
CLI: Example for Configuring PBR Intelligent Uplink Selection Among Multiple ISP Outbound Interfaces

This section provides an example for configuring PBR intelligent uplink selection among multiple ISP outbound interfaces.

Networking Requirements

As shown in Figure 1, the FW is deployed at the network egress as the security gateway. The enterprise has two 50M links connected respectively to ISP1 and ISP2.

  • The enterprise requires that packets to Server 1 be forwarded on ISP1 link and packets to Server 2 be forwarded on ISP2 link.

  • When one link is overloaded (the threshold is 90%), follow-up traffic will be forwarded on the other link to ensure transmission availability.

Figure 1 Networking diagram for configuring PBR intelligent uplink selection among multiple ISP outbound interfaces

Configuration Roadmap

After you configure ISP link selection and PBR intelligent uplink selection, the FW selects an outbound interface for each packet based on the ISP network to which the destination address belongs. ISP link selection on its own only generates ISP routes; to add link backup or traffic load balancing on top of them, intelligent uplink selection based on policy-based routes must also be configured. In this example, set the intelligent uplink selection mode to active/standby backup by link priority and create one policy-based route for each of the two ISP networks. In the policy-based route to the ISP1 network, the destination address matching condition is the ISP1 address group, and the ISP1 link has a higher priority than the ISP2 link. In the policy-based route to the ISP2 network, the destination address matching condition is the ISP2 address group, and the ISP2 link has a higher priority than the ISP1 link. If one link is faulty or overloaded, the other link then carries follow-up traffic.

  1. Optional: Configure the health check function. Configure a health check respectively for ISP1 and ISP2.

  2. Set the interface IP address, security zone, gateway, bandwidth, and overload protection threshold, and apply the health check respectively on the interfaces.

  3. Make two ISP address files, isp1.csv and isp2.csv, write Server 1 IP address 3.3.3.3 into isp1.csv and Server 2 IP address 9.9.9.9 into isp2.csv, and upload the two ISP address files to the FW.

  4. Configure ISP link selection to forward packets destined for Server 1 over the ISP1 link and packets destined for Server 2 over the ISP2 link.

  5. Configure intelligent uplink selection based on policy-based routes and create a policy-based route respectively to ISP1 and ISP2 networks.

  6. Configure a basic security policy to allow intranet users to access the Internet.

This example focuses on the configuration related to intelligent uplink selection. Configure other data such as NAT based on the actual networking.

Procedure

  1. Optional: Enable the health check function and create a health check for ISP1 and ISP2 link respectively.

    <FW> system-view
    [FW] healthcheck enable
    [FW] healthcheck name isp1_health
    [FW-healthcheck-isp1_health] destination 3.3.10.10 interface GigabitEthernet 0/0/1 protocol tcp-simple destination-port 10001
    [FW-healthcheck-isp1_health] destination 3.3.10.11 interface GigabitEthernet 0/0/1 protocol tcp-simple destination-port 10002
    [FW-healthcheck-isp1_health] quit
    [FW] healthcheck name isp2_health
    [FW-healthcheck-isp2_health] destination 9.9.20.20 interface GigabitEthernet 0/0/7 protocol tcp-simple destination-port 10003
    [FW-healthcheck-isp2_health] destination 9.9.20.21 interface GigabitEthernet 0/0/7 protocol tcp-simple destination-port 10004
    [FW-healthcheck-isp2_health] quit

    Assume that 3.3.10.10 and 3.3.10.11 are known device addresses on the ISP1 network and that 9.9.20.20 and 9.9.20.21 are known device addresses on the ISP2 network.

    If the state remains down after the health check configuration is complete, check the health check configuration.

  2. Configure the IP address, gateway address, bandwidth, and overload protection threshold for each interface and apply the health checks to the interfaces.

    [FW] interface GigabitEthernet 0/0/1
    [FW-GigabitEthernet0/0/1] ip address 1.1.1.1 255.255.255.0
    [FW-GigabitEthernet0/0/1] gateway 1.1.1.254
    [FW-GigabitEthernet0/0/1] bandwidth ingress 50000 threshold 90
    [FW-GigabitEthernet0/0/1] bandwidth egress 50000 threshold 90
    [FW-GigabitEthernet0/0/1] healthcheck isp1_health
    [FW-GigabitEthernet0/0/1] quit
    [FW] interface GigabitEthernet 0/0/3
    [FW-GigabitEthernet0/0/3] ip address 10.3.0.1 255.255.255.0
    [FW-GigabitEthernet0/0/3] quit
    [FW] interface GigabitEthernet 0/0/7
    [FW-GigabitEthernet0/0/7] ip address 2.2.2.2 255.255.255.0
    [FW-GigabitEthernet0/0/7] gateway 2.2.2.254
    [FW-GigabitEthernet0/0/7] bandwidth ingress 50000 threshold 90
    [FW-GigabitEthernet0/0/7] bandwidth egress 50000 threshold 90
    [FW-GigabitEthernet0/0/7] healthcheck isp2_health
    [FW-GigabitEthernet0/0/7] quit

  3. Upload the ISP address files to the FW using SFTP. The imported ISP address files are stored in the isp folder in the root directory. Details are omitted.

  4. Create ISP name isp1_ifgrp for ISP1 and ISP name isp2_ifgrp for ISP2 and associate them with the corresponding ISP address files.

    [FW] isp name isp1_ifgrp set filename isp1.csv
    [FW] isp name isp2_ifgrp set filename isp2.csv

  5. Create an ISP interface group for ISP1 and ISP2 respectively and add the interfaces to the corresponding ISP interface groups. ISP routes are then delivered by default.

    [FW] interface-group 1 isp isp1_ifgrp
    [FW-interface-isp-group-1] add interface GigabitEthernet 0/0/1
    [FW-interface-isp-group-1] quit
    [FW] interface-group 2 isp isp2_ifgrp
    [FW-interface-isp-group-2] add interface GigabitEthernet 0/0/7
    [FW-interface-isp-group-2] quit

  6. Assign the interfaces to security zones.

    [FW] firewall zone trust
    [FW-zone-trust] add interface GigabitEthernet 0/0/3
    [FW-zone-trust] quit
    [FW] firewall zone untrust
    [FW-zone-untrust] add interface GigabitEthernet 0/0/1
    [FW-zone-untrust] add interface GigabitEthernet 0/0/7
    [FW-zone-untrust] quit

  7. Configure a Trust-to-Untrust interzone security policy to allow enterprise network users to access Internet resources. Assume that enterprise network users reside on 10.3.0.0/24.

    [FW] security-policy
    [FW-policy-security] rule name policy_sec_trust_untrust
    [FW-policy-security-rule-policy_sec_trust_untrust] source-zone trust
    [FW-policy-security-rule-policy_sec_trust_untrust] destination-zone untrust
    [FW-policy-security-rule-policy_sec_trust_untrust] source-address 10.3.0.0 24
    [FW-policy-security-rule-policy_sec_trust_untrust] action permit
    [FW-policy-security-rule-policy_sec_trust_untrust] quit
    [FW-policy-security] quit

  8. Configure PBR intelligent uplink selection for ISP1 and set the destination address to the ISP address group of ISP1 so that packets destined for Server 1 are forwarded over the ISP1 link.

    Set the priority of ISP interface group isp1_ifgrp to 2 and the priority of ISP interface group isp2_ifgrp to 1. A larger priority value indicates a higher priority.

    [FW] policy-based-route
    [FW-policy-pbr] rule name isp1_pbr
    [FW-policy-pbr-rule-isp1_pbr] ingress-interface GigabitEthernet0/0/3
    [FW-policy-pbr-rule-isp1_pbr] destination-address isp isp1_ifgrp
    [FW-policy-pbr-rule-isp1_pbr] action pbr egress-interface multi-interface
    [FW-policy-pbr-rule-isp1_pbr-multi-inter] mode priority-of-userdefine
    [FW-policy-pbr-rule-isp1_pbr-multi-inter] add interface isp isp1_ifgrp priority 2
    [FW-policy-pbr-rule-isp1_pbr-multi-inter] add interface isp isp2_ifgrp
    [FW-policy-pbr-rule-isp1_pbr-multi-inter] quit
    [FW-policy-pbr-rule-isp1_pbr] quit

  9. Configure PBR intelligent uplink selection for ISP2 and set the destination address to the ISP address group of ISP2 so that packets destined for Server 2 are forwarded over the ISP2 link.

    Set the priority of ISP interface group isp2_ifgrp to 2 and the priority of ISP interface group isp1_ifgrp to 1. A larger priority value indicates a higher priority.

    [FW-policy-pbr] rule name isp2_pbr
    [FW-policy-pbr-rule-isp2_pbr] ingress-interface GigabitEthernet0/0/3
    [FW-policy-pbr-rule-isp2_pbr] destination-address isp isp2_ifgrp
    [FW-policy-pbr-rule-isp2_pbr] action pbr egress-interface multi-interface
    [FW-policy-pbr-rule-isp2_pbr-multi-inter] mode priority-of-userdefine
    [FW-policy-pbr-rule-isp2_pbr-multi-inter] add interface isp isp1_ifgrp
    [FW-policy-pbr-rule-isp2_pbr-multi-inter] add interface isp isp2_ifgrp priority 2
    [FW-policy-pbr-rule-isp2_pbr-multi-inter] quit
    [FW-policy-pbr-rule-isp2_pbr] quit
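To make the failover behaviour of the two rules concrete, the following Python model (added here; it is not part of the Huawei documentation or the FW software) works out which egress interface a new session takes given the health check result and the egress load of each link. The link-state values and the exact decision order are assumptions for illustration.

```python
# Added example (not from the Huawei page): a model of the active/standby
# selection the two PBR rules above perform. The decision order is an
# assumption made for illustration; the FW's internal logic may differ.
import ipaddress

LINK_BW_KBPS = 50000   # "bandwidth egress 50000" on each ISP interface
THRESHOLD_PCT = 90     # "threshold 90": link counts as overloaded at 90% load

# Constructed contents of isp1.csv and isp2.csv (Server 1 and Server 2)
ISP_ADDRESSES = {
    "isp1_ifgrp": [ipaddress.ip_network("3.3.3.3/32")],
    "isp2_ifgrp": [ipaddress.ip_network("9.9.9.9/32")],
}
# Interface groups 1 and 2 from the procedure
ISP_INTERFACE = {"isp1_ifgrp": "GigabitEthernet0/0/1",
                 "isp2_ifgrp": "GigabitEthernet0/0/7"}

# Rules isp1_pbr and isp2_pbr: (matched ISP group, [(candidate group, priority)]);
# a candidate added without "priority" keeps the default value 1.
PBR_RULES = [
    ("isp1_ifgrp", [("isp1_ifgrp", 2), ("isp2_ifgrp", 1)]),
    ("isp2_ifgrp", [("isp1_ifgrp", 1), ("isp2_ifgrp", 2)]),
]

def make_state(isp1_kbps=0, isp2_kbps=0, isp1_up=True, isp2_up=True):
    """Constructed link state: health check result and current egress load per group."""
    return {"isp1_ifgrp": {"healthy": isp1_up, "egress_kbps": isp1_kbps},
            "isp2_ifgrp": {"healthy": isp2_up, "egress_kbps": isp2_kbps}}

def link_usable(group, link_state):
    """Usable when the health check is up and egress load is below the threshold."""
    st = link_state[group]
    limit = LINK_BW_KBPS * THRESHOLD_PCT / 100    # 45000 kbps
    return st["healthy"] and st["egress_kbps"] < limit

def select_egress(dst_ip, link_state):
    """Egress interface for a new session to dst_ip from GE0/0/3, or None if no
    PBR rule matches or every candidate link is down or overloaded."""
    dst = ipaddress.ip_address(dst_ip)
    for match_group, candidates in PBR_RULES:
        if not any(dst in net for net in ISP_ADDRESSES[match_group]):
            continue
        # priority-of-userdefine: try the highest priority first, then fall back
        for group, _prio in sorted(candidates, key=lambda c: c[1], reverse=True):
            if link_usable(group, link_state):
                return ISP_INTERFACE[group]
        return None
    return None
```

With the ISP1 link at 92% egress load a new session to 3.3.3.3 is sent out GigabitEthernet0/0/7, while at 88% it stays on GigabitEthernet0/0/1; a destination in neither address file matches no rule and falls through to the routing table, modelled here as None.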

Configuration Scripts

#
 isp name isp1_ifgrp set filename isp1.csv
 isp name isp2_ifgrp set filename isp2.csv
#
healthcheck enable
healthcheck name isp1_health
 destination 3.3.10.10 interface GigabitEthernet0/0/1 protocol tcp-simple destination-port 10001
 destination 3.3.10.11 interface GigabitEthernet0/0/1 protocol tcp-simple destination-port 10002
healthcheck name isp2_health
 destination 9.9.20.20 interface GigabitEthernet0/0/7 protocol tcp-simple destination-port 10003
 destination 9.9.20.21 interface GigabitEthernet0/0/7 protocol tcp-simple destination-port 10004
#
interface GigabitEthernet0/0/1
 ip address 1.1.1.1 255.255.255.0
 gateway 1.1.1.254
 bandwidth ingress 50000 threshold 90
 bandwidth egress 50000 threshold 90
 healthcheck isp1_health
#
interface GigabitEthernet0/0/3
 ip address 10.3.0.1 255.255.255.0
#
interface GigabitEthernet0/0/7
 ip address 2.2.2.2 255.255.255.0
 gateway 2.2.2.254
 bandwidth ingress 50000 threshold 90
 bandwidth egress 50000 threshold 90
 healthcheck isp2_health
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/1
 add interface GigabitEthernet0/0/7
#
security-policy
 rule name policy_sec_trust_untrust
  source-zone trust
  destination-zone untrust
  source-address 10.3.0.0 mask 255.255.255.0
  action permit
#
interface-group 1 isp isp1_ifgrp
 add interface GigabitEthernet0/0/1
#
interface-group 2 isp isp2_ifgrp
 add interface GigabitEthernet0/0/7
#
policy-based-route
 rule name isp1_pbr
  ingress-interface GigabitEthernet0/0/3
  destination-address isp isp1_ifgrp
  action pbr egress-interface multi-interface
   mode priority-of-userdefine
   add interface isp isp1_ifgrp priority 2
   add interface isp isp2_ifgrp
 rule name isp2_pbr
  ingress-interface GigabitEthernet0/0/3
  destination-address isp isp2_ifgrp
  action pbr egress-interface multi-interface
   mode priority-of-userdefine
   add interface isp isp1_ifgrp
   add interface isp isp2_ifgrp priority 2
#
return
Copyright © Huawei Technologies Co., Ltd.