How to make sure part of the traffic is forwarded by routing in a PBR policy

Latest reply: Nov 25, 2015 04:07:41
Issue Description

In some cases, when configuring PBR, the requirement is that traffic from segment A (for example, 10.1.1.0 0.0.0.255) follows the PBR policy and is redirected to another next hop, but traffic from segment A to specific servers, such as 192.168.1.68 and 192.168.35.15, is forwarded by routing. If the configuration is as shown below, all the traffic is forwarded by PBR and this does not work.

    acl 3000
     rule 5 deny ip source 10.1.1.0 0.0.0.255 destination 192.168.1.68 0
     rule 10 deny ip source 10.1.1.0 0.0.0.255 destination 192.168.35.15 0
     rule 100 permit ip source 10.1.1.0 0.0.0.255
    #
    traffic classifier ForInternet operator or precedence 10
     if-match acl 3000
    #
    traffic behavior ForInternet
     redirect ip-nexthop 192.168.20.253
    #
    traffic policy ForInternet match-order config
     classifier ForInternet behavior ForInternet
    #
    traffic-policy ForInternet global inbound

Solution

It is necessary to create another classifier and behavior to permit the traffic to the servers so that it is forwarded by routing:

    #
    acl 3000
     rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 192.168.1.68 0
     rule 10 permit ip source 10.1.1.0 0.0.0.255 destination 192.168.35.15 0
    acl 3001
     rule 100 permit ip source 10.1.1.0 0.0.0.255
    #
    traffic classifier DenyServer operator or precedence 5  //DenyServer must have the higher priority
     if-match acl 3000
    traffic classifier ForInternet operator or precedence 10
     if-match acl 3001
    #
    traffic behavior DenyServer
     permit
    #
    traffic behavior ForInternet
     redirect ip-nexthop 192.168.20.253
    #
    traffic policy ForInternet match-order config  //here the match-order should be "config"; in this way the traffic to the servers is forwarded following the routing table
     classifier DenyServer behavior DenyServer
     classifier ForInternet behavior ForInternet
    #
    traffic-policy ForInternet global inbound
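
An added example, not part of the original post: a small Python model of the solution's traffic policy, useful for checking which flows are redirected and which fall through to the routing table before the policy is applied. It assumes classifiers are evaluated first-match in configured order and that behavior `permit` means normal routing-table forwarding; the helper names and the 203.0.113.10 test destination are constructed for illustration.

```python
import ipaddress

def ip(s):
    return int(ipaddress.IPv4Address(s))

def wc_match(addr, base, wildcard):
    # ACL wildcard mask: bits set to 1 are ignored, bits set to 0 must match.
    care = ~ip(wildcard) & 0xFFFFFFFF
    return (ip(addr) & care) == (ip(base) & care)

# Permit rules from the solution's ACLs: (src, src wildcard, dst, dst wildcard).
# A trailing "0" in the device config is the host wildcard 0.0.0.0;
# None means the rule has no destination condition.
ACLS = {
    3000: [("10.1.1.0", "0.0.0.255", "192.168.1.68", "0.0.0.0"),
           ("10.1.1.0", "0.0.0.255", "192.168.35.15", "0.0.0.0")],
    3001: [("10.1.1.0", "0.0.0.255", None, None)],
}
# Behavior of each classifier ("route" stands for the permit behavior).
BEHAVIORS = {"DenyServer": "route", "ForInternet": "redirect 192.168.20.253"}
# Classifier order as written in the traffic policy (match-order config).
POLICY = [("DenyServer", 3000), ("ForInternet", 3001)]

def acl_permits(acl, src, dst):
    return any(wc_match(src, s, sw) and (d is None or wc_match(dst, d, dw))
               for s, sw, d, dw in ACLS[acl])

def decide(src, dst, policy=POLICY):
    # Assumption: the first classifier whose ACL matches decides the behavior.
    for classifier, acl in policy:
        if acl_permits(acl, src, dst):
            return BEHAVIORS[classifier]
    return "route"  # no classifier matched: normal routing

if __name__ == "__main__":
    flows = [("10.1.1.20", "192.168.1.68"), ("10.1.1.20", "192.168.35.15"),
             ("10.1.1.20", "203.0.113.10"), ("10.2.2.2", "203.0.113.10")]
    for src, dst in flows:
        print(f"{src} -> {dst}: {decide(src, dst)}")
    # Reversing the classifier order shows why DenyServer has to come first.
    print("swapped:", decide("10.1.1.20", "192.168.1.68", POLICY[::-1]))
```

With the classifiers swapped, the server-bound flow matches ACL 3001 first and is redirected, which is the failure the ordering in the solution avoids.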


user_2790689
Created Nov 25, 2015 04:07:41

Thank you.