Association between PBR and IP-link on a USG firewall
PBR by itself cannot detect whether the link to the configured next hop or default next hop is reachable. If that link is down, packets matching the policy are still sent to the unreachable next hop and forwarding may fail.
Associating PBR with IP-link solves this problem, makes PBR more flexible to apply, and lets PBR react dynamically to changes in the network. When you configure IP-link, make sure that the destination IP address of the monitored link is the same as the next hop or default next hop specified in the PBR, and then associate the PBR with the IP-link. IP-link then monitors the reachability of the links to the next hop and default next hop and dynamically determines whether the PBR is usable.
Key configurations for association between PBR and IP-link on a USG firewall:
1. Configure PBR.
# Configure policy-based route testA, so that packets from 10.1.0.0/16 are sent to the next hop 18.104.22.168.
[USG] policy-based-route testA permit node 5
[USG-policy-based-route-testA-5] if-match acl 3001
[USG-policy-based-route-testA-5] apply ip-address next-hop 22.214.171.124
# Configure policy-based route testB, so that packets from 126.96.36.199/16 are sent to the next hop 188.8.131.52.
[USG] policy-based-route testB permit node 5
[USG-policy-based-route-testB-5] if-match acl 3002
[USG-policy-based-route-testB-5] apply ip-address next-hop 184.108.40.206
# Apply policy-based route testA to GigabitEthernet 0/0/1 to process the packets received by this interface.
[USG] interface GigabitEthernet 0/0/1
[USG-GigabitEthernet0/0/1] ip policy-based-route testA
# Apply policy-based route testB to GigabitEthernet 0/0/2 to process the packets received by this interface.
[USG] interface GigabitEthernet 0/0/2
[USG-GigabitEthernet0/0/2] ip policy-based-route testB
2. Configure IP-link. For the association between PBR and IP-link to work, the destination IP address probed by each IP-link must be the same as the next hop configured for the packets.
# Enable IP-link.
[USG] ip-link check enable
# Create IP-link 1 for detecting link reachability from the USG to 220.127.116.11.
[USG] ip-link 1 destination 18.104.22.168 mode icmp
# Create IP-link 2 for detecting link reachability from the USG to 22.214.171.124.
[USG] ip-link 2 destination 126.96.36.199 mode icmp
3. Configure default routes and associate them with IP-links.
# Configure a default route, set the next hop to 188.8.131.52/24, and associate the route with IP-link 1.
[USG] ip route-static 0.0.0.0 0.0.0.0 184.108.40.206 track ip-link 1
# Configure a default route, set the next hop to 220.127.116.11/24, and associate the route with IP-link 2.
[USG] ip route-static 0.0.0.0 0.0.0.0 18.104.22.168 track ip-link 2
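The consistency rule from step 2 (the IP-link destination must equal the PBR next hop, and the tracked static route must point at the same address) is easy to get wrong by hand. The following checker is an added example, not Huawei code or part of this page's configuration; it parses a constructed USG-style config (made-up 192.0.2.0/24 addresses) and reports next hops that no IP-link probes, tracked routes whose IP-link probes a different address, and a missing `ip-link check enable`.

```python
import re
from typing import List

# Constructed sample in the USG CLI style used above; addresses are made up.
# testB is deliberately inconsistent: IP-link 2 probes 192.0.2.9, not the next hop 192.0.2.2.
SAMPLE_CONFIG = """
policy-based-route testA permit node 5
 if-match acl 3001
 apply ip-address next-hop 192.0.2.1
policy-based-route testB permit node 5
 if-match acl 3002
 apply ip-address next-hop 192.0.2.2
ip-link check enable
ip-link 1 destination 192.0.2.1 mode icmp
ip-link 2 destination 192.0.2.9 mode icmp
ip route-static 0.0.0.0 0.0.0.0 192.0.2.1 track ip-link 1
ip route-static 0.0.0.0 0.0.0.0 192.0.2.2 track ip-link 2
"""

NEXT_HOP = re.compile(r"^\s*apply ip-address next-hop (\S+)")
IP_LINK = re.compile(r"^\s*ip-link (\d+) destination (\S+) mode")
TRACKED_ROUTE = re.compile(r"^\s*ip route-static \S+ \S+ (\S+) track ip-link (\d+)")


def check_pbr_iplink(config: str) -> List[str]:
    """Return a list of findings; an empty list means PBR, IP-link and tracked routes agree."""
    next_hops, links, routes = [], {}, []
    for line in config.splitlines():
        if m := NEXT_HOP.match(line):
            next_hops.append(m.group(1))
        elif m := IP_LINK.match(line):
            links[m.group(1)] = m.group(2)          # link id -> probed destination
        elif m := TRACKED_ROUTE.match(line):
            routes.append((m.group(1), m.group(2)))  # (route next hop, link id)
    findings = []
    if not re.search(r"^\s*ip-link check enable\s*$", config, re.M):
        findings.append("ip-link check enable is missing")
    probed = set(links.values())
    for hop in next_hops:                            # every PBR next hop needs a probe
        if hop not in probed:
            findings.append(f"PBR next-hop {hop} has no IP-link probing it")
    for hop, link_id in routes:                      # tracked route must match its probe
        dest = links.get(link_id)
        if dest is None:
            findings.append(f"route via {hop} tracks undefined ip-link {link_id}")
        elif dest != hop:
            findings.append(f"route via {hop} tracks ip-link {link_id} probing {dest}")
    return findings


if __name__ == "__main__":
    for finding in check_pbr_iplink(SAMPLE_CONFIG):
        print(finding)
```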