Huawei USG Firewall ip-link interacts with static routing and PBR (Policy routing)

2025-01-19 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

interface GigabitEthernet0/0/0.2
 vlan-type dot1q 2    //Gateway of VLAN 2//
 ip address 192.168.2.254 255.255.255.0
#
interface GigabitEthernet0/0/0.3
 vlan-type dot1q 3    //Gateway of VLAN 3//
 ip address 192.168.3.254 255.255.255.0
#
interface GigabitEthernet0/0/1
 ip address 202.100.1.1 255.255.255.0
#

trust
 priority is 85
 interface of the zone is (3):
    GigabitEthernet0/0/0.2
    GigabitEthernet0/0/0.3
#
ctc
 priority is 10
 interface of the zone is (1):
    GigabitEthernet0/0/1
#
cnc
 priority is 20
 interface of the zone is (1):
    GigabitEthernet0/0/2
#

policy interzone trust ctc outbound
 policy 0
  action permit
  policy source 192.168.2.0 mask 24
  policy source 192.168.3.0 mask 24
#
policy interzone trust cnc outbound
 policy 0
  action permit
  policy source 192.168.2.0 mask 24
  policy source 192.168.3.0 mask 24
#
nat-policy interzone trust ctc outbound
 policy 0
  action source-nat
  policy source 192.168.2.0 mask 24
  policy source 192.168.3.0 mask 24
  easy-ip GigabitEthernet0/0/1
#
nat-policy interzone trust cnc outbound
 policy 0
  action source-nat
  policy source 192.168.2.0 mask 24
  policy source 192.168.3.0 mask 24
  easy-ip GigabitEthernet0/0/2
#

policy-based-route PBR1 permit node 1
 if-match acl 3001
 apply ip-address next-hop 202.100.1.2    //Traffic matching ACL 3001 gets next hop 202.100.1.2//
#
policy-based-route PBR2 permit node 2
 if-match acl 3002
 apply ip-address next-hop 202.100.2.2    //Traffic matching ACL 3002 gets next hop 202.100.2.2//
#
acl number 3001
 rule 5 deny ip destination 192.168.3.0 0.0.0.255    //Traffic destined for 192.168.3.0 does not match the policy route//
 rule 10 permit ip source 192.168.2.0 0.0.0.255
#
acl number 3002
 rule 1 deny ip destination 192.168.2.0 0.0.0.255    //Traffic destined for 192.168.2.0 does not match the policy route//
 rule 5 permit ip source 192.168.3.0 0.0.0.255
#

ip-link 2 destination 202.100.2.2 interface GigabitEthernet 0/0/2 mode icmp
ip-link 1 destination 202.100.1.2 interface GigabitEthernet 0/0/1 mode icmp
ip route-static 0.0.0.0 0.0.0.0 202.100.1.2 track ip-link 1
ip route-static 0.0.0.0 0.0.0.0 202.100.2.2 track ip-link 2
#
interface GigabitEthernet0/0/0.2
 ip policy-based-route PBR1
#
interface GigabitEthernet0/0/0.3
 ip policy-based-route PBR2

Suppose the ip-link probe to the target 202.100.1.2 fails: the corresponding static route becomes invalid, and the corresponding PBR1 policy route becomes invalid with it, so traffic sourced from the 192.168.2.0 network segment uses next hop 202.100.2.2 as its egress route. When the ip-link probe to 202.100.1.2 succeeds, the corresponding static route takes effect and so does the PBR1 policy route, so traffic sourced from the 192.168.2.0 network segment still uses next hop 202.100.1.2 as its egress route.

Summary: ip-link detection affects static routing, and static routing affects policy routing.
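
A small model of the dependency chain summarised above, added here as an example and not part of the original article or of Huawei's software. It uses the ACL rules, next hops and ip-link ids from the configuration; the function names, the link_up argument and the 198.51.100.7 destination are constructed for illustration, and the rule that a PBR next hop is usable only while its tracked static route is active is the article's claim, modelled here as an assumption.

```python
from ipaddress import ip_address, ip_network

# Rules, next hops and ip-link ids copied from the page's configuration.
# ACL rule = (action, source net or None, destination net or None)
ACLS = {
    3001: [("deny", None, "192.168.3.0/24"), ("permit", "192.168.2.0/24", None)],
    3002: [("deny", None, "192.168.2.0/24"), ("permit", "192.168.3.0/24", None)],
}
PBR = {  # ingress subinterface -> (ACL, PBR next hop)
    "GigabitEthernet0/0/0.2": (3001, "202.100.1.2"),
    "GigabitEthernet0/0/0.3": (3002, "202.100.2.2"),
}
DEFAULT_ROUTES = [("202.100.1.2", 1), ("202.100.2.2", 2)]  # (next hop, ip-link id)
CONNECTED = ["192.168.2.0/24", "192.168.3.0/24"]


def _in(addr, net):
    """True when net is a wildcard (None) or addr falls inside it."""
    return net is None or ip_address(addr) in ip_network(net)


def acl_permits(acl, src, dst):
    """First matching rule wins; no match means the packet is not policy-routed."""
    for action, s_net, d_net in ACLS[acl]:
        if _in(src, s_net) and _in(dst, d_net):
            return action == "permit"
    return False


def egress(in_if, src, dst, link_up):
    """Return (next hop, deciding mechanism) for one packet.

    link_up maps ip-link id -> probe result. Modelling assumption, taken from
    the page's summary: a PBR next hop is usable only while the static route
    through that next hop is active.
    """
    active = [nh for nh, link in DEFAULT_ROUTES if link_up[link]]
    acl, pbr_hop = PBR[in_if]
    if acl_permits(acl, src, dst) and pbr_hop in active:
        return pbr_hop, "pbr"
    if any(_in(dst, net) for net in CONNECTED):
        return "direct", "connected"  # inter-VLAN traffic, excluded by the deny rules
    if active:
        return active[0], "static"    # surviving tracked default route
    return None, "no route"


if __name__ == "__main__":
    # Constructed sample: 192.168.2.10 sending to 198.51.100.7 while ip-link 1 is down.
    print(egress("GigabitEthernet0/0/0.2", "192.168.2.10", "198.51.100.7", {1: False, 2: True}))
```

When the result falls back to the other next hop, the packet crosses a different zone pair (trust to cnc instead of trust to ctc), which is why the configuration permits and NATs both source networks in both interzone policies.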
