Example for Configuring ACL-based Simplified PBR
Networking Requirements
As shown in Figure 11-4, each access switch connects to N users. SwitchA functions as the forwarding device and connects to RouterA through two links: a low-speed link with the gateway address 10.1.20.1/24 and a high-speed link with the gateway address 10.1.30.1/24. Network administrators want to move some of the packets destined for RouterA from the low-speed link to the high-speed link without compromising link reliability. To meet this requirement, configure PBR on SwitchA to redirect the selected packets from the path SwitchA→SwitchB→RouterA (low-speed link) to the path SwitchA→SwitchC→RouterA (high-speed link).
Network administrators want the packets that carry the source IP address 192.168.100.0/24 and are forwarded by SwitchA to be transmitted over the high-speed link and the other packets forwarded by SwitchA to be transmitted over the low-speed link.
Configuration Roadmap
- Create VLANs, configure interfaces, and enable OSPF on each switch to connect the users to the external network device (RouterA).
- Configure an ACL to match the packets with the source IP address 192.168.100.0/24.
- Configure an ACL-based simplified traffic policy to redirect the packets that match the ACL to the remote next hop 10.1.30.1.
Procedure
- Create VLANs, add interfaces to VLANs, and configure basic OSPF functions.
# Configure SwitchA.
# Create VLANs and add interfaces to respective VLANs on SwitchA.
<HUAWEI> system-view
[~HUAWEI] sysname SwitchA
[*HUAWEI] commit
[~SwitchA] vlan batch 100 200 300
[*SwitchA] commit
[~SwitchA] interface 10ge 1/0/1
[~SwitchA-10GE1/0/1] port link-type trunk
[*SwitchA-10GE1/0/1] port trunk allow-pass vlan 100
[*SwitchA-10GE1/0/1] quit
[*SwitchA] interface 10ge 1/0/2
[*SwitchA-10GE1/0/2] port link-type trunk
[*SwitchA-10GE1/0/2] port trunk allow-pass vlan 200
[*SwitchA-10GE1/0/2] quit
[*SwitchA] interface 10ge 1/0/3
[*SwitchA-10GE1/0/3] port link-type trunk
[*SwitchA-10GE1/0/3] port trunk allow-pass vlan 300
[*SwitchA-10GE1/0/3] quit
[*SwitchA] commit
# Configure an IP address for each VLANIF interface on SwitchA.
[~SwitchA] interface vlanif 100
[*SwitchA-Vlanif100] ip address 172.16.1.2 24
[*SwitchA-Vlanif100] quit
[*SwitchA] interface vlanif 200
[*SwitchA-Vlanif200] ip address 172.16.2.2 24
[*SwitchA-Vlanif200] quit
[*SwitchA] interface vlanif 300
[*SwitchA-Vlanif300] ip address 172.16.3.2 24
[*SwitchA-Vlanif300] quit
[*SwitchA] commit
# Enable OSPF on SwitchA.
[~SwitchA] router id 10.1.1.1
[*SwitchA] ospf 1
[*SwitchA-ospf-1] area 0
[*SwitchA-ospf-1-area-0.0.0.0] network 172.16.1.0 0.0.0.255
[*SwitchA-ospf-1-area-0.0.0.0] network 172.16.2.0 0.0.0.255
[*SwitchA-ospf-1-area-0.0.0.0] network 172.16.3.0 0.0.0.255
[*SwitchA-ospf-1-area-0.0.0.0] quit
[*SwitchA-ospf-1] quit
[*SwitchA] commit
# Configure a default route on SwitchA so that, unless a traffic policy says otherwise, all packets are forwarded through SwitchB and reach RouterA over the low-speed link through the gateway 10.1.20.1/24.
[~SwitchA] ip route-static 0.0.0.0 0.0.0.0 172.16.1.1
[*SwitchA] commit
# Configure SwitchB.
# Create VLANs and add interfaces to respective VLANs on SwitchB.
<HUAWEI> system-view
[~HUAWEI] sysname SwitchB
[*HUAWEI] commit
[~SwitchB] vlan batch 100
[*SwitchB] interface 10ge 1/0/1
[*SwitchB-10GE1/0/1] port link-type trunk
[*SwitchB-10GE1/0/1] port trunk allow-pass vlan 100
[*SwitchB-10GE1/0/1] quit
[*SwitchB] interface vlanif 100
[*SwitchB-Vlanif100] ip address 172.16.1.1 24
[*SwitchB-Vlanif100] quit
[*SwitchB] router id 10.2.2.2
[*SwitchB] ospf 1
[*SwitchB-ospf-1] area 0
[*SwitchB-ospf-1-area-0.0.0.0] network 172.16.1.0 0.0.0.255
[*SwitchB-ospf-1-area-0.0.0.0] quit
[*SwitchB-ospf-1] quit
[*SwitchB] interface 10ge 1/0/2
[*SwitchB-10GE1/0/2] undo portswitch
[*SwitchB-10GE1/0/2] ip address 10.1.20.2 24
[*SwitchB-10GE1/0/2] ospf enable 1 area 0
[*SwitchB-10GE1/0/2] quit
[*SwitchB] commit
# The configurations of SwitchC and SwitchD are similar to that of SwitchB and are not provided here; see the configuration files at the end of this example for the addresses and VLANs they use.
- Configure an ACL.
# Create advanced ACL 3001 on SwitchA to match packets whose source IP address is in 192.168.100.0/24. Note that 0.0.0.255 is a wildcard mask (1 bits are ignored), not a subnet mask.
[~SwitchA] acl 3001
[*SwitchA-acl4-advance-3001] rule permit ip source 192.168.100.0 0.0.0.255
[*SwitchA-acl4-advance-3001] quit
[*SwitchA] commit
- Configure ACL-based simplified PBR to redirect packets to a specified remote next hop.
# Create an ACL-based simplified traffic policy on SwitchA. The policy uses ACL 3001 to match packets and redirects the matching packets to the remote next hop 10.1.30.1; it applies to all inbound traffic on the switch because it is configured globally. The next hop must be reachable through the routing table (here via the 10.1.30.0/24 route that SwitchC advertises in OSPF).
[~SwitchA] traffic-redirect acl 3001 remote 10.1.30.1 global inbound
[*SwitchA] commit
- Verify the configuration.
# Verify the ACL configuration. The match counter reads 0 until traffic from 192.168.100.0/24 actually passes through SwitchA; run the command again after generating test traffic to confirm that the rule is being hit.
[~SwitchA] display acl 3001
Advanced ACL 3001, 1 rule
ACL's step is 5
 rule 5 permit ip source 192.168.100.0 0.0.0.255 (0 times matched)
# Check the application records of the traffic policy. A State of success means the redirect policy has been delivered to the forwarding hardware on the listed slot; any other state means packets are still following the default route.
[~SwitchA] display traffic-policy applied-record
Total records : 1
-------------------------------------------------------------------------------
Policy Type/Name      Apply Parameter      Slot      State
-------------------------------------------------------------------------------
traffic-redirect      Global inbound       4         success
-------------------------------------------------------------------------------
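The forwarding decision that the procedure above configures, as an added example that is not part of the original page and not Huawei's own code: a Python model of SwitchA's inbound path selection that evaluates the advanced ACL with wildcard-mask semantics, redirects permitted packets to the remote next hop, and otherwise uses longest-prefix routing. It goes slightly beyond the page in two ways that are labelled as assumptions: the routing entries for 10.1.20.0/24 and 10.1.30.0/24 are assumed to be learned through OSPF from SwitchB and SwitchC (the page does not show `display ip routing-table`); the redirect next hop is assumed to be resolved through the routing table like any other destination, so that it falls back to the default route when the SwitchC link is down; and the `ACL_3001_SCOPED` variant, including the assumption that a matching deny rule means "do not redirect", is not from the page. All packet addresses are constructed.

```python
"""Model of the ACL-based simplified PBR decision on SwitchA.

Added example; not code from the original page or from Huawei.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # wildcard 255.255.255.255 matches every address


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Huawei wildcard semantics: a 1 bit in the wildcard means 'don't care'.
    0.0.0.255 therefore matches a /24, but non-contiguous masks such as
    0.0.1.255 are also legal, which is a classic source of over-broad rules."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass(frozen=True)
class AclRule:
    step: int
    action: str            # "permit" or "deny"
    src: str
    src_wildcard: str
    dst: str = ANY[0]      # the page's rule has no destination clause
    dst_wildcard: str = ANY[1]

    def matches(self, src: str, dst: str) -> bool:
        return (wildcard_match(src, self.src, self.src_wildcard)
                and wildcard_match(dst, self.dst, self.dst_wildcard))


def acl_permits(rules: List[AclRule], src: str, dst: str) -> bool:
    """First matching rule (by step) wins.  Only a permit hit triggers the
    redirect; no match leaves the packet to the routing table.  Treating a
    deny hit the same way is an assumption; check your platform's behaviour."""
    for rule in sorted(rules, key=lambda r: r.step):
        if rule.matches(src, dst):
            return rule.action == "permit"
    return False


# acl 3001 exactly as configured on the page.
ACL_3001 = [AclRule(5, "permit", "192.168.100.0", "0.0.0.255")]

# Scoped variant (assumption, not from the page): keep traffic from the
# user subnet to the 172.16.0.0/16 infrastructure links on the normal
# routing table instead of sending it towards RouterA.
ACL_3001_SCOPED = [
    AclRule(5, "deny", "192.168.100.0", "0.0.0.255", "172.16.0.0", "0.0.255.255"),
    AclRule(10, "permit", "192.168.100.0", "0.0.0.255"),
]

Route = Tuple[str, str]   # (prefix, egress description)

# SwitchA's routing table as implied by the page.  The 10.1.20.0/24 and
# 10.1.30.0/24 entries are assumed to be learned via OSPF from SwitchB/SwitchC.
ROUTES: List[Route] = [
    ("0.0.0.0/0",     "SwitchB (default route, low-speed link)"),   # ip route-static
    ("172.16.1.0/24", "Vlanif100 -> SwitchB"),                      # connected
    ("172.16.2.0/24", "Vlanif200 -> SwitchC"),                      # connected
    ("172.16.3.0/24", "Vlanif300 -> SwitchD"),                      # connected
    ("10.1.20.0/24",  "SwitchB (OSPF, low-speed link)"),            # assumed OSPF
    ("10.1.30.0/24",  "SwitchC (OSPF, high-speed link)"),           # assumed OSPF
]

REDIRECT_NEXT_HOP = "10.1.30.1"   # traffic-redirect acl 3001 remote 10.1.30.1 global inbound


def lookup(dst: str, routes: List[Route] = ROUTES) -> str:
    """Longest-prefix match; the default route guarantees a result."""
    best = max(
        ((ipaddress.ip_network(p), egress) for p, egress in routes
         if ipaddress.ip_address(dst) in ipaddress.ip_network(p)),
        key=lambda item: item[0].prefixlen,
    )
    return best[1]


def forward(src: str, dst: str, acl: List[AclRule] = ACL_3001,
            routes: List[Route] = ROUTES) -> str:
    """Egress chosen by SwitchA for an inbound packet.

    Assumption: the remote next hop is resolved through the routing table,
    so if the OSPF route to 10.1.30.0/24 disappears (SwitchC link down) the
    redirected packet follows the default route to SwitchB rather than
    being dropped.  Confirm this on the real device before relying on it."""
    if acl_permits(acl, src, dst):
        return lookup(REDIRECT_NEXT_HOP, routes)
    return lookup(dst, routes)


if __name__ == "__main__":
    # Constructed sample packets; 203.0.113.10 stands in for a host beyond RouterA.
    for src, dst in [("192.168.100.10", "203.0.113.10"),
                     ("192.168.200.10", "203.0.113.10"),
                     ("192.168.100.10", "172.16.3.1")]:
        print(f"{src} -> {dst}: {forward(src, dst)}  (scoped: {forward(src, dst, ACL_3001_SCOPED)})")
```

Two things the model makes visible that the page does not state. First, the page's ACL matches on source address only, so under this model a packet from 192.168.100.0/24 addressed to an internal destination such as SwitchD's Vlanif300 is redirected towards 10.1.30.1 as well; if that is not intended, scope the ACL by destination, as `ACL_3001_SCOPED` does. Second, the policy trusts the source address it sees: any host that can spoof a 192.168.100.0/24 source selects the high-speed path for itself, so pair this kind of PBR with source-address validation on the access ports when path selection carries a cost or security consequence.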
Configuration files
SwitchA configuration file
#
sysname SwitchA
#
router id 10.1.1.1
#
vlan batch 100 200 300
#
acl number 3001
 rule 5 permit ip source 192.168.100.0 0.0.0.255
#
traffic-redirect acl 3001 remote 10.1.30.1 global inbound
#
interface Vlanif100
 ip address 172.16.1.2 255.255.255.0
#
interface Vlanif200
 ip address 172.16.2.2 255.255.255.0
#
interface Vlanif300
 ip address 172.16.3.2 255.255.255.0
#
interface 10GE1/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface 10GE1/0/2
 port link-type trunk
 port trunk allow-pass vlan 200
#
interface 10GE1/0/3
 port link-type trunk
 port trunk allow-pass vlan 300
#
ospf 1
 area 0.0.0.0
  network 172.16.1.0 0.0.0.255
  network 172.16.2.0 0.0.0.255
  network 172.16.3.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 172.16.1.1
#
return
SwitchB configuration file
#
sysname SwitchB
#
router id 10.2.2.2
#
vlan batch 100
#
interface Vlanif100
 ip address 172.16.1.1 255.255.255.0
#
interface 10GE1/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface 10GE1/0/2
 undo portswitch
 ip address 10.1.20.2 255.255.255.0
 ospf enable 1 area 0.0.0.0
#
ospf 1
 area 0.0.0.0
  network 172.16.1.0 0.0.0.255
#
return
SwitchC configuration file
#
sysname SwitchC
#
router id 10.3.3.3
#
vlan batch 200
#
interface Vlanif200
 ip address 172.16.2.1 255.255.255.0
#
interface 10GE1/0/1
 port link-type trunk
 port trunk allow-pass vlan 200
#
interface 10GE1/0/2
 undo portswitch
 ip address 10.1.30.2 255.255.255.0
 ospf enable 1 area 0.0.0.0
#
ospf 1
 area 0.0.0.0
  network 172.16.2.0 0.0.0.255
#
return
SwitchD configuration file
#
sysname SwitchD
#
router id 10.4.4.4
#
vlan batch 300
#
interface Vlanif300
 ip address 172.16.3.1 255.255.255.0
#
interface 10GE1/0/1
 port link-type trunk
 port trunk allow-pass vlan 300
#
ospf 1
 area 0.0.0.0
  network 172.16.3.0 0.0.0.255
#
return