Policy based routing+static routing - unexpected behaviour

Created: Nov 18, 2020 08:59:54 | Latest reply: Jan 26, 2022 15:16:33
  Rewarded HiCoins: 0 (problem resolved)

Hi there!


For some kind of traffic I need to pass it through a special device (the gray box on the scheme). For this purpose I added a Policy-Based-Rule which has an ingress interface Eth-Trunk1.3 and egress interface Eth-Trunk1.4, and it does work. It forwards traffic towards 172.31.2.2 and then to the gray box.

PBR



When I run PacketCapture on interface Eth-Trunk1.5, I can capture all traffic sourced from the group 1C-server and destined to the group 1C-list. The next thing I expected from the Huawei USG is to pass these packets to the static routing process and, following the line ip route static 10.77.77.0 255.255.255.0 eth-trunk1.6 172.31.6.17, put these packets onto Eth-Trunk1.6. But it doesn't do this. Instead, this traffic again comes into interface Eth-Trunk1.4, forming a routing loop.


I tried to find a mistake with Packet Tracing in the diagnostic menu; it showed an absolutely correct path for the traffic.

(The exported file shows traffic with the source 10.0.0.15 and the destination 10.77.77.58 coming out of the interface Eth-Trunk1.5.)

  

flow:1

    packet:1

        FORWARD

            Layer 3 dispatch--------PASS: New packet arrived. 2618454562  interface:Eth-Trunk1.5 zone:dmz VRF:public -> public TCP  flag:SYN  10.0.0.15:22222 -> 10.77.77.58:445 pkt-id:160 

            Hook station process--------The process before the session table matching is passed

            Server map--------Server map: Session info, code:0x0, vsys ID:0, protocol:0x6

            User-manage ipv4 pre-fib identity--------UserId[0xffffffff]

            fib info--------Search fib info process done

            routing table--------Routing table process pass

            Interface access control process---Service manage of ipv4 packet process:next-hop=172.31.6.17, value=136

            User-manage ipv4 post-fib identity--------User management authentication pass (portal authentication)

            Layer 3 process--------packet filter recv packet

            Layer 3 process--------Layer 3 process pass: packet filter process done, rule name:rt-traffic

            Flow create--------Create session process

            Layer 3 process--------PASS: Layer 3 Flow process done


But in a real-life situation this traffic never comes to Eth-Trunk1.6.


My first suggestion was that PBR cannot distinguish traffic between subinterfaces belonging to one physical interface. To test this I changed the ingress interface to another one, Eth-Trunk1.19, and PBR stopped forwarding this traffic. As I expected, the traffic was handled by the routing process and was forwarded to Eth-Trunk1.6.


Any suggestions? What could be done to resolve this problem?


My version is:


Huawei Versatile Routing Platform Software

VRP (R) Software, Version 5.170 (Eudemon200E-G V600R007C00SPC200)
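The following is an added example and not code from the thread or from Huawei. It is a small Python model of the forwarding order in which a policy-based route is evaluated before the static routing table, written to show how the sub-interface hypothesis in the post above would produce the observed loop. The rule name 1C-out, the address sets, the interfaces and the next hops are taken from the post; the address-set contents (10.0.0.0/24 and 10.77.77.0/24), the assumption that traffic sent out Eth-Trunk1.4 comes back in on Eth-Trunk1.5, and the `subinterface_aware` matching switch are constructed for illustration.

```python
# Added example: model of "PBR first, then routing table" on a firewall,
# used to show how ignoring the ingress sub-interface in PBR matching
# turns the post's topology into a routing loop.  Not vendor code.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class PbrRule:
    name: str
    ingress_interface: str
    sources: Tuple[IPv4Network, ...]        # address-set 1C-server (constructed)
    destinations: Tuple[IPv4Network, ...]   # address-set 1C-list (constructed)
    egress_interface: str
    next_hop: str


@dataclass(frozen=True)
class StaticRoute:
    prefix: IPv4Network
    egress_interface: str
    next_hop: str


def physical_interface(iface: str) -> str:
    """Strip the sub-interface suffix: 'Eth-Trunk1.5' -> 'Eth-Trunk1'."""
    return iface.split(".", 1)[0]


def pbr_matches(rule: PbrRule, ingress: str, src: IPv4Address, dst: IPv4Address,
                subinterface_aware: bool = True) -> bool:
    """subinterface_aware=False models the hypothesis that PBR only looks at
    the physical interface, so Eth-Trunk1.5 is treated like Eth-Trunk1.3."""
    if subinterface_aware:
        if ingress != rule.ingress_interface:
            return False
    elif physical_interface(ingress) != physical_interface(rule.ingress_interface):
        return False
    return any(src in n for n in rule.sources) and any(dst in n for n in rule.destinations)


def longest_match(routes: Tuple[StaticRoute, ...], dst: IPv4Address) -> Optional[StaticRoute]:
    candidates = [r for r in routes if dst in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)


def forward(rules, routes, ingress: str, src: str, dst: str,
            subinterface_aware: bool = True) -> Tuple[Optional[str], Optional[str], str]:
    """One forwarding decision: PBR rules are consulted before the routing table."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    for rule in rules:
        if pbr_matches(rule, ingress, src_ip, dst_ip, subinterface_aware):
            return rule.egress_interface, rule.next_hop, "pbr:" + rule.name
    route = longest_match(routes, dst_ip)
    if route is None:
        return None, None, "no-route"
    return route.egress_interface, route.next_hop, "static"


# Constructed topology assumption: the gray box hands packets sent out of
# Eth-Trunk1.4 straight back to the firewall on Eth-Trunk1.5.
RETURN_PATH: Dict[str, str] = {"Eth-Trunk1.4": "Eth-Trunk1.5"}

RULES = (PbrRule("1C-out", "Eth-Trunk1.3",
                 (ip_network("10.0.0.0/24"),), (ip_network("10.77.77.0/24"),),
                 "Eth-Trunk1.4", "172.31.2.2"),)
ROUTES = (StaticRoute(ip_network("10.77.77.0/24"), "Eth-Trunk1.6", "172.31.6.17"),)


def trace(rules, routes, ingress: str, src: str, dst: str,
          subinterface_aware: bool = True, max_hops: int = 8) -> Tuple[List[Tuple[str, Optional[str], str]], bool]:
    """Follow a packet through repeated firewall passes.  Returns the list of
    (ingress, egress, reason) hops and True if the packet revisits an
    ingress interface (a routing loop) or the hop budget is exhausted."""
    hops: List[Tuple[str, Optional[str], str]] = []
    seen = set()
    while ingress not in seen and len(hops) < max_hops:
        seen.add(ingress)
        egress, _next_hop, reason = forward(rules, routes, ingress, src, dst, subinterface_aware)
        hops.append((ingress, egress, reason))
        if egress not in RETURN_PATH:
            return hops, False          # left the firewall for good
        ingress = RETURN_PATH[egress]   # came back from the gray box
    return hops, True


if __name__ == "__main__":
    for aware in (True, False):
        hops, looped = trace(RULES, ROUTES, "Eth-Trunk1.3", "10.0.0.15", "10.77.77.58", aware)
        print(f"subinterface_aware={aware}: looped={looped}")
        for h in hops:
            print("   ", h)
```

With sub-interface-aware matching the second pass (ingress Eth-Trunk1.5) falls through to the static route and leaves on Eth-Trunk1.6; with physical-interface-only matching the same pass hits the PBR rule again and the packet is sent back to Eth-Trunk1.4, which is the loop described in the post.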



Featured Answers

Recommended answer

Popeye_Wang
Admin Created Nov 18, 2020 09:39:51

Hi,
PBR is directly applied to the forwarding table and has a higher priority than the routing table. If a route matches both the PBR and the routing table, the route is forwarded along the path specified by the PBR. Therefore, all traffic from Eth-Trunk 1.6 is forwarded to Eth-Trunk 1.4 instead of along the routing table.

andrey.rychkov
andrey.rychkov Created Nov 18, 2020 12:46:31 (0) (0)
Hi,

The idea was to send traffic to the interface Eth-Trunk1.4, then receive this traffic from interface Eth-Trunk1.5 and finally send it to interface Eth-Trunk1.6.
Yes, I understand that PBR has a higher priority than static routing, but to my mind PBR must be applied to traffic from a SPECIFIC INTERFACE; in my case it's interface Eth-Trunk1.3 as the ingress interface, but interface Eth-Trunk1.5 is not an ingress interface. Why does PBR handle this traffic again?
Popeye_Wang
Popeye_Wang Reply andrey.rychkov  Created Nov 19, 2020 09:54:25 (0) (0)
Ok, it's indeed a strange behavior. Have you tried to change the ingress-interface to the source-address?  
All Answers
DDSN
DDSN Admin Created Nov 18, 2020 09:01:56

Hi andrey.rychkov,
Please wait patiently. Our engineers are looking for answers to your questions.

Hi!
It has no such option. As I understand, source and destination are described by the statements:

 source-address address-set NAME
 

 destination-address address-set NAME


and these functions are working perfectly


and the only options which describe the input interface are:


ingress-interface  and source-zone


FW-policy-pbr-rule-1C-out]?

policy-pbr-rule view commands:

   ingress-interface            Indicate the ingress-interface for the rule

 and possibly 

  source-zone                  Specify the source-zone for the rule

 because I can put this interface into a different zone


Also I have access to NE40E platforms; it could be possible to check PBR on the NE40E. But again it has a different syntax which does not have an ingress interface as an option. Do you have an idea how to set the ingress interface in PBR on the NE40E platform?



I have checked a similar function on the NE40E; it is called traffic policy, and it does work well.

Popeye_Wang
Popeye_Wang Created Nov 23, 2020 02:48:13 (0) (0)
That's great.  
Awesome!

GOOD

Good
