PBR for Management Interface



fadler
2013-08-08, 07:20
I'm running two HA clusters with Gaia R76 (2 * 4800 / 2 * 4600).
For management I'm trying to set up PBR so that traffic which comes in through the mgmt interface also goes out through the mgmt interface...

What I have configured is:

PBR has 1 table
PBR table Management (ID=1) has 1 route
Default route, nexthop gateway
gateway Mgmt
preference 1

PBR has 1 rule
PBR rule 1 interface Mgmt table 1

Unfortunately this doesn't work as expected... Any ideas?

melipla
2013-08-08, 14:08
I guess I'm not understanding why you couldn't add a route for the network that's arriving on your management interface to go out your management interface?

Regardless, your Gaia commands seem way off. According to this document (https://sc1.checkpoint.com/documents/R76/CP_R76_Gaia_Advanced_Routing_AdminGuide/92490.htm) it should be like so:


set pbr table PBRtable1 static-route 10.1.1.0/24 nexthop gateway logical Mgmt on
set pbr rule priority 1 match interface Mgmt
set pbr rule priority 1 action table PBRtable1
save config

fadler
2013-08-09, 04:12
What you see in my post is the output of "show pbr summary".
What I have configured is a default route which has the mgmt interface as nexthop and it should apply for traffic coming in on the mgmt interface.



set pbr table Management static-route default nexthop gateway logical Mgmt on
set pbr rule priority 1 match interface Mgmt
set pbr rule priority 1 action table Management


For some reason, this doesn't work.

melipla
2013-08-09, 11:56
So the only thing I could come up with was that priority 1 isn't valid; it has to be 2 or higher. The GUI will let you set it to 1, however if you go back in and edit it you'll get an error / warning saying it has to be 2 or higher.

Everything else looks good... there is one SK regarding "default" not working, so maybe try using a network instead of default as a test.

fadler
2013-08-12, 11:17
Tried with a higher priority and also 10.0.0.0/8 as the destination network instead of default... still no luck...
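The following is an added illustration, not a post from this thread and not Check Point code. It models the PBR building blocks the thread is configuring (a table of static routes, rules evaluated in priority order that match on the ingress interface or a source prefix and select a table, and a fallback to the main routing table) so the lookup for a given packet can be traced. All interface names, addresses and the topology are constructed for the example; how Gaia treats packets the gateway itself originates (replies to management sessions) is not established in the thread, so the model's handling of those packets is an assumption and the source-prefix rule is included for comparison only.

```python
"""Model of a policy-based routing lookup (added illustration, not Gaia code).

It mirrors the pieces named in the thread: a table of static routes, rules
ordered by priority that match on ingress interface (or source prefix) and
select a table, and a fallback to the main routing table. All interface
names and addresses below are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Route:
    prefix: str           # "default" or a CIDR prefix
    out_iface: str        # "nexthop gateway logical <iface>"

    def network(self):
        return ip_network("0.0.0.0/0" if self.prefix == "default" else self.prefix)


@dataclass
class Rule:
    priority: int
    table: str
    match_interface: Optional[str] = None  # "match interface <iface>"
    match_from: Optional[str] = None       # "match from <prefix>"

    def matches(self, pkt: "Packet") -> bool:
        if self.match_interface is not None and pkt.ingress_iface != self.match_interface:
            return False
        if self.match_from is not None and ip_address(pkt.src) not in ip_network(self.match_from):
            return False
        return True


@dataclass
class Packet:
    src: str
    dst: str
    # None models a packet the gateway itself originates (e.g. a reply to an
    # SSH session). Treating such packets as having no ingress interface is a
    # modelling assumption, not something the thread establishes about Gaia.
    ingress_iface: Optional[str]


def lookup(table: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match; returns the outgoing interface or None."""
    best = None
    for r in table:
        if ip_address(dst) in r.network():
            if best is None or r.network().prefixlen > best.network().prefixlen:
                best = r
    return best.out_iface if best else None


def route(pkt: Packet, rules: List[Rule], tables: Dict[str, List[Route]],
          main: List[Route]) -> Tuple[Optional[str], str]:
    """Evaluate rules in priority order; fall back to the main table.

    Assumption: a matching rule whose table has no route for the destination
    is skipped rather than dropping the packet.
    """
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(pkt):
            out = lookup(tables[rule.table], pkt.dst)
            if out is not None:
                return out, rule.table
    return lookup(main, pkt.dst), "main"


# Constructed topology: external default route, an internal /8, and a
# dedicated management network reached only through Mgmt.
MAIN = [Route("default", "External"), Route("10.0.0.0/8", "Internal")]
TABLES = {"Management": [Route("default", "Mgmt")]}
# Equivalent of: set pbr rule priority 2 match interface Mgmt / action table Management
IFACE_RULE = [Rule(2, "Management", match_interface="Mgmt")]
# Same, plus a source-prefix rule for traffic sourced from the management network.
SRC_RULE = IFACE_RULE + [Rule(3, "Management", match_from="192.168.100.0/24")]


def demo() -> Dict[str, Tuple[Optional[str], str]]:
    forwarded = Packet("192.168.100.50", "10.5.5.5", ingress_iface="Mgmt")
    internal = Packet("10.1.1.7", "8.8.8.8", ingress_iface="Internal")
    local_reply = Packet("192.168.100.1", "10.5.5.5", ingress_iface=None)
    return {
        "forwarded_via_mgmt": route(forwarded, IFACE_RULE, TABLES, MAIN),
        "internal_unaffected": route(internal, IFACE_RULE, TABLES, MAIN),
        "local_reply_iface_rule": route(local_reply, IFACE_RULE, TABLES, MAIN),
        "local_reply_src_rule": route(local_reply, SRC_RULE, TABLES, MAIN),
    }


if __name__ == "__main__":
    for name, (iface, table) in demo().items():
        print(f"{name:26s} -> {iface} (table {table})")
```

Running the script walks four packets through the lookup: a packet forwarded in on Mgmt leaves via Mgmt, a packet on Internal is untouched by the rule, and the two local-reply cases show why it is worth checking whether the gateway's own management replies are matched by an interface rule at all, or whether a rule on the management source prefix is needed to keep them on the Mgmt interface.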