Got it
Huawei Enterprise Support Community
Community Forums Routing & Switching
Transperent PBR in huawei

Transperent PBR in huawei

Created: Jun 27, 2019 16:14:42Latest reply: Jul 3, 2019 00:57:13 412 4 0 0 0
  Rewarded HiCoins: 0 (problem resolved)
View the author 1#

Hi,

We are trying to forward all the HTTP traffic to our cache box, using below configuration


WAN_IFACE = XGigabitEthernet 0/0/19

LAN_IFACE = XGigabitEthernet 0/0/14

CACHE_BOX_IFACE = XGigabitEthernet 0/0/11


On WAN side:


acl name test_wan_acl 3556

rule permit tcp destination any source-port eq 80


traffic classifier test_wan_classifier operator or

if-match acl test_wan_acl


traffic behavior test_wan_behaviour

redirect ip-nexthop 10.200.2.2(cache box IP)


traffic policy test_wan_policy match-order config

classifier test_wan_classifier behavior test_wan_behaviour


interface XGigabitEthernet 0/0/19

traffic-policy test_wan_policy inbound


ON LAN side:


acl name test_lan_acl 3555

rule permit tcp source any destination-port eq 80


traffic classifier test_lan_classifier operator or

if-match acl test_lan_acl


traffic behavior test_lan_behaviour

redirect ip-nexthop 10.200.2.2(cache box IP)


traffic policy test_lan_policy match-order config

classifier test_lan_classifier behavior test_lan_behaviour


interface XGigabitEthernet 0/0/14

traffic-policy test_lan_policy inbound



The Problem:

The traffic been forwarded to cache_box, while debugging we found the destination ip of the packets retains its original address, hence cache_box drops the packets.

we need to modify the PBR configuration to change the destination ip to the cache_box ip ( static routing )


Regards,

Tamil



Like (0) Dislike (0) Favorite(0) Share Report
Previous: Forgot all passwords and need to reset the console password for NetEngine20E V8R9 but no option to reset available
Next: Huawei router B525s-95a port forwarding
Featured Answers

Recommended answer

(0) (0)
chenhui
Admin Created Jun 29, 2019 00:40:07

@stamil Hi,
The switch is unable to do the NAT based on destination IP address, I would appreciate it if you could confirm the question I asked previous, or you can try to adjust the network topology, connect the cache box cascade rather than bypass.
View more
  • x
  • convention:
All Answers
(0) (0)
2#
chenhui
chenhui Admin Created Jun 28, 2019 02:22:50

@stamil Hi,
I got a question. Assume the user want to browse the content on the server 20.1.1.1, so the HTTP packets are sent to 20.1.1.1, the router redirects the traffic to the cache box, if the destination IP address was modifyed from the 20.1.1.1 to 10.200.2.2(cache box IP), how could the cache box distinguish which parts of content should it provides to the user?
View more
  • x
  • convention:
(0) (0)
3#
chenhui
chenhui Admin Created Jun 29, 2019 00:40:07

@stamil Hi,
The switch is unable to do the NAT based on destination IP address, I would appreciate it if you could confirm the question I asked previous, or you can try to adjust the network topology, connect the cache box cascade rather than bypass.
View more
  • x
  • convention:
(0) (0)
4#
stamil
stamil Created Jul 2, 2019 11:30:59

Posted by chenhui at 2019-06-28 02:22 @stamil Hi, I got a question. Assume the user want to browse the content on the server 20.1.1.1, so ...
dear chenhui ,
Yes, you’re correct. The cache box somehow should know how to route packet. Since we are capturing http packet and processing with our http proxy server we are having access to HTTP Header which is having an enough details to communicate with origin server.
Hence modifing the destination address to reach the cache box might not have any impact. can you please help me to route the packet to cache_box by modifing the destination address of the packet

Thanks,
Tamil
View more
  • x
  • convention:
(0) (0)
5#
chenhui
chenhui Admin Created Jul 3, 2019 00:57:13

Posted by stamil at 2019-07-02 11:30 dear chenhui ,Yes, you’re correct. The cache box somehow should know how to route packet. Since w ...
@stamil Hi,
Are there any examples in the cachebox help documentation?
I googled the cachebox, only found the appliansys cachebox, but there isn't a detailed example on their webpages, only introduction information. So if you could search the cachebox help documentation and find some detailed examples, it would be helpful.
Anyway, since the AR router cannot NAT the destination address, if there isn't any devices by your side which could do this, you can try to reinstall the cachebox cascade rather than bypass, in which way, the destination address NAT is not necessary any more.
View more
  • x
  • convention:
Back to list

Comment

Advanced
B Color Image Link Quote Code Smilies
You need to log in to comment to the post Login | Register
Comment

Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:
  • Politically sensitive content
  • Content concerning pornography, gambling, and drug abuse
  • Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacy
Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see " User Agreement."

My Followers

Login and enjoy all the member benefits

Login
Huawei Website Support About Huawei Privacy User Agreement Terms of Use Cookies Cookie Settings
Huawei Enterprise Huawei Carrier Forum Training & Certification

Contact Us: e_online@huawei.com Copyright © 2022 Huawei Technologies Co., Ltd. All rights reserved.

APP

Block
Are you sure to block this user?
Users on your blacklist cannot comment on your post,cannot mention you, cannot send you private messages.
Reminder
Please bind your phone number to obtain invitation bonus.