Policy Based Routing HPE Aruba 3800 series

Today busy with some Policy Based Routing (PBR) routing on an HPE Aruba 3800 series switch.

Situation:

[Diagram: pbr-3800]

The default gateway is set to 172.16.1.1, which is ISP A, a line dedicated to business traffic.

So in the config of the switch:

ip route 0.0.0.0 0.0.0.0 172.16.1.1
ip routing

Let's assume that we have another ISP, named B, which needs to be used for Office 365, in particular Exchange Online. Of course the best option would be to change the default gateway, because Microsoft has a lot of IP addresses which change on a regular basis. So my advice would be to set the default gateway to ISP B and make a PBR for the things that should go to ISP A. (The example below does it the other way round: the default gateway stays on ISP A and the Exchange Online subnets are steered to ISP B with PBR.) Users of VLAN 5 need to have this in place.

We start by creating a class which contains the IPv4 addresses for Exchange Online listed on this Microsoft page. The class name is case sensitive. Also please note that we can't use normal subnet masks (the switch accepts them, but it doesn't work); we have to use wildcard masks here.

class ipv4 "Office365-Subnets"
5 match ip 0.0.0.0 255.255.255.255 13.107.6.152 0.0.0.1
10 match ip 0.0.0.0 255.255.255.255 13.107.9.152 0.0.0.1
15 match ip 0.0.0.0 255.255.255.255 13.107.18.10 0.0.0.1
20 match ip 0.0.0.0 255.255.255.255 13.107.19.10 0.0.0.1
25 match ip 0.0.0.0 255.255.255.255 23.103.160.0 0.0.15.255
30 match ip 0.0.0.0 255.255.255.255 23.103.224.0 0.0.31.255
35 match ip 0.0.0.0 255.255.255.255 40.96.0.0 0.7.255.255
40 match ip 0.0.0.0 255.255.255.255 40.104.0.0 0.3.255.255
45 match ip 0.0.0.0 255.255.255.255 70.37.151.128 0.0.0.127
50 match ip 0.0.0.0 255.255.255.255 111.221.112.0 0.0.7.255
55 match ip 0.0.0.0 255.255.255.255 131.253.33.215 0.0.0.0
60 match ip 0.0.0.0 255.255.255.255 132.245.1.128 0.0.0.127
65 match ip 0.0.0.0 255.255.255.255 132.245.2.0 0.0.1.255
70 match ip 0.0.0.0 255.255.255.255 132.245.4.0 0.0.3.255
75 match ip 0.0.0.0 255.255.255.255 132.245.8.0 0.0.7.255
80 match ip 0.0.0.0 255.255.255.255 132.245.16.0 0.0.15.255
85 match ip 0.0.0.0 255.255.255.255 132.245.32.0 0.0.31.255
90 match ip 0.0.0.0 255.255.255.255 132.245.64.0 0.0.31.255
95 match ip 0.0.0.0 255.255.255.255 132.245.96.0 0.0.15.255
100 match ip 0.0.0.0 255.255.255.255 132.245.113.128 0.0.0.127
105 match ip 0.0.0.0 255.255.255.255 132.245.114.0 0.0.1.255
110 match ip 0.0.0.0 255.255.255.255 132.245.116.0 0.0.3.255
115 match ip 0.0.0.0 255.255.255.255 132.245.120.0 0.0.7.255
120 match ip 0.0.0.0 255.255.255.255 132.245.129.128 0.0.0.127
125 match ip 0.0.0.0 255.255.255.255 132.245.130.0 0.0.1.255
130 match ip 0.0.0.0 255.255.255.255 132.245.132.0 0.0.3.255
135 match ip 0.0.0.0 255.255.255.255 132.245.136.0 0.0.7.255
140 match ip 0.0.0.0 255.255.255.255 132.245.144.0 0.0.15.255
145 match ip 0.0.0.0 255.255.255.255 132.245.160.0 0.0.31.255
150 match ip 0.0.0.0 255.255.255.255 132.245.192.0 0.0.63.255
155 match ip 0.0.0.0 255.255.255.255 134.170.68.0 0.0.1.255
160 match ip 0.0.0.0 255.255.255.255 157.56.96.16 0.0.0.15
165 match ip 0.0.0.0 255.255.255.255 157.56.96.224 0.0.0.15
170 match ip 0.0.0.0 255.255.255.255 157.56.106.128 0.0.0.15
175 match ip 0.0.0.0 255.255.255.255 157.56.232.0 0.0.7.255
180 match ip 0.0.0.0 255.255.255.255 157.56.240.0 0.0.15.255
185 match ip 0.0.0.0 255.255.255.255 191.232.96.0 0.0.31.255
190 match ip 0.0.0.0 255.255.255.255 191.234.6.152 0.0.0.0
195 match ip 0.0.0.0 255.255.255.255 191.234.140.0 0.0.3.255
200 match ip 0.0.0.0 255.255.255.255 191.234.224.0 0.0.3.255
205 match ip 0.0.0.0 255.255.255.255 204.79.197.215 0.0.0.0
210 match ip 0.0.0.0 255.255.255.255 206.191.224.0 0.0.31.255
215 match ip 0.0.0.0 255.255.255.255 207.46.150.128 0.0.0.127
220 match ip 0.0.0.0 255.255.255.255 207.46.203.128 0.0.0.63
exit
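The wildcard-mask requirement is the usual place to slip up, and Microsoft publishes its ranges as CIDR prefixes rather than in wildcard form. The following Python script is an added example, not code from the original post: it converts CIDR prefixes into the wildcard form the class expects, renders the numbered match statements in the same layout as the class above, and checks a destination address against the entries. It also shows why a normal subnet mask typed in the wildcard position matches the wrong addresses, which is the "accepted but not working" behaviour described above. The prefix list is a constructed sample taken from the ranges in the class; the function names are my own.

```python
"""Generate HPE/Aruba 'class ipv4' match statements from CIDR prefixes.

Added example (not from the original post). The switch expects wildcard
masks (the bitwise inverse of a subnet mask) in 'match ip' statements.
"""
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample input: a few of the prefixes from the class above,
# written in CIDR notation as Microsoft publishes them.
SAMPLE_PREFIXES = [
    "13.107.6.152/31",
    "23.103.160.0/20",
    "40.96.0.0/13",
    "131.253.33.215/32",
    "207.46.203.128/26",
]

ANY_SRC = "0.0.0.0 255.255.255.255"  # "any source" in wildcard form


def cidr_to_wildcard(cidr: str) -> Tuple[str, str]:
    """Return (network, wildcard) for a CIDR prefix.

    /20 -> subnet mask 255.255.240.0 -> wildcard 0.0.15.255. strict=True
    rejects prefixes with host bits set, which usually indicates a typo.
    """
    net = ipaddress.IPv4Network(cidr, strict=True)
    return str(net.network_address), str(net.hostmask)


def build_class(name: str, prefixes: List[str], step: int = 5) -> List[str]:
    """Render the class block with sequence numbers step, 2*step, ..."""
    lines = [f'class ipv4 "{name}"']
    for i, cidr in enumerate(prefixes, start=1):
        network, wildcard = cidr_to_wildcard(cidr)
        lines.append(f"{i * step} match ip {ANY_SRC} {network} {wildcard}")
    lines.append("exit")
    return lines


def wildcard_match(address: str, network: str, wildcard: str) -> bool:
    """True if address matches network under the wildcard mask.

    Bits set to 1 in the wildcard are ignored; every other bit must be
    equal. Feeding a subnet mask here inverts the meaning: the network
    bits become 'don't care' and only the host bits are compared.
    """
    a = int(ipaddress.IPv4Address(address))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def first_matching_entry(address: str, prefixes: List[str],
                         step: int = 5) -> Optional[int]:
    """Sequence number of the first class entry matching address, or None."""
    for i, cidr in enumerate(prefixes, start=1):
        network, wildcard = cidr_to_wildcard(cidr)
        if wildcard_match(address, network, wildcard):
            return i * step
    return None


if __name__ == "__main__":
    print("\n".join(build_class("Office365-Subnets", SAMPLE_PREFIXES)))
    # Correct wildcard: 23.103.170.9 lies inside 23.103.160.0/20.
    print(first_matching_entry("23.103.170.9", SAMPLE_PREFIXES))
    # Subnet mask in the wildcard position: the host inside the range
    # no longer matches, while an unrelated address does.
    print(wildcard_match("23.103.160.5", "23.103.160.0", "255.255.240.0"))
    print(wildcard_match("8.8.160.0", "23.103.160.0", "255.255.240.0"))
```

Regenerating the class from the current Microsoft list and diffing it against the running config is a cheap way to keep the PBR entries in step with the published ranges.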

Now that we have a class, we can bind it in a policy and set the next-hop to 172.16.1.2, the gateway of ISP B.

policy pbr "POL-Office365-Subnets"
   5 class ipv4 "Office365-Subnets"
      action ip next-hop 172.16.1.2
      exit
   exit

Since HPE's implementation requires the policy to be applied to a VLAN, and so far we have only created the policy without binding it anywhere, we have to do the following:

vlan 5
   name "test"
   untagged 1
   ip address 192.168.1.0 255.255.255.0
   service-policy "POL-Office365-Subnets" in
   exit

Keep in mind that you can only bind one PBR policy to a VLAN. If you enter the command service-policy "POL-test" in again with a different policy name and press enter, you won't get a warning; the existing PBR binding is simply overridden. Also, a PBR policy can only be applied to incoming packets on a VLAN.

Some show commands:

show policy POL-Office365-Subnets

Output:
Statements for policy "POL-Office365-Subnets"
policy pbr "POL-Office365-Subnets"
   5 class ipv4 "Office365-Subnets"
      action ip next-hop 172.16.1.2
      exit
   exit

show statistics policy POL-Office365-Subnets vlan 5 in

Output:
 Hit Counts for Policy POL-Office365-Subnets

  Total

 5 class ipv4 Office365-Subnets action ignore
(       0 )      5 match ip 0.0.0.0 255.255.255.255 13.107.6.152 0.0.0.1
(       0 )      10 match ip 0.0.0.0 255.255.255.255 13.107.9.152 0.0.0.1
(       0 )      15 match ip 0.0.0.0 255.255.255.255 13.107.18.10 0.0.0.1
(       0 )      20 match ip 0.0.0.0 255.255.255.255 13.107.19.10 0.0.0.1
(       0 )      25 match ip 0.0.0.0 255.255.255.255 23.103.160.0 0.0.15.255
(       0 )      30 match ip 0.0.0.0 255.255.255.255 23.103.224.0 0.0.31.255
(       0 )      35 match ip 0.0.0.0 255.255.255.255 40.96.0.0 0.7.255.255
(       0 )      40 match ip 0.0.0.0 255.255.255.255 40.104.0.0 0.3.255.255
(       0 )      45 match ip 0.0.0.0 255.255.255.255 70.37.151.128 0.0.0.127
(       0 )      50 match ip 0.0.0.0 255.255.255.255 111.221.112.0 0.0.7.255
(       0 )      55 match ip 0.0.0.0 255.255.255.255 131.253.33.215 0.0.0.0
(       0 )      60 match ip 0.0.0.0 255.255.255.255 132.245.1.128 0.0.0.127
(       0 )      65 match ip 0.0.0.0 255.255.255.255 132.245.2.0 0.0.1.255
(       0 )      70 match ip 0.0.0.0 255.255.255.255 132.245.4.0 0.0.3.255
(       0 )      75 match ip 0.0.0.0 255.255.255.255 132.245.8.0 0.0.7.255
(       0 )      80 match ip 0.0.0.0 255.255.255.255 132.245.16.0 0.0.15.255
(       0 )      85 match ip 0.0.0.0 255.255.255.255 132.245.32.0 0.0.31.255
(       0 )      90 match ip 0.0.0.0 255.255.255.255 132.245.64.0 0.0.31.255
(       0 )      95 match ip 0.0.0.0 255.255.255.255 132.245.96.0 0.0.15.255
(       0 )      100 match ip 0.0.0.0 255.255.255.255 132.245.113.128 0.0.0.127
(       0 )      105 match ip 0.0.0.0 255.255.255.255 132.245.114.0 0.0.1.255
(       0 )      110 match ip 0.0.0.0 255.255.255.255 132.245.116.0 0.0.3.255
(       0 )      115 match ip 0.0.0.0 255.255.255.255 132.245.120.0 0.0.7.255
(       0 )      120 match ip 0.0.0.0 255.255.255.255 132.245.129.128 0.0.0.127
(       0 )      125 match ip 0.0.0.0 255.255.255.255 132.245.130.0 0.0.1.255
(       0 )      130 match ip 0.0.0.0 255.255.255.255 132.245.132.0 0.0.3.255
(       0 )      135 match ip 0.0.0.0 255.255.255.255 132.245.136.0 0.0.7.255
(       0 )      140 match ip 0.0.0.0 255.255.255.255 132.245.144.0 0.0.15.255
(       0 )      145 match ip 0.0.0.0 255.255.255.255 132.245.160.0 0.0.31.255
(       0 )      150 match ip 0.0.0.0 255.255.255.255 132.245.192.0 0.0.63.255
(       0 )      155 match ip 0.0.0.0 255.255.255.255 134.170.68.0 0.0.1.255
(       0 )      160 match ip 0.0.0.0 255.255.255.255 157.56.96.16 0.0.0.15
(       0 )      165 match ip 0.0.0.0 255.255.255.255 157.56.96.224 0.0.0.15
(       0 )      170 match ip 0.0.0.0 255.255.255.255 157.56.106.128 0.0.0.15
(       0 )      175 match ip 0.0.0.0 255.255.255.255 157.56.232.0 0.0.7.255
(       0 )      180 match ip 0.0.0.0 255.255.255.255 157.56.240.0 0.0.15.255
(       0 )      185 match ip 0.0.0.0 255.255.255.255 191.232.96.0 0.0.31.255
(       0 )      190 match ip 0.0.0.0 255.255.255.255 191.234.6.152 0.0.0.0
(       0 )      195 match ip 0.0.0.0 255.255.255.255 191.234.140.0 0.0.3.255
(       0 )      200 match ip 0.0.0.0 255.255.255.255 191.234.224.0 0.0.3.255
(       0 )      205 match ip 0.0.0.0 255.255.255.255 204.79.197.215 0.0.0.0
(       0 )      210 match ip 0.0.0.0 255.255.255.255 206.191.224.0 0.0.31.255
(       0 )      215 match ip 0.0.0.0 255.255.255.255 207.46.150.128 0.0.0.127
(       0 )      220 match ip 0.0.0.0 255.255.255.255 207.46.203.128 0.0.0.63
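All counters in the output above are zero, which only tells you the policy is bound, not that it is steering anything. The following Python script is an added example, not part of the original post: it parses the hit-count output of show statistics policy into per-entry records and reports which class entries have seen traffic, so that a PBR binding can be checked after some Exchange Online traffic has flowed. The output sample is constructed in the same layout as the switch output above, with non-zero counters added; the function names are my own.

```python
"""Parse 'show statistics policy ... in' hit counts from an HPE Aruba switch.

Added example (not from the original post). Counters of zero on every
entry mean the policy is bound but nothing has matched yet, which is
what you see right after applying the service-policy.
"""
import re
from typing import Dict, List

# Constructed sample output, following the layout printed by the switch,
# with a few non-zero counters so the summary has something to report.
SAMPLE_OUTPUT = """\
 Hit Counts for Policy POL-Office365-Subnets

  Total

 5 class ipv4 Office365-Subnets action ignore
(      42 )      5 match ip 0.0.0.0 255.255.255.255 13.107.6.152 0.0.0.1
(       0 )      10 match ip 0.0.0.0 255.255.255.255 13.107.9.152 0.0.0.1
(     117 )      25 match ip 0.0.0.0 255.255.255.255 23.103.160.0 0.0.15.255
"""

# "(  <hits> )  <seq> match ip <src> <src-wildcard> <dst> <dst-wildcard>"
ENTRY_RE = re.compile(
    r"^\(\s*(?P<hits>\d+)\s*\)\s+(?P<seq>\d+)\s+match ip\s+"
    r"(?P<src>\S+)\s+(?P<src_wc>\S+)\s+(?P<dst>\S+)\s+(?P<dst_wc>\S+)\s*$"
)
POLICY_RE = re.compile(r"Hit Counts for Policy\s+(?P<name>\S+)")


def parse_hit_counts(text: str) -> List[Dict[str, object]]:
    """Return one record per 'match ip' line with its hit counter."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["hits"] = int(rec["hits"])
            rec["seq"] = int(rec["seq"])
            entries.append(rec)
    return entries


def policy_name(text: str) -> str:
    """Policy name from the header line, or '' if the header is missing."""
    m = POLICY_RE.search(text)
    return m.group("name") if m else ""


def summarize(entries: List[Dict[str, object]]) -> Dict[str, object]:
    """Total hits plus the sequence numbers of active and idle entries."""
    active = [e["seq"] for e in entries if e["hits"] > 0]
    idle = [e["seq"] for e in entries if e["hits"] == 0]
    return {
        "total": sum(e["hits"] for e in entries),
        "active": active,
        "idle": idle,
        # No hits at all: the binding, the VLAN or the direction is wrong,
        # or simply no matching traffic has been sent yet.
        "no_traffic_matched": not active,
    }


if __name__ == "__main__":
    recs = parse_hit_counts(SAMPLE_OUTPUT)
    print(policy_name(SAMPLE_OUTPUT))
    for r in recs:
        print(f"seq {r['seq']:>4} {r['dst']:<16} {r['dst_wc']:<12} hits={r['hits']}")
    print(summarize(recs))
```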