This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>

Enterprise
Community Forums Switches
Configuring PBR to redire...

Configuring PBR to redirect traffic on S7700(V200R010C00SPC600) doesn't take effect Highlighted

Latest reply: Nov 28, 2018 08:19:51 653 13 3 0
display all floors #1
After configured PBR on S7700(V200R010C00SPC600),tracert results show PBR not taking effect.


To solve this problem,here we offer a method to troubleshoot this problem.

First of all,making sure that traffic-policy is configured correctly,also ACL and applying traffic-policy in the appropriate interface.Especially the direction used in traffic-policy,inbound direction only effect the traffic enter the port,outbound only influence the traffic forwarded out of the interface.
eg: 
#    
acl 3001  
  rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
traffic classifier to_inbound
  if-match acl 3001
traffic behavior to_inbound
  redirect ip-nexthop 172.16.1.1
traffic policy to_inbound
  classifier to_inbound behavior to_inbound
int g0/0/1
  traffic-policy to_inbound inbound
#
this configuration will redirect traffic,those from 192.168.1.0/24 to 10.1.1.0/24,to 172.16.1.1,
But if the traffic-policy is used as :
int g0/0/1
traffic-policy to_inbound outbound
this wouldn't help anything.
Particularly, when configured with outbound,but swap the source IP address and destination IP address in ACL,this may be valid,just like
acl 3001  
  rule 5 permit ip source 10.1.1.0 0.0.0.255 destination  192.168.1.0 0.0.0.255
traffic classifier to_inbound
  if-match acl 3001
traffic behavior to_inbound
  redirect ip-nexthop 172.16.1.1
traffic policy to_inbound
  classifier to_inbound behavior to_inbound
int g0/0/1
  traffic-policy to_inbound outbound
Althrough this two scenarios may have same result,but in fact,they  work completely differently.

In the first situation,traffics are inspected before traveling through device.
In the second secnario,traffics are inspected when the forward out of the device,in some situation,this may happen when traffic on their return trip.

NOTE:some guys has figured out that redirect ip-nexthop wouldn't take effcet on the outbound direction,I have noticed this problem, and sorry for the mistake that I made.
Thanks for figuring this out.What I want to expression is process of the device processing the traffic, but I chosed wrong example,sorry for that. 

After checking the configuration,we'd better test if the redirected IP address is accessible.
    we can do the test by ping or checking if the device has learned the MAC address of the redirected adddress.

Then,we can inspect the interface configuration,checking if there is other command that will influence the traffic forwarding.
eg: traffic-filter
  traffic-filter is added from V200R002C00 when traffic-filter and traffic-policy both configured under the very same interface,traffic-filter will take effect first.
When traffic matches traffic-filter,it wouldn't check if it matches traffic-policy.
This problem is quite concealed.
What's more, when traffic-filter configured,if the traveling traffic doesn't match any rules in traffic-filter,it will be forwarded as usual,quite different with ACL.


If you guys find any errors in this post,plz figure it out,and it's pleasure to see you sharing your thoughts~ 
This post was last edited by cWX611640 at 2018-10-26 04:15.
  • x
  • convention:

Helpful (3) Favorite(0) Share Report
faysalji
Created Oct 25, 2018 11:01:07 Helpful(0) Helpful(0)

Thank You..
  • x
  • convention:

chenhui
chenhui Created Oct 26, 2018 00:53:25
hope this can provide some ideas during troubleshooting.  
If you think my post/reply is useful, please click the Helpful button and flag my post as a BEST ANSWER. Thanks
Mysterious.color
MVE Created Oct 25, 2018 21:59:25 Helpful(0) Helpful(0)

Thank You
  • x
  • convention:

chenhui
chenhui Created Oct 26, 2018 00:54:48
hope you enjoy this article,and plz sharing your any ideas about this .  
Core%20Engineer%2C%20Technical%20Department.%20High%20experience%20in%20Networking
chenhui
Admin Created Oct 26, 2018 04:16:45 Helpful(0) Helpful(0)

