S5700-EI PBR Support

Created: Aug 12, 2015 10:58:24 | Latest reply: Aug 12, 2015 14:28:40

Hi,

We are planning to configure PBR (policy-based routing) on 2x S5700-28C-PWR-EI switches (interconnected with Ethernet Stack Interface Card) to redirect the traffic on 2 different peers based on VLAN/IP range but could not get through as the documentation doesn't specify detailed configuration for PBR.

Can you please share the detailed guide for PBR configuration on S5700-EI models and confirm if it is supported?

Regards,
Vikas Shukla
+91-9999853600


Busy_with_lazy_mind     Created Aug 12, 2015 14:28:40

You can download the new Product Documentation from support.huawei.com.

The download link is:

 http://support.huawei.com/enterprise/docinforeader.action?contentId=DOC1000057609&idPath=7919710|9856733|7923144|6691579

Here is a PBR configuration example from the documentation:

 

Example for Configuring PBR Based on IP Addresses

Networking Requirements

As shown in Figure 1, the Switch on the aggregation layer serves as the Layer 3 forwarding device, and an LSW on the access layer serves as the user gateway. There is a reachable route between the Switch and LSW. The Switch is connected to two core routers through two links: low-speed link with the gateway 10.1.20.1/24 and high-speed link with the gateway 10.1.30.1/24.

The enterprise requires that the Switch forward packets from 192.168.100.0/24 and 192.168.101.0/24 to the core layer through the high-speed link and low-speed link, respectively.

Figure 1 Networking diagram for configuring PBR

Configuration Roadmap

Implement PBR based on redirection to provide differentiated services. The configuration roadmap is as follows:
  1. Create VLANs and configure interfaces to implement interconnection between the company and external networks.
  2. Configure ACL rules to match packets with source IP addresses 192.168.100.0/24 and 192.168.101.0/24.
  3. Configure traffic classifiers to match ACL rules so that the switch can differentiate packets.
  4. Configure traffic behaviors to redirect the packets matching different rules to 10.1.20.1/24 or 10.1.30.1/24.
  5. Configure traffic policies, bind them to traffic classifiers and traffic behaviors, and apply the traffic policies to the inbound direction of GE0/0/3 to implement PBR.

Procedure

  1. Create VLANs and configure interfaces.

    # Create VLANs 100 and 200 on the Switch.

    <HUAWEI> system-view
    [HUAWEI] sysname Switch
    [Switch] vlan batch 100 200

    # Configure GE0/0/1, GE0/0/2, and GE0/0/3 on the Switch as trunk interfaces, and add them to VLANs 100 and 200.

    [Switch] interface gigabitethernet 0/0/1
    [Switch-GigabitEthernet0/0/1] port link-type trunk
    [Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 200
    [Switch-GigabitEthernet0/0/1] quit
    [Switch] interface gigabitethernet 0/0/2
    [Switch-GigabitEthernet0/0/2] port link-type trunk
    [Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 200
    [Switch-GigabitEthernet0/0/2] quit
    [Switch] interface gigabitethernet 0/0/3
    [Switch-GigabitEthernet0/0/3] port link-type trunk
    [Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 200
    [Switch-GigabitEthernet0/0/3] quit

    # Create VLANIF 100 and VLANIF 200, and configure IP addresses for them.

    [Switch] interface vlanif 100
    [Switch-Vlanif100] ip address 10.1.20.2 24
    [Switch-Vlanif100] quit
    [Switch] interface vlanif 200
    [Switch-Vlanif200] ip address 10.1.30.2 24
    [Switch-Vlanif200] quit

  2. Configure ACL rules.

    # On the Switch, create advanced ACLs 3001 and 3002 that respectively allow packets with source IP addresses 192.168.100.0/24 and 192.168.101.0/24 to pass through.

    [Switch] acl 3001
    [Switch-acl-adv-3001] rule permit ip source 192.168.100.0 0.0.0.255
    [Switch-acl-adv-3001] quit
    [Switch] acl 3002
    [Switch-acl-adv-3002] rule permit ip source 192.168.101.0 0.0.0.255
    [Switch-acl-adv-3002] quit

  3. Configure traffic classifiers.

    # On the Switch, create traffic classifiers c1 and c2. Bind c1 to ACL 3001 and c2 to ACL 3002.

    [Switch] traffic classifier c1 operator or
    [Switch-classifier-c1] if-match acl 3001
    [Switch-classifier-c1] quit
    [Switch] traffic classifier c2 operator or
    [Switch-classifier-c2] if-match acl 3002
    [Switch-classifier-c2] quit

  4. Configure traffic behaviors.

    # On the Switch, create traffic behaviors b1 and b2, which redirect traffic to 10.1.20.1/24 and 10.1.30.1/24, respectively.

    [Switch] traffic behavior b1
    [Switch-behavior-b1] redirect ip-nexthop 10.1.20.1
    [Switch-behavior-b1] quit
    [Switch] traffic behavior b2
    [Switch-behavior-b2] redirect ip-nexthop 10.1.30.1
    [Switch-behavior-b2] quit

  5. Configure traffic policies and apply them to the interfaces.

    # On the Switch, create traffic policy p1 and bind it to the traffic classifiers and traffic behaviors.

    [Switch] traffic policy p1
    [Switch-trafficpolicy-p1] classifier c1 behavior b1
    [Switch-trafficpolicy-p1] classifier c2 behavior b2
    [Switch-trafficpolicy-p1] quit

    # Apply p1 to the inbound direction of GE0/0/3.

    [Switch] interface gigabitethernet 0/0/3
    [Switch-GigabitEthernet0/0/3] traffic-policy p1 inbound
    [Switch-GigabitEthernet0/0/3] return

  6. Verify the configuration.

    # Check the ACL configurations.

    <Switch> display acl 3001
    Advanced ACL 3001, 1 rule
    Acl's step is 5
     rule 5 permit ip source 192.168.100.0 0.0.0.255 (match-counter 0)
    <Switch> display acl 3002
    Advanced ACL 3002, 1 rule
    Acl's step is 5
     rule 5 permit ip source 192.168.101.0 0.0.0.255 (match-counter 0)

    # Check the traffic classifier configurations.

    <Switch> display traffic classifier user-defined
      User Defined Classifier Information:
       Classifier: c2
        Operator: OR
        Rule(s) : if-match acl 3002

       Classifier: c1
        Operator: OR
        Rule(s) : if-match acl 3001

    Total classifier number is 2

    # Check the traffic policy configurations.

    <Switch> display traffic policy user-defined p1
      User Defined Traffic Policy Information:
      Policy: p1
       Classifier: c1
        Operator: OR
         Behavior: b1
          Redirect: no forced
            Redirect ip-nexthop
            10.1.20.1
       Classifier: c2
        Operator: OR
         Behavior: b2
          Redirect: no forced
            Redirect ip-nexthop
            10.1.30.1

Configuration Files

  • Configuration file of the Switch

    #
    sysname Switch
    #
    vlan batch 100 200 
    #
    acl number 3001
     rule 5 permit ip source 192.168.100.0 0.0.0.255
    acl number 3002
     rule 5 permit ip source 192.168.101.0 0.0.0.255
    #
    traffic classifier c1 operator or
     if-match acl 3001
    traffic classifier c2 operator or
     if-match acl 3002
    #
    traffic behavior b1
     redirect ip-nexthop 10.1.20.1
    traffic behavior b2
     redirect ip-nexthop 10.1.30.1
    #
    traffic policy p1 match-order config
     classifier c1 behavior b1
     classifier c2 behavior b2
    #
    interface Vlanif100
     ip address 10.1.20.2 255.255.255.0
    #
    interface Vlanif200
     ip address 10.1.30.2 255.255.255.0
    #
    interface GigabitEthernet0/0/1
     port link-type trunk
     port trunk allow-pass vlan 100 200
    #
    interface GigabitEthernet0/0/2
     port link-type trunk
     port trunk allow-pass vlan 100 200
    #
    interface GigabitEthernet0/0/3
     port link-type trunk
     port trunk allow-pass vlan 100 200
     traffic-policy p1 inbound
    #
    return
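
An added example, not part of the reply or of the Huawei documentation it quotes: a Python check that walks the configuration file above from traffic policy to classifier, ACL and behavior, then reports any redirect next hop that is not inside a subnet of one of the Switch's VLANIF interfaces and any classifier whose source range overlaps an earlier one. The `audit` helper and its finding strings are assumptions of this example, and it reads only permit rules with contiguous wildcard masks.

```python
import ipaddress
CONFIG = """\
acl number 3001
 rule 5 permit ip source 192.168.100.0 0.0.0.255
acl number 3002
 rule 5 permit ip source 192.168.101.0 0.0.0.255
traffic classifier c1 operator or
 if-match acl 3001
traffic classifier c2 operator or
 if-match acl 3002
traffic behavior b1
 redirect ip-nexthop 10.1.20.1
traffic behavior b2
 redirect ip-nexthop 10.1.30.1
traffic policy p1 match-order config
 classifier c1 behavior b1
 classifier c2 behavior b2
interface Vlanif100
 ip address 10.1.20.2 255.255.255.0
interface Vlanif200
 ip address 10.1.30.2 255.255.255.0
"""  # constructed sample: the PBR stanzas of the configuration file above

def audit(cfg):  # hypothetical helper for this example, not a Huawei tool
    acl, cls, hop, nets, pairs, cur = {}, {}, {}, [], [], []
    for line in cfg.splitlines():
        w = line.split()
        if not line.startswith(" "):
            cur = w  # stanza header, e.g. ['traffic', 'behavior', 'b1']
        elif cur[:1] == ["acl"] and "permit" in w and "source" in w:
            i = w.index("source") + 1  # address, then a contiguous wildcard mask
            bits = 32 - int(ipaddress.ip_address(w[i + 1])).bit_length()
            acl.setdefault(cur[-1], []).append(ipaddress.ip_network(f"{w[i]}/{bits}"))
        elif cur[1:2] == ["classifier"] and w[:2] == ["if-match", "acl"]:
            cls.setdefault(cur[2], []).append(w[2])
        elif cur[1:2] == ["behavior"] and w[:2] == ["redirect", "ip-nexthop"]:
            hop[cur[2]] = ipaddress.ip_address(w[2])
        elif cur[1:2] == ["policy"] and w[:1] == ["classifier"]:
            pairs.append((w[1], w[3]))  # kept in configured (match) order
        elif cur[:1] == ["interface"] and w[:2] == ["ip", "address"]:
            nets.append(ipaddress.ip_interface(f"{w[2]}/{w[3]}").network)
    table, findings = [], []
    for c, b in pairs:
        srcs = [n for a in cls.get(c, []) for n in acl.get(a, [])]
        if b not in hop or not any(hop[b] in n for n in nets):
            findings.append(f"{b}: next hop missing or not on a connected subnet")
        if not srcs or any(s.overlaps(p) for s in srcs for _, ps, _ in table for p in ps):
            findings.append(f"{c}: no source matched, or overlaps an earlier classifier")
        table.append((c, srcs, hop.get(b)))
    return table, findings
```

Running `audit` on a saved configuration before binding the policy to an interface shows which source range ends up at which next hop, in the order the policy lists its classifiers.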
    