This section provides an example of configuring protocol-specific (application-based) PBR so that different kinds of traffic are forwarded over different links.
As shown in Figure 1, the FW is deployed at the intranet egress and can reach the Internet through Router_A of ISP-A or Router_B of ISP-B. ISP-A provides fast and stable Internet service but is expensive. ISP-B is cheap but slow.
Service (business) traffic is forwarded to the Internet through ISP-A via GE0/0/2, and entertainment traffic is forwarded through ISP-B via GE0/0/4.
This example covers only the PBR-related configuration. Configure NAT and other settings according to the actual network. Note that PBR only selects the egress path; whether traffic is permitted at all is decided by the security policy, not by the PBR rule.
[FW] interface GigabitEthernet 0/0/2
[FW-GigabitEthernet0/0/2] ip address 10.10.1.1 255.255.255.0
[FW-GigabitEthernet0/0/2] quit
[FW] interface GigabitEthernet 0/0/3
[FW-GigabitEthernet0/0/3] ip address 10.1.1.1 255.255.255.0
[FW-GigabitEthernet0/0/3] quit
[FW] interface GigabitEthernet 0/0/4
[FW-GigabitEthernet0/0/4] ip address 10.20.1.1 255.255.255.0
[FW-GigabitEthernet0/0/4] quit
[FW] firewall zone trust
[FW-zone-trust] add interface GigabitEthernet 0/0/3
[FW-zone-trust] quit
[FW] firewall zone untrust
[FW-zone-untrust] add interface GigabitEthernet 0/0/2
[FW-zone-untrust] add interface GigabitEthernet 0/0/4
[FW-zone-untrust] quit

[FW] ip-link check enable
[FW] ip-link name pbr_1
[FW-iplink-pbr_1] destination 10.10.1.2 interface GigabitEthernet 0/0/2
[FW-iplink-pbr_1] quit
[FW] ip-link name pbr_2
[FW-iplink-pbr_2] destination 10.20.1.2 interface GigabitEthernet 0/0/4
[FW-iplink-pbr_2] quit

[FW] security-policy
[FW-policy-security] rule name policy_sec_trust_untrust
[FW-policy-security-rule-policy_sec_trust_untrust] source-zone trust
[FW-policy-security-rule-policy_sec_trust_untrust] destination-zone untrust
[FW-policy-security-rule-policy_sec_trust_untrust] source-address 10.1.1.0 24
[FW-policy-security-rule-policy_sec_trust_untrust] action permit
[FW-policy-security-rule-policy_sec_trust_untrust] quit
[FW-policy-security] quit
Ensure that the FW has routes (for example, static default routes to both ISP next hops) that can still carry service traffic and entertainment traffic when PBR does not apply. Each PBR rule below tracks an ip-link; when the tracked link is detected as down, the rule is no longer matched and the traffic falls back to the routing table, so without such routes a link failure turns into an outage instead of a failover.
[FW] policy-based-route
[FW-policy-pbr] rule name pbr_1
[FW-policy-pbr-rule-pbr_1] description pbr_1
[FW-policy-pbr-rule-pbr_1] source-zone trust
[FW-policy-pbr-rule-pbr_1] application category Business_Systems
[FW-policy-pbr-rule-pbr_1] track ip-link pbr_1
[FW-policy-pbr-rule-pbr_1] action pbr egress-interface GigabitEthernet 0/0/2 next-hop 10.10.1.2
[FW-policy-pbr-rule-pbr_1] quit
[FW-policy-pbr] rule name pbr_2
[FW-policy-pbr-rule-pbr_2] description pbr_2
[FW-policy-pbr-rule-pbr_2] source-zone trust
[FW-policy-pbr-rule-pbr_2] application category Entertainment
[FW-policy-pbr-rule-pbr_2] track ip-link pbr_2
[FW-policy-pbr-rule-pbr_2] action pbr egress-interface GigabitEthernet 0/0/4 next-hop 10.20.1.2
[FW-policy-pbr-rule-pbr_2] quit
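The page says to make sure fallback routes exist but does not show them. The following is an added example, not part of the original page, of the fallback routing and the checks a practitioner would run after the steps above. It assumes a default route through ISP-A with a lower-preference backup through ISP-B (the preference value 70 is an assumed choice; the static-route default preference on this platform is 60, so the ISP-B route is used only when the ISP-A route is withdrawn). The next-hop addresses are the ones used in the example above.

```text
# Added example (not from the original page): fallback routes for traffic
# that PBR does not handle, e.g. when a tracked ip-link is down.
[FW] ip route-static 0.0.0.0 0.0.0.0 10.10.1.2
# Backup default route via ISP-B; preference 70 is an assumed value.
[FW] ip route-static 0.0.0.0 0.0.0.0 10.20.1.2 preference 70

# Verification: confirm both probes are up and both PBR rules are present.
[FW] display ip-link
[FW] display policy-based-route
```

If `display ip-link` shows a probe as down, the corresponding PBR rule is bypassed and that category of traffic follows the static routes above, which is the failover behaviour the note on fallback routes is meant to guarantee.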
#
interface GigabitEthernet0/0/2
 ip address 10.10.1.1 255.255.255.0
#
interface GigabitEthernet0/0/3
 ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/4
 ip address 10.20.1.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/2
 add interface GigabitEthernet0/0/4
#
security-policy
 rule name policy_sec_trust_untrust
  source-zone trust
  destination-zone untrust
  source-address 10.1.1.0 24
  action permit
#
ip-link check enable
ip-link name pbr_1
 destination 10.10.1.2 interface GigabitEthernet 0/0/2
ip-link name pbr_2
 destination 10.20.1.2 interface GigabitEthernet 0/0/4
#
policy-based-route
 rule name pbr_1
  description pbr_1
  source-zone trust
  application category Business_Systems
  track ip-link pbr_1
  action pbr egress-interface GigabitEthernet0/0/2 next-hop 10.10.1.2
 rule name pbr_2
  description pbr_2
  source-zone trust
  application category Entertainment
  track ip-link pbr_2
  action pbr egress-interface GigabitEthernet0/0/4 next-hop 10.20.1.2
#
return