Policy-based routing does not work on the S5300 because the product does not support this feature in a VPN instance

Publication Date:  2013-12-30  |   Views:  512  |   Downloads:  0  |   Author:  SU1001784671  |   Document ID:  EKB1000038444

Issue Description

The topology is as below:

The customer's network carries several different services, so the customer configured separate VPN instances to isolate them. According to the customer's design, all traffic destined for the mail server (10.148.104.20) should first be redirected to the anti-spam gateway (10.148.151.11).
On the S5300, the subnets 10.148.151.0/24 and 10.148.104.0/24 are both bound to a VPN instance. Policy-based routing is applied on interface G0/0/0, which connects to the firewall.
In testing, however, the policy-based routing did not take effect: all traffic went directly to the mail server and the anti-spam gateway received no traffic.
The relevant configuration is as follows:
#
acl number 3001
description For Web_Mail Redirection
rule 5 permit ip destination 10.148.104.20 0
#
traffic classifier email operator and
if-match acl 3001
#
traffic behavior email
redirect ip-nexthop 10.148.151.11
#
traffic policy email
classifier email behavior email
#
interface Vlanif151
ip binding vpn-instance piis
ip address 10.148.151.2 255.255.255.0
#
interface Vlanif194
ip binding vpn-instance piis
ip address 10.148.104.2 255.255.255.0
#
interface GigabitEthernet0/0/0
description Connect To Firewall
port link-type trunk
port trunk allow-pass vlan 124 195
traffic-policy email inbound
#

Alarm Information

none

Handling Process

1. On the S5300, ping 10.148.151.11 from the public routing table with the command "ping 10.148.151.11". The destination is unreachable.
The public IP routing table contains no route to the anti-spam gateway (10.148.151.11) or to the mail server (10.148.104.20); only the default route is present:
<huawei> display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 6     Routes : 6

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        0.0.0.0/0   O_ASE   150  1           D   10.148.3.2      Vlanif1   
     10.148.3.0/29  Direct  0    0           D   10.148.3.4      Vlanif1
     10.148.3.1/32  OSPF    10   2           D   10.148.3.2      Vlanif1
     10.148.3.4/32  Direct  0    0           D   127.0.0.1       Vlanif1  
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0

2. On the S5300, ping 10.148.151.11 within the VPN instance with the command "ping -vpn-instance piis 10.148.151.11". The destination is reachable. The routing table of the piis VPN instance contains routes to both the anti-spam gateway (10.148.151.11) and the mail server (10.148.104.20):
[huawei]display ip routing-table vpn-instance piis
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: piis
         Destinations : 7       Routes : 7

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        0.0.0.0/0   O_ASE   150  1           D   10.148.253.2    Vlanif191 
   10.148.104.0/24  Direct  0    0           D   10.148.104.2    Vlanif194
   10.148.104.1/32  Direct  0    0           D   10.148.104.2    Vlanif194
   10.148.104.2/32  Direct  0    0           D   127.0.0.1       Vlanif194  
   10.148.151.0/24  Direct  0    0           D   10.148.151.2    Vlanif151
   10.148.151.1/32  Direct  0    0           D   10.148.151.2    Vlanif151
   10.148.151.2/32  Direct  0    0           D   127.0.0.1       Vlanif151
In the S5300 product documentation, the format of the "redirect ip-nexthop" command is as follows. It has no vpn-instance parameter, so the redirect next hop can only be resolved in the public routing table; that is why policy-based routing did not work in this case.
Format
redirect ip-nexthop ip-address

In the S9300 product documentation, by contrast, the "redirect ip-nexthop" command accepts a vpn-instance parameter, which indicates that the S9300 supports policy-based routing within a VPN instance:
Format
redirect [ vpn-instance vpn-instance-name ] ip-nexthop { ip-address } &<1-4> [ forced ]
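The following check is an added example and is not part of the original article or Huawei's software. It parses the two "display ip routing-table" outputs shown above (embedded here as constructed sample text) and performs a longest-prefix match for the redirect next hop against the public table and the piis table, reproducing the diagnosis in steps 1 and 2. Treating the next hop as usable only when it lands on a "Direct" (connected) route is my assumption as a practical check, not a statement from the article.

```python
import ipaddress
from typing import NamedTuple, Optional

# Constructed from the two routing-table outputs in this article; only the
# columns the check needs (prefix, protocol, next hop, interface) are used.
PUBLIC_TABLE = """\
        0.0.0.0/0   O_ASE   150  1           D   10.148.3.2      Vlanif1
     10.148.3.0/29  Direct  0    0           D   10.148.3.4      Vlanif1
     10.148.3.1/32  OSPF    10   2           D   10.148.3.2      Vlanif1
     10.148.3.4/32  Direct  0    0           D   127.0.0.1       Vlanif1
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
"""
PIIS_TABLE = """\
        0.0.0.0/0   O_ASE   150  1           D   10.148.253.2    Vlanif191
   10.148.104.0/24  Direct  0    0           D   10.148.104.2    Vlanif194
   10.148.104.1/32  Direct  0    0           D   10.148.104.2    Vlanif194
   10.148.104.2/32  Direct  0    0           D   127.0.0.1       Vlanif194
   10.148.151.0/24  Direct  0    0           D   10.148.151.2    Vlanif151
   10.148.151.1/32  Direct  0    0           D   10.148.151.2    Vlanif151
   10.148.151.2/32  Direct  0    0           D   127.0.0.1       Vlanif151
"""

class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    proto: str
    nexthop: str
    interface: str

def parse_table(text: str) -> list[Route]:
    """Parse the route rows of a 'display ip routing-table' dump, skipping headers."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 7 or "/" not in cols[0]:
            continue  # header, separator or blank line
        routes.append(Route(ipaddress.ip_network(cols[0]), cols[1], cols[5], cols[6]))
    return routes

def lookup(routes: list[Route], addr: str) -> Optional[Route]:
    """Longest-prefix match for addr, as the forwarding plane performs it."""
    ip = ipaddress.ip_address(addr)
    matches = [r for r in routes if ip in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)

def redirect_nexthop_ok(table_text: str, nexthop: str) -> bool:
    """True if the PBR redirect next hop is on a directly connected subnet in this
    table (assumption: only then can the switch resolve and forward to it)."""
    best = lookup(parse_table(table_text), nexthop)
    return best is not None and best.proto == "Direct"
```

Running redirect_nexthop_ok(PUBLIC_TABLE, "10.148.151.11") returns False (only the default route matches), while the same call against PIIS_TABLE returns True via the Direct route on Vlanif151, which is exactly why a redirect without a vpn-instance parameter cannot reach the gateway.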

There are two ways to solve this issue:
(1) Replace the S5300 with an S9300.
(2) Remove the VPN instance configuration from the S5300. In this case there is no need for a VPN instance on the S5300, because the switch only connects the anti-spam gateway and the mail server; the VPN instance is configured on the firewall, so none of the S5300 configuration depends on it. After this change was tested, policy-based routing on the S5300 worked.

Root Cause

1. The redirect next hop is unreachable from the public routing table.
2. The product does not support policy-based routing in a VPN instance.

Suggestions

S5300/S5700 series switches do not support policy-based routing in a vpn-instance, so another method must be used to achieve this goal in such a scenario.