Configuring PBR to redirect traffic on S7700 (V200R010C00SPC600) doesn't take effect

Latest reply: Nov 28, 2018 08:19:51
This post was last edited by cWX611640 at 2018-10-26 04:15.

After configuring PBR on the S7700 (V200R010C00SPC600), tracert results show that PBR is not taking effect.


To solve this problem, here we offer a troubleshooting method.

First of all, make sure that the traffic-policy is configured correctly, as well as the ACL and the application of the traffic-policy on the appropriate interface. Pay special attention to the direction used in the traffic-policy: the inbound direction only affects traffic entering the port, and outbound only affects traffic forwarded out of the interface.
E.g.:
#    
acl 3001  
  rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
traffic classifier to_inbound
  if-match acl 3001
traffic behavior to_inbound
  redirect ip-nexthop 172.16.1.1
traffic policy to_inbound
  classifier to_inbound behavior to_inbound
int g0/0/1
  traffic-policy to_inbound inbound
#
This configuration will redirect traffic from 192.168.1.0/24 to 10.1.1.0/24 to the next hop 172.16.1.1.
But if the traffic-policy is applied as:
int g0/0/1
traffic-policy to_inbound outbound
this wouldn't help at all.
In particular, when configured with outbound but with the source and destination IP addresses in the ACL swapped, this may be valid, like this:
acl 3001  
  rule 5 permit ip source 10.1.1.0 0.0.0.255 destination  192.168.1.0 0.0.0.255
traffic classifier to_inbound
  if-match acl 3001
traffic behavior to_inbound
  redirect ip-nexthop 172.16.1.1
traffic policy to_inbound
  classifier to_inbound behavior to_inbound
int g0/0/1
  traffic-policy to_inbound outbound
Although these two scenarios may have the same result, in fact they work completely differently.

In the first situation, traffic is inspected before traveling through the device.
In the second scenario, traffic is inspected when it is forwarded out of the device; in some situations, this may happen when the traffic is on its return trip.

NOTE: Some people have figured out that redirect ip-nexthop wouldn't take effect in the outbound direction. I have noticed this problem, and sorry for the mistake that I made.
Thanks for figuring this out. What I wanted to express is the process by which the device handles the traffic, but I chose the wrong example; sorry for that.

After checking the configuration, we'd better test whether the redirected IP address is accessible.
We can do the test by ping or by checking whether the device has learned the MAC address of the redirected address.

Then we can inspect the interface configuration, checking whether there is any other command that will influence traffic forwarding.
E.g.: traffic-filter
traffic-filter was added in V200R002C00. When traffic-filter and traffic-policy are both configured under the very same interface, traffic-filter will take effect first.
When traffic matches traffic-filter, it wouldn't be checked against traffic-policy.
This problem is quite concealed.
What's more, when traffic-filter is configured, if the traffic passing through doesn't match any rules in traffic-filter, it will be forwarded as usual, quite different from an ACL.


If you find any errors in this post, please point them out; it's a pleasure to see you sharing your thoughts~
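
The two pitfalls from the post above can be checked offline against a saved configuration. This is an added example, not part of the original post and not a Huawei tool; the function names, finding labels and sample configuration (including `acl 3000` and the second interface) are constructed for illustration.

```python
import re

# Constructed sample in the style of the post's configuration (not from a real device).
SAMPLE = """\
traffic classifier to_inbound
  if-match acl 3001
traffic behavior to_inbound
  redirect ip-nexthop 172.16.1.1
traffic policy to_inbound
  classifier to_inbound behavior to_inbound
interface GigabitEthernet0/0/1
  traffic-filter inbound acl 3000
  traffic-policy to_inbound inbound
interface GigabitEthernet0/0/2
  traffic-policy to_inbound outbound
"""

def parse(config):
    """Map each unindented section header to its indented child lines."""
    sections, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.strip() == "#":
            continue
        if line[0].isspace() and current is not None:
            sections[current].append(line.strip())
        else:
            current = " ".join(line.split())
            sections[current] = []
    return sections

def audit(config):
    """Return (section, finding) pairs for policies that bind a redirect behavior."""
    s = parse(config)
    redirect = {h.split()[2] for h, body in s.items() if h.startswith("traffic behavior ")
                and any(l.startswith("redirect ip-nexthop ") for l in body)}
    pbr = {h.split()[2] for h, body in s.items() if h.startswith("traffic policy ")
           for l in body for m in [re.match(r"classifier \S+ behavior (\S+)", l)]
           if m and m.group(1) in redirect}
    findings = []
    for h, body in s.items():
        filters = {l.split()[1] for l in body if l.startswith("traffic-filter ")}
        for l in body:
            m = re.match(r"traffic-policy (\S+) (inbound|outbound)$", l)
            if m and m.group(1) in pbr:
                if m.group(2) == "outbound":  # the post's NOTE: redirect has no effect outbound
                    findings.append((h.split()[-1], "redirect-outbound"))
                if m.group(2) in filters:  # assumption: same direction, not just same interface
                    findings.append((h.split()[-1], "traffic-filter-first"))
    return findings
```

A `traffic-filter-first` finding only means the filter's ACL should be compared with the policy's ACL, since traffic that matches the filter is never checked against the traffic-policy.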

chenhui
Admin Created Nov 9, 2018 00:48:25

Posted by Torrent at 2018-11-06 03:35 Hi, author, can I ask a question? is this avalanche for AR router and USG firewall?because we usual ...
If you mean whether it's possible to implement PBR on an AR or USG firewall, absolutely yes.
During your configuration process, please pay attention; don't make mistakes like I did.

Mysterious.color
MVE Created Nov 28, 2018 08:19:51

Thanks for sharing.