Configuration Guide - IP Unicast Routing

CloudEngine 8800, 7800, 6800, and 5800 V200R005C10

This document describes the configurations of IP Unicast Routing, including IP Routing, Static Route, RIP, RIPng, OSPF, OSPFv3, IPv4 IS-IS, IPv6 IS-IS, BGP, Routing Policy, and PBR.
Configuring ACL-based Simplified PBR

Pre-configuration Tasks

You can configure ACL-based simplified PBR to redirect Layer 3 packets that match ACL rules to a specified next-hop IP address.

Before configuring ACL-based simplified PBR, complete the following tasks:
  • Configure link layer attributes of interfaces to ensure proper operation of interfaces.

  • Configure ACL rules.

Context

To control traffic that enters a network, configure an ACL rule to match packets based on packet information including the source IP address, fragment flag, destination IP address, source port number, and source MAC address, and then configure an ACL-based simplified traffic policy to filter the packets that match the ACL rule. Compared with PBR, ACL-based simplified PBR does not require a traffic classifier, traffic behavior, or traffic policy, which makes it easier to configure. However, ACL-based simplified PBR matches packets only based on ACL rules, so it does not support as many types of matching rules as a traffic policy.

If ACL-based simplified traffic policies are configured in the system view, VLAN view, and interface view, the precedence of these policies is: interface view > VLAN view > system view.

Procedure

  • Configure redirection globally.
    1. Run system-view

      The system view is displayed.

    2. Run the following commands as required.

      • Run traffic-redirect acl { { { basic-acl | acl-name } | { advanced-acl | acl-name } } | { l2-acl | acl-name } } * [ vpn-instance vpn-instance-name ] nexthop ip-address [ track nqa admin-name test-name [ reaction probe-failtimes fail-times ] ] [ fail-action discard ] global [ slot slot-id ] inbound

        Packets are redirected to a specified next-hop IP address.

        This action takes effect only in Layer 3 forwarding. By default, if the configured next hop is unreachable, packets are forwarded based on their destination address. If the fail-action discard parameter is configured, packets are discarded if the configured next hop is unreachable.

      • Run traffic-redirect acl { { { basic-acl | acl-name } | { advanced-acl | acl-name } } | { l2-acl | acl-name } } * remote [ vpn-instance vpn-instance-name ] ip-address [ track nqa admin-name test-name [ reaction probe-failtimes fail-times ] ] [ exact ] global [ slot slot-id ] inbound

        Packets are redirected to a remote next hop.

        This action takes effect only in Layer 3 forwarding.

    3. Run commit

      The configuration is committed.

  • Configure redirection in a VLAN.
    1. Run system-view

      The system view is displayed.

    2. Run vlan vlan-id

      The VLAN view is displayed.

    3. Run the following commands as required.

      • Run traffic-redirect acl { { { basic-acl | acl-name } | { advanced-acl | acl-name } } | { l2-acl | acl-name } } * [ vpn-instance vpn-instance-name ] nexthop ip-address [ track nqa admin-name test-name [ reaction probe-failtimes fail-times ] ] [ fail-action discard ] inbound

        Packets are redirected to a specified next-hop IP address.

        This action takes effect only in Layer 3 forwarding. By default, if the configured next hop is unreachable, packets are forwarded based on their destination address. If the fail-action discard parameter is configured, packets are discarded if the configured next hop is unreachable.

      • Run traffic-redirect acl { { { basic-acl | acl-name } | { advanced-acl | acl-name } } | { l2-acl | acl-name } } * remote [ vpn-instance vpn-instance-name ] ip-address [ track nqa admin-name test-name [ reaction probe-failtimes fail-times ] ] [ exact ] inbound

        Packets are redirected to a specified remote next hop.

        This action takes effect only in Layer 3 forwarding.

    4. Run commit

      The configuration is committed.

  • Configure redirection on an interface.
    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Run the following commands as required.

      • Run traffic-redirect acl { { { basic-acl | acl-name } | { advanced-acl | acl-name } } | { l2-acl | acl-name } } * [ vpn-instance vpn-instance-name ] nexthop ip-address [ track nqa admin-name test-name [ reaction probe-failtimes fail-times ] ] [ fail-action discard ] inbound

        Packets are redirected to a specified next-hop IP address.

        This action takes effect only in Layer 3 forwarding. By default, if the configured next hop is unreachable, packets are forwarded based on their destination address. If the fail-action discard parameter is configured, packets are discarded if the configured next hop is unreachable.

      • Run traffic-redirect acl { { { basic-acl | acl-name } | { advanced-acl | acl-name } } | { l2-acl | acl-name } } * remote [ vpn-instance vpn-instance-name ] ip-address [ track nqa admin-name test-name [ reaction probe-failtimes fail-times ] ] [ exact ] inbound

        Packets are redirected to a remote next hop.

        This action takes effect only in Layer 3 forwarding.

    4. Run commit

      The configuration is committed.

  • Configure packet filtering in a QoS group.
    1. Run system-view

      The system view is displayed.

    2. Run qos group group-name

      The QoS group view is displayed.

    3. Run the following commands as required.

      • Run the group-member interface { interface-type interface-number1 [ to interface-type interface-number2 ] } &<1-8> command to add interfaces to the QoS group.

      • (For the CE6870EI and CE6875EI) Run the group-member vlan { vlan-id1 [ to vlan-id2 ] } &<1-8> command to add VLANs to the QoS group.

      • (Models excluding the CE6870EI and CE6875EI) Run the group-member ip source ip-address { mask | mask-length } command to add source IP addresses to the QoS group.

    4. Run the following commands as required.

      • Run traffic-redirect acl { { { basic-acl | acl-name } | { advanced-acl | acl-name } } | { l2-acl | acl-name } } * [ vpn-instance vpn-instance-name ] nexthop ip-address [ track nqa admin-name test-name [ reaction probe-failtimes fail-times ] ] [ fail-action discard ] inbound

        Packets are redirected to a specified next-hop IP address.

        This action takes effect only in Layer 3 forwarding. By default, if the configured next hop is unreachable, packets are forwarded based on their destination address. If the fail-action discard parameter is configured, packets are discarded if the configured next hop is unreachable.

      • Run traffic-redirect acl { { { basic-acl | acl-name } | { advanced-acl | acl-name } } | { l2-acl | acl-name } } * remote [ vpn-instance vpn-instance-name ] ip-address [ track nqa admin-name test-name [ reaction probe-failtimes fail-times ] ] [ exact ] inbound

        Packets are redirected to a remote next hop.

        This action takes effect only in Layer 3 forwarding.

    5. Run commit

      The configuration is committed.
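
The following is an added example, not part of the Huawei guide: a Python check over saved configuration text that lists nexthop redirects configured without fail-action discard (which, by the default described above, are forwarded by destination address when the next hop is unreachable), ordered by the stated view precedence. The sample configuration, its ACL numbers, addresses and names, and the function names are assumptions constructed for illustration.

```python
import re

# Constructed sample in the style of saved configuration text. ACL numbers,
# addresses, the VLAN ID and interface name are assumptions for illustration.
SAMPLE_CONFIG = """\
traffic-redirect acl 3001 nexthop 10.1.1.2 global inbound
#
vlan 10
 traffic-redirect acl 3002 nexthop 10.1.2.2 fail-action discard inbound
#
interface 10GE1/0/1
 traffic-redirect acl 3003 nexthop 10.1.3.2 inbound
 traffic-redirect acl 3004 remote 10.9.9.9 inbound
#
"""

# Precedence stated in the guide: interface view > VLAN view > system view.
# The guide gives no rank for QoS groups, so they sort last (display only).
PRECEDENCE = {"interface": 0, "vlan": 1, "system": 2}
VIEW_RE = re.compile(r"^(vlan|interface|qos group) (\S+)$")

def parse_redirects(config):
    """Return one dict per traffic-redirect line, tagged with its view."""
    view, name, found = "system", "", []
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):          # unindented line: view boundary
            m = VIEW_RE.match(line)
            view, name = (m.group(1), m.group(2)) if m else ("system", "")
        if line.startswith("traffic-redirect acl "):
            tokens = line.split()
            found.append({
                "view": view, "name": name, "acl": tokens[2],
                "mode": "remote" if "remote" in tokens else "nexthop",
                "fail_discard": "fail-action discard" in line,
            })
    return found

def fail_open(redirects):
    """nexthop redirects lacking fail-action discard, highest precedence first."""
    risky = [r for r in redirects
             if r["mode"] == "nexthop" and not r["fail_discard"]]
    return sorted(risky, key=lambda r: PRECEDENCE.get(r["view"], len(PRECEDENCE)))

if __name__ == "__main__":
    for r in fail_open(parse_redirects(SAMPLE_CONFIG)):
        where = f'{r["view"]} {r["name"]}'.strip()
        print(f"{where}: acl {r['acl']} is forwarded by destination address "
              "if the next hop is unreachable")
```

The remote form is not flagged because the command syntax above offers fail-action discard only for the nexthop form.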

Verifying the Configuration

Run the display traffic-policy applied-record traffic-redirect [ [ global [ slot slot-id ] | interface interface-type interface-number | vlan vlan-id | qos group group-id ] [ inbound ] ] command to check the application records of a specified traffic policy.

Follow-up Procedure

For the CE6870EI and CE6875EI, if a low-priority traffic policy takes effect before you apply a high-priority traffic policy, ACL rules may be slow to take effect. Consequently, service processing will be delayed. You can run the traffic-policy fast-mode command in the system view to enable fast delivery of ACLs. This ensures that ACL rules take effect rapidly and services can be processed in real time.

Updated: 2019-04-20

Document ID: EDOC1100074760
