Transparent PBR in Huawei

Created: Jun 27, 2019 16:14:42 | Latest reply: Jul 3, 2019 00:57:13
Rewarded Hi-coins: 0 (problem resolved)

Hi,

We are trying to forward all the HTTP traffic to our cache box, using the configuration below.

WAN_IFACE = XGigabitEthernet 0/0/19
LAN_IFACE = XGigabitEthernet 0/0/14
CACHE_BOX_IFACE = XGigabitEthernet 0/0/11

On WAN side:

acl name test_wan_acl 3556
 rule permit tcp destination any source-port eq 80

traffic classifier test_wan_classifier operator or
 if-match acl test_wan_acl

traffic behavior test_wan_behaviour
 redirect ip-nexthop 10.200.2.2   (cache box IP)

traffic policy test_wan_policy match-order config
 classifier test_wan_classifier behavior test_wan_behaviour

interface XGigabitEthernet 0/0/19
 traffic-policy test_wan_policy inbound

On LAN side:

acl name test_lan_acl 3555
 rule permit tcp source any destination-port eq 80

traffic classifier test_lan_classifier operator or
 if-match acl test_lan_acl

traffic behavior test_lan_behaviour
 redirect ip-nexthop 10.200.2.2   (cache box IP)

traffic policy test_lan_policy match-order config
 classifier test_lan_classifier behavior test_lan_behaviour

interface XGigabitEthernet 0/0/14
 traffic-policy test_lan_policy inbound

The Problem:

The traffic is being forwarded to the cache_box; while debugging we found that the destination IP of the packets retains its original address, hence the cache_box drops the packets.

We need to modify the PBR configuration to change the destination IP to the cache_box IP (static routing).


Regards,

Tamil





All Answers
chenhui (Admin), Jun 28, 2019 02:22:50

@stamil Hi,
I have a question. Assume the user wants to browse the content on the server 20.1.1.1, so the HTTP packets are sent to 20.1.1.1 and the router redirects the traffic to the cache box. If the destination IP address were modified from 20.1.1.1 to 10.200.2.2 (cache box IP), how could the cache box distinguish which content it should provide to the user?

chenhui (Admin), Jun 29, 2019 00:40:07

@stamil Hi,
The switch is unable to do NAT based on the destination IP address. I would appreciate it if you could confirm the question I asked previously, or you can try to adjust the network topology and connect the cache box in cascade rather than in bypass.

stamil, Jul 2, 2019 11:30:59

Posted by chenhui at 2019-06-28 02:22 @stamil Hi, I got a question. Assume the user want to browse the content on the server 20.1.1.1, so ...
Dear chenhui,
Yes, you're correct. The cache box somehow should know how to route the packet. Since we are capturing HTTP packets and processing them with our HTTP proxy server, we have access to the HTTP header, which has enough details to communicate with the origin server.
Hence modifying the destination address to reach the cache box might not have any impact. Can you please help me route the packet to the cache_box by modifying the destination address of the packet?

Thanks,
Tamil

chenhui (Admin), Jul 3, 2019 00:57:13

Posted by stamil at 2019-07-02 11:30 dear chenhui ,Yes, you’re correct. The cache box somehow should know how to route packet. Since w ...
@stamil Hi,
Are there any examples in the cache box help documentation?
I googled "cachebox" and only found the ApplianSys CacheBox, but there isn't a detailed example on their web pages, only introductory information. So if you could search the cache box help documentation and find some detailed examples, it would be helpful.
Anyway, since the AR router cannot NAT the destination address, if there aren't any devices on your side which could do this, you can try to reinstall the cache box in cascade rather than in bypass, in which case the destination address NAT is no longer necessary.
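An added illustration, not part of the thread or of any Huawei or cache-box software: a small Python model of what the redirect ip-nexthop behaviour in Tamil's configuration does to a packet, contrasted with the destination-address rewrite he asked for, and why a cache box that expects packets addressed to itself drops the redirected traffic as chenhui explains. All function names, the client address and the "transparent-intercept mode" of the cache box are assumptions made for the example.

```python
from dataclasses import dataclass, replace

CACHE_BOX_IP = "10.200.2.2"  # from the thread
ORIGIN_SERVER = "20.1.1.1"   # example server in chenhui's reply
CLIENT = "192.0.2.10"        # constructed for this example

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    next_hop: str = ""  # the switch's forwarding decision, not an IP header field

def matches_acl(pkt: Packet, side: str) -> bool:
    """'lan' models test_lan_acl (destination-port eq 80); 'wan' models
    test_wan_acl (source-port eq 80)."""
    return pkt.dport == 80 if side == "lan" else pkt.sport == 80

def redirect_ip_nexthop(pkt: Packet, side: str) -> Packet:
    """Model of 'redirect ip-nexthop 10.200.2.2': only the next hop changes;
    the IP header, including the destination address, is left untouched."""
    return replace(pkt, next_hop=CACHE_BOX_IP) if matches_acl(pkt, side) else pkt

def dnat_to_cache_box(pkt: Packet, side: str) -> Packet:
    """The destination rewrite the poster asked for; the thread says the
    switch cannot do it, so this exists only for contrast."""
    return replace(pkt, dst=CACHE_BOX_IP, next_hop=CACHE_BOX_IP) if matches_acl(pkt, side) else pkt

def cache_box_accepts(pkt: Packet, transparent: bool) -> bool:
    """Outside an (assumed) transparent-intercept mode a cache box accepts
    only packets addressed to itself, so a redirected packet still carrying
    the origin's address is dropped. In transparent mode it takes whatever
    is delivered to it and relies on the HTTP Host header to reach the origin."""
    return pkt.next_hop == CACHE_BOX_IP if transparent else pkt.dst == CACHE_BOX_IP

def demo() -> dict:
    """The cases the thread discusses; each value is True when it behaves as described."""
    req = Packet(CLIENT, ORIGIN_SERVER, 51234, 80)   # client -> origin, LAN inbound
    resp = Packet(ORIGIN_SERVER, CLIENT, 80, 51234)  # origin -> client, WAN inbound
    ssh = Packet(CLIENT, ORIGIN_SERVER, 51235, 22)   # non-HTTP, must not be redirected
    redirected = redirect_ip_nexthop(req, "lan")
    return {
        "pbr_keeps_original_dst": redirected.dst == ORIGIN_SERVER,
        "pbr_dropped_by_plain_cache": not cache_box_accepts(redirected, transparent=False),
        "pbr_ok_with_transparent_cache": cache_box_accepts(redirected, transparent=True),
        "dnat_ok_with_plain_cache": cache_box_accepts(dnat_to_cache_box(req, "lan"), False),
        "wan_acl_catches_replies": redirect_ip_nexthop(resp, "wan").next_hop == CACHE_BOX_IP,
        "non_http_untouched": redirect_ip_nexthop(ssh, "lan").next_hop == "",
    }
```

Running demo() returns True for every case, which is exactly the split in the thread: the redirect delivers the packet to the cache box but leaves 20.1.1.1 as the destination, so only a cache box that intercepts transparently (or a device that can rewrite the destination) makes the bypass design work.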
