Networking General

Last reply by 09-15-2022 Solved

Policy Based Routing on N3000 Series

Hello,

I'm trying to convert my ACLs on some VLAN Interfaces to PBR, because I need Source Based Routing on these VLANs.

I have some deny rules in my ACLs and tried to implement them in the following way:

route-map Route_1 permit 20
match ip address Routing_1_Drop
set interface null0

This doesn't work, because "set interface null0" is not allowed for the next hop.

My question now: If I omit the last line and have no next-hop statement (only the match statement), will the packet be dropped or transferred to the default router?

Hope to get an answer to this very specific question.

Kind Regards

Accepted Solutions

Hello BeiDerArbeit,

That looks ok to me. You can test that out.

I would note that we typically don't do initial configuration on the forum, such as trying to create a new PBR configuration; we have deployment services that can be contracted for that. I am, though, giving you best-effort assistance.

 


Dell -Charles R
Social Media and Communities Professional
Dell Technologies | Enterprise Support Services
#IWork4Dell

Did I answer your query? Please click on ‘Accept as Solution’. ‘Kudo’ the posts you like!


Replies (12)

Hello BeiDerArbeit,

I think this will be the best guide:

How to perform Policy-Based Routing (PBR) on DELL Networking N-Series Switches

https://dell.to/3d8fpOp

 


Dell -Charles R

Hi,

Thank you very much for your quick reply. I think I know this document although I can't open the link.

Unfortunately there is no information on how to drop the traffic. In Cisco-like routers you can use the null0 interface for the next hop; in Dell routers it isn't allowed.

So my question again: If I omit the next-hop statement in the policy rule (below), will all packets matching the match clause be dropped?

route-map Route_1 permit 20
match ip address Routing_1_Drop

By the way, another solution would be to configure a blackhole, but this is not preferred.

Florian


Hi, I'm sharing the above link without the URL shortener and adding two guides.

How to perform Policy-Based Routing (PBR) on DELL Networking N-Series Switches https://www.dell.com/support/kbdoc/en-us/000120976/how-to-perform-policy-based-routing-pbr-on-dell-n...

Policy-Based Routing pg685 https://downloads.dell.com/manuals/all-products/esuprt_networking_int/esuprt_networking_switches_ser...

IPv6 Policy-Based Routing Commands pg1832 https://downloads.dell.com/manuals/all-products/esuprt_networking_int/esuprt_networking_switches_ser...

 


Thanks,

Erman Özkurt
Social Media and Communities Professional
Dell Technologies | Enterprise Support Services
#Iwork4Dell


Maybe Erman's information will help you.

In case that does not help, let me gather some more information.

I see you're trying to do something that you normally do on Cisco; there may be another way it is done on N-Series.

What deny rules are you using in the ACL?

What do you need to accomplish with deny rules in the ACL?


Dell -Charles R

Hi, thanks for coming back.

In fact, it doesn't help me.

Before I started to use PBR we filtered the traffic by ACLs on VLANs. But both ACL and PBR can't be used on the same VLAN.

So I translated the ACLs to PBR. 

ACL:
1000 permit icmp any any
1100 permit udp any any eq 67
1200 permit tcp 10.110.112.0 0.0.0.0 eq 22 any
1300 permit tcp 10.110.0.0 0.0.255.255 10.9.16.120 0.0.0.0 eq http
1400 permit udp 10.110.0.0 0.0.255.255 10.9.16.111 0.0.0.0 eq domain
5000 deny ip any 10.0.0.0 0.255.255.255
5100 deny ip any 172.16.0.0 0.15.255.255
5200 deny ip any 192.168.0.0 0.0.255.255
10000 permit every

I created three route-maps:
route-map "route-1" deny 10
match ip address block1    "block1->new ACL with lines 1000-1400"
exit
!
route-map "route-2" permit 20
match ip address block2      "block2->new ACL with lines 5000-5200"
>>>>> here I need a blackhole!!! All traffic should be discarded.
exit
!
route-map "route-3" permit 30
match ip address block3      "block3->new ACL with line 10000"
set ip next-hop 10.110.48.1
exit

I hope it's getting clear by this example. The first route-map is deny and returns the traffic to the default router. The second route-map should drop all other traffic to isolate our private network. The third route-map routes all the traffic to another internet connection. Of course, this is just simple source-based routing ...

Basically everything works fine and I can see the traffic on the different maps.

But I'm not sure, if I leave the set ip next-hop empty at the second rule, whether all traffic matching the clause will be dropped.

Or do I need to use a blackhole here? And if so, I don't know how a secure blackhole is created on Dell switches because IPv4 doesn't have this built in.

Is it getting clearer? I hope so and if not I will explain in more detail.

Regards


Thank you BeiDerArbeit for that information. Let me work with this and update you.


Dell -Charles R

Hello BeiDerArbeit,

What do you get when you use "set interface null0"?

The ACL should be denying only what you want to deny and permit everything else, and then the PBR will come into play.


Dell -Charles R

Hi Charles,

I don't understand your question exactly.

If I use "set interface null0" when a match clause is used in the route-map, I get an error that "set interface null0" is only allowed without a match clause.

It is not possible to use ACLs AND PBR at the same VLAN interface; this is what I was told by DELL.

The first route-map has deny, which means the ACL in here controls the packets that should be handled by the default router.

The second route-map has permit and should act as a blackhole.

The rest is internet traffic and will be forwarded by the third route-map.

Since I can't use ACLs and PBR at the same VLAN interface I have to use the second route-map to drop the packets.

Or do you have another idea?

Regards,

Florian


Hello BeiDerArbeit,

I think we have an example that will do what you want. If not, you may be able to modify it to meet your needs.


==============================================================================
Create 3 ACLs based on the traffic and policies that need to be applied:
block1, block2, block3
==============================================================================

ip access-list block1
1000 permit icmp any any
1100 permit udp any any eq 67
1200 permit tcp 10.110.112.0 0.0.0.0 eq 22 any
1300 permit tcp 10.110.0.0 0.0.255.255 10.9.16.120 0.0.0.0 eq http
1400 permit udp 10.110.0.0 0.0.255.255 10.9.16.111 0.0.0.0 eq domain
exit

ip access-list block2
5000 deny ip any 10.0.0.0 0.255.255.255
5100 deny ip any 172.16.0.0 0.15.255.255
5200 deny ip any 192.168.0.0 0.0.255.255
10000 permit ip any any
exit

ip access-list block3
1000 permit every
exit

==============================================================================
Create route-map "pbr". This will do policy-based routing for
traffic in ACLs block1 and block3
==============================================================================

route-map pbr deny 10
match ip address block1
exit

route-map pbr permit 30
match ip address block3
set ip next-hop 10.110.48.1
exit

==============================================================================
block2 traffic is going to be a regular ACL which we are going to configure
on the VLAN as a VLAN ACL. Assuming the VLAN is vlan 10.
==============================================================================

interface vlan 10
ip policy route-map pbr
ip access-group block2 in
exit


Dell -Charles R
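
As an added example (not code from the thread or from Dell), the Python model below encodes the accepted configuration so its behaviour can be checked offline before it is deployed: the ACL entries and the two route-map sequences are transcribed from the post above, the wildcard-mask and first-match semantics are the standard Cisco-style ones, and it assumes the inbound VLAN ACL is evaluated before the route-map, an order the thread does not state.

```python
import ipaddress
# Constructed model of the accepted configuration (added example, not from the
# thread): the inbound VLAN ACL block2 is evaluated first, then route-map pbr.
def wc_match(addr, base, wildcard):
    """Cisco-style wildcard mask: a 1 bit in the mask means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

ANY = ("0.0.0.0", "255.255.255.255")  # "any"; a 0.0.0.0 wildcard means one host
# ACL entries: (action, proto, src, src_wc, dst, dst_wc, sport, dport); None = any port
ACLS = {
    "block1": [
        ("permit", "icmp", *ANY, *ANY, None, None),
        ("permit", "udp", *ANY, *ANY, None, 67),
        ("permit", "tcp", "10.110.112.0", "0.0.0.0", *ANY, 22, None),
        ("permit", "tcp", "10.110.0.0", "0.0.255.255", "10.9.16.120", "0.0.0.0", None, 80),
        ("permit", "udp", "10.110.0.0", "0.0.255.255", "10.9.16.111", "0.0.0.0", None, 53),
    ],
    "block2": [
        ("deny", "ip", *ANY, "10.0.0.0", "0.255.255.255", None, None),
        ("deny", "ip", *ANY, "172.16.0.0", "0.15.255.255", None, None),
        ("deny", "ip", *ANY, "192.168.0.0", "0.0.255.255", None, None),
        ("permit", "ip", *ANY, *ANY, None, None),
    ],
    "block3": [("permit", "ip", *ANY, *ANY, None, None)],
}

def acl_action(name, pkt):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, proto, src, swc, dst, dwc, sport, dport in ACLS[name]:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not (wc_match(pkt["src"], src, swc) and wc_match(pkt["dst"], dst, dwc)):
            continue
        if sport in (None, pkt.get("sport")) and dport in (None, pkt.get("dport")):
            return action
    return "deny"

# route-map pbr: (action, match ACL, next-hop). A deny sequence whose ACL permits
# the packet means "not policy routed": the packet follows the routing table.
ROUTE_MAP = [("deny", "block1", None), ("permit", "block3", "10.110.48.1")]

def forward(pkt):
    # Disposition under 'ip access-group block2 in' plus 'ip policy route-map pbr'.
    if acl_action("block2", pkt) == "deny":
        return "dropped by ACL block2"
    for action, acl, next_hop in ROUTE_MAP:
        if acl_action(acl, pkt) == "permit":
            return "normal routing" if action == "deny" else f"next-hop {next_hop}"
    return "normal routing"
```

Under that assumption the model reports the HTTP and DNS flows from lines 1300 and 1400 of block1 as dropped by block2 before the route-map ever sees them, because their destinations fall inside 10.0.0.0/8, so the ordering is worth checking against the original ACL before deployment.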
