Method used to configure the routing policy on USG firewalls


The method used to configure a routing policy on the USG2000, USG5000, and USG6000 is as follows:
1. Create a routing policy.
2. Configure the if-match clause (the conditions a route must meet to match the policy node).
3. Configure the apply clause (the attributes set on routes that match the node).
4. Use the routing policy to filter routes when they are received, advertised, or imported.

Other related questions:
Method used to configure the static route on USG firewalls
The method used to configure a static route on USG firewalls is as follows. For example:
ip route-static 1.1.1.0 255.255.255.0 1.1.5.1
Here, ip route-static indicates a static route, 1.1.1.0 indicates the destination address, 255.255.255.0 indicates the mask, and 1.1.5.1 indicates the next-hop address.

Method used to configure reverse route injection on USG firewalls
1. Method used to configure IPSec reverse route injection
In the IPSec policy template view, run the reverse-route enable [ nexthop nexthop-address | preference preference ] command.

2. Note:
When multiple tunnels are established between the HQ network and branch networks, the reverse route injection function can be configured on the HQ gateway so that routing information of the branch networks is added to the HQ gateway automatically. This function is equivalent to an intranet static route destined for the branch intranet, with the next-hop address set to the interface IP address of the branch tunnel. In IPSec tunneling mode, this function is equivalent to specifying the tunnel interface as the outbound interface.
Each branch network accesses the HQ gateway over the IPSec tunnel, and communication traffic between the branch network and the HQ network is protected by IPSec. Therefore, static routes must be configured on the branch gateways and the HQ gateway to lead the traffic into the IPSec tunnel. When a large number of branch networks exist, a large number of static route entries must be configured on the HQ gateway, and if the intranet planning of the enterprise changes, the workload of adjusting the static route configuration on the HQ gateway is huge. The reverse route injection function injects the routing information of the private network segments of each branch network into the HQ gateway, thereby adding routes automatically without manual configuration.

3. Configuration example:
system-view //Enter the system view.
[sysname] ipsec policy-template abc 1 //Enter the IPSec policy template view.
[sysname-ipsec-policy-template-abc-1] reverse-route enable //Enable the reverse route injection function.

Method used to configure interworking between BFD sessions and policy-based routing on the USG firewall
By means of interworking between policy-based routing and BFD sessions, the preceding issue is addressed, the flexibility of policy-based routing is enhanced, and policy-based routing gains the ability to sense changes in the network environment dynamically. By associating the execution actions of policy-based routing with static BFD sessions, the firewall can rapidly monitor, through the BFD sessions, the reachability of the next hop or outbound interface specified by policy-based routing, and can dynamically determine whether the policy-based route is usable based on the BFD session state.

Key configurations for the interworking between BFD sessions and policy-based routing on the USG firewall are as follows:

# Configure BFD session 1, and set the peer IP address to 1.1.2.1, the local identifier to 10, and the remote identifier to 20.
[USG] bfd
[USG-bfd] quit
[USG] bfd 1 bind peer-ip 1.1.2.1
[USG-bfd-session-1] discriminator local 10
[USG-bfd-session-1] discriminator remote 20
[USG-bfd-session-1] commit
[USG-bfd-session-1] quit

# Configure policy testA, set packets from source address 10.1.0.0/16 to be delivered to next hop address 1.1.2.1, and associate the next hop address with BFD session 1.
[USG] policy-based-route testA permit node 5
[USG-policy-based-route-testA-5] if-match acl 3001
[USG-policy-based-route-testA-5] apply ip-address next-hop 1.1.2.1 track bfd-session 10
[USG-policy-based-route-testA-5] quit

# Apply policy testA to interface GigabitEthernet 0/0/1 to process packets received on this interface.
[USG] interface GigabitEthernet 0/0/1
[USG-GigabitEthernet0/0/1] ip policy-based-route testA
[USG-GigabitEthernet0/0/1] quit

# Configure a default route, set the next hop address to 1.1.2.1/24, and associate the next hop address with BFD session 1.
[USG] ip route-static 0.0.0.0 0.0.0.0 1.1.2.1 track bfd-session 1

Note: The USG6000 configuration must be consistent with the key configuration of the USG2000&5000.
This case takes the USG2000&5000 as an example to describe the configuration. The USG6000 configuration can be found in the corresponding configuration case. For specific configurations, click Method used to configure interworking between BFD sessions and policy-based routing on the USG firewall.

Method used to configure the router-on-a-stick on USG firewalls

Router-on-a-stick addresses the problem of limited physical interface resources. By configuring multiple subinterfaces on one physical interface, each corresponding to a different VLAN, that single physical interface can route traffic between the VLANs. For example, you can configure router-on-a-stick on the USG2000, USG5000, and USG6000 as follows (each subinterface must be placed in its own subnet):
[USG] interface GigabitEthernet1/0/3.1 //Configure subinterface 1.
[USG-GigabitEthernet1/0/3.1] vlan-type dot1q 10 //Terminate VLAN 10.
[USG-GigabitEthernet1/0/3.1] ip address 10.3.1.1 255.255.255.0 //Configure the IP address for the subinterface.
[USG-GigabitEthernet1/0/3.1] quit
[USG] interface GigabitEthernet1/0/3.2 //Configure subinterface 2.
[USG-GigabitEthernet1/0/3.2] vlan-type dot1q 20 //Terminate VLAN 20.
[USG-GigabitEthernet1/0/3.2] ip address 10.3.2.1 255.255.255.0 //Configure the IP address for the subinterface, in a different subnet from subinterface 1.
[USG-GigabitEthernet1/0/3.2] quit
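The routing policy procedure, the BFD-tracked policy-based route and static route, and the router-on-a-stick subinterfaces above are all easy to get subtly wrong in ways the CLI does not always reject at once: a route-policy name that is referenced but never created, a track bfd-session value that does not match the session as it was configured, or two subinterfaces placed in the same subnet. The following Python script is an added example (not Huawei code or tooling) that parses a pasted VRP-style configuration, with the [USG...] prompts stripped and one command per line, and reports those three inconsistencies. The embedded sample configuration is constructed for this example and contains deliberate defects for the checks to find; the script assumes that track bfd-session should name the BFD session (here 1), so a line that tracks the session's local discriminator (10) instead is reported for review.

```python
"""Offline consistency checks for USG (VRP-style) routing configuration text.
Added example, not Huawei tooling; assumes one command per line with the
"[USG...]" prompts removed and nested commands optionally indented."""
import ipaddress
import re
from itertools import combinations
from typing import Dict, List, Tuple

# Constructed sample covering the commands discussed on this page, with three
# deliberate defects: a route-policy referenced but never defined, a PBR next hop
# tracked by BFD local discriminator 10 instead of session name 1, and two
# subinterfaces in the same subnet.
SAMPLE_CONFIG = """
route-policy rp-in permit node 10
 if-match acl 2001
 apply cost 100
ospf 1
 import-route static route-policy rp-in
 import-route direct route-policy rp-absent
bfd 1 bind peer-ip 1.1.2.1
 discriminator local 10
 discriminator remote 20
policy-based-route testA permit node 5
 if-match acl 3001
 apply ip-address next-hop 1.1.2.1 track bfd-session 10
ip route-static 0.0.0.0 0.0.0.0 1.1.2.1 track bfd-session 1
interface GigabitEthernet1/0/3.1
 vlan-type dot1q 10
 ip address 10.3.1.1 255.255.255.0
interface GigabitEthernet1/0/3.2
 vlan-type dot1q 20
 ip address 10.3.1.1 255.255.255.0
"""

ROUTE_POLICY_DEF_RE = re.compile(r"^route-policy\s+(\S+)\s+(?:permit|deny)\s+node\s+\d+")
ROUTE_POLICY_REF_RE = re.compile(r"\broute-policy\s+(\S+)")
BFD_SESSION_RE = re.compile(r"^bfd\s+(\S+)\s+bind\s+peer-ip\s+(\S+)")
TRACK_RE = re.compile(r"\btrack\s+bfd-session\s+(\S+)")
INTERFACE_RE = re.compile(r"^interface\s+(\S+)")
IP_ADDR_RE = re.compile(r"^ip\s+address\s+(\S+)\s+(\S+)")


def _lines(config: str) -> List[str]:
    """Non-empty command lines with indentation stripped."""
    return [ln.strip() for ln in config.splitlines() if ln.strip()]


def dangling_route_policy_refs(config: str) -> List[str]:
    """Lines that reference a route-policy name which is never defined."""
    lines = _lines(config)
    defined = {m.group(1) for m in map(ROUTE_POLICY_DEF_RE.match, lines) if m}
    dangling = []
    for ln in lines:
        if ROUTE_POLICY_DEF_RE.match(ln):
            continue  # a definition, not a reference
        m = ROUTE_POLICY_REF_RE.search(ln)
        if m and m.group(1) not in defined:
            dangling.append(ln)
    return dangling


def parse_bfd_sessions(config: str) -> Dict[str, str]:
    """Map each BFD session name to its peer IP, e.g. {'1': '1.1.2.1'}."""
    sessions: Dict[str, str] = {}
    for ln in _lines(config):
        m = BFD_SESSION_RE.match(ln)
        if m:
            sessions[m.group(1)] = m.group(2)
    return sessions


def dangling_bfd_tracks(config: str) -> List[str]:
    """Lines whose 'track bfd-session' value matches no configured session name."""
    names = parse_bfd_sessions(config)
    dangling = []
    for ln in _lines(config):
        m = TRACK_RE.search(ln)
        if m and m.group(1) not in names:
            dangling.append(ln)
    return dangling


def parse_interface_addresses(config: str) -> Dict[str, ipaddress.IPv4Interface]:
    """Map each interface or subinterface name to its IPv4 address and mask."""
    addrs: Dict[str, ipaddress.IPv4Interface] = {}
    current = None  # interface view we are currently inside, if any
    for ln in _lines(config):
        m = INTERFACE_RE.match(ln)
        if m:
            current = m.group(1)
            continue
        m = IP_ADDR_RE.match(ln)
        if m and current:
            addrs[current] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
    return addrs


def overlapping_subnets(config: str) -> List[Tuple[str, str]]:
    """Interface pairs whose IPv4 subnets overlap (duplicate or nested prefixes)."""
    addrs = parse_interface_addresses(config)
    return [(a, b) for a, b in combinations(sorted(addrs), 2)
            if addrs[a].network.overlaps(addrs[b].network)]


def review(config: str) -> List[str]:
    """Run every check and return the findings as readable strings."""
    return ([f"route-policy not defined: {ln}" for ln in dangling_route_policy_refs(config)]
            + [f"track bfd-session matches no session name: {ln}" for ln in dangling_bfd_tracks(config)]
            + [f"overlapping subnets on {a} and {b}" for a, b in overlapping_subnets(config)])
```

Running review(SAMPLE_CONFIG) yields three findings, one per deliberate defect. The checks are deliberately conservative: they only compare names and prefixes that appear in the pasted text, so a reference to a session or policy defined elsewhere (for example in a part of the configuration that was not pasted) shows up as a finding to be confirmed on the device rather than as a verdict.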


Method used to modify the cost value of the static route on USG firewalls
The cost value of the static route on the USG2000, USG5000, and USG6000 cannot be changed. By default, it is 0.
