This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Policy/Source based routing in EXOS on a VR

Policy/Source based routing in EXOS on a VR

Frank
Contributor

‎04-04-2018 07:57 AM

I know... yet another PBR question, maybe I just need clarification.

I have two 8800s, 15.6.3.1 p1-9 (can be updated to 16.latest if need be).
Those two (with mlags to access switches) play default-gateway with vrrp for my internal VLANs (servers, workstations, other things)
Those VLANs are all in the VR "VR-Mine"
The VR-Mine participates in OSPF and also has a nice fast default gateway to the Internet.

Suddenly the requirement has popped up that the workstation vlan needs to get routed to the Internet via a separate content-filtering firewall (i.e. new default gateway JUST for that vlan. Technically two, but still)

Also, we're talking both, IPv6 and IPv4 (dual-stack)

I thought "PBR/source-based-routing" would "surely" be the answer, but I'm hitting a few snags:

From what I understand, "flow-redirect" is not an option because it won't work on "user created VRs" - I'm assuming since everything happens in "VR-Mine", that is a user-created VR so I'm out of luck?

If I understand right, the next approach would be policies. Now, I understand the concept, "if source is this and destination is that, then set nexthop to the content-filter-IP". However, the only thing that I can see where I can apply that policy/access-list, is to individual ports, according to the concept guide.

If I can't apply the access list to the VR-Mine 'router', can I really not apply it to the VLAN?

Do I really have to list all the ports that are members of that vlan and apply it to those ports - presumable as "ingress" (also: if not specified, does it mean ingress and egress)? Which also makes it harder, because I would have to add a port to that rule every time I add a port to the VLAN. That's high-maintenance!

I was thinking that as a last resort, I could stick the special VLAN(s) into their own VR (VR-Theirs), and then route between VRs, but then I saw the sentence "No can do with V6".

I'm wide open to suggestions/explanations/hints. Oh, and I really want to avoid handing out the content-filter's IP as default gateway for those VLANs because of a flurry of issues that would bring with it.

Thanks,
Frank
0 Kudos
2 REPLIES 2

Frank
Contributor

‎04-24-2018 11:09 AM

Oh snaps... The short of it is: PBR doesn't work on user-defined VRs. (Support: thank you for your patience!) Off to moving everything from "VR-Mine" to "VR-Default".
0 Kudos

Frank
Contributor

‎04-18-2018 11:22 AM

"bump" - because I must've gone senile and didn't click all applicable categories. Thanks for adding one, mysterious maintainer 🙂
0 Kudos
GTM-P2G8KFN