The User Cannot Access the Public Network Due To Policy-based Routing
Publication Date: 2012-07-17
The customer configured three egresses on a USG5360 V100R003C01SPC007 device: two egresses with fixed public IP addresses and one ADSL dialer egress, together with a routing policy (policy-based routing) that steers intranet traffic to them. In a test, all intranet network segments matched by ACL 3002 were unable to access the public network, while users steered to the other two egresses could access it normally.
route-policy 1 permit node 2
 if-match acl 3002
 apply output-interface GigabitEthernet0/0
 apply ip-address next-hop 220.127.116.11
route-policy 1 permit node 10
 if-match acl 3003
 apply output-interface Dialer1
route-policy 2 permit node 20
Checking the routing policy shows that node 2 applies both an outbound interface and a next-hop IP address. After the customer deleted apply output-interface GigabitEthernet0/0 and kept only the next-hop IP address, users matched by ACL 3002 could access the public network normally.
Checking ACL 3002 shows that the ACL has several hits, so the affected traffic does reach the firewall and does match the policy. After route-policy 1 is deleted and only one dialer egress and one fixed public IP address egress are used, users matched by ACL 3002 can access the public network normally. This shows that the basic route configuration on the Layer 3 switch and the firewall is correct and that the problem lies in the routing policy.
In a routing policy, when both an outbound interface and a next-hop IP address are applied on the same node, the interface takes precedence over the next-hop IP address. For an interface to serve as the egress, however, it must be configured not only in the routing policy but also as the outbound interface of the corresponding static route on the firewall. If the routing policy applies an interface as the egress while the static route specifies an IP address as its next hop, the two do not match and this problem occurs. The egress configured in the routing policy and the egress configured in the static route must be the same.
Suggestion: Configure a next-hop IP address rather than an outbound interface for an egress. When only an outbound interface is specified on an Ethernet egress, the device treats every destination as directly connected and sends an ARP request for each one; the resulting volume of ARP requests degrades device performance.
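The following side-by-side configuration is an added illustration, not part of the original case record. It uses VRP CLI syntax with the route-policy, ACL number, interface and next-hop address from the case; the static route destination (a default route 0.0.0.0/0) is assumed, since the case does not state it. Lines beginning with # are explanatory comments, not CLI input.

```text
# --- Faulty configuration (mismatch described in the case) ---
# Static route on the firewall: next hop is an IP address, no outbound interface.
# (Default route assumed for illustration.)
ip route-static 0.0.0.0 0.0.0.0 220.127.116.11
# Route-policy node 2 applies both an interface and a next hop. The interface
# takes precedence, but no static route names GigabitEthernet0/0 as its egress,
# so traffic matched by ACL 3002 is not forwarded to the public network.
route-policy 1 permit node 2
 if-match acl 3002
 apply output-interface GigabitEthernet0/0
 apply ip-address next-hop 220.127.116.11

# --- Corrected configuration, option A (what the case recommends) ---
# Static route keeps an IP next hop; the policy applies only a next-hop IP.
ip route-static 0.0.0.0 0.0.0.0 220.127.116.11
route-policy 1 permit node 2
 if-match acl 3002
 apply ip-address next-hop 220.127.116.11

# --- Corrected configuration, option B (consistent, but not recommended) ---
# If the policy must name an interface, the static route must name the same
# interface. On an Ethernet egress the device then ARPs for every destination,
# which is the performance caveat given in the suggestion.
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet0/0
route-policy 1 permit node 2
 if-match acl 3002
 apply output-interface GigabitEthernet0/0

# --- Checks after the change (standard VRP display commands) ---
# display route-policy 1            -> node 2 should carry a single apply clause
# display ip routing-table          -> static route egress must match the policy
```

The point of the comparison is the consistency rule from the case: whichever form of egress the routing policy applies, the static route on the firewall must use the same form (next-hop IP address or outbound interface), and of the two consistent forms, the next-hop IP address is the one to use.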