Lantm
Explorer

MHO security group PBR

Hi Guys,

I'm using an MHO solution: 2 MHO 140 + 2 6800 CP GW. I have configured PBR for the management interface but it doesn't work. Has anyone encountered this problem yet?

My configuration:

set pbr table Mgmt static-route default nexthop gateway address 172.17.10.1 priority 1

set pbr rule priority 10 match from 172.17.10.216/32 to 172.16.0.68/32
set pbr rule priority 10 action table Mgmt

Best regards.

5 Replies
Anatoly
Employee

Hi,

It looks like you're creating PBR on the orchestrator itself.

I guess you should do it on the Security Group from its Global Clish. The Mgmt interface of the orchestrator is not related to the policy.

Management interfaces of the Security Group are eth1-Mgmt1, eth1-Mgmt2, etc...

Lantm
Explorer

Hi,

I created PBR on the Security Group.

This is the output when I run show configuration pbr on the Security Group; it is pushed to the 2 6800 GWs.

[Global] FW-SRV-MC-ch01-01 > show configuration pbr
1_01:
set pbr table Mgmt static-route 172.16.0.68/32 nexthop gateway logical eth1-Mgmt 1 on
set pbr rule priority 10 match from 172.17.10.0/24 to 172.16.0.68/32
set pbr rule priority 10 action table Mgmt

1_02:
set pbr table Mgmt static-route 172.16.0.68/32 nexthop gateway logical eth1-Mgmt 1 on
set pbr rule priority 10 match from 172.17.10.0/24 to 172.16.0.68/32
set pbr rule priority 10 action table Mgmt

Best regards.

Anatoly
Employee

So, that is what it should be. Does it work for you?

Lantm
Explorer

Hi,
It doesn't work.
If I want to connect from 172.16.0.68/32 to the MGT interface of the Security Group, I must add a static route to 172.16.0.68/32 via eth1-Mgmt 1. There is only 1 routing table for both data and management.
Anatoly
Employee

Correct, there's only one routing table here.