
Configuring traffic-policy with redirect ip-nexthop does not take effect for BRAS users on NE40E


Issue Description

Here is the topology:
The MikroTik router is connected to the BRAS interface GE1/0/3.


The customer configured a traffic-policy with redirect ip-nexthop for BRAS users on the NE40E:
acl number 6091
 description "Expired-User"
 rule 5 permit ip source ip-address 10.1.0.0 0.0.3.255
 rule 10 permit ip source ip-address 10.1.0.0 0.0.3.255 destination ip-address any
#
traffic classifier expired operator or
 if-match acl 6091
#
traffic behavior expired
 redirect ip-nexthop 172.18.32.22
#
traffic policy expired
 share-mode
 classifier expired behavior expired precedence 101
#
interface GigabitEthernet1/0/3
 undo shutdown
 ip address 172.18.32.21 255.255.255.252
 traffic-policy expired outbound
 dcn
The customer expects the green traffic, the 10.1.0.0/22 segment, to go via the MikroTik router, while normal users take the MPLS ring to reach the IGW.
e.g.: 10.1.3.X -> BRAS(172.18.32.21) -> MikroTik router(172.18.32.22)
other segments, e.g.: 100.106.X.X -> BRAS -> MPLS Network -> IGW
But the traffic-policy did not take effect: the 10.1.0.0/22 segment also went to the IGW via the MPLS network.

Handling Process

1. The users to be redirected are BRAS users, so they cannot be matched by IP address; they must be matched by user-group.
2. Interface GE1/0/3 is the outbound interface towards the MikroTik router, so the traffic-policy cannot be applied on this interface. The inbound interface is the BRAS port, so the traffic-policy can only be applied globally.

Root Cause

In fact, this is a configuration problem. Note that a traffic-policy for BRAS users must match on user-group, and the traffic-policy must be applied on the inbound interface of the flow or globally.

Solution

Create a new user-group named "suspend" for the users to be redirected, create a new domain so that these users can still go online normally, then modify the traffic-policy as follows:
acl number 6091
 description "Expired-User"
 rule 5 permit ip source user-group suspend
 rule 10 permit tcp source user-group suspend
 rule 15 permit udp source user-group suspend
 rule 20 permit icmp source user-group suspend
#
traffic classifier expired operator or
 if-match acl 6091
#
traffic behavior expired
 redirect ip-nexthop 172.18.32.22
#
traffic policy expired
 share-mode
 classifier expired behavior expired precedence 101
#
traffic-policy expired inbound
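As an added example (not part of the original case or Huawei's own tooling), the following Python script audits an NE40E-style configuration for the two mistakes described above: ACL rules that match BRAS users by source IP address instead of user-group, and the redirect policy applied outbound on an interface instead of inbound or globally. The sample configurations are condensed from the case and are constructed for this example.

```python
import re

def parse_blocks(config):
    """Split NE40E-style config on '#' separator lines into (header, body-lines)."""
    blocks = []
    for chunk in re.split(r"^#\s*$", config, flags=re.M):
        lines = [l.strip() for l in chunk.splitlines() if l.strip()]
        if lines:
            blocks.append((lines[0], lines[1:]))
    return blocks

def audit_bras_redirect(config):
    """Flag ACL rules matching BRAS users by IP and policies applied outbound on an interface."""
    acls, referenced, findings = {}, set(), []
    for header, body in parse_blocks(config):
        w = header.split()
        if w[:2] == ["acl", "number"]:
            acls[w[2]] = body
        elif w[:2] == ["traffic", "classifier"]:
            referenced |= {l.split()[2] for l in body if l.startswith("if-match acl ")}
        elif w[0] == "interface":
            for l in body:
                m = re.match(r"traffic-policy (\S+) outbound$", l)
                if m:
                    findings.append(f"{w[1]}: policy '{m.group(1)}' applied outbound; "
                                    "apply it inbound on the access side or globally")
    for acl in sorted(referenced):
        for rule in acls.get(acl, []):
            if "source ip-address" in rule:
                findings.append(f"acl {acl}: '{rule}' matches by IP; use 'source user-group'")
    return findings

# Constructed samples condensed from the case: the failing and the corrected config.
BEFORE = """\
acl number 6091
 rule 5 permit ip source ip-address 10.1.0.0 0.0.3.255
#
traffic classifier expired operator or
 if-match acl 6091
#
traffic behavior expired
 redirect ip-nexthop 172.18.32.22
#
interface GigabitEthernet1/0/3
 traffic-policy expired outbound
"""
AFTER = BEFORE.replace("source ip-address 10.1.0.0 0.0.3.255", "source user-group suspend") \
              .replace("interface GigabitEthernet1/0/3\n traffic-policy expired outbound",
                       "traffic-policy expired inbound")
```

Running `audit_bras_redirect(BEFORE)` reports the outbound application and the IP-based rule, while the corrected `AFTER` configuration produces no findings.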
