How does MA5200G configure policy route for user side and network side?
Policy routing selects the forwarding egress according to the source IP address of the user's packets, whereas ordinary routing is based on the destination address.
1. For user-side packets, policy routing cannot be set according to IP address. To make users leave through different egresses on the MA5200G, it is suggested to designate the next-hop address in the user domain. Note: Directly using an EACL or ACL to designate the IP address and next-hop address has no effect.
Create a new domain
[Quidway-aaa-domain-huawei]policy-route 220.127.116.11 //Designate the next-hop address in domain mode. All users in this domain give priority to this address.
2. For network-side addresses, policy routing can be enabled according to IP address:
In VRP3.30-22XX versions, policy routing can be set with an EACL:
[Quidway]rule 123 ip 18.104.22.168 0.0.0.255 any //Classify data traffic according to IP address.
[Quidway]flow-action xyt redirect ip 22.214.171.124 ethernet 4/0/0 //Designate the behavior and next hop.
[Quidway]eacl cl 123 xyt //Use the EACL to bind the traffic rule and the behavior.
[Quidway-Ethernet4/0/0]access-group eacl cl //Reference the EACL on the port.
To apply the EACL to the whole site, designate the EACL name as global:
[Quidway]eacl global 123 xyt
[Quidway]access-group eacl global
VRP3.30-23XX versions use an ACL and a traffic policy instead:
[Quidway]acl 10000 mat auto //Configure the ACL.
[Quidway-acl-simple-10000]rule ip source ip 126.96.36.199 0.0.0.255 destination any //Designate the address segment.
[Quidway]traffic classifier c1 //Define the classifier.
[Quidway-classifier-c1]if-match acl 10000 //Reference the ACL in the classifier.
[Quidway]traffic behavior c1 //Define the behavior.
[Quidway-behavior-c1]redirect ip 188.8.131.52 //Designate the next-hop address.
[Quidway]traffic policy c1 auto //Define the traffic policy.
[Quidway-trafficpolicy-c1]classifier c1 behavior inbound c1 //Bind the classifier and the behavior.
[Quidway]traffic-policy c1 //Apply this traffic policy.
For user-side packets, configure the source of the rule as a user group number so that it matches user packets, then redirect the matched packets; the rest of the configuration is the same as for the network side. The rule must use the user group number rather than an IP address. Otherwise, it is invalid.
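The VRP3.30-23XX configuration above is a chain of references (ACL, classifier, behavior, traffic policy, apply), and a single mismatched number or name leaves the redirect silently unused. The following check is an added example, not Huawei tooling or part of the original page: it parses only the command forms shown on this page, assumes the last token of the binding line is the behavior name, and runs on a constructed sample with documentation addresses.

```python
import re

# Constructed sample in the page's 23XX syntax: ACL created as 10001, classifier matches 10000.
SAMPLE = """\
[Quidway]acl 10001 mat auto //Configure acl
[Quidway-acl-simple-10001]rule ip source ip 192.0.2.0 0.0.0.255 destination any
[Quidway]traffic classifier c1
[Quidway-classifier-c1]if-match acl 10000
[Quidway]traffic behavior c1
[Quidway-behavior-c1]redirect ip 198.51.100.1
[Quidway]traffic policy c1 auto
[Quidway-trafficpolicy-c1]classifier c1 behavior inbound c1
[Quidway]traffic-policy c1
"""

def lint_policy_route(config):
    """Return findings for broken ACL -> classifier -> behavior -> policy links."""
    acls, classifiers, behaviors, policies = set(), set(), set(), set()
    matches, redirects, bindings, applied = [], set(), [], set()
    for line in config.splitlines():
        m = re.match(r"\[([^\]]+)\]\s*(.*)", line)
        cmd = m.group(2).split("//")[0].split() if m else []  # drop trailing comment
        if len(cmd) < 2:
            continue
        view = m.group(1).rsplit("-", 1)[-1]      # object named in the prompt
        if cmd[0] == "acl":
            acls.add(cmd[1])
        elif cmd[0] == "traffic" and len(cmd) > 2:
            {"classifier": classifiers, "behavior": behaviors,
             "policy": policies}.get(cmd[1], set()).add(cmd[2])
        elif cmd[:2] == ["if-match", "acl"] and len(cmd) > 2:
            matches.append((view, cmd[2]))
        elif cmd[0] == "redirect":
            redirects.add(view)
        elif cmd[0] == "classifier":              # binding inside a traffic policy
            bindings.append((view, cmd[1], cmd[-1]))
        elif cmd[0] == "traffic-policy":
            applied.add(cmd[1])
    out = [f"classifier {c}: acl {a} is not defined" for c, a in matches if a not in acls]
    for pol, cls, beh in bindings:
        if cls not in classifiers:
            out.append(f"policy {pol}: classifier {cls} is not defined")
        if beh not in behaviors:
            out.append(f"policy {pol}: behavior {beh} is not defined")
        elif beh not in redirects:
            out.append(f"policy {pol}: behavior {beh} has no redirect next hop")
    out += [f"policy {p} is defined but never applied" for p in sorted(policies - applied)]
    return out
```

Calling `lint_policy_route(SAMPLE)` reports the undefined ACL 10000; an empty list means every reference in the chain resolves.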