Association between PBR and IP-link on a USG firewall
PBR cannot detect whether the links to its next hop and default next hop are reachable. If the next hop or default next hop configured on the firewall becomes unreachable, packet forwarding may fail.
Associating PBR with IP-link solves this problem: it makes PBR more flexible to apply and lets PBR react to changes in the network. When you configure IP-link, make sure that the destination IP address of the monitored link is the same as the next hop or default next hop specified in PBR, then associate PBR with the IP-link. IP-link monitors the reachability of the next-hop and default-next-hop links and dynamically determines whether the PBR entry is usable.
Key configurations for association between PBR and IP-link on a USG firewall:
1. Configure PBR.
# Configure rule A_2, so that packets sent from 10.1.0.0/16 are sent to next-hop 220.127.116.11.
[USG] policy-based-route testA permit node 5
[USG-policy-based-route-testA-5] if-match acl 3001
[USG-policy-based-route-testA-5] apply ip-address next-hop 18.104.22.168
# Configure policy-based route testB, so that packets from 22.214.171.124/16 are sent to the next hop 126.96.36.199.
[USG] policy-based-route testB permit node 5
[USG-policy-based-route-testB-5] if-match acl 3002
[USG-policy-based-route-testB-5] apply ip-address next-hop 188.8.131.52
# Apply policy-based route testA to GigabitEthernet 0/0/1 to process the packets received by this interface.
[USG] interface GigabitEthernet 0/0/1
[USG-GigabitEthernet0/0/1] ip policy-based-route testA
# Apply policy-based route testB to GigabitEthernet 0/0/2 to process the packets received by this interface.
[USG] interface GigabitEthernet 0/0/2
[USG-GigabitEthernet0/0/2] ip policy-based-route testB
2. Configure IP-link. For the association between PBR and IP-link to work, the destination IP address that each IP-link probes must be the same as the next hop configured for the packets.
# Enable IP-link.
[USG] ip-link check enable
# Create IP-link 1 for detecting link reachability from the USG to 184.108.40.206.
[USG] ip-link 1 destination 220.127.116.11 mode icmp
# Create IP-link 2 for detecting link reachability from the USG to 18.104.22.168.
[USG] ip-link 2 destination 22.214.171.124 mode icmp
3. Configure default routes and associate them with IP-links.
# Configure a default route, set the next hop to 126.96.36.199/24, and associate the route with IP-link 1.
[USG] ip route-static 0.0.0.0 0.0.0.0 188.8.131.52 track ip-link 1
# Configure a default route, set the next hop to 184.108.40.206/24, and associate the route with IP-link 2.
[USG] ip route-static 0.0.0.0 0.0.0.0 220.127.116.11 track ip-link 2
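The consistency rule in step 2 (each IP-link must probe exactly the address used as the PBR or static-route next hop) is easy to get wrong when several next hops and IP-links are configured, and a mismatch means the route or PBR entry is never withdrawn when its real next hop goes down. The following Python script, added here as an illustration and not part of the original page or of any Huawei tool, parses a pasted USG CLI session (or plain configuration output) and reports every tracked route whose IP-link probes a different address and every PBR next hop that no IP-link monitors. The sample session is constructed for this example; its addresses are RFC 5737 documentation addresses, not the page's, and two of its lines deliberately break the rule.

```python
import re

# Constructed sample of a USG CLI session in the same prompt style as the page's
# excerpt. Addresses are RFC 5737 documentation addresses. Two lines are wrong on
# purpose: IP-link 2 probes 203.0.113.9 although the route it tracks and the PBR
# testB both use 198.51.100.1 as next hop.
SAMPLE_SESSION = """\
[USG] policy-based-route testA permit node 5
[USG-policy-based-route-testA-5] if-match acl 3001
[USG-policy-based-route-testA-5] apply ip-address next-hop 192.0.2.1
[USG] policy-based-route testB permit node 5
[USG-policy-based-route-testB-5] if-match acl 3002
[USG-policy-based-route-testB-5] apply ip-address next-hop 198.51.100.1
[USG] ip-link check enable
[USG] ip-link 1 destination 192.0.2.1 mode icmp
[USG] ip-link 2 destination 203.0.113.9 mode icmp
[USG] ip route-static 0.0.0.0 0.0.0.0 192.0.2.1 track ip-link 1
[USG] ip route-static 0.0.0.0 0.0.0.0 198.51.100.1 track ip-link 2
"""

PROMPT = re.compile(r"^\[[^\]]*\]\s*")  # "[USG] " or "[USG-policy-based-route-testA-5] "
PBR_NODE = re.compile(r"^policy-based-route (\S+) (?:permit|deny) node (\d+)$")
PBR_NEXT_HOP = re.compile(r"^apply ip-address next-hop (\S+)$")
IP_LINK = re.compile(r"^ip-link (\d+) destination (\S+) mode (\S+)$")
TRACKED_ROUTE = re.compile(r"^ip route-static (\S+) (\S+) (\S+) track ip-link (\d+)$")


def parse_usg_config(text):
    """Extract PBR next hops, IP-link probes and IP-link-tracked static routes.

    Accepts a pasted CLI session (prompts are stripped) or plain
    'display current-configuration' output (leading indentation is ignored).
    """
    cfg = {"ip_link_enabled": False, "pbr": {}, "ip_links": {}, "tracked_routes": []}
    current_policy = None
    for raw in text.splitlines():
        line = PROMPT.sub("", raw).strip()
        if not line:
            continue
        if line == "ip-link check enable":
            cfg["ip_link_enabled"] = True
        elif m := PBR_NODE.match(line):
            current_policy = f"{m.group(1)} node {m.group(2)}"
            cfg["pbr"].setdefault(current_policy, [])
        elif (m := PBR_NEXT_HOP.match(line)) and current_policy:
            cfg["pbr"][current_policy].append(m.group(1))
        elif m := IP_LINK.match(line):
            cfg["ip_links"][m.group(1)] = m.group(2)          # link id -> probed address
        elif m := TRACKED_ROUTE.match(line):
            cfg["tracked_routes"].append((m.group(3), m.group(4)))  # (next hop, link id)
    return cfg


def audit_pbr_ip_link(text):
    """Return human-readable findings; an empty list means the association is consistent."""
    cfg = parse_usg_config(text)
    findings = []
    if not cfg["ip_link_enabled"]:
        findings.append("ip-link check enable is missing: no IP-link probe will run")
    monitored = set(cfg["ip_links"].values())
    # A tracked route is only withdrawn correctly if its IP-link probes its own next hop.
    for next_hop, link_id in cfg["tracked_routes"]:
        dest = cfg["ip_links"].get(link_id)
        if dest is None:
            findings.append(f"route via {next_hop} tracks ip-link {link_id}, which is not defined")
        elif dest != next_hop:
            findings.append(
                f"route via {next_hop} tracks ip-link {link_id}, but that IP-link probes {dest}"
            )
    # A PBR next hop that no IP-link probes is never detected as unreachable.
    for policy, hops in cfg["pbr"].items():
        for hop in hops:
            if hop not in monitored:
                findings.append(f"PBR {policy} next hop {hop} is not probed by any IP-link")
    return findings


if __name__ == "__main__":
    for finding in audit_pbr_ip_link(SAMPLE_SESSION) or ["no inconsistencies found"]:
        print(finding)
```

Run it against a saved CLI session or the output of the firewall's configuration display; the audit only reads the text and changes nothing on the device. Fixing the sample by making IP-link 2 probe 198.51.100.1 clears both findings, which is the state the procedure above is meant to produce.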