On Thu, Apr 3, 2014 at 12:46 PM, Jesse Rink <[email protected]> wrote:

> Curious if there's anyone on the list here that is good at implementing
> Policy Based Routing, in this case on HP ProCurve switches.

I've done policy routing before, although not on ProCurve.

> Might need to take the discussion offline to not litter the list with
> back and forth discussion...

I don't do one-on-one support for free. :)

I participate in forums like this because it's a community resource. Many give, and many more reap the benefits. Archives can even benefit those in the future. The public discussion also allows multiple people to contribute, check, correct, and build on each other's ideas. I've gotten a tremendous wealth of help and knowledge from this list, and I want to pay it forward. Helping one person, off-list, does none of that.

> routing ONLY for port 80 and port 443 traffic through a web
> appliance instead of routing it to the firewall.

What does the web appliance do? Where does it send the traffic once it's done doing whatever it does?

> I have this working, but am curious if perhaps my settings are slightly 'off'
> because I'm not quite seeing the results I'd expect.

What are your expected results, and what are your actual results?

In general, where people usually go wrong with this stuff is they forget that by default, IP routing is stateless and forward-only. The *only* thing that a router normally looks at is the destination address of each individual packet. The protocol is irrelevant, the port is irrelevant, the source address is irrelevant. The fact that a packet is part of a TCP stream is irrelevant. The fact that a packet is "in response" to another packet is irrelevant. The fact that a previous routing decision was made for a related packet is irrelevant. Only the destination address matters.

Policy routing changes this, of course, but people often make assumptions that because they make a policy routing rule on one router, all other traffic will follow suit everywhere. For example, if a datagram is fragmented, and the policy router keeps no state, then only the first packet will be routed via the policy rule, and the rest will be routed per normal. (Because only the first fragment has the protocol/ports in the header.)

--
Ben
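The forwarding behaviour Ben describes, as an added illustration that is not part of the original thread and not ProCurve configuration: a plain destination-only lookup beside a policy router that matches TCP ports 80/443. The next-hop names ("firewall", "web-appliance", "lan-core"), the prefix table and the packets are all constructed for the simulation. It also shows why a stateless policy router sends only the first fragment of a datagram to the appliance, and what tracking fragments by (src, dst, IP id) changes.

```python
"""Constructed simulation of destination-only forwarding versus port-based
policy routing, including the fragmented-datagram case.  Next-hop names,
prefixes and packets are made up for the example."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp", "icmp", ...
    ip_id: int                      # IP Identification, shared by all fragments
    frag_offset: int = 0            # 0 => first (or only) fragment
    more_fragments: bool = False    # MF flag
    dst_port: Optional[int] = None  # L4 header exists only when frag_offset == 0


def destination_route(pkt, table, default):
    """Ordinary IP forwarding: longest-prefix match on the destination only.
    Protocol, ports, source and any earlier decision play no part."""
    addr = ip_address(pkt.dst)
    best = None
    for prefix, next_hop in table:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else default


class PolicyRouter:
    """Policy rule: TCP to policy_ports -> policy_hop; everything else falls
    back to the destination lookup.  With stateful=True the router remembers
    the decision for the first fragment and applies it to later fragments."""

    def __init__(self, table, default, policy_ports, policy_hop, stateful=False):
        self.table = table
        self.default = default
        self.policy_ports = set(policy_ports)
        self.policy_hop = policy_hop
        self.stateful = stateful
        self.pending = {}  # (src, dst, ip_id) -> next hop for in-flight fragments

    def route(self, pkt):
        key = (pkt.src, pkt.dst, pkt.ip_id)
        # Only the first fragment carries the TCP header, so only it can match.
        if pkt.frag_offset == 0 and pkt.proto == "tcp" and pkt.dst_port in self.policy_ports:
            if self.stateful and pkt.more_fragments:
                self.pending[key] = self.policy_hop
            return self.policy_hop
        # Later fragments: a stateless router sees no ports and uses the plain lookup.
        if pkt.frag_offset > 0 and self.stateful and key in self.pending:
            hop = self.pending[key]
            if not pkt.more_fragments:
                del self.pending[key]   # last fragment seen; drop the state
            return hop
        return destination_route(pkt, self.table, self.default)


def fragmented_http_request(src, dst, ip_id, n_fragments):
    """Constructed HTTP request split into n_fragments IP fragments."""
    pkts = [Packet(src, dst, "tcp", ip_id, 0, True, dst_port=80)]
    for i in range(1, n_fragments):
        pkts.append(Packet(src, dst, "tcp", ip_id, i * 185, i < n_fragments - 1))
    return pkts


def route_all(router, pkts):
    return [router.route(p) for p in pkts]


# Constructed topology: internal prefix via lan-core, everything else via firewall.
TABLE = [("10.0.0.0/8", "lan-core")]


def demo():
    frags = fragmented_http_request("10.1.2.3", "203.0.113.10", ip_id=4242, n_fragments=3)
    stateless = PolicyRouter(TABLE, "firewall", (80, 443), "web-appliance")
    stateful = PolicyRouter(TABLE, "firewall", (80, 443), "web-appliance", stateful=True)
    # The server's reply has dst_port = client's ephemeral port, so the policy
    # rule never matches it; it is routed on destination alone.
    reply = Packet("203.0.113.10", "10.1.2.3", "tcp", 77, dst_port=51234)
    return {
        "stateless": route_all(stateless, frags),
        "stateful": route_all(stateful, frags),
        "reply": stateless.route(reply),
    }


if __name__ == "__main__":
    for name, hops in demo().items():
        print(name, hops)
```

The stateless run sends only the first fragment through the appliance and the remaining fragments straight to the firewall, which is the symptom to look for when a "working" rule gives odd results; the stateful variant keys on (src, dst, IP id) so the whole datagram follows one path.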

