PBR functions of Huawei Routers

Source: Internet
Author: User


When an unauthorized network device is connected to the network and the routing protocol sends updates, devices in the network may dynamically generate incorrect route entries, causing packets to be lost or routed to the wrong place. In this situation, we need to use PBR.
1. PBR (policy-based routing) is a flexible packet forwarding mechanism. When a policy route is applied on the router, the router decides how to process the packets it has to route based on the route map; the route map determines the next-hop router to which a packet is forwarded.
2. To apply a policy route on a router, you must specify the route map used by the policy route and create that route map. A route map consists of multiple policies; each policy defines one or more matching rules and the corresponding operations.
3. After a policy route is applied to an interface, all packets received by that interface are checked. Packets that do not match the rules defined in the route map are forwarded by normal routing; packets that match a policy in the route map are processed according to the operation defined in that policy.
4. Assume that the E0/0 port of the router is the gateway of the internal network, with the address 200.1.1.1. The internal network has a WEB server with the address 200.1.1.100 and one user computer in the same network segment as the WEB server. A remote user in the external network has the IP address 199.1.1.100. The requirement is to allow remote users to access the WEB server but not the computers of internal users.
Configuration:

    Router(config)# interface Ethernet0/0
    Router(config-if)# ip address 200.1.1.1 255.255.255.0
    Router(config-if)# exit
    Router(config)# interface Ethernet0/1
    Router(config-if)# ip address 199.1.1.1 255.255.255.0
    Router(config-if)# exit
Test:

    Router# ping 200.1.1.100
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 200.1.1.100, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
    Router# ping 200.1.1.10
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 200.1.1.10, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
    Router# ping 199.1.1.100
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 199.1.1.100, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms

ACL (the source is the remote user, 199.1.1.100; the destination is the internal user's computer):

    Router(config)# access-list 100 permit ip host 199.1.1.100 host 200.1.1.10

Null0 interface:

    Router(config)# interface null 0
    Router(config-if)# no ip unreachables
Route map:

    Router(config)# route-map pbr
    Router(config-route-map)# match ip address 100
    Router(config-route-map)# set interface null 0

Enable NetFlow switching on the E0/1 interface and apply PBR on this interface:

    Router(config)# interface Ethernet0/1
    Router(config-if)# ip route-cache flow
    Router(config-if)# ip policy route-map pbr
    Router(config-if)# exit
Connectivity test:

    C:\> ping 200.1.1.100
    Pinging 200.1.1.100 with 32 bytes of data:
    Reply from 200.1.1.100: bytes=32 time<1ms TTL=128
    Reply from 200.1.1.100: bytes=32 time<1ms TTL=128
    Reply from 200.1.1.100: bytes=32 time<1ms TTL=128
    Reply from 200.1.1.100: bytes=32 time<1ms TTL=128
    Ping statistics for 200.1.1.100:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 0ms, Maximum = 0ms, Average = 0ms
    C:\> ping 200.1.1.10
    Pinging 200.1.1.10 with 32 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Ping statistics for 200.1.1.10:
        Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
At this point, remote users on the Internet can no longer ping internal users, but can still ping the WEB server. Our goal is achieved.
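
The route-map check described in points 1 to 3 can be modelled as follows. This is an added example, not code from the original article: a simplified Python model of how packets received on E0/1 are matched against ACL 100 and either sent to Null0 or left to normal routing. The function names, the route-map sequence number 10 and the use of the remote user's address 199.1.1.100 as the ACL source are assumptions.

```python
import ipaddress

def parse_ace(line):
    """Parse 'access-list N permit|deny ip <src> <dst>' (host / any / addr wildcard)."""
    tok = line.split()
    acl_id, action, rest = tok[1], tok[2], tok[4:]

    def take(rest):
        if rest[0] == "any":
            return (0, 0xFFFFFFFF), rest[1:]
        if rest[0] == "host":
            return (int(ipaddress.IPv4Address(rest[1])), 0), rest[2:]
        return (int(ipaddress.IPv4Address(rest[0])),
                int(ipaddress.IPv4Address(rest[1]))), rest[2:]

    src, rest = take(rest)
    dst, rest = take(rest)
    return acl_id, action, src, dst

def _hit(spec, addr):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF          # wildcard bits set to 1 are ignored
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)

def acl_permits(aces, acl_id, src, dst):
    for aid, action, s, d in aces:         # first matching entry wins
        if aid == acl_id and _hit(s, src) and _hit(d, dst):
            return action == "permit"
    return False                           # implicit deny at the end of every ACL

def pbr_decision(route_map, aces, src, dst):
    """Return 'policy:<interface>' if a policy applies, else 'normal'."""
    for seq, action, acl_id, set_if in sorted(route_map):
        if acl_permits(aces, acl_id, src, dst):
            # A 'deny' route-map entry means: do not policy-route, forward normally.
            return f"policy:{set_if}" if action == "permit" else "normal"
    return "normal"                        # no policy matched: normal routing

# Constructed sample data mirroring the scenario in the article (assumed values).
ACES = [parse_ace("access-list 100 permit ip host 199.1.1.100 host 200.1.1.10")]
ROUTE_MAP = [(10, "permit", "100", "Null0")]

if __name__ == "__main__":
    for dst in ("200.1.1.100", "200.1.1.10"):
        print("199.1.1.100 ->", dst, pbr_decision(ROUTE_MAP, ACES, "199.1.1.100", dst))
```

Only the flow from the remote user to the internal user's computer is policy-routed to Null0; any other source or destination address falls through to normal routing, so the ACL's `host` entries must be the actual end hosts.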
