Configuring Interface PBR
Context
By configuring the redirection action, the device redirects the packets matching traffic classification rules to a specified next hop address or an interface. When redirection becomes invalid, you can configure the device to discard packets or forward packets based on the original forwarding path.
A traffic policy containing the redirection action can only be used on an interface in the inbound direction.
Pre-configuration Tasks
Configuring IP addresses and routing protocols for interfaces to ensure connectivity
Configuring an ACL if the ACL needs to be used to classify traffic
(Optional) Uploading a Smart Application Control (SAC) signature file to the router and storing it to the storage media
Procedure
Configure a traffic classifier.
Run system-view
The system view is displayed.
Run traffic classifier classifier-name [ operator { and | or } ]
A traffic classifier is created and the traffic classifier view is displayed.
and indicates that the rules are ANDed with each other. If a traffic classifier contains ACL rules, packets match the traffic classifier only when they match one ACL rule and all of the non-ACL rules.
If a traffic classifier does not contain ACL rules, packets match the traffic classifier only when the packets match all the non-ACL rules.
By default, the relationship between rules in a traffic classifier is OR.
Run the following commands as required.
- Outer VLAN ID: if-match vlan-id start-vlan-id [ to end-vlan-id ]
- Inner VLAN IDs in QinQ packets: if-match cvlan-id start-vlan-id [ to end-vlan-id ]
- 802.1p priority in VLAN packets: if-match 8021p 8021p-value &<1-8>
- Inner 802.1p priority in QinQ packets: if-match cvlan-8021p 8021p-value &<1-8>
- EXP priority in MPLS packets (AR1200&AR2200&AR3200&AR3600 series): if-match mpls-exp exp-value &<1-8>
- Destination MAC address: if-match destination-mac mac-address [ mac-address-mask mac-address-mask ]
- Source MAC address: if-match source-mac mac-address [ mac-address-mask mac-address-mask ]
- DLCI value in FR packets: if-match dlci start-dlci-number [ to end-dlci-number ]
- DE value in FR packets: if-match fr-de
- Protocol type field encapsulated in the Ethernet frame header: if-match l2-protocol { arp | ip | mpls | rarp | protocol-value }
- All packets: if-match any
- DSCP priority in IP packets: if-match [ ipv6 ] dscp dscp-value &<1-8>
  NOTE: If DSCP priority matching is configured in a traffic policy, the SAE220 (WSIC) and SAE550 (XSIC) cards do not support redirect ip-nexthop ip-address post-nat.
- IP precedence in IP packets: if-match ip-precedence ip-precedence-value &<1-8>
  NOTE: if-match [ ipv6 ] dscp and if-match ip-precedence cannot be configured simultaneously in a traffic classifier where the relationship between rules is AND.
- Layer 3 protocol type: if-match protocol { ip | ipv6 }
- QoS group index of packets: if-match qos-group qos-group-value
- NHRP group name of packets: if-match nhrp-group nhrp-group-name
  NOTE: This configuration is supported in V300R003C10 and later versions.
- IPv4 packet length: if-match packet-length min-length [ to max-length ]
- PVC information in ATM packets: if-match pvc vpi-number/vci-number
- RTP port number: if-match rtp start-port start-port-number end-port end-port-number
- SYN flag in the TCP packet header: if-match tcp syn-flag { ack | fin | psh | rst | syn | urg } *
- Inbound interface: if-match inbound-interface interface-type interface-number
- Outbound interface: if-match outbound-interface Cellular interface-number:channel
- ACL rule: if-match acl { acl-number | acl-name }
  NOTE: Before defining a matching rule for traffic classification based on an ACL, create the ACL. To use an ACL in a traffic classifier to match the source IP address, run the qos pre-nat command on an interface to configure NAT pre-classification. NAT pre-classification enables the NAT-enabled device to carry the private IP address before translation on the outbound interface, so that the NAT-enabled device can classify IP packets based on private IP addresses and provide differentiated services.
- ACL6 rule: if-match ipv6 acl { acl-number | acl-name }
  NOTE: Before defining a matching rule for traffic classification based on an ACL, create the ACL. To use an ACL in a traffic classifier to match the source IP address, run the qos pre-nat command on an interface to configure NAT pre-classification. NAT pre-classification enables the NAT-enabled device to carry the private IP address before translation on the outbound interface, so that the NAT-enabled device can classify IP packets based on private IP addresses and provide differentiated services.
- Application protocol: if-match application application-name [ user-set user-set-name ] [ time-range time-name ]
  NOTE: Before defining a matching rule based on an application protocol, enable Smart Application Control (SA) and load the signature file.
- SA group: if-match category category-name [ user-set user-set-name ] [ time-range time-name ]
  NOTE: Before defining a matching rule based on an application protocol, enable Smart Application Control (SA) and load the signature file.
- User group: if-match user-set user-set-name [ time-range time-range-name ]
Run quit
Exit from the traffic classifier view.
Configure a traffic behavior.
Run traffic behavior behavior-name
A traffic behavior is created and the traffic behavior view is displayed, or the view of an existing traffic behavior is displayed.
Run the following commands as required.
Run redirect ip-nexthop ip-address [ vpn-instance vpn-instance-name ] [ track { nqa admin-name test-name | ip-route ip-address { mask | mask-length } | vrrp vrid interface interface-type interface-number | interface interface-type interface-number } ] [ post-nat ] [ discard ] [ sfc-nsh spi spi-index si si-index ]
The device is configured to redirect packets matching traffic classification rules to the specified next-hop address, and the association between redirection and an NQA test instance, VRRP state, or IP route is configured.
Network quality analysis (NQA) diagnoses and locates network faults. The route status indicates whether a destination IP address is reachable. Associating NQA or routing with redirection implements rapid link switchover and ensures correct forwarding of data traffic when the destination IP address is unreachable.
- If the NQA test instance or routing module detects that the destination IP address is reachable, packets are forwarded to the specified next-hop IP address and redirection takes effect.
- If the NQA test instance or routing module detects that the destination IP address is unreachable, redirection becomes invalid. The device forwards packets based on the original forwarding path if discard is not specified; if discard is specified, the device discards the packets.
NOTE:
The type of the NQA test instance that is associated with redirection must be ICMP. For details, see Configuring an ICMP Test Instance in the Huawei AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600 Series Enterprise Routers Configuration Guide - NQA Configuration.
Redirection is invalid for IPv6 hop-by-hop packets.
(Optional) After you run the redirect ip-nexthop ip-address [ vpn-instance vpn-instance-name ] [ track { nqa admin-name test-name | ip-route ip-address { mask | mask-length } | vrrp vrid interface interface-type interface-number | interface interface-type interface-number } ] [ post-nat ] [ discard ] [ sfc-nsh spi spi-index si si-index ] command to redirect packets matching traffic classification rules to the specified next-hop address, you can run the redirect backup-nexthop ip-address [ [ vpn-instance vpn-instance-name ] [ track { interface interface-type interface-number | nqa admin-name test-name } ] ] command to add an action in the traffic behavior that redirects packets to a backup next-hop IP address.
Run redirect ipv6-nexthop ipv6-address [ track { nqa nqa-admin nqa-name | ipv6-route ipv6-address masklen } ] [ discard ]
The device is configured to redirect IPv6 packets matching traffic classification rules to the next hop.
Run redirect interface interface-type interface-number [ track { nqa admin-name test-name | ip-route ip-address { mask | mask-length } | ipv6-route ipv6-address mask-length } ] [ discard ]
The device is configured to redirect packets matching traffic classification rules to a specified interface.
NOTE:
The device supports only redirection to 3G Cellular and dialer interfaces. In MPoEoA scenarios, the device does not support redirection to a dialer interface.
(Optional) Run statistic enable
The traffic statistics function is enabled.
Run quit
Exit from the traffic behavior view.
Run quit
Exit from the system view.
Configure a traffic policy.
Run system-view
The system view is displayed.
Run traffic policy policy-name
A traffic policy is created and the traffic policy view is displayed, or the view of an existing traffic policy is displayed.
By default, no traffic policy is created in the system.
Run classifier classifier-name behavior behavior-name [ precedence precedence-value ]
A traffic behavior is bound to a traffic classifier in a traffic policy.
By default, no traffic classifier or traffic behavior is bound to a traffic policy.
Run quit
Exit from the traffic policy view.
Run quit
Exit from the system view.
Apply the traffic policy.
Run system-view
The system view is displayed.
Run interface interface-type interface-number [.subinterface-number ]
The interface or sub-interface view is displayed.
Run traffic-policy policy-name inbound
A traffic policy is applied to the interface or sub-interface in the inbound direction.
Currently, the traffic policy can be applied to only incoming traffic on interfaces.
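The four steps above as one complete command sequence, added here as a worked example rather than taken from the original page. It assumes that advanced ACL 3001 (selecting the guest subnet's web traffic), the ICMP NQA test instances admin/test1 and admin/test2, and the next-hop addresses 10.1.1.2 and 10.1.1.3 (an inspection device and its standby) are placeholders prepared beforehand; the view prompts follow the usual VRP form and the # lines are explanatory comments.

```text
# Constructed example; names, addresses and ACL/NQA instances are assumed
# to exist already (pre-configuration tasks), not taken from the page.
<Huawei> system-view

# 1. Traffic classifier: with operator and, a packet must match one ACL
#    rule AND every non-ACL rule (here: if-match protocol ip).
[Huawei] traffic classifier c-guest-web operator and
[Huawei-classifier-c-guest-web] if-match acl 3001
[Huawei-classifier-c-guest-web] if-match protocol ip
[Huawei-classifier-c-guest-web] quit

# 2. Traffic behavior: redirect to the inspection next hop, tracked by an
#    ICMP NQA instance. discard makes the path fail closed: if the next hop
#    becomes unreachable, packets are dropped instead of being forwarded
#    along the original (uninspected) path.
[Huawei] traffic behavior b-redirect-inspect
[Huawei-behavior-b-redirect-inspect] redirect ip-nexthop 10.1.1.2 track nqa admin test1 discard
[Huawei-behavior-b-redirect-inspect] redirect backup-nexthop 10.1.1.3 track nqa admin test2
[Huawei-behavior-b-redirect-inspect] statistic enable
[Huawei-behavior-b-redirect-inspect] quit

# 3. Traffic policy: bind the classifier to the behavior.
[Huawei] traffic policy p-guest-pbr
[Huawei-trafficpolicy-p-guest-pbr] classifier c-guest-web behavior b-redirect-inspect
[Huawei-trafficpolicy-p-guest-pbr] quit

# 4. Apply the policy inbound on the interface the guest subnet enters on
#    (redirection is only supported in the inbound direction).
[Huawei] interface GigabitEthernet0/0/1
[Huawei-GigabitEthernet0/0/1] traffic-policy p-guest-pbr inbound
[Huawei-GigabitEthernet0/0/1] quit

# Verification of the applied policy and of the bound classifier/behavior.
[Huawei] display traffic-policy applied-record p-guest-pbr
[Huawei] display traffic policy user-defined p-guest-pbr classifier c-guest-web
```

The choice between omitting and specifying discard is the security-relevant decision in step 2: without it, a failed NQA probe silently returns the redirected traffic to the normal forwarding path, bypassing whatever the next hop was meant to enforce. statistic enable is included so that the redirected packet counters can be checked after the policy is applied.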
Verifying the Configuration
- Run the display traffic classifier user-defined [ classifier-name ] command to check the traffic classifier configuration.
- Run the display traffic behavior { system-defined | user-defined } [ behavior-name ] command to check the traffic behavior configuration.
- Run the display traffic policy user-defined [ policy-name [ classifier classifier-name ] ] command to check the traffic policy configuration.
- Run the display traffic-policy applied-record [ policy-name ] command to check the application record of a specified traffic policy.