Hi guys,
I've got a small network set up where I'm trying to test a traffic inspection machine. I've got it working to an extent that it works, but I would like to know if I can make it better.
Currently, there are 3 parts to this network:
- TOR Switches. Connected to Brocade MLX 8
- Brocade MLX. Connected to Upstream, TOR Switch, and Traffic Inspection
- Traffic Inspection. Connected to Brocade MLX
The Brocade MLX announces a set of IPs to its upstream. My ideal traffic flow is, traffic comes in from the Upstream to the Brocade. The Brocade sends most traffic directly to the TOR Switches, but for certain IPs, traffic is sent to the Traffic Inspection machine. The Traffic Inspection machine's return traffic is sent back to the Brocade MLX and flows to the TOR Switches naturally.
What I've done to currently get this to work is utilize a PBR where traffic coming from Upstream AND matches ACL 150, is next-hopped to the Traffic Inspection machine. That way, when returning traffic from the Traffic Inspection box comes, since it is not coming from the Upstream, it flows to the TOR Switches naturally. What I did is on the Brocade, create ACL 150 with a list of IPs. Then, I have a route-map like so, which is applied to the Upstream:
route-map INSPECTION permit 5 match ip address 150 set ip next-hop 1.2.3.4
1.2.3.4 is the IP of the Traffic Inspection box.
This works - however, I would like to be able to do this a little more dynamically. Is it possible to have the PBR pull from a BGP speaking neighbor, rather than having to statically define an ACL? As far as I know this is not possible because if a BGP speaking neighbor announced a route to the Brocade MLX-8, then the return traffic from the Traffic Inspection box would just get routed back to itself, creating a route loop. Is there a way that I can make this work?
Thanks in advance! Apologies if it's a little hard to understand, I'm by no means a networking expert! I have only got this far through many hours of Googling.
No comments:
Post a Comment