Posted on September 16, 2020 3:55 pm
 |  Asked by Ismail Kalolwala
 |  67 views

We want to use PBR for subnet 10.38.250.0 to egress out of the DC1 firewall and subnet 10.39.250.0 to egress out of the DC2 firewall. PBR is deployed, but not operational.

Switches are Arista 7160 with software version 4.21.10M.

Single VLAN with primary IP address 10.38.250.0 and secondary IP address 10.39.250.0. Each data center holds a firewall.

The purpose of PBR is the reverse connectivity: a server in the 38 range should always use the DC1 firewall for egress, and a server in the 39 range should use the DC2 firewall for all egress.

Any suggestion is appreciated.

Regards,

Ismail Kalolwala

Posted by Sreelekha
Answered on September 18, 2020 5:53 pm

Hi Ismail,

Thanks for using the forum.

I see you are trying to use PBR on Arista 7160 devices. PBR is supported on this platform and EOS version unless your next-hop is behind a remote VTEP or IPv6.

As you mentioned, PBR is deployed but not operational. Could you please verify that the configured next-hop is fully resolved? "show ip route", "show arp" and "show mac address-table" will help. Or you could send over the show-tech files of the Arista devices using the command below:

show tech-support | no

You can use the below commands to determine the status of PBR

show policy-map type pbr         >> check activity status
show platform xp hardware pbr    >> nexthop status in hardware

Could you let us know where exactly the Arista devices and the firewall are located/connected in the network? If possible, can you share a rough topology explaining the expected flow?

Here are a few articles that may help you, if you haven't come across them already:
https://eos.arista.com/eos-4-23-2f/policy-based-routing/#Specifying_VRF_for_PBR_nexthops
https://eos.arista.com/eos-4-20-5f/support-to-specify-vxlan-nexthops-for-pbr/

Cheers!
Sreelekha
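As an added example (not from this thread and not Arista's own tooling), the Python script below performs the next-hop resolution walk described in the answer above: for each `set nexthop` in a PBR policy it checks for a connected route covering the next-hop, an ARP entry for it, and the port the next-hop's MAC was learned on, and flags a next-hop whose MAC sits behind the VXLAN interface. The show-output lines it parses are constructed and simplified; the column layout and the "Vx1"/"Vxlan1" names for VXLAN-learned entries are assumptions, so the parsers would need adjusting before running against real device output.

```python
"""Pre-check PBR next-hops: resolved locally, behind a VTEP, or unresolved?

Added example, not from the forum thread. Input formats are constructed
approximations of "show ip route", "show arp" and "show mac address-table".
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# --- constructed sample data (assumed layout, not captured from a device) ----
POLICY = """\
policy-map type pbr SPAN-DMZ
   10 match ip 10.38.250.0/24 any
      set nexthop 10.38.250.2
   20 match ip 10.39.250.0/24 any
      set nexthop 10.39.250.2
"""

SHOW_IP_ROUTE = """\
 C      10.38.250.0/24 is directly connected, Vlan3121
 C      10.39.250.0/24 is directly connected, Vlan3121
"""

# Address   Age      Hardware Addr   Interface(s)
SHOW_ARP = """\
10.38.250.2   0:03:21  0011.2233.4455  Vlan3121, Ethernet1
10.39.250.2   0:00:42  0066.7788.99aa  Vlan3121, Vxlan1
"""

# Vlan  Mac Address     Type     Port   Moves  Last Move
SHOW_MAC = """\
3121  0011.2233.4455  DYNAMIC  Et1    1  0:03:21 ago
3121  0066.7788.99aa  DYNAMIC  Vx1    1  0:00:42 ago
"""

VXLAN_PORT_PREFIX = "Vx"  # assumption: VXLAN-learned MACs show a Vx* port


@dataclass
class PbrRule:
    seq: int
    src: str
    dst: str
    nexthop: Optional[str] = None


def parse_policy(text: str) -> List[PbrRule]:
    """Collect (sequence, match, nexthop) triples from a pbr policy-map."""
    rules: List[PbrRule] = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+match ip (\S+) (\S+)", line)
        if m:
            rules.append(PbrRule(int(m.group(1)), m.group(2), m.group(3)))
            continue
        m = re.match(r"\s*set nexthop (\S+)", line)
        if m and rules:
            rules[-1].nexthop = m.group(1)
    return rules


def parse_connected_routes(text: str) -> Dict[ipaddress.IPv4Network, str]:
    """Map directly connected ('C') prefixes to their interface."""
    routes = {}
    for line in text.splitlines():
        m = re.match(r"\s*C\s+(\S+) is directly connected, (\S+)", line)
        if m:
            routes[ipaddress.ip_network(m.group(1))] = m.group(2)
    return routes


def parse_arp(text: str) -> Dict[str, Tuple[str, List[str]]]:
    """Map IP -> (MAC, [interfaces]) from the simplified ARP layout."""
    arp = {}
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) == 4:
            ip, _age, mac, ifaces = parts
            arp[ip] = (mac, [i.strip() for i in ifaces.split(",")])
    return arp


def parse_mac_table(text: str) -> Dict[str, str]:
    """Map MAC -> learned port from the simplified mac address-table layout."""
    macs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and re.fullmatch(r"([0-9a-f]{4}\.){2}[0-9a-f]{4}", parts[1]):
            macs[parts[1]] = parts[3]
    return macs


def check_nexthops(policy: str, route_out: str, arp_out: str, mac_out: str) -> Dict[int, str]:
    """Return a status string per PBR sequence number."""
    routes = parse_connected_routes(route_out)
    arp = parse_arp(arp_out)
    macs = parse_mac_table(mac_out)
    results: Dict[int, str] = {}
    for rule in parse_policy(policy):
        if rule.nexthop is None:
            results[rule.seq] = "unresolved: rule has no nexthop"
            continue
        nh = ipaddress.ip_address(rule.nexthop)
        if not any(nh in net for net in routes):
            results[rule.seq] = "unresolved: no connected route covers nexthop"
            continue
        entry = arp.get(rule.nexthop)
        if entry is None:
            results[rule.seq] = "unresolved: no ARP entry for nexthop"
            continue
        port = macs.get(entry[0])
        if port is None:
            results[rule.seq] = "unresolved: nexthop MAC not in mac address-table"
        elif port.startswith(VXLAN_PORT_PREFIX):
            results[rule.seq] = f"unsupported: nexthop learned via {port} (remote VTEP)"
        else:
            results[rule.seq] = f"ok: nexthop resolved locally via {port}"
    return results


if __name__ == "__main__":
    for seq, status in check_nexthops(POLICY, SHOW_IP_ROUTE, SHOW_ARP, SHOW_MAC).items():
        print(f"seq {seq}: {status}")
```

On the constructed data, sequence 10 resolves through a local Ethernet port while sequence 20 resolves through Vx1, which is exactly the case the answer says the 7160 cannot program as a PBR next-hop.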

Posted by Ismail Kalolwala
Answered on September 24, 2020 6:40 pm

Hi Sreelekha,

Policy Map configuration is as follows:

policy-map type pbr SPAN-DMZ
   10 match ip 10.38.250.0/24 any
      set nexthop 10.38.250.2
   20 match ip 10.39.250.0/24 any
      set nexthop 10.39.250.2

interface Vlan3121
   description SPAN-DMZ
   mtu 9000
   vrf SPAN-DMZ
   ip address virtual 10.38.250.1/24
   ip address virtual 10.39.250.1/24 secondary

We want to route the 10.38.250.0/24 subnet primarily from DC1 and the 10.39.250.0/24 subnet primarily from DC2.

10.38.250.0 routes well via DC1, but 10.39.250.0 does not route via DC2 when we have servers in this subnet in DC1.

What we have come to understand is that PBR is not supported over VXLAN.

When I execute show policy-map type pbr from DC1, for subnet 10.38.250.0 PBR shows active with next hop 10.38.250.1, but PBR is not active for 10.39.250.0.

The reverse is seen in DC2.

IP connectivity is reachable between them...

Unfortunately, I have removed the entire configuration, but if this configuration had worked it would have met our requirement.

Regards,

Ismail Kalolwala

Posted by Sreelekha
Answered on September 25, 2020 6:28 am

Hey Ismail,

Thanks for sharing the information. 

As per your design, in DC1 the next-hop for 10.38.250.0/24 is 10.38.250.2, which resides in the same DC and lets you egress out of the DC1 firewall. But for the traffic from 10.39.250.0/24 the next-hop is 10.39.250.2, which resides in DC2, reachable via VXLAN.

As you rightly inferred, the PBR nexthop over vxlan is not supported on this platform (7160). If you would like to use this feature, it is supported on DCS7280R, DCS7500R, DCS7504R, DCS7508R, DCS7512R, DCS7516R, DCS7280R2, DCS7500R2, DCS7050X, DCS7060, DCS7050X2, DCS7050X3.

The article below is a good read on this:
https://eos.arista.com/eos-4-20-5f/support-to-specify-vxlan-nexthops-for-pbr/

Cheers!
Sreelekha