NOTE:some guys has figured out that redirect ip-nexthop wouldn't take effcet on the outbound direction,I have noticed this problem, and sorry for the mistake that I made.
Thanks for figuring this out.What I want to expression is process of the device processing the traffic, but I chosed wrong example,sorry for that.
  • x
  • convention:
faysalji
Created Oct 26, 2018 05:51:34 Helpful(0) Helpful(0)

Posted by cWX611640 at 2018-10-26 01:16 NOTE:some guys has figured out that redirect ip-nexthop wouldn't take effcet on the outbound direct ...
Thanks for correction
  • x
  • convention:
If you think my post/reply is useful, please click the Helpful button and flag my post as a BEST ANSWER. Thanks
Skay
Created Oct 31, 2018 01:43:34 Helpful(0) Helpful(0)

HI author , i have one question , about the redirect ip-nexthop , if the ip address we cannot find it in the routing-table , whether the redirect traffic will be forwarding to the ip address ? or the redirect ip-nexthop ip address must be found in the arp table ?
if you know this , kindly share to me a good example .
  • x
  • convention:
chenhui
Admin Created Oct 31, 2018 08:50:34 Helpful(0) Helpful(0)

Posted by Skay at 2018-10-31 01:43 HI author , i have one question , about the redirect ip-nexthop , if the ip address we cannot find i ...
about the redirect ip-nexthop,when the next-hop is unreachable(eg:no route path to the next-hop or there is route-path to the next-hop,but without downloading to the routing-table),device will forward traffic refer to routing-table,just like skip the route policy(in fact,not like this,device will check route policy first,we can learn that through experiment).when next-hop is reachable and direct connected,through we can't find corresponding item in arp table,when route policy matches traffic,device will triger ARP learning,if it takes too long to learn the ARP,device will forward traffic as default.
what's more, when the nexthop is not direct connected,we need replace redirect ip-nexthop with redirect remote which command supported by partial devices.
Hope this can help you.Configuring PBR to redirect traffic on S7700(V200R010C00SPC600) doesn't take effect-2791709-1
  • x
  • convention:
Torrent
Created Nov 6, 2018 03:35:40 Helpful(0) Helpful(0)

Hi, author, can I ask a question? is this avalanche for AR router and USG firewall?
because we usually meet this issue in other device.

thanks for sharingConfiguring PBR to redirect traffic on S7700(V200R010C00SPC600) doesn't take effect-2795637-1
  • x
  • convention:
wissal
MVE Created Nov 7, 2018 15:09:56 Helpful(0) Helpful(0)

Thanks for sharing
  • x
  • convention:
I%20would%20like%20to%20share%20with%20you%20my%20experience%2C%20I'm%20telecommunications%20engineer%2C%20currently%20senior%20project%20manager%20at%20an%20operator%2C%20partner%20of%20Huawei%2C%20in%20the%20radio%20access%20network%20department%2C%20for%2020%20years%20I%20managed%20several%20types%20of%20projects%2C%20for%20the%20different%20nodes%20of%20the%20network.%3Cbr%2F%3EAt%20the%20same%20time%2C%20I%20give%20courses%20in%20universities%20as%20a%20temporary%2C%20to%20bring%20the%20operational%20side%20of%20telecommunication%20technologies%20to%20students%2C%20for%20network%20supervision%20systems%2C%20mobile%20radio%20networks%20and%20access%20networks%20etc.
chenhui
Admin Created Nov 9, 2018 00:40:13 Helpful(0) Helpful(0)

Posted by wissal at 2018-11-07 15:09 Thanks for sharing
hope this can help youConfiguring PBR to redirect traffic on S7700(V200R010C00SPC600) doesn't take effect-2797453-1
  • x
  • convention:
12
Back to list

Comment

Reply
Advanced
B Color Image Link Quote Code Smilies
You need to log in to reply to the post Login | Register

Notice Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:
  • Politically sensitive content
  • Content concerning pornography, gambling, and drug abuse
  • Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacy
Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see " Privacy."
If the attachment button is not available, update the Adobe Flash Player to the latest version!
Login and enjoy all the member benefits

Login and enjoy all the member benefits

Login
Huawei Website Support About Huawei Privacy Terms of Use
Huawei Enterprise Huawei Carrier Forum Training & Certification

Copyright © 2019 Huawei Technologies Co., Ltd. All rights reserved.

APP