This section provides an example of configuring PBR intelligent uplink selection among multiple ISP outbound interfaces.
As shown in Figure 1, the FW is deployed at the network egress as the security gateway. The enterprise has two 50M links connected separately to ISP1 and ISP2.
After you configure ISP link selection and PBR intelligent uplink selection, the FW selects an outbound interface based on the ISP network to which the packet's destination address belongs. Because ISP routes are generated, intelligent uplink selection based on policy-based routes must be configured to implement link backup or traffic load balancing. Therefore, set the intelligent uplink selection mode to active/standby backup by link priority. You need to create a separate policy-based route on the FW for each of the two ISP networks. In the policy-based route to the ISP1 network, the destination address matching condition is an ISP1 address group, and the ISP1 link has a higher priority than the ISP2 link. In the policy-based route to the ISP2 network, the destination address matching condition is an ISP2 address group, and the ISP2 link has a higher priority than the ISP1 link. In this case, if one link is faulty or overloaded, the other link is available to transmit follow-up traffic.
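The selection behaviour described above, modelled as an added example (not Huawei code and not part of the original page). Addresses, interface names, priorities and thresholds come from this page's example; the data layout, the `select_egress` function and the exact overload comparison are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Link:
    interface: str
    bandwidth: int          # value of "bandwidth egress" in the config
    threshold_pct: int      # overload protection threshold
    healthy: bool = True    # state reported by the health check task
    load: int = 0           # current egress load, same unit as bandwidth

    def usable(self) -> bool:
        # Assumption: a link counts as overloaded once load reaches the threshold.
        return self.healthy and self.load < self.bandwidth * self.threshold_pct / 100

# Values from the page's example; the structure itself is hypothetical.
LINKS = {
    "isp1_ifgroup": Link("GigabitEthernet0/0/1", 50000, 90),
    "isp2_ifgroup": Link("GigabitEthernet0/0/7", 50000, 90),
}
ADDRESS_GROUPS = {          # contents of isp1.csv and isp2.csv
    "isp1_ifgroup": ["3.3.3.3/32"],
    "isp2_ifgroup": ["9.9.9.9/32"],
}
# rule name -> (destination ISP address group, {egress ISP group: priority})
PBR_RULES = {
    "isp1_pbr": ("isp1_ifgroup", {"isp1_ifgroup": 2, "isp2_ifgroup": 1}),
    "isp2_pbr": ("isp2_ifgroup", {"isp2_ifgroup": 2, "isp1_ifgroup": 1}),
}

def select_egress(dst: str, links=LINKS):
    """Return (rule, interface) for a new flow to dst, or None."""
    addr = ipaddress.ip_address(dst)
    for rule, (group, priorities) in PBR_RULES.items():
        nets = ADDRESS_GROUPS[group]
        if not any(addr in ipaddress.ip_network(n) for n in nets):
            continue
        # A larger priority value wins; faulty or overloaded links are skipped.
        for name in sorted(priorities, key=priorities.get, reverse=True):
            if links[name].usable():
                return rule, links[name].interface
        return None  # every candidate link is down or overloaded (not modelled)
    return None      # destination is in neither ISP address group

if __name__ == "__main__":
    print(select_egress("3.3.3.3"), select_egress("9.9.9.9"))
```

Passing a modified `links` mapping (for example with `healthy=False` on the ISP1 link) shows traffic for Server 1 moving to GigabitEthernet0/0/7.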
Set the interface IP address, security zone, gateway, bandwidth, and overload protection threshold, and apply the health check task on the interfaces.
Create two ISP address files, isp1.csv and isp2.csv. Write the Server 1 IP address 3.3.3.3 into isp1.csv and the Server 2 IP address 9.9.9.9 into isp2.csv, and upload the two ISP address files to the FW.
Configure ISP link selection to forward packets destined for Server 1 over the ISP1 link and packets destined for Server 2 over the ISP2 link.
Configure intelligent uplink selection based on policy-based routes and create policy-based routes to ISP1 and ISP2 networks.
Configure a basic security policy to allow intranet users to access the Internet.
This example focuses on the configuration related to intelligent uplink selection. Configure other data such as NAT based on the actual networking.
Choose . Click Add in the Health Check List area to create a health check task for ISP1 link.


Click Add to create a health check task for ISP2 link.

Assume that 3.3.10.10 and 3.3.10.11 are known device addresses on the ISP1 network and that 9.9.20.20 and 9.9.20.21 are known device addresses on the ISP2 network.
If the state remains down after the health check configuration is complete, check the health check configuration.
Choose , click the Carrier Address Library tab, and click Import.

Create carrier names isp1_ifgroup and isp2_ifgroup for ISP 1 and ISP 2, respectively, and import the ISP address files.
After creating carriers, you also create ISP interface groups with the same names. You need to add interfaces to these ISP interface groups.


Choose and click
on the line of the interface to be configured.
Binding an interface to a carrier is equivalent to adding the interface to the corresponding ISP interface group.


Choose and click
on the line of the interface to be configured.

Choose and click Add Security Policy to create a security policy.

Set the priority of ISP interface group isp1_ifgroup to 2 and the priority of ISP interface group isp2_ifgroup to 1. A larger priority value indicates a higher priority.

Set the priority of ISP interface group isp2_ifgroup to 2 and the priority of ISP interface group isp1_ifgroup to 1. A larger priority value indicates a higher priority.

#
isp name isp1_ifgroup set filename isp1.csv
isp name isp2_ifgroup set filename isp2.csv
#
healthcheck enable
healthcheck name isp1_health
 destination 3.3.10.10 interface GigabitEthernet0/0/1 protocol tcp-simple destination-port 10001
 destination 3.3.10.11 interface GigabitEthernet0/0/1 protocol tcp-simple destination-port 10002
healthcheck name isp2_health
 destination 9.9.20.20 interface GigabitEthernet0/0/7 protocol tcp-simple destination-port 10003
 destination 9.9.20.21 interface GigabitEthernet0/0/7 protocol tcp-simple destination-port 10004
#
interface GigabitEthernet0/0/1
 ip address 1.1.1.1 255.255.255.0
 gateway 1.1.1.254
 bandwidth ingress 50000 threshold 90
 bandwidth egress 50000 threshold 90
 healthcheck isp1_health
#
interface GigabitEthernet0/0/3
 ip address 10.3.0.1 255.255.255.0
#
interface GigabitEthernet0/0/7
 ip address 2.2.2.2 255.255.255.0
 gateway 2.2.2.254
 bandwidth ingress 50000 threshold 90
 bandwidth egress 50000 threshold 90
 healthcheck isp2_health
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/1
 add interface GigabitEthernet0/0/7
#
security-policy
 rule name policy_sec_trust_untrust
  source-zone trust
  destination-zone untrust
  source-address 10.3.0.0 mask 255.255.255.0
  action permit
#
interface-group 1 isp isp1_ifgroup
 add interface GigabitEthernet0/0/1
#
interface-group 2 isp isp2_ifgroup
 add interface GigabitEthernet0/0/7
#
policy-based-route
 rule name isp1_pbr
  ingress-interface GigabitEthernet0/0/3
  destination-address isp isp1_ifgroup
  action pbr egress-interface multi-interface
   mode priority-of-userdefine
   add interface isp isp1_ifgroup priority 2
   add interface isp isp2_ifgroup
 rule name isp2_pbr
  ingress-interface GigabitEthernet0/0/3
  destination-address isp isp2_ifgroup
  action pbr egress-interface multi-interface
   mode priority-of-userdefine
   add interface isp isp1_ifgroup
   add interface isp isp2_ifgroup priority 2
#
return