Policy Based Routing on N3000 Series
Hello,
I'm trying to convert my ACLs on some VLAN interfaces to PBR, because I need source-based routing on these VLANs.
I have some deny rules in my ACLs and tried to implement them in the following way:
route-map Route_1 permit 20
match ip address Routing_1_Drop
set interface null0
This doesn't work, because "set interface null0" is not allowed for the next hop.
My question now: If I omit the last line and have no next-hop statement (only the match statement), will the packet be dropped or transferred to the default router?
Hope to get an answer to this very specific question.
Kind Regards
DELL-Charles R
Moderator
September 15th, 2022 13:00
Hello BeiDerArbeit,
That looks ok to me. You can test that out.
I would note that we typically don't do initial configuration on the forum, such as creating a new PBR configuration; we have deployment services that can be contracted for that. I am, though, giving you best effort to assist you.
DELL-Charles R
Moderator
September 12th, 2022 13:00
Hello BeiDerArbeit,
I think this will be the best guide:
How to perform Policy-Based Routing (PBR) on DELL Networking N-Series Switches
https://dell.to/3d8fpOp
BeiDerArbeit
September 12th, 2022 23:00
Hi,
Thank you very much for your quick reply. I think I know this document although I can't open the link.
Unfortunately there is no information on how to drop the traffic. In Cisco-like routers you can use the null0 interface for the next hop; in Dell routers it isn't allowed.
So my question again: If I omit the next-hop statement in the policy rule (below), will all packets matching the match clause be dropped?
route-map Route_1 permit 20
match ip address Routing_1_Drop
By the way, another solution would be to configure a blackhole, but this is not preferred.
Florian
DELL-Erman O
Moderator
September 13th, 2022 03:00
Hi, I'm sharing the above link without the URL shortener and adding two guides.
How to perform Policy-Based Routing (PBR) on DELL Networking N-Series Switches https://www.dell.com/support/kbdoc/en-us/000120976/how-to-perform-policy-based-routing-pbr-on-dell-networking-n-series-switches?dgc=SM&cid=304571&lid=spr7602661710&refid=sm_LITHIUM_spr7602661710&linkId=181108593
Policy-Based Routing pg685 https://downloads.dell.com/manuals/all-products/esuprt_networking_int/esuprt_networking_switches_series/networking-n3000-series_cli-guide8_en-us.pdf
IPv6 Policy-Based Routing Commands pg1832 https://downloads.dell.com/manuals/all-products/esuprt_networking_int/esuprt_networking_switches_series/networking-n3000-series_cli-guide8_en-us.pdf
DELL-Charles R
Moderator
September 13th, 2022 05:00
Maybe Erman's information will help you.
In case that does not help, let me gather some more information.
I see you're trying to do something that you normally do on Cisco; there may be another way it is done on N-Series.
What deny rules are you using in the ACL?
What do you need to accomplish with deny rules in the ACL?
BeiDerArbeit
September 13th, 2022 06:00
Hi, thanks for coming back.
In fact, it doesn't help me.
Before I started to use PBR we filtered the traffic by ACLs on VLANs. But ACL and PBR can't both be used on the same VLAN.
So I translated the ACLs to PBR.
ACL:
1000 permit icmp any any
1100 permit udp any any eq 67
1200 permit tcp 10.110.112.0 0.0.0.0 eq 22 any
1300 permit tcp 10.110.0.0 0.0.255.255 10.9.16.120 0.0.0.0 eq http
1400 permit udp 10.110.0.0 0.0.255.255 10.9.16.111 0.0.0.0 eq domain
5000 deny ip any 10.0.0.0 0.255.255.255
5100 deny ip any 172.16.0.0 0.15.255.255
5200 deny ip any 192.168.0.0 0.0.255.255
10000 permit every
I created three route-maps:
route-map "route-1" deny 10
match ip address block1 "block1->new ACL with lines 1000-1400"
exit
!
route-map "route-2" permit 20
match ip address block2 "block2->new ACL with lines 5000-5200"
>>>>> here I need a blackhole!!! All traffic should be discarded.
exit
!
route-map "route-3" permit 30
match ip address block3 "block3->new ACL with line 10000"
set ip next-hop 10.110.48.1
exit
I hope it's getting clear by this example. The first route-map is deny and returns the traffic to the default router. The second route-map should drop all other traffic to isolate our private network. The third route-map routes all the traffic to another internet connection. Of course, this is just a simple source-based routing ...
Basically everything works fine and I can see the traffic on the different maps.
But I'm not sure, if I leave the set ip next-hop empty at the second rule, whether all traffic matching the clause will be dropped.
Or do I need to use a blackhole here? And if so, I don't know how a secure blackhole is created on Dell switches because IPv4 doesn't have this built in.
Is it getting clearer? I hope so and if not I will explain in more detail.
Regards
DELL-Charles R
Moderator
September 13th, 2022 08:00
Thank you BeiDerArbeit for that information. Let me work with this and update you.
BeiDerArbeit
September 14th, 2022 07:00
Hi Charles,
I don't understand your question exactly.
If I use "set interface null0" when a match clause is used in the route-map, I get an error that "set interface null0" is only allowed without a match clause.
It is not possible to use ACLs AND PBR at the same VLAN interface; this is what I was told by DELL.
The first route-map has deny, which means the ACL in here controls the packets that should be handled by the default router.
The second route-map has permit and should act as a blackhole.
The rest is internet traffic and will be forwarded by the third route-map.
Since I can't use ACLs and PBR at the same VLAN interface, I have to use the second route-map to drop the packets.
Or do you have another idea?
Regards,
Florian
DELL-Charles R
Moderator
September 14th, 2022 07:00
Hello BeiDerArbeit,
What do you get when you do use "set interface null0"?
The ACL should be denying only what you want to deny and permit everything else -- and then the PBR will come into play.
DELL-Charles R
Moderator
September 14th, 2022 10:00
Hello BeiDerArbeit
I think we have an example that will do what you want. If not you may be able to modify it to meet your needs.
==============================================================================
Create 3 ACLs based on the traffic and policies that need to be applied
block1, block2, block3
==============================================================================
ip access-list block1
1000 permit icmp any any
1100 permit udp any any eq 67
1200 permit tcp 10.110.112.0 0.0.0.0 eq 22 any
1300 permit tcp 10.110.0.0 0.0.255.255 10.9.16.120 0.0.0.0 eq http
1400 permit udp 10.110.0.0 0.0.255.255 10.9.16.111 0.0.0.0 eq domain
exit
ip access-list block2
5000 deny ip any 10.0.0.0 0.255.255.255
5100 deny ip any 172.16.0.0 0.15.255.255
5200 deny ip any 192.168.0.0 0.0.255.255
10000 permit ip any any
exit
ip access-list block3
1000 permit every
exit
==============================================================================
Create route-map == pbr. This will do policy based routing for
traffic in ACLs - block1 and block3
==============================================================================
route-map pbr deny 10
match ip address block1
exit
route-map pbr permit 30
match ip address block3
set ip next-hop 10.110.48.1
exit
==============================================================================
block2 traffic is going to be a regular ACL which we are going to configure
on the VLAN as vlan acl. Assuming vlan is vlan 10.
==============================================================================
interface vlan 10
ip policy route-map pbr
ip access-group block2 in
exit
BeiDerArbeit
September 15th, 2022 00:00
Dear Charles,
Thank you so much for your proposal. Did you try this in real-time?
As I wrote before (and I could verify this behavior), IP-based ACLs AND PBR at the same time are not possible on the same VLAN. I attach the original answer from DELL (it was in German, translated here):
** Action plan **
On interfaces where PBR is active, no additional IP-based ACLs can be used to control the traffic flow. As an alternative you can run the PBR over a VRF, or use another interface instead of the VLAN for the ACL (an uplink, for example). Alternatively, you can of course adapt the ACL for PBR so that the rules of your ingress ACL are included.
But your proposal is a good idea to continue. Please have a look on this.
==============================================================================
Create only 2 ACLs based on the traffic and policies that need to be applied
block1, block2
==============================================================================
ip access-list block1
1000 permit icmp any any
1100 permit udp any any eq 67
1200 permit tcp 10.110.112.0 0.0.0.0 eq 22 any
1300 permit tcp 10.110.0.0 0.0.255.255 10.9.16.120 0.0.0.0 eq http
1400 permit udp 10.110.0.0 0.0.255.255 10.9.16.111 0.0.0.0 eq domain
exit
ip access-list block2
5000 deny ip any 10.0.0.0 0.255.255.255
5100 deny ip any 172.16.0.0 0.15.255.255
5200 deny ip any 192.168.0.0 0.0.255.255
10000 permit ip any any
exit
==============================================================================
Create route-map == pbr. This will do policy based routing for
traffic in ACLs - block1 and block2 and the final "drop all traffic"
==============================================================================
route-map pbr deny 10
match ip address block1
exit
route-map pbr permit 20
match ip address block2
set ip next-hop 10.110.48.1
exit
route-map pbr permit 30
set interface null0
exit
==============================================================================
What do you think, will this be a good solution for my conditions?
Thank you again for looking in the details.
Florian
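As an added illustration (not code from the thread or from Dell), here is a small Python model of how the route-map in Florian's final proposal above would classify packets, using the ACL entries posted in this thread. It assumes the usual route-map semantics: an ACL deny inside a match clause means "not matched by this sequence", a deny sequence or no match at all means normal destination-based forwarding, and only the first matching sequence's set clause applies; the sample packets are constructed.

```python
from ipaddress import IPv4Address

def wildcard_match(addr, base, wildcard):
    """Cisco/Dell-style wildcard mask: bits set to 1 in the mask are ignored."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

ANY = ("0.0.0.0", "255.255.255.255")
# ACL entries from the thread: (action, proto, (src, wildcard), src_port, (dst, wildcard), dst_port)
BLOCK1 = [  # original sequence numbers 1000-1400
    ("permit", "icmp", ANY, None, ANY, None),
    ("permit", "udp", ANY, None, ANY, 67),
    ("permit", "tcp", ("10.110.112.0", "0.0.0.0"), 22, ANY, None),
    ("permit", "tcp", ("10.110.0.0", "0.0.255.255"), None, ("10.9.16.120", "0.0.0.0"), 80),
    ("permit", "udp", ("10.110.0.0", "0.0.255.255"), None, ("10.9.16.111", "0.0.0.0"), 53),
]
BLOCK2 = [  # original sequence numbers 5000-5200 plus the trailing "permit ip any any"
    ("deny", "ip", ANY, None, ("10.0.0.0", "0.255.255.255"), None),
    ("deny", "ip", ANY, None, ("172.16.0.0", "0.15.255.255"), None),
    ("deny", "ip", ANY, None, ("192.168.0.0", "0.0.255.255"), None),
    ("permit", "ip", ANY, None, ANY, None),
]

def acl_permits(acl, pkt):
    """First matching entry decides; an ACL ends with an implicit deny."""
    for action, proto, (sb, sw), sport, (db, dw), dport in acl:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not (wildcard_match(pkt["src"], sb, sw) and wildcard_match(pkt["dst"], db, dw)):
            continue
        if sport not in (None, pkt.get("sport")) or dport not in (None, pkt.get("dport")):
            continue
        return action == "permit"
    return False

# route-map pbr as proposed above: (sequence, action, match ACL or None, set clause)
ROUTE_MAP = [
    (10, "deny", BLOCK1, None),
    (20, "permit", BLOCK2, "set ip next-hop 10.110.48.1"),
    (30, "permit", None, "set interface null0"),
]

def policy_route(pkt):
    """Assumed semantics: ACL deny = sequence not matched; deny sequence or no match = normal routing."""
    for seq, action, acl, set_clause in ROUTE_MAP:
        if acl is not None and not acl_permits(acl, pkt):
            continue
        return "normal routing (seq %d deny)" % seq if action == "deny" else set_clause
    return "normal routing (no sequence matched)"
```

Under these assumptions, traffic permitted by block1 is forwarded normally, traffic to RFC 1918 destinations falls through to sequence 30 and is discarded, and everything else is policy-routed to 10.110.48.1.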
DELL-Erman O
Moderator
September 15th, 2022 02:00
Hi Florian, this might be a good idea; it sounds worth a try to me. Charles isn't online yet, but I think he'd better take a look when he's online.