By means of interworking between policy-based routing and BFD sessions, the preceding issue is addressed, the flexibility of policy-based routing is enhanced, and the capability of policy-based routing for dynamically sensitizing the network environment is improved. By associating execution actions of policy-based routing with static BFD sessions, the firewall can rapidly monitor the link accessibility of the next hop or outbound interface specified by policy-based routing based on BFD sessions. The firewall can dynamically determine the availability of policy-based routing based on the BFD session state.
Key configurations for the interworking between BFD sessions and policy-based routing on the USG firewall are as follows:# Configure BFD session 1, and set the peer IP address to 126.96.36.199, local identifier to 10, and remote identifier to 20.
[USG] bfd 1 bind peer-ip 188.8.131.52
[USG-bfd-session-1] discriminator local 10
[USG-bfd-session-1] discriminator remote 20
# Configure policy testA, set packets from source address 10.1.0.0/16 to be delivered to next hop address 184.108.40.206, and associate the next hop address with BFD session 1.
[USG] policy-based-route testA permit node 5
[USG-policy-based-route-testA-5] if-match acl 3001
[USG-policy-based-route-testA-5] apply ip-address next-hop 220.127.116.11 track bfd-session 10
# Apply policy testA to interface GigabitEthernet 0/0/1 to process packets received at this interface.
[USG] interface GigabitEthernet 0/0/1
[USG-GigabitEthernet0/0/1] ip policy-based-route testA
# Configure a default route, set the next hop address to 18.104.22.168/24, and associate the next hop address with BFD session 1.
[USG] ip route-static 0.0.0.0 0.0.0.0 22.214.171.124 track bfd-session 1
Note: The USG6000 configuration must be consistent with the key configuration of the USG2000&5000. This case takes the USG2000&5000 as an example to describe the configuration. You can learn the USG6000 configuration in other configurations.
For specific configurations, click Method used to configure interworking between BFD sessions and policy-based routing on the USG firewall