Configuring ACL-based Simplified PBR

CloudEngine 12800 and 12800E V200R005C10 Configuration Guide - IP Unicast Routing

This document describes the configurations of IP Unicast Routing, including IP Routing, Static Route, RIP, RIPng, OSPF, OSPFv3, IPv4 IS-IS, IPv6 IS-IS, BGP, Routing Policy, and PBR.

Rate and give feedback:

Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).

Configuring ACL-based Simplified PBR

Pre-configuration Tasks

You can configure ACL-based simplified PBR to redirect Layer 3 packets that match ACL rules to a specified next-hop IP address.

Before configuring ACL-based simplified PBR, complete the following tasks:

Configure link layer attributes of interfaces to ensure proper operation of interfaces.
Configure ACL rules.

Context

To control traffic that enters a network, configure an ACL rule to match packets based on packet information including the source IP address, fragment flag, destination IP address, source port number, and source MAC address, and then configure an ACL-based simplified traffic policy to filter the packets that match the ACL rule. Compared with PBR, ACL-based simplified PBR does not require a traffic classifier, traffic behavior, or traffic policy, resulting in easy configuration. However, ACL-based simplified PBR matches packets only based on ACL rules, so it does not support so many types of matching rules as a traffic policy.

If ACL-based simplified traffic policies are configured in the system view, VLAN view, and interface view, the precedence of these policies is: interface view > VLAN view > system view.

Procedure

Configure redirection globally.
1. Run system-view
  The system view is displayed.
2. Run the following commands as required.
  - Run traffic-redirect acl { { { basic-acl | acl-name } | { advanced-acl | acl-name } } | { l2-acl | acl-name } } ^* [ vpn-instance vpn-instance-name ] nexthop ip-address [ track nqa admin-name test-name [ reaction probe-failtimes fail-times ] ] [ fail-action discard ] global [ slotslot-id ] inbound
    Packets are redirected to a specified next-hop IP address.
    
    This action takes effect only in Layer 3 forwarding. By default, if the configured next hop is unreachable, packets are forwarded based on their destination address. If the fail-action discard parameter is configured, packets are discarded if the configured next hop is unreachable.
  - Run traffic-redirect acl { { { basic-acl | acl-name } | { advanced-acl | acl-name } } | { l2-acl | acl-name } } ^* remote [ vpn-instance vpn-instance-name ] ip-address [ track nqa admin-name test-name [ reaction probe-failtimes fail-times ] ] [ exact ] global [ slot slot-id ] inbound
    Packets are redirected to a remote next hop.
    
    This action takes effect only in Layer 3 forwarding.
3. Run commit
  The configuration is committed.
Configure redirection in a VLAN.
1. Run system-view
  The system view is displayed.
2. Run vlan vlan-id
  The VLAN view is displayed.
3. Run the following commands as required.
  - Run traffic-redirect acl { { { basic-acl | acl-name } | { advanced-acl | acl-name } } | { l2-acl | acl-name } } ^* [ vpn-instance vpn-instance-name ] nexthop ip-address [ track nqa admin-name test-name [ reaction probe-failtimes fail-times ] ] [ fail-action discard ] inbound
    Packets are redirected to a specified next-hop IP address.
    
    This action takes effect only in Layer 3 forwarding. By default, if the configured next hop is unreachable, packets are forwarded based on their destination address. If the fail-action discard parameter is configured, packets are discarded if the configured next hop is unreachable.
  - Run traffic-redirect acl { { { basic-acl | acl-name } | { advanced-acl | acl-name } } | { l2-acl | acl-name } } ^* remote [ vpn-instance vpn-instance-name ] ip-address [ track nqa admin-name test-name [ reaction probe-failtimes fail-times ] ] [ exact ] inbound
    Packets are redirected to a specified remote next hop.
    
    This action takes effect only in Layer 3 forwarding.
4. Run commit
  The configuration is committed.
Configure redirection on an interface.
1. Run system-view
  The system view is displayed.
2. Run interface interface-type interface-number
  The interface view is displayed.
3. Run the following commands as required.
  - Run traffic-redirect acl { { { basic-acl | acl-name } | { advanced-acl | acl-name } } | { l2-acl | acl-name } } ^* [ vpn-instance vpn-instance-name ] nexthop ip-address [ track nqa admin-name test-name [ reaction probe-failtimes fail-times ] ] [ fail-action discard ] inbound
    Packets are redirected to a specified next-hop IP address.
    
    This action takes effect only in Layer 3 forwarding. By default, if the configured next hop is unreachable, packets are forwarded based on their destination address. If the fail-action discard parameter is configured, packets are discarded if the configured next hop is unreachable.
  - Run traffic-redirect acl { { { basic-acl | acl-name } | { advanced-acl | acl-name } } | { l2-acl | acl-name } } ^* remote [ vpn-instance vpn-instance-name ] ip-address [ track nqa admin-name test-name [ reaction probe-failtimes fail-times ] ] [ exact ] inbound
    Packets are redirected to a remote next hop.
    
    This action takes effect only in Layer 3 forwarding.
4. Run commit
  The configuration is committed.
Configure packet filtering in a QoS group.
1. Run system-view
  The system view is displayed.
2. Run qos group group-name
  The QoS group view is displayed.
3. Run the following commands as required.
  - Run the group-member interface { interface-type interface-number1 [ to interface-type interface-number2 ] } &<1-8> command to add interfaces to the QoS group.
4. Run the following commands as required.
  - Run traffic-redirect acl { { { basic-acl | acl-name } | { advanced-acl | acl-name } } | { l2-acl | acl-name } } ^* [ vpn-instance vpn-instance-name ] nexthop ip-address [ track nqa admin-name test-name [ reaction probe-failtimes fail-times ] ] [ fail-action discard ] inbound
    Packets are redirected to a specified next-hop IP address.
    
    This action takes effect only in Layer 3 forwarding. By default, if the configured next hop is unreachable, packets are forwarded based on their destination address. If the fail-action discard parameter is configured, packets are discarded if the configured next hop is unreachable.
  - Run traffic-redirect acl { { { basic-acl | acl-name } | { advanced-acl | acl-name } } | { l2-acl | acl-name } } ^* remote [ vpn-instance vpn-instance-name ] ip-address [ track nqa admin-name test-name [ reaction probe-failtimes fail-times ] ] [ exact ] inbound
    Packets are redirected to a remote next hop.
    
    This action takes effect only in Layer 3 forwarding.
5. Run commit
  The configuration is committed.

Verifying the Configuration

Run the display traffic-policy applied-record traffic-redirect [ [ global [ slot slot-id ] | interface interface-type interface-number | vlan vlan-id | qos group group-id ] [ inbound ] ] command to check the application records of a specified traffic policy.

Follow-up Procedure

For the CE12800, if a low-priority traffic policy takes effect before you apply a high-priority traffic policy, ACL rules may be slow to take effect. Consequently, service processing will be delayed. You can run the traffic-policy fast-mode command in the system view to enable fast delivery of ACLs. This ensures that ACL rules take effect rapidly and services can be processed in real time.

Translation

简体中文

Download

Updated: 2021-09-17

Document ID: EDOC1100075354

Downloads: 114

Average rating:

This Document Applies to these Products

Related Version

Digital Signature File

Digital Signature Authentication Mode

Enterprise

Huawei Cloud

Carrier

Consumer

Corporate