Redirecting the traffic with policy-based routing on CE6800

Latest reply: Mar 17, 2020 14:55:58

Hello guys!

I want to present a little case of policy-based routing.

We all know that traditionally, devices search routing tables for routes of packets based on their destination addresses and then forward the packets, but sometimes this is not enough. More often, users require that devices route packets based on other policies. This is where PBR comes in handy, allowing us to change packet routes based on other criteria such as source addresses, packet size or next hop.

To exemplify the use of policy-based routing I chose the following example.

Here JIM & TIM are part of the same company but they do not want to overwhelm one firewall with all their torrent downloads, web browsing and other traffic. So, after a while and some fierce discussions on this subject, they decided to use a different firewall each for the internet browsing, but still be able to access each other or the DMZ zone. They thought that PBR could be a good solution in this scenario.

[Figure: traffic with policy based routing]


Here is the configuration they applied on the CE6800:


First they carefully configured an ACL to select just the traffic they wanted to redirect. Since they wanted to redirect all the traffic destined to the internet, they made the following configuration:

#
acl name JIM_NETWORKS number 3001
rule 10 permit ip source 192.168.0.0 0.0.0.255 destination any
rule 15 permit ip source 192.168.1.0 0.0.0.255 destination any
#
acl name TIM_NETWORKS number 3002
rule 10 permit ip source 192.168.2.0 0.0.0.255 destination any
rule 15 permit ip source 194.168.3.0 0.0.0.255 destination any

After they defined the ACLs, they configured the traffic classifiers:

#
traffic classifier JIM_NETWORKS type or
if-match acl 3001
#
traffic classifier TIM_NETWORKS type or
if-match acl 3002
#



The next step was to choose what to do with the traffic they have just classified.

#
traffic behavior GO_TO_JIMFW
redirect nexthop 192.168.0.147
#
traffic behavior GO_TO_TIMFW
redirect nexthop 192.168.0.149
#


 

As you know, after the classifier and the traffic behaviour are configured, they have to be put together to make sense. And that is what they did as well.

#
traffic policy JIM_NETWORK_GOES_TO_JIMFW
classifier JIM_NETWORKS behavior GO_TO_JIMFW
#
traffic policy TIM_NETWORK_GOES_TO_TIMFW
classifier TIM_NETWORKS behavior GO_TO_TIMFW
#



Finally, the traffic policies were configured. The only thing that remained to do was to apply the traffic policies on the switch.

#
traffic-policy JIM_NETWORK_GOES_TO_JIMFW global inbound
#
traffic-policy TIM_NETWORK_GOES_TO_TIMFW global inbound
#


After this, the traffic destined to the internet was redirected according to the policy. Now, if you wonder what happened to JIM and TIM I don’t really know, lol.

Anyway, hope you enjoy this post.

If you have any questions, I would be glad to help you.

Thanks.
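An added example, not part of the original post: a small Python check that evaluates the ACL rules and redirect behaviors exactly as posted against a few constructed flows, to show which source addresses are redirected and to which next hop. The flow addresses (including the 10.10.10.5 DMZ host) and the `BINDINGS` table are assumptions made for illustration; only IPv4 source matching is modeled.

```python
import ipaddress
import re

# Configuration lines copied from the post above.
CONFIG = """\
acl name JIM_NETWORKS number 3001
rule 10 permit ip source 192.168.0.0 0.0.0.255 destination any
rule 15 permit ip source 192.168.1.0 0.0.0.255 destination any
acl name TIM_NETWORKS number 3002
rule 10 permit ip source 192.168.2.0 0.0.0.255 destination any
rule 15 permit ip source 194.168.3.0 0.0.0.255 destination any
traffic behavior GO_TO_JIMFW
redirect nexthop 192.168.0.147
traffic behavior GO_TO_TIMFW
redirect nexthop 192.168.0.149
"""
# ACL number -> behavior, following the classifier and policy bindings in the post.
BINDINGS = {3001: "GO_TO_JIMFW", 3002: "GO_TO_TIMFW"}
RULE = re.compile(r"rule (\d+) permit ip source (\S+) (\S+) destination any")

def parse(config):
    """Return ({acl_number: [(rule_id, base, wildcard)]}, {behavior: nexthop})."""
    acls, hops, rules, behavior = {}, {}, None, None
    for line in config.splitlines():
        words = line.split()
        if line.startswith("acl name"):
            rules = acls.setdefault(int(words[-1]), [])
        elif (m := RULE.match(line)):
            base, wild = (int(ipaddress.IPv4Address(x)) for x in m.group(2, 3))
            rules.append((int(m.group(1)), base, wild))
        elif line.startswith("traffic behavior"):
            behavior = words[-1]
        elif line.startswith("redirect nexthop"):
            hops[behavior] = words[-1]
    return acls, hops

def redirect_for(src, dst, config=CONFIG):
    """Next hop for the flow, or None. dst is unused: every rule is 'destination any'."""
    acls, hops = parse(config)
    s = int(ipaddress.IPv4Address(src))
    for number, rules in acls.items():
        for _rule_id, base, wild in sorted(rules):
            care = 0xFFFFFFFF ^ wild  # wildcard bits set to 1 are ignored
            if (s & care) == (base & care):
                return hops[BINDINGS[number]]
    return None

if __name__ == "__main__":
    for src, dst in [("192.168.1.20", "192.168.2.30"), ("192.168.3.40", "8.8.8.8")]:
        print(src, "->", dst, "redirect:", redirect_for(src, dst))
```

Because every rule uses `destination any`, the result depends only on the source address, so a flow from 192.168.1.20 to 192.168.2.30 is matched just like one to an internet address. With rule 15 of ACL 3002 as written, a source in 192.168.3.0/24 matches no rule.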


Sophoni
Created Jun 3, 2014 07:42:15 Helpful(0) Helpful(0)

thanks

sashokltd2
Created Sep 25, 2015 11:39:31 Helpful(0) Helpful(0)

Hi! 

Will this scheme work on s6324?

Thank you


user_3445655
Created Mar 17, 2020 13:12:41 Helpful(0) Helpful(0)

It's kindly a little interesting.
I mean Jim and Tim.
LOL

LuizPuppin
MVE Created Mar 17, 2020 14:55:58 Helpful(0) Helpful(0)

Congrats. It is the same configuration used on NE routers.