
The difference of policy-based routing between USG9100 and USG2000

Publication Date: 2012-10-17
Issue Description

The customer required the following for IP packets arriving from the extranet: if the source address is in 10.150.0.0/16, the next hop is 10.150.222.1; for any other source address, the next hop is 10.150.224.1. Policy-based routing (PBR) is used to meet this requirement. The following configuration is on FWA:


Initially the configuration was made on an SRG20-31:
#
acl number 3000
rule 0 deny ip source 10.150.0.0 0.0.255.255 destination 10.0.0.0 0.255.255.255
rule 3 deny ip source 10.84.0.0 0.0.255.255 destination 23.10.0.0 0.0.0.255
rule 4 deny ip destination 23.10.0.0 0.0.0.255
rule 5 permit ip
#
traffic classifier class1
if-match acl 3000
#
traffic behavior behavior1
redirect ip-nexthop 10.150.224.1 interface GigabitEthernet3/1/6
#
qos policy mypolicy
classifier class1 behavior behavior1
The PBR policy is applied on the extranet port of FWA.
In this setup PBR takes effect, and packets from the downstream port can successfully ping FWA.
Because the customer's traffic increased, the SRG20-31 had to be replaced with a USG9100. The configuration was copied directly to the USG9100; afterwards the extranet could still access the intranet server normally, but the extranet could no longer ping FWA.
Alarm Information
none
Handling Process
A rule must be added to ACL 3000 so that packets whose destination address is the USG9100 itself are not subject to PBR.
acl number 3000
rule 0 deny ip source 10.150.0.0 0.0.255.255 destination 10.0.0.0 0.255.255.255
rule 2 deny ip destination 23.10.255.254 0  // packets whose destination address is the USG9100 itself do not go through PBR
rule 3 deny ip source 10.84.0.0 0.0.255.255 destination 23.10.0.0 0.0.0.255
rule 4 deny ip destination 23.10.0.0 0.0.0.255
rule 5 permit ip
Root Cause
Analysis showed that the way PBR takes effect differs between firewalls such as the USG9100, USG2000 and USG3000. On the USG2000 and USG3000, PBR does not apply to packets whose destination address is the device itself, but on the USG9100 PBR applies to all packets, so packets pinging the USG9100 were also redirected to 10.150.222.1.
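The following is an added model, not Huawei code, of the ACL 3000 / PBR logic in the Handling Process and Root Cause sections above. It evaluates the page's ACL rules with Huawei-style wildcard masks (first match wins, a permit match means the classifier matches and the packet is redirected) and compares the two device behaviours: PBR skipping device-addressed packets (USG2000/USG3000) versus PBR evaluated for every packet (USG9100). It assumes 23.10.255.254 (from rule 2) is the USG9100 port address and uses a constructed extranet source address.

```python
import ipaddress

# Constructed model of the page's PBR: ACL rules with wildcard masks, first match
# wins; "permit" means traffic classifier class1 matches and behavior1 redirects.
FIREWALL_ADDR = "23.10.255.254"  # assumed USG9100 port address (taken from rule 2)
PBR_NEXTHOP = "10.150.224.1"     # redirect ip-nexthop from the page's behavior1

ORIGINAL_ACL = [  # ACL 3000 as copied from the SRG20-31
    "rule 0 deny ip source 10.150.0.0 0.0.255.255 destination 10.0.0.0 0.255.255.255",
    "rule 3 deny ip source 10.84.0.0 0.0.255.255 destination 23.10.0.0 0.0.0.255",
    "rule 4 deny ip destination 23.10.0.0 0.0.0.255",
    "rule 5 permit ip",
]
FIXED_ACL = ORIGINAL_ACL[:1] + ["rule 2 deny ip destination 23.10.255.254 0"] + ORIGINAL_ACL[1:]

def to_int(s):
    """Dotted quad to int; a bare '0' wildcard is Huawei shorthand for 0.0.0.0 (host match)."""
    return int(ipaddress.IPv4Address("0.0.0.0" if s == "0" else s))

def wildcard_match(addr, network, wildcard):
    """Huawei ACL wildcard: 0 bits must match, 1 bits are don't-care."""
    care = 0xFFFFFFFF ^ to_int(wildcard)
    return (to_int(addr) & care) == (to_int(network) & care)

def parse_rule(line):
    """'rule 2 deny ip destination 23.10.255.254 0' -> action plus optional matchers."""
    tok = line.split()
    rule = {"action": tok[2], "source": None, "destination": None}
    for i in range(4, len(tok), 3):  # 'source X W' / 'destination X W' groups
        rule[tok[i]] = (tok[i + 1], tok[i + 2])
    return rule

def acl_action(acl, src, dst):
    for r in map(parse_rule, acl):
        if all(r[k] is None or wildcard_match(a, *r[k])
               for k, a in (("source", src), ("destination", dst))):
            return r["action"]
    return "deny"  # nothing matched: the classifier does not match either

def next_hop(acl, src, dst, model):
    """Where an extranet packet goes. 'USG2000' (also USG3000): PBR is skipped for
    packets addressed to the firewall. 'USG9100': PBR is evaluated for every packet."""
    if model == "USG2000" and dst == FIREWALL_ADDR:
        return "local"        # delivered to the firewall, so the ping is answered
    if acl_action(acl, src, dst) == "permit":
        return PBR_NEXTHOP    # redirected by behavior1, even when addressed to the firewall
    return "local" if dst == FIREWALL_ADDR else "routing-table"
```

With the original ACL, `next_hop(ORIGINAL_ACL, "198.51.100.7", FIREWALL_ADDR, "USG9100")` returns the PBR next hop (the ping is redirected and fails), while the same call with `FIXED_ACL` returns "local".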
Suggestions
none