Policy-based Routing Does Not Take Effect in Dual-Egress Networking

Publication Date: 2019-01-24
Issue Description

USG5150 V100R005C00SPC500

The customer's internal network has two network segments (10.85.199.0 and 10.85.194.0). There are two egress links: China Telecom (10.157.230.227) and China Netcom (183.220.237.254). Policy-based routing and default routes are used. After policy-based routing is configured, the 10.85.199.0 network segment still uses the default route.

Handling Process

The configuration is as follows:

acl number 3030
 rule 5 permit ip source 10.85.199.222 0

policy-based-route aa permit node 5
 if-match acl 3030
 apply ip-address next-hop 10.157.230.254

interface Vlanif10
 ip address 192.168.0.254 255.255.255.0
 ip policy-based-route aa

It is found that policy-based routing does not apply to 10.85.199.222.

[USG5100]dis firewall session table verbose source inside 10.85.199.222
17:04:00 2013/03/29
Current Total Sessions : 34
dns VPN:public --> public
Zone: trust--> untrust TTL: 00:02:00 Left: 00:00:17
Interface: GigabitEthernet0/0/0 NextHop: 183.220.237.1 MAC: 28-6e-d4-46-9e-52
<--packets:1 bytes:88 -->packets:1 bytes:72
10.85.199.222:57354[183.220.237.252:63102]-->211.137.96.205:53

The following command output indicates that policy-based routing has forwarded packets:

[USG5100]dis ip policy-based-route statistics interface Vlanif 10
17:01:53 2013/03/29
Interface Vlanif10 policy based routing information:
policy-based-route: aa
permit node 5
apply ip-address next-hop 10.157.230.254
Denied: 0,
Forwarded: 249
Total denied: 0, forwarded: 249

Delete the IP-link configuration:

undo ip-link 3 destination 10.157.230.254 mode icmp

Run this command to view the result:

[USG5100]dis firewall session table verbose source inside 10.85.199.222
17:08:27 2013/03/29
Current Total Sessions : 21
http VPN:public --> public
Zone: trust--> unstrust2 TTL: 00:00:05 Left: 00:00:03
Interface: GigabitEthernet0/0/2 NextHop: 10.157.230.254 MAC: 00-16-4d-26-e7-26
<--packets:0 bytes:0 -->packets:2 bytes:104
10.85.199.222:51021[10.157.230.227:2073]-->173.208.214.233:80

Root Cause

The configuration is incorrect.

Suggestions

In V100R005, policy-based routing is automatically associated with IP-link. Pay attention to this point during configuration.
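
A check for the symptom in this case, as an added example that is not part of the original case or of any vendor tooling: it parses session table output in the layout shown above and lists sessions whose source matches the ACL but whose NextHop is not the policy-based routing next hop. The function names are hypothetical, and the sample input is the two session entries from this page.

```python
import re
from ipaddress import IPv4Address

# Sample input: the two session entries shown in this case (before / after the fix).
SAMPLE = """\
dns VPN:public --> public
Zone: trust--> untrust TTL: 00:02:00 Left: 00:00:17
Interface: GigabitEthernet0/0/0 NextHop: 183.220.237.1 MAC: 28-6e-d4-46-9e-52
<--packets:1 bytes:88 -->packets:1 bytes:72
10.85.199.222:57354[183.220.237.252:63102]-->211.137.96.205:53
http VPN:public --> public
Zone: trust--> unstrust2 TTL: 00:00:05 Left: 00:00:03
Interface: GigabitEthernet0/0/2 NextHop: 10.157.230.254 MAC: 00-16-4d-26-e7-26
<--packets:0 bytes:0 -->packets:2 bytes:104
10.85.199.222:51021[10.157.230.227:2073]-->173.208.214.233:80
"""

HOP_RE = re.compile(r"Interface:\s*(\S+)\s+NextHop:\s*(\S+)")
FLOW_RE = re.compile(r"^([\d.]+):\d+(?:\[([\d.]+):\d+\])?-->([\d.]+):(\d+)$")

def parse_sessions(text):
    """Pair each 'Interface/NextHop' line with the flow line that follows it."""
    sessions, hop = [], None
    for line in map(str.strip, text.splitlines()):
        if m := HOP_RE.search(line):
            hop = m.groups()
        elif (m := FLOW_RE.match(line)) and hop:
            sessions.append({"src": m[1], "nat_src": m[2], "dst": m[3],
                             "dport": int(m[4]), "interface": hop[0], "next_hop": hop[1]})
            hop = None
    return sessions

def acl_match(ip, base, wildcard):
    """Wildcard-mask match: bits set in the wildcard are ignored."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(ip)) & care) == (int(IPv4Address(base)) & care)

def pbr_bypassed(sessions, base, wildcard, pbr_next_hop):
    """Sessions whose source matches the ACL but that left via another next hop."""
    return [s for s in sessions
            if acl_match(s["src"], base, wildcard) and s["next_hop"] != pbr_next_hop]

if __name__ == "__main__":
    # ACL 3030 "source 10.85.199.222 0": wildcard 0 is written out as 0.0.0.0 here.
    for s in pbr_bypassed(parse_sessions(SAMPLE), "10.85.199.222", "0.0.0.0", "10.157.230.254"):
        print(f'{s["src"]} -> {s["dst"]}:{s["dport"]} left via {s["interface"]} '
              f'next hop {s["next_hop"]}, not the PBR next hop')
```
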
