
Association Between PBR and IP-Link on a USG Firewall

Publication Date: 2019-01-22

Issue Description

How to associate policy-based routing (PBR) with IP-link on a USG firewall so that a PBR next hop is only used while it is actually reachable.

Handling Process

PBR by itself does not check whether the next hop or default next hop it applies is reachable. If the link to the configured next hop or default next hop goes down, the firewall keeps steering matching packets to that next hop and forwarding fails.

Associating PBR with IP-link solves this problem and makes PBR follow the real state of the network instead of a static setting. IP-link periodically probes the configured destination and reports the link as up or down; PBR's use of the next hop or default next hop then depends on that result. When configuring IP-link, the destination IP address of the monitored link must be exactly the next hop or default next hop configured in PBR, otherwise the probe reports on a different path than the one PBR uses.


Key configurations for association between PBR and IP-link on a USG firewall:

1. Configure PBR.

# Configure policy-based route testA, node 5, so that packets from 10.1.0.0/16 (matched by ACL 3001, which must be defined separately) are sent to next hop 1.1.2.1.

[USG] policy-based-route testA permit node 5

[USG-policy-based-route-testA-5] if-match acl 3001

[USG-policy-based-route-testA-5] apply ip-address next-hop 1.1.2.1

[USG-policy-based-route-testA-5] quit

# Configure policy-based route testB, node 5, so that packets from 20.1.0.0/16 (matched by ACL 3002, which must be defined separately) are sent to next hop 1.1.3.1.

[USG] policy-based-route testB permit node 5

[USG-policy-based-route-testB-5] if-match acl 3002

[USG-policy-based-route-testB-5] apply ip-address next-hop 1.1.3.1

[USG-policy-based-route-testB-5] quit

# Apply policy-based route testA to GigabitEthernet 0/0/1 to process the packets received by this interface.

[USG] interface GigabitEthernet 0/0/1

[USG-GigabitEthernet0/0/1] ip policy-based-route testA

[USG-GigabitEthernet0/0/1] quit

# Apply policy-based route testB to GigabitEthernet 0/0/2 to process the packets received by this interface.

[USG] interface GigabitEthernet 0/0/2

[USG-GigabitEthernet0/0/2] ip policy-based-route testB

[USG-GigabitEthernet0/0/2] quit

2. Configure IP-link. For the association to work, the destination address that each IP-link probes must be the same address as the PBR next hop it protects (1.1.2.1 and 1.1.3.1 here). Note that ICMP mode requires the next hop to answer echo requests: if ICMP is filtered on that path, the IP-link reports the link as down even though the link forwards traffic.

# Enable IP-link.

[USG] ip-link check enable

# Create IP-link 1 for detecting link reachability from the USG to 1.1.2.1.

[USG] ip-link 1 destination 1.1.2.1 mode icmp

# Create IP-link 2 for detecting link reachability from the USG to 1.1.3.1.

[USG] ip-link 2 destination 1.1.3.1 mode icmp

3. Configure default routes and associate them with the IP-links. Each route must track the IP-link that probes its own next hop (IP-link 1 for 1.1.2.1, IP-link 2 for 1.1.3.1); when the IP-link reports the next hop unreachable, the tracked route is withdrawn.

# Configure a default route with next hop 1.1.2.1 and associate it with IP-link 1.

[USG] ip route-static 0.0.0.0 0.0.0.0 1.1.2.1 track ip-link 1

# Configure a default route with next hop 1.1.3.1 and associate it with IP-link 2.

[USG] ip route-static 0.0.0.0 0.0.0.0 1.1.3.1 track ip-link 2
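The consistency rule behind this procedure (every PBR next hop is probed by an IP-link whose destination is exactly that address, and the route via that next hop tracks the same IP-link) is easy to break with a typo, after which the probe watches one address while PBR forwards to another. The following Python script is an added example, not part of the Huawei page or the USG product: it parses a configuration text in the form shown above and reports any PBR next hop that violates the rule. It recognizes only the commands on the page, plus the `apply ip-address default next-hop` form, which is assumed here from the page's mention of a default next hop. The sample configuration is constructed from the page's commands.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: the commands from the page, minus the interface and
# ACL lines, which the check does not need.
SAMPLE_CONFIG = """\
policy-based-route testA permit node 5
 if-match acl 3001
 apply ip-address next-hop 1.1.2.1
policy-based-route testB permit node 5
 if-match acl 3002
 apply ip-address next-hop 1.1.3.1
ip-link check enable
ip-link 1 destination 1.1.2.1 mode icmp
ip-link 2 destination 1.1.3.1 mode icmp
ip route-static 0.0.0.0 0.0.0.0 1.1.2.1 track ip-link 1
ip route-static 0.0.0.0 0.0.0.0 1.1.3.1 track ip-link 2
"""

PBR_NODE_RE = re.compile(r"^policy-based-route\s+(\S+)\s+(?:permit|deny)\s+node\s+(\d+)")
# "default next-hop" is an assumed variant; the page only shows "next-hop".
NEXT_HOP_RE = re.compile(r"^\s*apply\s+ip-address\s+(?:default\s+)?next-hop\s+(\S+)")
IP_LINK_RE = re.compile(r"^ip-link\s+(\d+)\s+destination\s+(\S+)\s+mode\s+(\S+)")
ROUTE_TRACK_RE = re.compile(
    r"^ip route-static\s+(\S+)\s+(\S+)\s+(\S+)\s+track\s+ip-link\s+(\d+)")


def parse_config(text: str) -> dict:
    """Extract PBR next hops, IP-links and tracked static routes."""
    pbr_hops: List[Tuple[str, int, str]] = []   # (policy, node, next hop)
    ip_links: Dict[int, Tuple[str, str]] = {}   # link id -> (destination, mode)
    tracked: Dict[str, Set[int]] = {}           # next hop -> ip-link ids tracking it
    check_enabled = False
    current = None                              # PBR node being read, if any
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = PBR_NODE_RE.match(line)
        if m:
            current = (m.group(1), int(m.group(2)))
            continue
        if not line[0].isspace():
            current = None                      # left the PBR node view
        m = NEXT_HOP_RE.match(line)
        if m and current:
            pbr_hops.append((current[0], current[1], m.group(1)))
            continue
        if line.startswith("ip-link check enable"):
            check_enabled = True
            continue
        m = IP_LINK_RE.match(line)
        if m:
            ip_links[int(m.group(1))] = (m.group(2), m.group(3))
            continue
        m = ROUTE_TRACK_RE.match(line)
        if m:
            tracked.setdefault(m.group(3), set()).add(int(m.group(4)))
    return {"pbr_hops": pbr_hops, "ip_links": ip_links,
            "tracked": tracked, "check_enabled": check_enabled}


def check_association(text: str) -> List[str]:
    """Return findings; an empty list means every PBR next hop is probed by an
    IP-link with exactly that destination and the route via that next hop
    tracks the same IP-link."""
    cfg = parse_config(text)
    findings: List[str] = []
    if not cfg["check_enabled"]:
        findings.append("ip-link check enable is missing: no IP-link will probe")
    dest_to_links: Dict[str, Set[int]] = {}
    for link_id, (dest, _mode) in cfg["ip_links"].items():
        dest_to_links.setdefault(dest, set()).add(link_id)
    for policy, node, hop in cfg["pbr_hops"]:
        where = f"policy-based-route {policy} node {node}"
        links = dest_to_links.get(hop, set())
        if not links:
            findings.append(f"{where}: next hop {hop} has no IP-link probing it")
            continue
        if not links & cfg["tracked"].get(hop, set()):
            findings.append(f"{where}: next hop {hop} is probed by ip-link "
                            f"{sorted(links)} but no route via {hop} tracks it")
    return findings


if __name__ == "__main__":
    for finding in check_association(SAMPLE_CONFIG) or ["OK: PBR and IP-link are consistent"]:
        print(finding)
```

Run it against the output of `display current-configuration` saved to a file to catch a mistyped IP-link destination or a route that tracks the wrong IP-link before the mismatch shows up as an outage.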
