
CLI: Example for Configuring User-Specific PBR

This section provides an example for configuring user-specific PBR to allow users to access the Internet through different links.

Networking Requirements

An enterprise has three major departments: the president's department, the marketing department, and the R&D department. As shown in Figure 1, the FW is deployed at the intranet egress, and two links, ISP-A and ISP-B, connect it to the Internet. ISP-A provides fast and stable Internet access but is expensive; ISP-B is inexpensive but slow.

Requirements are as follows:

  • The president's department and the marketing department require fast Internet access and therefore access the Internet through ISP-A.
  • The R&D department has low requirements on Internet access speed and therefore accesses the Internet through ISP-B.

Figure 1 Configuring user-specific PBR

This example covers only the configuration related to PBR. Configure other settings, such as NAT, according to the actual network.

Procedure

  1. Set an IP address for each interface and assign the interfaces to security zones.

    [FW] interface GigabitEthernet 0/0/2
    [FW-GigabitEthernet0/0/2] ip address 10.10.1.1 255.255.255.0
    [FW-GigabitEthernet0/0/2] quit
    [FW] interface GigabitEthernet 0/0/3
    [FW-GigabitEthernet0/0/3] ip address 10.1.1.1 255.255.255.0
    [FW-GigabitEthernet0/0/3] quit
    [FW] interface GigabitEthernet 0/0/4
    [FW-GigabitEthernet0/0/4] ip address 10.20.1.1 255.255.255.0
    [FW-GigabitEthernet0/0/4] quit
    [FW] firewall zone trust
    [FW-zone-trust] add interface GigabitEthernet 0/0/3
    [FW-zone-trust] quit
    [FW] firewall zone untrust
    [FW-zone-untrust] add interface GigabitEthernet 0/0/2
    [FW-zone-untrust] add interface GigabitEthernet 0/0/4
    [FW-zone-untrust] quit

  2. Configure IP-link to detect link status.

    [FW] ip-link check enable
    [FW] ip-link name pbr_1
    [FW-iplink-pbr_1] destination 10.10.1.2 interface GigabitEthernet 0/0/2
    [FW-iplink-pbr_1] quit
    [FW] ip-link name pbr_2
    [FW-iplink-pbr_2] destination 10.20.1.2 interface GigabitEthernet 0/0/4
    [FW-iplink-pbr_2] quit

  3. Configure the security policy.

    # Configure a security policy between the Trust and Untrust zones to allow intranet users to access extranet resources. It is assumed that the intranet user network segment is 10.1.1.0/24.
    [FW] security-policy
    [FW-policy-security] rule name policy_sec_trust_untrust
    [FW-policy-security-rule-policy_sec_trust_untrust] source-zone trust
    [FW-policy-security-rule-policy_sec_trust_untrust] destination-zone untrust
    [FW-policy-security-rule-policy_sec_trust_untrust] source-address 10.1.1.0 24
    [FW-policy-security-rule-policy_sec_trust_untrust] action permit
    [FW-policy-security-rule-policy_sec_trust_untrust] quit
    [FW-policy-security] quit

  4. Create PBR rules pbr_1 and pbr_2 so that packets from the marketing and president's departments are sent to the Internet from GE0/0/2 over the ISP-A link, and packets from the R&D department are sent to the Internet from GE0/0/4 over the ISP-B link.

    Users in the marketing department belong to user group marketing, users in the president's department belong to user group president, and users in the R&D department belong to user group research. All users need to be authenticated to access network resources. The configurations of the user groups and authentication policies are omitted.

    Ensure that the FW also has routes that forward traffic from the president's, marketing, and R&D departments when PBR does not take effect; these routes are what the traffic falls back to.

    [FW] policy-based-route
    [FW-policy-pbr] rule name pbr_1
    [FW-policy-pbr-rule-pbr_1] description pbr_1
    [FW-policy-pbr-rule-pbr_1] source-zone trust
    [FW-policy-pbr-rule-pbr_1] track ip-link pbr_1
    [FW-policy-pbr-rule-pbr_1] user user-group /default/marketing
    [FW-policy-pbr-rule-pbr_1] user user-group /default/president
    [FW-policy-pbr-rule-pbr_1] action pbr egress-interface GigabitEthernet 0/0/2 next-hop 10.10.1.2
    [FW-policy-pbr-rule-pbr_1] quit
    [FW-policy-pbr] rule name pbr_2
    [FW-policy-pbr-rule-pbr_2] description pbr_2
    [FW-policy-pbr-rule-pbr_2] source-zone trust
    [FW-policy-pbr-rule-pbr_2] track ip-link pbr_2
    [FW-policy-pbr-rule-pbr_2] user user-group /default/research
    [FW-policy-pbr-rule-pbr_2] action pbr egress-interface GigabitEthernet 0/0/4 next-hop 10.20.1.2
    [FW-policy-pbr-rule-pbr_2] quit
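The following Python model is an added example and is not Huawei code. It parses the ip-link and policy-based-route sections of a configuration script written in the style shown on this page, checks that each PBR rule's tracked IP-link probes through that rule's own egress interface, and then decides which egress a packet from an authenticated user takes given the current IP-link states. A rule whose tracked IP-link is down is skipped, so the packet falls back to the ordinary routing table, which is why the procedure requires routes that work without PBR. The DEFAULT_ROUTE value, the exact-match comparison of user-group paths, and the skip-on-down rule semantics are simplifying assumptions of this model, not statements about the FW's implementation.

```python
"""Model of user-specific PBR with IP-link tracking (added example, not Huawei code).

Parses a configuration script in the page's style, checks that every PBR
rule tracks an IP-link that probes via the rule's own egress interface, and
selects the egress for a packet. A rule whose tracked IP-link is down is
skipped and the packet falls back to the routing table.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of the configuration script on this page (PBR-relevant parts only).
CONFIG_SCRIPT = """\
#
 ip-link check enable
 ip-link name pbr_1
  destination 10.10.1.2 interface GigabitEthernet 0/0/2
 ip-link name pbr_2
  destination 10.20.1.2 interface GigabitEthernet 0/0/4
#
policy-based-route
 rule name pbr_1
  source-zone trust
  track ip-link pbr_1
  user user-group /default/marketing
  user user-group /default/president
  action pbr egress-interface GigabitEthernet0/0/2 next-hop 10.10.1.2
 rule name pbr_2
  source-zone trust
  track ip-link pbr_2
  user user-group /default/research
  action pbr egress-interface GigabitEthernet0/0/4 next-hop 10.20.1.2
#
"""

# Assumed default route (not on the page): traffic not steered by PBR leaves via ISP-A.
DEFAULT_ROUTE = ("GigabitEthernet0/0/2", "10.10.1.2")


@dataclass
class PbrRule:
    name: str
    source_zones: set = field(default_factory=set)
    user_groups: set = field(default_factory=set)
    track: Optional[str] = None
    egress: Optional[str] = None
    next_hop: Optional[str] = None


def parse_script(script: str) -> Tuple[List[PbrRule], Dict[str, str]]:
    """Return (PBR rules in configured order, {ip-link name: probe interface})."""
    rules: List[PbrRule] = []
    iplinks: Dict[str, str] = {}
    section = rule = link = None
    for raw in script.splitlines():
        t = raw.split()
        if not t:
            continue
        if t == ["#"]:                          # section delimiter
            section = rule = link = None
        elif t == ["policy-based-route"]:
            section = "pbr"
        elif t[:2] == ["ip-link", "name"]:
            link = t[2]
        elif t[0] == "destination" and link and "interface" in t:
            # "GigabitEthernet 0/0/2" -> "GigabitEthernet0/0/2", matching the PBR action syntax
            iplinks[link] = "".join(t[t.index("interface") + 1:])
        elif section == "pbr" and t[:2] == ["rule", "name"]:
            rule = PbrRule(name=t[2])
            rules.append(rule)
        elif rule is None:
            continue
        elif t[0] == "source-zone":
            rule.source_zones.add(t[1])
        elif t[:2] == ["user", "user-group"]:
            rule.user_groups.add(t[2])
        elif t[:2] == ["track", "ip-link"]:
            rule.track = t[2]
        elif t[:2] == ["action", "pbr"]:
            rule.egress = t[t.index("egress-interface") + 1]
            rule.next_hop = t[t.index("next-hop") + 1]
    return rules, iplinks


def track_mismatches(rules: List[PbrRule], iplinks: Dict[str, str]) -> List[str]:
    """Rules whose tracked IP-link probes a different interface than the rule's egress."""
    return [r.name for r in rules if r.track and iplinks.get(r.track) != r.egress]


def select_egress(rules, zone, user_group, link_up, default_route=DEFAULT_ROUTE):
    """Return (egress interface, next hop, reason) for one packet; user_group may be None."""
    for r in rules:
        if r.source_zones and zone not in r.source_zones:
            continue
        if r.user_groups and user_group not in r.user_groups:
            continue
        if r.track and not link_up.get(r.track, False):
            continue                            # tracked link down: rule does not take effect
        return r.egress, r.next_hop, "pbr:" + r.name
    return default_route[0], default_route[1], "route"
```

Calling `track_mismatches` on a parsed script is the check worth running before committing a PBR change: a rule that tracks an IP-link probing a different interface would keep steering traffic onto a dead link, or withdraw the rule while its own link is fine. `select_egress` with a link marked down shows the fallback path that the routes mentioned in step 4 must cover.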

Configuration Scripts

#
interface GigabitEthernet0/0/2
 ip address 10.10.1.1 255.255.255.0
#
interface GigabitEthernet0/0/3
 ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/4
 ip address 10.20.1.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/2
 add interface GigabitEthernet0/0/4
#
security-policy 
 rule name policy_sec_trust_untrust
  source-zone trust
  destination-zone untrust
  source-address 10.1.1.0 24
  action permit
#
 ip-link check enable
 ip-link name pbr_1
  destination 10.10.1.2 interface GigabitEthernet 0/0/2
 ip-link name pbr_2
  destination 10.20.1.2 interface GigabitEthernet 0/0/4
#
policy-based-route
 rule name pbr_1
  description pbr_1
  source-zone trust
  track ip-link pbr_1
  user user-group /default/marketing
  user user-group /default/president
  action pbr egress-interface GigabitEthernet0/0/2 next-hop 10.10.1.2
 rule name pbr_2
  description pbr_2
  source-zone trust
  track ip-link pbr_2
  user user-group /default/research
  action pbr egress-interface GigabitEthernet0/0/4 next-hop 10.20.1.2
#
return
Copyright © Huawei Technologies Co., Ltd.