Typical Configuration Examples

CloudEngine 12800, 12800E, 8800, 7800, 6800, and 5800 Series Switches

Configuring PBR

Applicable Products and Versions

This example applies to the CE12800/CE6800/CE5800 V100R001C00 or later, CE12800E V200R002C50 or later, CE8800 V100R006C00 or later, and CE7800 V100R003C00 or later.

Networking Requirements

As shown in Figure 2-48, servers in the service area need to access the Internet. The data server and video server in the service area connect to the gateway router through access switch SwitchB and core switch SwitchA and communicate with the Internet through the gateway Router.

A firewall connects to core switch SwitchA in bypass mode to secure the traffic exchanged between the servers and the Internet. All server-to-Internet and Internet-to-server traffic passing through SwitchA is redirected to the firewall by PBR, and the firewall filters it to protect both the internal and the external network.

Figure 2-48 PBR networking

Table 2-10 describes the network plan of devices shown in Figure 2-48.

Table 2-10 Network plan

Item           Data
Data Server    VLAN that the server belongs to: VLAN 100
Video Server   VLAN that the server belongs to: VLAN 200
SwitchA        VLAN that 10GE1/0/1 belongs to: VLAN 100 and VLAN 200
               VLAN that 10GE1/0/2 belongs to: VLAN 500
               VLAN that 10GE1/0/3 belongs to: VLAN 300
               VLAN that 10GE1/0/4 belongs to: VLAN 400
               VLANIF 100 IP address: 192.168.1.1/24
               VLANIF 200 IP address: 192.168.2.1/24
               VLANIF 300 IP address: 192.168.3.1/24
               VLANIF 400 IP address: 192.168.4.1/24
               VLANIF 500 IP address: 192.168.10.1/24
SwitchB        VLAN that 10GE1/0/1 belongs to: VLAN 100 and VLAN 200
               VLAN that 10GE1/0/2 belongs to: VLAN 100
               VLAN that 10GE1/0/3 belongs to: VLAN 200
USG            10GE1/0/3: address 192.168.3.2/24; security zone: trust
               10GE1/0/4: address 192.168.4.2/24; security zone: untrust

Table 2-11 Data preparation

Item       Data                                                                            Remarks
SwitchA    Default route: ip route-static 0.0.0.0 0.0.0.0 192.168.10.2                    -
Firewall   IP address of the interface connected to 10GE1/0/3 on SwitchA: 192.168.3.2 24   -
Router     IP address of the interface connected to 10GE1/0/2 on SwitchA: 192.168.10.2 24  -

Requirement Analysis

  • For security purposes, connect a core firewall to SwitchA in bypass mode to filter traffic.
  • Configure the USG to filter traffic exchanged between servers and the Internet.

Procedure

  1. Configure SwitchB. The CE5800 is used as an example.

    <HUAWEI> system-view
    [~HUAWEI] sysname SwitchB  //Change the device name to SwitchB.
    [~HUAWEI] commit 
    [~SwitchB] vlan batch 100 200  //Create VLAN 100 and VLAN 200 on SwitchB.
    [~SwitchB] commit 
    [~SwitchB] interface 10ge 1/0/1  //Enter the view of the interface connecting SwitchB to SwitchA.
    [~SwitchB-10GE1/0/1] port link-type trunk  //Configure the link type of the interface as trunk.
    [~SwitchB-10GE1/0/1] port trunk allow-pass vlan 100 200  //Add the interface to VLAN 100 and VLAN 200 so that packets from VLAN 100 and VLAN 200 can pass through.
    [~SwitchB-10GE1/0/1] quit
    [~SwitchB] interface GE 1/0/2  //Enter the view of the interface connecting SwitchB to the data server.
    [~SwitchB-GE1/0/2] port default vlan 100  //Set the default VLAN ID of the interface to VLAN 100 so that packets from VLAN 100 can pass through.
    [~SwitchB-GE1/0/2] quit
    [~SwitchB] interface GE 1/0/3  //Enter the view of the interface connecting SwitchB to the video server.
    [~SwitchB-GE1/0/3] port default vlan 200  //Set the default VLAN ID of the interface to VLAN 200 so that packets from VLAN 200 can pass through.
    [~SwitchB-GE1/0/3] quit
    [~SwitchB] commit 

  2. Configure SwitchA. The CE12800 is used as an example.

    <HUAWEI> system-view
    [~HUAWEI] sysname SwitchA  //Change the device name to SwitchA.
    [~HUAWEI] commit 
    [~SwitchA] vlan batch 100 200 300 400 500  //Create VLAN 100, VLAN 200, VLAN 300, VLAN 400, and VLAN 500 on SwitchA.
    [~SwitchA] commit 
    [~SwitchA] interface 10ge 1/0/1  //Enter the view of the interface connecting SwitchA to SwitchB.
    [~SwitchA-10GE1/0/1] port link-type trunk  //Configure the link type of the interface as trunk.
    [~SwitchA-10GE1/0/1] port trunk allow-pass vlan 100 200  //Add the interface to VLAN 100 and VLAN 200 so that packets from VLAN 100 and VLAN 200 can pass through.
    [~SwitchA-10GE1/0/1] quit
    [~SwitchA] interface 10ge 1/0/2  //Enter the view of the interface connecting SwitchA to Router.
    [~SwitchA-10GE1/0/2] port default vlan 500  //Set the default VLAN ID of the interface to VLAN 500.
    [~SwitchA-10GE1/0/2] quit
    [~SwitchA] interface 10ge 1/0/3  //Enter the view of the interface connecting SwitchA to the core firewall.
    [~SwitchA-10GE1/0/3] port default vlan 300  //Set the default VLAN ID of the interface to VLAN 300.
    [~SwitchA-10GE1/0/3] quit
    [~SwitchA] interface 10ge 1/0/4  //Enter the view of another interface connecting SwitchA to the core firewall.
    [~SwitchA-10GE1/0/4] port default vlan 400  //Set the default VLAN ID of the interface to VLAN 400.
    [~SwitchA-10GE1/0/4] quit
    [~SwitchA] commit 
    [~SwitchA] interface vlanif 100
    [~SwitchA-Vlanif100] ip address 192.168.1.1 24  //Configure the IP address of VLANIF 100 as 192.168.1.1 and mask as 24.
    [~SwitchA-Vlanif100] quit
    [~SwitchA] interface vlanif 200
    [~SwitchA-Vlanif200] ip address 192.168.2.1 24  //Configure the IP address of VLANIF 200 as 192.168.2.1 and mask as 24.
    [~SwitchA-Vlanif200] quit
    [~SwitchA] interface vlanif 300
    [~SwitchA-Vlanif300] ip address 192.168.3.1 24  //Configure the IP address of VLANIF 300 as 192.168.3.1 and mask as 24.
    [~SwitchA-Vlanif300] quit
    [~SwitchA] interface vlanif 400
    [~SwitchA-Vlanif400] ip address 192.168.4.1 24  //Configure the IP address of VLANIF 400 as 192.168.4.1 and mask as 24.
    [~SwitchA-Vlanif400] quit
    [~SwitchA] interface vlanif 500
    [~SwitchA-Vlanif500] ip address 192.168.10.1 24  //Configure the IP address of VLANIF 500 as 192.168.10.1 and mask as 24.
    [~SwitchA-Vlanif500] quit
    [~SwitchA] commit 
    [~SwitchA] ip route-static 0.0.0.0 0.0.0.0 192.168.10.2  //Configure the default route so that the server can access the Internet.
    [~SwitchA] commit 
    [~SwitchA] acl 3001  //Create ACL 3001.
    [~SwitchA-acl4-advance-3001] rule 5 permit ip source 192.168.1.2 24  //Configure a rule in ACL 3001 to match packets from 192.168.1.0/24 (24 is the mask length, so the rule covers the whole subnet, not only the host 192.168.1.2).
    [~SwitchA-acl4-advance-3001] rule 10 permit ip source 192.168.2.2 24  //Configure a rule in ACL 3001 to match packets from 192.168.2.0/24.
    [~SwitchA-acl4-advance-3001] commit 
    [~SwitchA-acl4-advance-3001] quit
    [~SwitchA] traffic classifier c1  //Create a traffic classifier named c1.
    [~SwitchA-classifier-c1] if-match acl 3001  //Reference ACL 3001 in the traffic classifier c1 so that packets from 192.168.1.0 or 192.168.2.0 are matched, that is, packets from servers to the Internet.
    [~SwitchA-classifier-c1] quit
    [~SwitchA] commit 
    [~SwitchA] traffic behavior b1  //Create a traffic behavior named b1.
    [~SwitchA-behavior-b1] redirect nexthop 192.168.3.2  //Configure the device to redirect matching packets to the core firewall at 192.168.3.2.
    [~SwitchA-behavior-b1] quit
    [~SwitchA] commit 
    [~SwitchA] traffic policy p1  //Create a traffic policy named p1.
    [~SwitchA-trafficpolicy-p1] classifier c1 behavior b1  //Bind the traffic classifier c1 and traffic behavior b1 to the traffic policy p1. That is, all packets from servers to the Internet are redirected to the core firewall.
    [~SwitchA-trafficpolicy-p1] quit
    [~SwitchA] commit 
    [~SwitchA] interface 10ge 1/0/1  //Enter the view of the interface connecting SwitchA to SwitchB.
    [~SwitchA-10GE1/0/1] traffic-policy p1 inbound  //Apply the traffic policy p1 to the interface connecting SwitchA to SwitchB in the inbound direction to filter packets from servers to the Internet.
    [~SwitchA-10GE1/0/1] quit
    [~SwitchA] commit 
    [~SwitchA] acl 3002  //Create ACL 3002.
    [~SwitchA-acl4-advance-3002] rule 5 permit ip destination 192.168.1.2 24  //Configure a rule in ACL 3002 to match packets destined for 192.168.1.0/24 (mask length 24).
    [~SwitchA-acl4-advance-3002] rule 10 permit ip destination 192.168.2.2 24  //Configure a rule in ACL 3002 to match packets destined for 192.168.2.0/24.
    [~SwitchA-acl4-advance-3002] commit 
    [~SwitchA-acl4-advance-3002] quit
    [~SwitchA] traffic classifier c2  //Create a traffic classifier named c2.
    [~SwitchA-classifier-c2] if-match acl 3002  //Reference ACL 3002 in the traffic classifier c2 so that packets destined for 192.168.1.0/24 or 192.168.2.0/24 are matched, that is, packets from the Internet to the servers.
    [~SwitchA-classifier-c2] quit
    [~SwitchA] commit 
    [~SwitchA] traffic behavior b2  //Create a traffic behavior named b2.
    [~SwitchA-behavior-b2] redirect nexthop 192.168.3.2  //Configure the device to redirect matching packets to the core firewall at 192.168.3.2.
    [~SwitchA-behavior-b2] quit
    [~SwitchA] commit 
    [~SwitchA] traffic policy p2  //Create a traffic policy named p2.
    [~SwitchA-trafficpolicy-p2] classifier c2 behavior b2  //Bind the traffic classifier c2 and traffic behavior b2 to the traffic policy p2. That is, all packets from the Internet to the servers are redirected to the core firewall.
    [~SwitchA-trafficpolicy-p2] quit
    [~SwitchA] commit 
    [~SwitchA] interface 10ge 1/0/2  //Enter the view of the interface connecting SwitchA to Router.
    [~SwitchA-10GE1/0/2] traffic-policy p2 inbound  //Apply the traffic policy p2 (not p1, which handles the server-to-Internet direction) to the interface connecting SwitchA to Router in the inbound direction so that packets from the Internet to the servers are redirected to the firewall.
    [~SwitchA-10GE1/0/2] quit
    [~SwitchA] commit 

  3. Configure the firewall. The USG is used as an example.

    <USG> system-view
    [USG] interface GigabitEthernet 1/0/3  //Enter the view of the interface connecting the USG and SwitchA.
    [USG-GigabitEthernet1/0/3] ip address 192.168.3.2 24  //Configure the interface IP address.
    [USG-GigabitEthernet1/0/3] quit
    [USG] interface GigabitEthernet 1/0/4    //Enter the view of another interface connecting the USG and SwitchA.
    [USG-GigabitEthernet1/0/4] ip address 192.168.4.2 24  //Configure the interface IP address.
    [USG-GigabitEthernet1/0/4] quit
    [USG] firewall zone trust  //Enter the trust zone view.
    [USG-zone-trust] add interface GigabitEthernet 1/0/3  //Add GigabitEthernet 1/0/3 to the trust zone.
    [USG-zone-trust] quit
    [USG] firewall zone untrust  //Enter the untrust zone view.
    [USG-zone-untrust] add interface GigabitEthernet 1/0/4  //Add GigabitEthernet 1/0/4 to the untrust zone.
    [USG-zone-untrust] quit
    [USG] policy interzone trust untrust outbound  //Enter the interzone security policy view.
    [USG-policy-interzone-trust-untrust-outbound] policy 1   //Create a security policy and enter the view of security policy 1.
    [USG-policy-interzone-trust-untrust-outbound-1] policy source 192.168.1.0 0.0.0.255  //Specify the source address 192.168.1.0/24.
    [USG-policy-interzone-trust-untrust-outbound-1] policy source 192.168.2.0 0.0.0.255  //Specify the source address 192.168.2.0/24.
    [USG-policy-interzone-trust-untrust-outbound-1] policy destination 192.168.1.0 0.0.0.255  //Specify the destination address 192.168.1.0/24.
    [USG-policy-interzone-trust-untrust-outbound-1] policy destination 192.168.2.0 0.0.0.255  //Specify the destination address 192.168.2.0/24.
    [USG-policy-interzone-trust-untrust-outbound-1] action permit  //Permit packets that match this security policy.
    [USG-policy-interzone-trust-untrust-outbound-1] quit
    [USG-policy-interzone-trust-untrust-outbound] quit
    [USG] firewall blacklist enable  //Enable the blacklist.
    [USG] firewall defend ip-sweep enable  //Enable defense against IP address sweeping attacks.
    [USG] firewall defend ip-spoofing enable  //Enable defense against IP spoofing attacks.
    [USG] ip route-static 0.0.0.0 0.0.0.0 192.168.4.1  //Configure a route, with the next hop address as the IP address of VLANIF 400 on SwitchA so that packets from servers to the Internet and from the Internet to servers are sent from GigabitEthernet 1/0/4 on the firewall to SwitchA.
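To make the forwarding decisions in steps 2 and 3 concrete, the following Python model is added here as a worked example; it is not part of the Huawei configuration example and the names it uses (AclRule, pbr_next_hop, trace_server_to_internet) are hypothetical, not VRP commands. It reproduces SwitchA's ACLs, classifiers, behaviors, policies and inbound bindings from step 2, applies the Huawei mask-length semantics of `source 192.168.1.2 24` (the whole 192.168.1.0/24 matches), and also covers the two cases the Configuration Notes raise: a classifier whose ACL rule denies a packet (the switch discards it) and PBR not taking effect (the default route is used). Sample addresses such as 192.168.1.77 and 203.0.113.10 are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Added example: a small model of SwitchA's PBR decision for the configuration above.
# The Python names (AclRule, pbr_next_hop, ...) are hypothetical; they are not VRP commands.


@dataclass
class AclRule:
    action: str                       # "permit" or "deny"
    source: Optional[str] = None      # "192.168.1.2 24": address followed by mask length
    destination: Optional[str] = None


def in_prefix(addr: str, spec: Optional[str]) -> bool:
    """Huawei advanced-ACL semantics for 'source A.B.C.D N': N is a mask length,
    so '192.168.1.2 24' matches the whole 192.168.1.0/24, not only host .2."""
    if spec is None:
        return True
    base, length = spec.split()
    net = ipaddress.ip_network(f"{base}/{length}", strict=False)
    return ipaddress.ip_address(addr) in net


def acl_action(rules, src: str, dst: str) -> Optional[str]:
    """Action of the first matching rule, or None if no rule matches."""
    for rule in rules:
        if in_prefix(src, rule.source) and in_prefix(dst, rule.destination):
            return rule.action
    return None


# The ACLs, classifiers, behaviors and policies configured on SwitchA in step 2.
ACLS = {
    3001: [AclRule("permit", source="192.168.1.2 24"),
           AclRule("permit", source="192.168.2.2 24")],
    3002: [AclRule("permit", destination="192.168.1.2 24"),
           AclRule("permit", destination="192.168.2.2 24")],
}
CLASSIFIERS = {"c1": 3001, "c2": 3002}
BEHAVIORS = {"b1": "192.168.3.2", "b2": "192.168.3.2"}      # redirect nexthop
POLICIES = {"p1": ("c1", "b1"), "p2": ("c2", "b2")}
APPLIED_INBOUND = {"10GE1/0/1": "p1", "10GE1/0/2": "p2"}     # traffic-policy ... inbound
DEFAULT_NEXTHOP = "192.168.10.2"                               # ip route-static 0.0.0.0 0.0.0.0 ...


def pbr_next_hop(ingress: str, src: str, dst: str,
                 acls=ACLS, pbr_enabled: bool = True) -> Tuple[str, Optional[str]]:
    """Decide what SwitchA does with a packet entering on 'ingress'.

    Returns ("redirect", nexthop), ("discard", None) or ("default-route", nexthop).
    pbr_enabled=False models PBR not taking effect (default route is used); a 'deny'
    ACL rule inside a referenced ACL models the note that such packets are discarded.
    """
    policy = APPLIED_INBOUND.get(ingress) if pbr_enabled else None
    if policy is None:
        return ("default-route", DEFAULT_NEXTHOP)
    classifier, behavior = POLICIES[policy]
    action = acl_action(acls[CLASSIFIERS[classifier]], src, dst)
    if action == "deny":
        return ("discard", None)
    if action == "permit":
        return ("redirect", BEHAVIORS[behavior])
    return ("default-route", DEFAULT_NEXTHOP)


def trace_server_to_internet(src: str = "192.168.1.77", dst: str = "203.0.113.10"):
    """Decisions SwitchA makes for one server-to-Internet packet (constructed addresses):
    first on arrival from SwitchB, then again when the USG hands it back on 10GE1/0/4."""
    first = pbr_next_hop("10GE1/0/1", src, dst)          # redirected to the USG
    back = pbr_next_hop("10GE1/0/4", src, dst)           # no policy here: default route to Router
    return [first, back]


if __name__ == "__main__":
    print(trace_server_to_internet())
    print(pbr_next_hop("10GE1/0/2", "203.0.113.10", "192.168.2.5"))   # Internet -> video server
```

The second hop in trace_server_to_internet is the reason the firewall's return interface must not carry a redirect policy: traffic coming back from the USG on 10GE1/0/4 has to fall through to the default route, otherwise it would loop back to 192.168.3.2.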

Verifying the Configuration

  1. Run the display traffic policy command on SwitchA to check whether the traffic policy configuration is correct.
    <SwitchA> display traffic policy
      Traffic Policy Information:
        Policy: p1
          Classifier: c1
            Type: OR
          Behavior: b1
            Redirect:
              Redirect nexthop
              192.168.3.2
    
        Policy: p2
          Classifier: c2
            Type: OR
          Behavior: b2
            Redirect:
              Redirect nexthop
              192.168.3.2
    
    Total policy number is 2
  2. Run the display traffic classifier command on SwitchA to check whether the traffic classifier configuration is correct.
    <SwitchA> display traffic classifier 
      Traffic Classifier Information:
        Classifier: c1
          Type: OR
          Rule(s):
            if-match acl 3001
    
        Classifier: c2
          Type: OR
          Rule(s):
            if-match acl 3002
    
    Total classifier number is 2
  3. Run the display traffic behavior command on SwitchA to check whether the traffic behavior configuration is correct.
    <SwitchA> display traffic behavior
    
      Traffic Behavior Information:
        Behavior: b1
          Redirect:
            Redirect nexthop
            192.168.3.2
    
        Behavior: b2
          Redirect:
            Redirect nexthop
            192.168.3.2
    
    Total behavior number is 2
  4. Run the display traffic-policy applied-record command on SwitchA to check the State field. If the value of the State field is success, the traffic policy is applied successfully.
    <SwitchA> display traffic-policy applied-record
    Total records : 2                                                               
    ------------------------------------------------------------------------------- 
    Policy Name                      Apply Parameter           Slot     State       
    ------------------------------------------------------------------------------- 
    p1                               10GE1/0/1 inbound            1     success     
    ------------------------------------------------------------------------------- 
    p2                               10GE1/0/2 inbound            1     success     
    ------------------------------------------------------------------------------- 
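Step 4 is the check worth automating: if either policy is not in the success state, or is bound to the wrong interface, server traffic silently bypasses the firewall via the default route. The Python below is an added example, not part of the Huawei document, that parses the output of display traffic-policy applied-record and reports any record whose State is not success or any expected binding that is missing. The sample text is constructed from the output shown above, with the p2 record altered to a non-success State (written here as "fail") so that the check has something to report; the function names and the expected-bindings table are assumptions of this example.

```python
import re
from typing import Dict, List, Set, Tuple

# Added example: parse 'display traffic-policy applied-record' output and flag policies
# that are not applied where this example expects them, or whose State is not success.
# Constructed sample, modelled on the output shown above; the p2 record has been altered
# to a non-success State so that the check reports something.
SAMPLE_OUTPUT = """\
Total records : 2
-------------------------------------------------------------------------------
Policy Name                      Apply Parameter           Slot     State
-------------------------------------------------------------------------------
p1                               10GE1/0/1 inbound            1     success
-------------------------------------------------------------------------------
p2                               10GE1/0/2 inbound            1     fail
-------------------------------------------------------------------------------
"""

# One record line: policy name, interface, direction, slot, state.
RECORD_RE = re.compile(r"^(\S+)\s+(\S+)\s+(inbound|outbound)\s+(\d+)\s+(\S+)$")

# What this example expects: p1 inbound on the SwitchB-facing port, p2 inbound on the
# Router-facing port (the two 'traffic-policy ... inbound' commands in step 2).
EXPECTED_BINDINGS: Set[Tuple[str, str, str]] = {
    ("p1", "10GE1/0/1", "inbound"),
    ("p2", "10GE1/0/2", "inbound"),
}


def parse_applied_records(text: str) -> List[Dict[str, object]]:
    """Return one dict per record line; the header, separator and total lines are skipped
    because they do not contain an 'inbound'/'outbound' token followed by a slot number."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            records.append({"policy": m.group(1), "interface": m.group(2),
                            "direction": m.group(3), "slot": int(m.group(4)),
                            "state": m.group(5)})
    return records


def check_pbr_applied(text: str, expected=EXPECTED_BINDINGS) -> List[str]:
    """List every problem found: an expected binding that is absent, or a record whose
    State is not 'success'. An empty list means both redirect policies are in place."""
    records = parse_applied_records(text)
    seen = {(r["policy"], r["interface"], r["direction"]) for r in records}
    problems = [f"{p} not applied {d} on {i}" for p, i, d in sorted(expected - seen)]
    for r in records:
        if r["state"] != "success":
            problems.append(f"{r['policy']} on {r['interface']} {r['direction']}: state {r['state']}")
    return problems


if __name__ == "__main__":
    for problem in check_pbr_applied(SAMPLE_OUTPUT):
        print("PBR check:", problem)
```

Feed the function the real command output captured from SwitchA (for example over SSH) and treat a non-empty result as an alert: a policy that has failed to apply means the firewall is no longer in the path for that direction of traffic.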

Configuration Notes

  • In this example, after redirection to the firewall is configured, traffic exchanged between the servers and the Internet leaves SwitchA through 10GE1/0/3 and returns through 10GE1/0/4, which uses the bandwidth of the two links inefficiently. It is recommended that the network be deployed flexibly according to the actual situation.
  • If PBR does not take effect, packets are forwarded according to the default route instead.
  • In V100R200C00 and later, you can run the undo portswitch command to switch an interface from Layer 2 to Layer 3 mode and then configure IP addresses directly on the Layer 3 interfaces.
  • If an ACL rule referenced in a traffic classifier defines the deny action for packets of a type, the device directly discards the packets of the type.
  • In this example, the firewall blacklist, defense against IP address sweeping attacks, and defense against IP spoofing attacks are enabled. You can enable different functions on the firewall to filter traffic.
Updated: 2019-10-14

Document ID: EDOC1000039339