;px=999" role="button" title="08cd0a996a8b4eda8be3aad7907b0252_RackMultipart20150514-12816-158bjjq-PBR_inline.png" alt="08cd0a996a8b4eda8be3aad7907b0252_RackMultipart20150514-12816-158bjjq-PBR_inline.png" /></span></P> Thu, 14 May 2015 22:09:00 GMT https://community.extremenetworks.com/t5/network-architecture-design/i-need-one-device-to-have-a-specific-ip-default-route-to-another/m-p/13903#M1307 Arison_Mercado 2015-05-14T22:09:00Z https://community.extremenetworks.com/t5/network-architecture-design/i-need-one-device-to-have-a-specific-ip-default-route-to-another/m-p/13904#M1308 you have to create the policy with:<BR /> <BR /> edit policy pbr (policy name)<BR /> <BR /> that will open a vi editor<BR /> <BR /> <A href="http://gtacknowledge.extremenetworks.com/articles/How_To/How-to-create-and-apply-an-ACL-in-EXOS/?q=exos+acl&amp;#38;l=en_US&amp;#38;fs=Search&amp;#38;pn=1" target="_blank" rel="nofollow noreferrer noopener">http://gtacknowledge.extremenetworks.com/articles/How_To/How-to-create-and-apply-an-ACL-in-EXOS/?q=exos+acl&amp;l=en_US&amp;fs=Search&amp;pn=1</A> Thu, 14 May 2015 22:09:00 GMT https://community.extremenetworks.com/t5/network-architecture-design/i-need-one-device-to-have-a-specific-ip-default-route-to-another/m-p/13904#M1308 McClane 2015-05-14T22:09:00Z https://community.extremenetworks.com/t5/network-architecture-design/i-need-one-device-to-have-a-specific-ip-default-route-to-another/m-p/13905#M1309 Update Thu, 14 May 2015 22:09:00 GMT https://community.extremenetworks.com/t5/network-architecture-design/i-need-one-device-to-have-a-specific-ip-default-route-to-another/m-p/13905#M1309 Arison_Mercado 2015-05-14T22:09:00Z https://community.extremenetworks.com/t5/network-architecture-design/i-need-one-device-to-have-a-specific-ip-default-route-to-another/m-p/13906#M1310 Hi Everyone,<BR /> <BR /> So far what I have done is I just added a VLAN on my network that extendeds there so I can keep the servers within there own subnet. I'm able to get passed the ACL that resides on they're port uplink but I cannot default route through it. Is there where I need to apply a PBR somewhere?<BR /> <BR /> My Business HUB Customer HUB<BR /> 17216.0.0 /16 192.168.0.0/24<BR /> ACL<BR /> <BR /> Source Destination<BR /> VLAN A - 172.16.0.0/16 Deny 192.168.0.0/24<BR /> VLAN B - 192.168.2.1 Permit 192.168.0.0/24<BR /> <BR /> Lab address Permit ANY (Succesful)<BR /> 192.168.2.4<BR /> Ping 8.8.8.8 from 192.168.2.4 (Request Timed out)<BR /> <BR /> Next step is I would assume I create a PBR ACL under VLAN B that default routes to their Firewall? The reason for this is because the VLAN resides on my network?<BR /> <BR /> Tue, 19 May 2015 20:18:00 GMT https://community.extremenetworks.com/t5/network-architecture-design/i-need-one-device-to-have-a-specific-ip-default-route-to-another/m-p/13906#M1310 Arison_Mercado 2015-05-19T20:18:00Z