Method used to configure the interworking between IP-Link and policy-based routing on the USG2000 and USG5000


The method used to configure the interworking between IP-Link and policy-based routing on the USG2000 and USG5000 is as follows:
1. Networking requirement

To satisfy the traffic requirements of department A and department B, the company uses two Internet links, ISP1 and ISP2, which share the traffic and back each other up so as to ensure link continuity.
The specific requirements are as follows:
a. Department A uses network segment 10.1.0.0/16. Normally, the Internet access traffic of this department is carried by link ISP1.
b. Department B uses network segment 20.1.0.0/16. Normally, the Internet access traffic of this department is carried by link ISP2.
c. The links of department A and department B back each other up. When the link of a department (its active link) is faulty, the department's traffic is switched over to the link of the other department (its standby link).

2. Configuration principles

The principles for configuring the interworking between IP-Link and policy-based routing are as follows:
a. To have different links carry different traffic, configure source address-based policy-based routing, so that the Internet access traffic of department A is carried by link ISP1 and the Internet access traffic of department B is carried by link ISP2.
b. To have the links of department A and department B back each other up and ensure link continuity, configure the following:
(1) Configure the interworking between policy-based routing and IP-Link. IP-Link monitors the reachability of the active link of each department. When an active link is faulty, the policy-based route that points to it is invalidated, and the firewall instead looks up the routing table, where the backup route ensures service continuity.
(2) Configure a static route from department A to link ISP2 and a static route from department B to link ISP1 as the backup routes of department A and department B. In addition, configure the interworking between these static routes and IP-Link, so that IP-Link monitors the reachability of the standby link of each department and a failed standby route is withdrawn rather than black-holing traffic.
For specific configurations, see Configuring the Interworking Between IP-Link and PBR: http://support.huawei.com/ehedex/pages/DOC100000933430002967/06/DOC100000933430002967/06/resources/cfg_ha/sec_vsp_cfg_iplink_0014.html?ft=0&id=sec_vsp_cfg_iplink_0014
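The following configuration is added here as a worked example of the two principles above on a single USG2000/USG5000; it is not taken from the linked Huawei document. It reuses the networking requirement (department A 10.1.0.0/16 on ISP1, department B 20.1.0.0/16 on ISP2) and the command forms that appear elsewhere on this page for policy-based routing, static routes and IP-Link. The interface names, the ISP next-hop addresses (1.1.1.1 for ISP1 and 1.1.2.1 for ISP2), the ACL numbers, the policy name and the "track ip-link" keyword on the policy-based-route and static-route commands are assumptions, written by analogy with the "track bfd-session" commands shown on this page, and must be checked against the command reference for your software version.

```text
# Enable IP-Link and probe the next hop of each ISP link (addresses assumed).
# ip-link 1 watches ISP1 through GE0/0/2; ip-link 2 watches ISP2 through GE0/0/3.
# Probe an address whose reachability proves the whole path (the ISP next hop,
# or a stable host beyond it), not an address on the firewall's own interface.
[USG] ip-link check enable
[USG] ip-link 1 destination 1.1.1.1 interface GigabitEthernet 0/0/2
[USG] ip-link 2 destination 1.1.2.1 interface GigabitEthernet 0/0/3

# ACLs that match Internet access traffic by source department (numbers assumed).
[USG] acl 3001
[USG-acl-adv-3001] rule permit ip source 10.1.0.0 0.0.255.255
[USG-acl-adv-3001] quit
[USG] acl 3002
[USG-acl-adv-3002] rule permit ip source 20.1.0.0 0.0.255.255
[USG-acl-adv-3002] quit

# Source-based policy-based routing: department A to ISP1, department B to ISP2.
# Each node tracks only the IP-Link of its own active link. When that IP-Link goes
# Down the node is invalidated and the packet falls through to the routing table.
# ("track ip-link" is assumed; the page shows the equivalent "track bfd-session".)
[USG] policy-based-route dept permit node 5
[USG-policy-based-route-dept-5] if-match acl 3001
[USG-policy-based-route-dept-5] apply ip-address next-hop 1.1.1.1 track ip-link 1
[USG-policy-based-route-dept-5] quit
[USG] policy-based-route dept permit node 10
[USG-policy-based-route-dept-10] if-match acl 3002
[USG-policy-based-route-dept-10] apply ip-address next-hop 1.1.2.1 track ip-link 2
[USG-policy-based-route-dept-10] quit

# Apply the policy on the inside interface that receives both departments' traffic.
[USG] interface GigabitEthernet 0/0/1
[USG-GigabitEthernet0/0/1] ip policy-based-route dept
[USG-GigabitEthernet0/0/1] quit

# Backup routes. Static routes are destination-based, so the "static route from
# department A to ISP2" is simply a default route via ISP2, and vice versa. Each
# default route tracks the IP-Link of its own link: when ISP1 fails, both the PBR
# node for department A and the default route via ISP1 are removed, and department
# A's traffic follows the only remaining default route, via ISP2.
[USG] ip route-static 0.0.0.0 0.0.0.0 1.1.1.1 track ip-link 1
[USG] ip route-static 0.0.0.0 0.0.0.0 1.1.2.1 track ip-link 2

# Checks (display commands assumed): both IP-Links should be Up, and both default
# routes should be present in the routing table while both links are healthy.
[USG] display ip-link
[USG] display ip routing-table
```

Two points are worth checking before relying on this. First, each policy-based-route node must track only its own link; tracking both IP-Links from one node would invalidate the node on either failure. Second, if both IP-Links are Down at the same time, both default routes are withdrawn and neither department has a route at all, which is the intended behaviour (no black hole) but should be visible in monitoring.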

Other related questions:
Method used to configure interworking between BFD sessions and policy-based routing on the USG firewall
Interworking between policy-based routing and BFD sessions enhances the flexibility of policy-based routing and gives it the ability to sense the network environment dynamically. By associating the execution actions of policy-based routing with static BFD sessions, the firewall uses the BFD sessions to rapidly monitor the reachability of the next hop or outbound interface specified by policy-based routing, and dynamically determines whether the policy-based route is available based on the BFD session state. Key configurations for the interworking between BFD sessions and policy-based routing on the USG firewall are as follows:
# Configure BFD session 1, and set the peer IP address to 1.1.2.1, local discriminator to 10, and remote discriminator to 20.
[USG] bfd
[USG-bfd] quit
[USG] bfd 1 bind peer-ip 1.1.2.1
[USG-bfd-session-1] discriminator local 10
[USG-bfd-session-1] discriminator remote 20
[USG-bfd-session-1] commit
[USG-bfd-session-1] quit
# Configure policy testA, set packets from source address 10.1.0.0/16 (matched by ACL 3001, which must already exist) to be delivered to next hop address 1.1.2.1, and associate the next hop with BFD session 1.
[USG] policy-based-route testA permit node 5
[USG-policy-based-route-testA-5] if-match acl 3001
[USG-policy-based-route-testA-5] apply ip-address next-hop 1.1.2.1 track bfd-session 10
[USG-policy-based-route-testA-5] quit
# Apply policy testA to interface GigabitEthernet 0/0/1 to process packets received on this interface.
[USG] interface GigabitEthernet 0/0/1
[USG-GigabitEthernet0/0/1] ip policy-based-route testA
[USG-GigabitEthernet0/0/1] quit
# Configure a default route with next hop address 1.1.2.1, and associate the next hop with BFD session 1.
[USG] ip route-static 0.0.0.0 0.0.0.0 1.1.2.1 track bfd-session 1
Note: The policy-based route and the static route above reference the BFD session by different values (10 and 1). Check in the command reference for your version whether "track bfd-session" expects the session ID or the local discriminator, and use the same value in both places. The USG6000 configuration must be consistent with the key configuration of the USG2000&5000.
This case takes the USG2000&5000 as an example. For the USG6000 configuration and the complete procedure, see Method used to configure interworking between BFD sessions and policy-based routing on the USG firewall.

Method used to configure the interworking between hot standby devices and IP-Link on USG firewalls
When USG firewalls work in hot standby mode, IP-Link detects link failures that affect the services of the active and standby firewalls. If the VGMP management group is configured to monitor IP-Link, a Down IP-Link lowers the priority of the VGMP management group, which triggers the active/standby switchover and so ensures service continuity. Because IP-Link probes a destination address rather than a local interface, it can detect the status of an interface or link that is not directly connected to the USG firewall. Key configurations for the interworking between hot standby devices and IP-Link on the USG firewall are as follows:
# Add interfaces GigabitEthernet 0/0/2 and GigabitEthernet 0/0/1 to the same link-group.
[USG_A] interface GigabitEthernet 0/0/2
[USG_A-GigabitEthernet0/0/2] link-group 1
[USG_A-GigabitEthernet0/0/2] quit
[USG_A] interface GigabitEthernet 0/0/1
[USG_A-GigabitEthernet0/0/1] link-group 1
[USG_A-GigabitEthernet0/0/1] quit
# If the USG firewalls work in hot standby mode on an OSPF network, also run the following command:
[USG] hrp ospf-cost adjust-enable
# In the interface view, configure the VGMP management group to monitor the status of the interfaces.
[USG_A] interface GigabitEthernet 0/0/2
[USG_A-GigabitEthernet0/0/2] hrp track master
[USG_A-GigabitEthernet0/0/2] quit
[USG_A] interface GigabitEthernet 0/0/1
[USG_A-GigabitEthernet0/0/1] hrp track master
[USG_A-GigabitEthernet0/0/1] quit
# Configure IP-Link to monitor the outbound interface.
[USG_A] ip-link check enable
[USG_A] ip-link 1 destination 200.1.1.1 interface GigabitEthernet 0/0/1
# Configure the interworking between the hot standby firewalls and IP-Link by setting the VGMP management group to monitor IP-Link. When the outbound interface is faulty, IP-Link 1 changes to Down and the priority of the VGMP management group is decreased by 2.
[USG_A] hrp track ip-link 1 master
# Configure the HRP backup channel.
[USG_A] hrp interface GigabitEthernet 0/0/3
# Configure fast session backup.
[USG_A] hrp mirror session enable
# Enable HRP.
[USG_A] hrp enable
Note: The hot standby mode involves two devices. The key configuration above describes the IP-Link configuration on the master device only. For the configuration on the slave device and on the USG6000, see Configuring the Interworking Between Hot Standby Devices and IP-Link on USG Firewalls.

Routing protocol types based on the used algorithm on the USG2000 and USG5000 series
Based on the algorithm they use, dynamic routing protocols are classified into the following types:
Distance-vector routing protocols: RIP and BGP. BGP is also called a path-vector protocol.
Link-state routing protocols: OSPF and IS-IS.

Method used to configure the L2TP-based access to the L3 VPN on the USG2000 and USG5000
The method used to configure the L2TP-based access to the L3 VPN on the USG2000 and USG5000 is as follows:
Most carriers adopt MPLS VPN networking. However, MPLS VPN alone cannot satisfy some special requirements. For example:
a. A user is served by one VPN and needs to access resources in another VPN.
b. The carrier provides a shared LNS to enterprise users who use the MPLS VPN. Mobile users of an enterprise access the enterprise intranet through the LNS. Because the LNS is shared by multiple enterprises, it must place each user into the corresponding VPN.
Procedure
1. Configure the LAC.
a. Set the user name and password.
b. Create two zones.
c. Configure the domain name suffix separator.
[LAC] l2tp domain suffix-separator @
d. Create the virtual interface template and bind it to the interface.
e. Create two L2TP groups and configure the related attributes.
2. Configure the LNS.
a. Create two VPN instances, vpna and vpnb.
b. Configure the interface connected to enterprise network A and bind it to vpna.
c. Configure the interface connected to enterprise network B and bind it to vpnb.
d. Create the authentication scheme.
e. Configure the RADIUS template.
f. Configure the domain name suffix separator.
[LNS] l2tp domain suffix-separator @
g. Create two Virtual-Template interfaces, bound to vpna and vpnb respectively.
h. Create two zones and bind them to the corresponding virtual templates and address pools.
i. Create two L2TP groups.

Differences between policy-based routing and default routing
Policy-based routing operates on packets rather than on routes. Under conventional routing, packets are forwarded according to their destination addresses alone: the routing table is looked up, and the default route (0.0.0.0/0) is the entry used when no more specific route matches the destination. A default route is therefore still destination-based. With policy-based routing, a packet that matches a policy is forwarded according to that policy even though a routing table is available; only packets that match no policy, or whose policy has been invalidated, are forwarded by the routing table. Nowadays, more and more users expect packets to be routed according to policies they define, on top of conventional routing and forwarding. Policy-based routing lets the network administrator formulate routing policies based on the source and destination addresses of packets, packet size, and link quality, in order to change the forwarding paths of packets and meet user requirements.
