After PBR is configured, the communication between intranets is unavailable


The solution is as follows:
If traffic between intranets matches a PBR classifier, the associated traffic behavior (for example, a redirect) is applied to it and communication between the intranets fails. The solution is to create a traffic classifier that matches the traffic between intranets and bind it to an empty traffic behavior. This traffic then matches the empty behavior, takes no PBR action, and is forwarded normally instead of matching other traffic behaviors.
Classifiers are matched in the order in which they are configured in the traffic policy. If the traffic between intranets needs to be matched first, adjust the order in the traffic policy.
Example: Add a traffic policy entry for the traffic between intranets. In this example, the two internal network segments are 192.168.1.0/24 and 192.168.2.0/24, and the original traffic classifier and traffic behavior are c and b respectively. Create a traffic classifier for the traffic between intranets that references an ACL, configure an empty traffic behavior, delete the existing binding from the traffic policy, bind the intranet classifier first, and then bind the other classifiers.
<Huawei> system-view
[Huawei] acl 3001
[Huawei-acl-adv-3001] rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
[Huawei-acl-adv-3001] rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[Huawei-acl-adv-3001] quit
[Huawei] traffic classifier neiwang
[Huawei-classifier-neiwang] if-match acl 3001
[Huawei-classifier-neiwang] quit
[Huawei] traffic behavior neiwang
[Huawei-behavior-neiwang] quit
[Huawei] traffic policy p
[Huawei-trafficpolicy-p] undo classifier neiwang
[Huawei-trafficpolicy-p] classifier neiwang behavior neiwang
[Huawei-trafficpolicy-p] classifier c behavior b
[Huawei-trafficpolicy-p] quit

Other related questions:
How to configure policy-based routing on an S switch?
For example, traffic entering GE2/0/1 is to be redirected as follows: traffic with source IP 192.168.100.0/24 is redirected to next hop 10.1.20.1, and traffic with source IP 192.168.101.0/24 is redirected to next hop 10.1.30.1. Working flow:
1. Configure ACLs to match the traffic that needs to be redirected.
[Switch] acl 3001
[Switch-acl-adv-3001] rule permit ip source 192.168.100.0 0.0.0.255
[Switch-acl-adv-3001] quit
[Switch] acl 3002
[Switch-acl-adv-3002] rule permit ip source 192.168.101.0 0.0.0.255
[Switch-acl-adv-3002] quit
2. Configure traffic classifiers.
[Switch] traffic classifier c1 operator or
[Switch-classifier-c1] if-match acl 3001
[Switch-classifier-c1] quit
[Switch] traffic classifier c2 operator or
[Switch-classifier-c2] if-match acl 3002
[Switch-classifier-c2] quit
3. Configure traffic behaviors.
[Switch] traffic behavior b1
[Switch-behavior-b1] redirect ip-nexthop 10.1.20.1
[Switch-behavior-b1] quit
[Switch] traffic behavior b2
[Switch-behavior-b2] redirect ip-nexthop 10.1.30.1
[Switch-behavior-b2] quit
4. Configure the traffic policy.
[Switch] traffic policy p1
[Switch-trafficpolicy-p1] classifier c1 behavior b1
[Switch-trafficpolicy-p1] classifier c2 behavior b2
[Switch-trafficpolicy-p1] quit
5. Apply the traffic policy to the interface.
[Switch] interface gigabitethernet 2/0/1
[Switch-GigabitEthernet2/0/1] traffic-policy p1 inbound
[Switch-GigabitEthernet2/0/1] return
Notes: Multiple classifiers and behaviors can be configured in one policy.
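The following simulation is an added example (not Huawei's code) of the first-match rule that both the intranet fix above and the multi-classifier policy in this related question depend on: classifiers are evaluated in configuration order and the first match decides the behavior. It assumes the original PBR classifier c matches all traffic sourced from 192.168.1.0/24 and that behavior b redirects to a next hop (10.1.20.1 is used as a placeholder).

```python
"""Simulation of Huawei-style traffic-policy evaluation (added example, not
Huawei's own code). ACL wildcard masks use Huawei semantics: set bits are
'don't care' bits. Classifiers are tested in configuration order and the
first matching classifier's behavior wins."""
from ipaddress import IPv4Address


def _masked(ip, wildcard):
    # Keep only the bits that the wildcard marks as significant (zero bits).
    return int(IPv4Address(ip)) & ~int(IPv4Address(wildcard)) & 0xFFFFFFFF


def acl_rule(src_net, src_wild, dst_net, dst_wild):
    """Matcher for 'rule permit ip source S W destination D W'."""
    def match(src, dst):
        return (_masked(src, src_wild) == _masked(src_net, src_wild)
                and _masked(dst, dst_wild) == _masked(dst_net, dst_wild))
    return match


def acl(*rules):
    """An ACL matches a packet if any of its permit rules matches."""
    return lambda src, dst: any(rule(src, dst) for rule in rules)


def evaluate(policy, src, dst):
    """Return the behavior of the first matching classifier, or None when no
    classifier matches (the packet follows the normal routing table)."""
    for classifier, behavior in policy:
        if classifier(src, dst):
            return behavior
    return None


# Constructed configuration mirroring the page: intranets 192.168.1.0/24 and
# 192.168.2.0/24. The PBR classifier 'c' is ASSUMED to match all traffic from
# 192.168.1.0/24; next hop 10.1.20.1 is a placeholder value.
ACL_3001 = acl(
    acl_rule("192.168.1.0", "0.0.0.255", "192.168.2.0", "0.0.0.255"),
    acl_rule("192.168.2.0", "0.0.0.255", "192.168.1.0", "0.0.0.255"),
)
ACL_PBR = acl(acl_rule("192.168.1.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"))
BEHAVIOR_B = {"redirect ip-nexthop": "10.1.20.1"}
BEHAVIOR_NEIWANG = {}  # empty behavior: matches, but takes no action

PBR_FIRST = [(ACL_PBR, BEHAVIOR_B), (ACL_3001, BEHAVIOR_NEIWANG)]      # broken
INTRANET_FIRST = [(ACL_3001, BEHAVIOR_NEIWANG), (ACL_PBR, BEHAVIOR_B)]  # fixed

if __name__ == "__main__":
    print(evaluate(PBR_FIRST, "192.168.1.10", "192.168.2.20"))       # redirected
    print(evaluate(INTRANET_FIRST, "192.168.1.10", "192.168.2.20"))  # {} -> normal
    print(evaluate(INTRANET_FIRST, "192.168.1.10", "203.0.113.5"))   # redirected
```

An empty dict result means "matched the empty behavior, forward normally", while None means no classifier matched at all; both end up on the routing table, which is exactly what the fix relies on.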

IPSec is unavailable when both IPSec and NAT are configured on an interface of the AR
If NAT is configured on the interface to which an IPSec policy is applied, IPSec does not take effect because the device performs NAT before IPSec. Use either of the following methods:
- Ensure that the destination IP address denied in the ACL rule referenced by NAT is the destination IP address in the ACL rule referenced by IPSec. In this way, the device does not perform NAT on the data flow protected by IPSec.
- Ensure that the ACL rule referenced by IPSec matches the NAT-translated IP address.
Note: After the deny rule is defined, you are advised to run the reset session all or reset nat session all command to rebuild the flow table, ensuring that no incorrect NAT entries remain. If services are transmitted in only one direction, check whether a NAT policy is applied on the device. If so, perform the operations in the preceding method.

PPTP VPN service is unavailable after NAT is configured on an AR
No matter whether the PPTP server is on the public or private network, a NAT-enabled AR cannot translate the Data field that contains IP addresses or port numbers. To resolve this problem, enable the NAT ALG function.
For example, enable the NAT ALG function for PPTP as follows:
<Huawei> system-view
[Huawei] nat alg pptp enable
NAT supported by PPTP is used in either of the following scenarios: PPTP client on the private network or PPTP server on the private network.
When the PPTP client is on the private network and the PPTP server is on the public network, the Client-Call-ID field is translated.
When the PPTP server is on the private network and the PPTP client is on the public network, the Server-Call-ID field is translated.
