
CLI: Example for Configuring Source IP Address-Specific PBR

This section provides an example for configuring source IP address-specific PBR to forward the data through different links.

Networking Requirements

An enterprise has a marketing department and an R&D department. As shown in Figure 1, the FW is deployed at the intranet egress. Two links, ISP-A and ISP-B, connect to the Internet. ISP-A provides fast and stable Internet access but is expensive. ISP-B is inexpensive but slow.

Requirements are as follows:

  • The marketing department has high requirements on Internet service speed and therefore accesses the Internet through ISP-A.
  • The R&D department has low requirements on Internet service speed and therefore accesses the Internet through ISP-B.

Figure 1 Configuring source IP address-specific PBR

This example focuses on the configuration related to PBR. Configure other data such as NAT based on the actual networking.

Procedure

  1. Configure the interfaces, including IP addresses and security zones.

    [FW] interface GigabitEthernet 0/0/2
    [FW-GigabitEthernet0/0/2] ip address 10.10.1.1 255.255.255.0
    [FW-GigabitEthernet0/0/2] quit
    [FW] interface GigabitEthernet 0/0/3
    [FW-GigabitEthernet0/0/3] ip address 10.1.1.1 255.255.255.0
    [FW-GigabitEthernet0/0/3] ip address 10.1.2.1 255.255.255.0 sub
    [FW-GigabitEthernet0/0/3] quit
    [FW] interface GigabitEthernet 0/0/4
    [FW-GigabitEthernet0/0/4] ip address 10.20.1.1 255.255.255.0
    [FW-GigabitEthernet0/0/4] quit
    [FW] firewall zone trust
    [FW-zone-trust] add interface GigabitEthernet 0/0/3
    [FW-zone-trust] quit
    [FW] firewall zone untrust
    [FW-zone-untrust] add interface GigabitEthernet 0/0/2
    [FW-zone-untrust] add interface GigabitEthernet 0/0/4
    [FW-zone-untrust] quit

  2. Configure IP-link to detect link status.

    [FW] ip-link check enable
    [FW] ip-link name pbr_1
    [FW-iplink-pbr_1] destination 10.10.1.2 interface GigabitEthernet 0/0/2
    [FW-iplink-pbr_1] quit
    [FW] ip-link name pbr_2
    [FW-iplink-pbr_2] destination 10.20.1.2 interface GigabitEthernet 0/0/4
    [FW-iplink-pbr_2] quit

  3. Configure the security policy.

    # Configure a security policy between the Trust and Untrust zones to allow intranet users to access extranet resources. It is assumed that the intranet user network segments are 10.1.1.0/24 and 10.1.2.0/24.
    [FW] security-policy
    [FW-policy-security] rule name policy_sec_trust_untrust
    [FW-policy-security-rule-policy_sec_trust_untrust] source-zone trust
    [FW-policy-security-rule-policy_sec_trust_untrust] destination-zone untrust
    [FW-policy-security-rule-policy_sec_trust_untrust] source-address 10.1.1.0 24
    [FW-policy-security-rule-policy_sec_trust_untrust] source-address 10.1.2.0 24
    [FW-policy-security-rule-policy_sec_trust_untrust] action permit
    [FW-policy-security-rule-policy_sec_trust_untrust] quit
    [FW-policy-security] quit

  4. Create PBR rule pbr_1 to forward packets from the marketing department to 10.10.1.2. Create PBR rule pbr_2 to forward packets from the R&D department to 10.20.1.2.

    Ensure that the FW also has a route configuration that can forward the traffic from the marketing and R&D departments when PBR does not apply, for example because a tracked IP-link is down.

    [FW] policy-based-route
    [FW-policy-pbr] rule name pbr_1
    [FW-policy-pbr-rule-pbr_1] description pbr_1
    [FW-policy-pbr-rule-pbr_1] source-zone trust
    [FW-policy-pbr-rule-pbr_1] source-address 10.1.1.0 24
    [FW-policy-pbr-rule-pbr_1] track ip-link pbr_1
    [FW-policy-pbr-rule-pbr_1] action pbr next-hop 10.10.1.2
    [FW-policy-pbr-rule-pbr_1] quit
    [FW-policy-pbr] rule name pbr_2
    [FW-policy-pbr-rule-pbr_2] description pbr_2
    [FW-policy-pbr-rule-pbr_2] source-zone trust
    [FW-policy-pbr-rule-pbr_2] source-address 10.1.2.0 24
    [FW-policy-pbr-rule-pbr_2] track ip-link pbr_2
    [FW-policy-pbr-rule-pbr_2] action pbr next-hop 10.20.1.2
    [FW-policy-pbr-rule-pbr_2] quit
    [FW-policy-pbr] quit
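    The following Python simulation is an added example, not Huawei code: it models the security policy from step 3 and the two PBR rules from step 4, including the IP-link track, so that the fallback to the route table when a tracked link fails can be checked. The route-table next hop (10.10.1.2) is an assumption; the page only states that such a route must exist.

```python
import ipaddress

# Simulation of the FW decisions for the rules configured above (added example,
# not Huawei code). Models step 3 (security policy) and step 4 (PBR with an
# ip-link track) so the fallback from a failed link can be checked.

INTRANET_NETS = [ipaddress.ip_network("10.1.1.0/24"),
                 ipaddress.ip_network("10.1.2.0/24")]

# (name, source-zone, source-address, tracked ip-link, next-hop); list order is match order
PBR_RULES = [
    ("pbr_1", "trust", ipaddress.ip_network("10.1.1.0/24"), "pbr_1", "10.10.1.2"),
    ("pbr_2", "trust", ipaddress.ip_network("10.1.2.0/24"), "pbr_2", "10.20.1.2"),
]

# Ordinary route lookup used when no PBR rule applies. A route via ISP-A is
# assumed here (hypothetical; the page only says such a route must exist).
ROUTE_TABLE_NEXT_HOP = "10.10.1.2"


def security_policy_permits(src_ip, src_zone, dst_zone):
    """policy_sec_trust_untrust: trust -> untrust from the two intranet segments."""
    ip = ipaddress.ip_address(src_ip)
    return (src_zone == "trust" and dst_zone == "untrust"
            and any(ip in net for net in INTRANET_NETS))


def pbr_next_hop(src_ip, src_zone, ip_link_up):
    """Return (rule name, next-hop). A matching rule whose tracked ip-link is
    down is skipped, so the packet falls back to the route table."""
    ip = ipaddress.ip_address(src_ip)
    for name, zone, net, track, next_hop in PBR_RULES:
        if zone != src_zone or ip not in net:
            continue
        if not ip_link_up.get(track, False):
            continue  # tracked link is down: rule is not applied
        return name, next_hop
    return "route-table", ROUTE_TABLE_NEXT_HOP


def forward(src_ip, src_zone, dst_zone, ip_link_up):
    """Packet walk: security policy first, then PBR. Returns (decision, next-hop)."""
    if not security_policy_permits(src_ip, src_zone, dst_zone):
        return "deny", None
    return pbr_next_hop(src_ip, src_zone, ip_link_up)
```

    With both IP-links up, a marketing host (10.1.1.0/24) is sent to 10.10.1.2 and an R&D host (10.1.2.0/24) to 10.20.1.2; with pbr_2 down, R&D traffic is forwarded by the route table instead.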

Configuration Scripts

#
interface GigabitEthernet0/0/2
 ip address 10.10.1.1 255.255.255.0
#
interface GigabitEthernet0/0/3
 ip address 10.1.1.1 255.255.255.0
 ip address 10.1.2.1 255.255.255.0 sub
#
interface GigabitEthernet0/0/4
 ip address 10.20.1.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/2
 add interface GigabitEthernet0/0/4
#
security-policy 
 rule name policy_sec_trust_untrust
  source-zone trust
  destination-zone untrust
  source-address 10.1.1.0 24
  source-address 10.1.2.0 24
  action permit
#
 ip-link check enable
 ip-link name pbr_1
  destination 10.10.1.2 interface GigabitEthernet 0/0/2
 ip-link name pbr_2
  destination 10.20.1.2 interface GigabitEthernet 0/0/4
#
policy-based-route
 rule name pbr_1
  description pbr_1
  source-zone trust
  source-address 10.1.1.0 24
  track ip-link pbr_1
  action pbr next-hop 10.10.1.2
 rule name pbr_2
  description pbr_2
  source-zone trust
  source-address 10.1.2.0 24
  track ip-link pbr_2
  action pbr next-hop 10.20.1.2
#
return
Copyright © Huawei Technologies Co., Ltd.