Thursday, 27 March 2025

Huawei 6720 Switch PBR Configuration

Note: the configuration below does not consult the local routing table; all traffic matching the ACL is forwarded to that next hop.


[6720]acl number 3100
[6720-acl-adv-3100]rule 10 permit ip source 10.14.7.0 0.0.0.255

[6720]traffic classifier ABC
[6720-classifier-ABC]if-match acl 3100

[6720]traffic behavior ABC
[6720-behavior-ABC]redirect ip-nexthop 10.70.29.19

[6720]traffic policy ABC
Info: If the traffic policy has been applied to board, making modifications that are not supported by the board on the traffic policy may cause the failure to apply this traffic policy.
[6720-trafficpolicy-ABC]classifier ABC behavior ABC

[6720]traffic-policy ABC global inbound


Even if you apply the policy on an interface instead, it still does not consult the local routing table and forwards all matching traffic to that next hop.



[6720]interface XGigabitEthernet 0/0/11
[6720-XGigabitEthernet0/0/11]traffic-policy ABC inbound


Here I wanted traffic to be forwarded to the next hop only when no route for it is present in the routing table, so I configured the ACL to match the default route only:


[6720]acl number 3100
[6720-acl-adv-3100]rule 10 permit ip source 110.14.7.0 0.0.0.255 destination 0.0.0.0 0.0.0.0

[6720]traffic-policy ABC global inbound
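To check what these two ACL rules actually select, and how the redirect interacts with the routing table, here is an added Python model; it is not part of this post and not Huawei code. It implements wildcard-mask matching as Huawei advanced ACLs do (a 0 bit in the wildcard must match, a 1 bit is ignored) and a global inbound traffic policy whose redirect skips route lookup, as the post states. The routing-table entries, the next hops 10.70.29.1 and 10.70.29.254, and the sample packets are constructed; the second rule is built with source 10.14.7.0 (the post writes 110.14.7.0) so that the two rules differ only in the destination clause.

```python
"""Added example (not from the post): model Huawei advanced-ACL wildcard matching
and a 'traffic-policy ... global inbound' redirect that bypasses the routing table.
Routing-table entries, next hops other than 10.70.29.19, and packets are constructed."""
import ipaddress
from dataclasses import dataclass

ANY = ("0.0.0.0", "255.255.255.255")   # the 'any' keyword as a base/wildcard pair


def wildcard_match(addr, base, wildcard):
    """Wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass(frozen=True)
class Rule:
    """One 'rule N permit ip source S SW destination D DW' line."""
    number: int
    src: tuple
    dst: tuple = ANY

    def matches(self, src_ip, dst_ip):
        return wildcard_match(src_ip, *self.src) and wildcard_match(dst_ip, *self.dst)


def acl_permits(rules, src_ip, dst_ip):
    """Rules are tried in ascending rule number; the first match decides,
    and a packet that matches no rule is not classified by the ACL."""
    return any(r.matches(src_ip, dst_ip) for r in sorted(rules, key=lambda r: r.number))


# Constructed routing table: (prefix, next hop). Longest prefix match wins.
ROUTING_TABLE = [
    ("10.14.7.0/24", "direct"),
    ("10.70.29.0/24", "direct"),
    ("172.16.0.0/16", "10.70.29.1"),
    ("0.0.0.0/0", "10.70.29.254"),
]


def route_lookup(dst_ip, table=ROUTING_TABLE):
    """Normal forwarding: longest-prefix match in the routing table."""
    dst = ipaddress.IPv4Address(dst_ip)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.IPv4Network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def forward(rules, redirect_nexthop, src_ip, dst_ip):
    """Global inbound traffic policy with 'redirect ip-nexthop': a packet matching
    the classifier ACL goes to the redirect next hop with no route lookup at all;
    everything else is routed from the table."""
    if acl_permits(rules, src_ip, dst_ip):
        return redirect_nexthop
    return route_lookup(dst_ip)


# First configuration from the post: match on the source subnet only.
RULE_SOURCE_ONLY = [Rule(10, ("10.14.7.0", "0.0.0.255"))]
# Second configuration: same source (the post writes 110.14.7.0 there) plus
# 'destination 0.0.0.0 0.0.0.0', i.e. base and wildcard both all-zero.
RULE_DST_ZERO = [Rule(10, ("10.14.7.0", "0.0.0.255"), ("0.0.0.0", "0.0.0.0"))]

if __name__ == "__main__":
    for rules, label in ((RULE_SOURCE_ONLY, "source-only ACL"),
                         (RULE_DST_ZERO, "ACL with destination 0.0.0.0 0.0.0.0")):
        print(label)
        for src, dst in (("10.14.7.5", "172.16.1.1"), ("10.14.7.5", "8.8.8.8"),
                         ("10.14.7.5", "0.0.0.0"), ("10.14.8.5", "172.16.1.1")):
            print(f"  {src:>11} -> {dst:<11} next hop {forward(rules, '10.70.29.19', src, dst)}")
```

Running it shows that with the first ACL a packet from 10.14.7.5 to 172.16.1.1 goes to 10.70.29.19 even though the table holds a more specific route, while a packet from another subnet follows the normal lookup. With the second ACL, because a 0 wildcard bit must match exactly, `destination 0.0.0.0 0.0.0.0` selects only packets addressed to 0.0.0.0, so everything else falls back to the routing table; `destination any` (0.0.0.0 255.255.255.255) is the form that matches every destination. Since the traffic policy itself never consults the routing table, evaluating the ACL against representative source/destination pairs like this before applying the redirect is the practical verification step.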

Interface Based PBR Configuration in Huawei Switch & Router..!

Policy-based routing PBR

Let’s assume that we have topology like this:

What we have to do is force router CX_1 to choose interface G7/5/0 and next hop 10.0.2.2 to forward traffic from source IP 5.5.5.5 to destination IP 15.15.15.15. The rest of the traffic should go through interface G7/5/7.

Configure IP addresses based on this topology.

Use OSPF protocol to ensure communication in tested network. Let’s take CX_1 as an example:

#
ospf 1 router-id 6.6.6.6
 area 0.0.0.0
  network 10.0.1.0 0.0.0.3
  network 10.0.2.0 0.0.0.3
  network 10.0.0.0 0.0.0.3
  network 6.6.6.6 0.0.0.0
#

Configure OSPF for the remaining routers.

Increase OSPF cost of one of the links between CX_1 and CX_2 to exclude load-balancing:

#
interface GigabitEthernet7/5/0
 ospf cost 100
#

Display routing-table of AR29 to check if all necessary subnets are available through OSPF (display ip routing-table).

Configure ACL on CX_1 which permits IP source 5.5.5.5 to send packets to destination IP 15.15.15.15:

[CX_1]acl number 3000
[CX_1-acl-3000]rule 5 permit ip source 5.5.5.5 0.0.0.0

Configure traffic classifier and traffic behavior for classified packets:

#
traffic classifier ABC
 if-match acl 3000
#
traffic behavior ABC
 redirect ip-nexthop 10.0.2.2 interface GigabitEthernet7/5/0
#

Configure traffic policy and assign it to interface G7/5/5 as inbound:

#
traffic policy ABC
 statistics enable
 classifier ABC behavior ABC
#
interface GigabitEthernet7/5/5
 traffic-policy ABC inbound
#

Let’s check now what the result of such traffic policy is. On AR29 router we can use tracert command to check how traffic is going to 15.15.15.15.

<AR29>tracert -a 5.5.5.5 15.15.15.15
 traceroute to  15.15.15.15(15.15.15.15), max hops: 30, packet length: 40, press CTRL_C to break
1   10.0.0.1 4 ms  2 ms  7 ms
2   10.0.2.2 3 ms  4 ms  5 ms

As we can see, the traffic policy is working correctly, choosing 10.0.2.2 as the IP next hop.

Now we can try the same but without source IP 5.5.5.5:

<AR29>tracert 15.15.15.15
 traceroute to  15.15.15.15(15.15.15.15), max hops: 30, packet length: 40, press CTRL_C to break
1   10.0.0.1 3 ms  1 ms  1 ms
2   10.0.1.2 3 ms  2 ms  2 ms

We can see that policy-based routing is working properly for traffic classified by ACL 3000. The rest of the traffic is routed according to the IP routing table.

We can also check the statistics for this traffic policy, using ping to generate traffic. Send pings from AR29 and check the statistics on CX_1:

<AR29>ping -a 5.5.5.5 -c 100 -m 100 15.15.15.15
<CX_1>display traffic policy statistics interface g 7/5/5 inbound
Info: The statistics is shared because the policy is shared.
Interface: GigabitEthernet7/5/5
Traffic policy inbound: labnario
Traffic policy applied at 2012-02-06 16:15:04
Statistics enabled at 2012-02-06 16:15:16
Statistics last cleared: 2012-02-06 20:14:59
Rule number: 4 IPv4, 0 IPv6
Current status: OK!
Item                             Packets                      Bytes
-------------------------------------------------------------------
Matched                              100                     10,200
  +--Passed                          100                     10,200
  +--Dropped                           0                          0
    +--Filter                          0                          0
    +--URPF                            0                          0
    +--CAR                             0                          0
Missed                                19                      2,640
Last 30 seconds rate
Item                                 pps                        bps
-------------------------------------------------------------------
Matched                                0                          0
  +--Passed                            0                          0
  +--Dropped                           0                          0
    +--Filter                          0                          0
    +--URPF                            0                          0
    +--CAR                             0                          0
Missed                                 0                        288
<AR29>ping -c 100 -m 100 15.15.15.15
<CX_1>dis traffic policy statistics interface g 7/5/5 inbound
Info: The statistics is shared because the policy is shared.
Interface: GigabitEthernet7/5/5
Traffic policy inbound: labnario
Traffic policy applied at 2012-02-06 16:15:04
Statistics enabled at 2012-02-06 16:15:16
Statistics last cleared: 2012-02-06 20:14:59
Rule number: 4 IPv4, 0 IPv6
Current status: OK!
Item                             Packets                      Bytes
-------------------------------------------------------------------
Matched                              100                     10,200
  +--Passed                          100                     10,200
  +--Dropped                           0                          0
    +--Filter                          0                          0
    +--URPF                            0                          0
    +--CAR                             0                          0
Missed                               126                     13,956
Last 30 seconds rate
Item                                 pps                        bps
-------------------------------------------------------------------
Matched                                0                          0
  +--Passed                            0                          0
  +--Dropped                           0                          0
    +--Filter                          0                          0
    +--URPF                            0                          0
    +--CAR                             0                          0
Missed                                 3                      2,648

You can also configure policy-based routing in MPLS L3VPN to allow some IP traffic (selected by ACL) from one VPN to be redirected to another VPN. Maybe I will show such a configuration in the future.

Interface Based PBR Configuration in Huawei router..!




Step 1: Verify connectivity between the PCs and the path taken by traffic from PC2 to PC4 and from PC3 to PC5.

Traffic from PC2 to PC4 passes through R4
Traffic from PC3 to PC5 also passes through R4.

The objective of this lab is to use Policy based routing to ensure traffic from PC2 to PC4 passes through R4 while traffic from PC3 to PC5 passes through R5.


Step 2: Configure ACLs to match traffic from PC2 and PC3 as follows on R3. We use extended ACLs to be able to match the source IP addresses.

***************************R3
#
acl number 3000
 rule 5 permit ip source 40.40.40.0 0.0.0.1
#
acl number 3002
 rule 5 permit ip source 50.50.50.0 0.0.0.1
#

Step 3: Configure PBR and apply it on the interfaces facing PCs on R3.

**************************R3
#
policy-based-route TEST_PBR permit node 5
 if-match acl 3000
 apply output-interface Serial0/0/0
policy-based-route TEST_PBR permit node 10
 if-match acl 3002
 apply output-interface Serial0/0/1
#
interface Ethernet0/0/0
 ip policy-based-route TEST_PBR
#
interface Ethernet0/0/1
 ip policy-based-route TEST_PBR
#

Step 4: Verify the path taken by traffic from PC2 and PC3.

Traffic from PC3 now follows the path through R5 and R7.

Note: The PBR configured on R3 does not affect the path of the return traffic from PC4 and PC5. You must configure the same PBR on R6 to control the flow of the return traffic.

Return traffic from PC5 still goes through R4.

This is how you can use PBR to control traffic flow in your network. Thank You for reading and please leave your comments below. Check out other related articles on our page. 

Huawei Global PBR Configuration in Switch...!

 Traffic routing with Policy-based routing (PBR)

Packet routing is generally carried out by a device consulting its routing table, where it looks for the best route based on the packet's destination address.


However, what I intend to show is that there are other forms of packet routing, such as PBR, which allows routes to be changed based on other criteria such as source addresses, packet size or next hop.

 

To show one of the ways to configure packet forwarding based on PBR, I will use an example:

 

In the company we have two departments with different Internet access, because the IT team needs better access to the Internet. What we are going to show is how to configure the routing of each network towards its own Internet access, while both teams can still reach the DMZ and communicate with each other.

 


 

 

The first step will be to carefully configure an ACL to select only the traffic we want to redirect. As we want to redirect all traffic destined for the Internet, we make the following configuration:

 

acl name IT_TEAM number 3001
 rule 10 permit ip source 192.168.0.0 0.0.0.255 destination any
 rule 15 permit ip source 192.168.1.0 0.0.0.255 destination any
#
acl name COM_TEAM number 3002
 rule 10 permit ip source 192.168.2.0 0.0.0.255 destination any
 rule 15 permit ip source 192.168.3.0 0.0.0.255 destination any

 

After defining the ACLs, the traffic classifiers are configured:

 

traffic classifier TC_IT_TEAM type or
 if-match acl 3001
#
traffic classifier TC_COM_TEAM type or
 if-match acl 3002

 

 

The next step is to choose what to do with the traffic just classified:

 

traffic behavior TB_IT_TEAM
 redirect ip-nexthop 192.168.0.147
#
traffic behavior TB_COM_TEAM
 redirect ip-nexthop 192.168.0.149

 

As you know, once the classifier and the traffic behavior are configured they need to be bound together in a traffic policy:

 

traffic policy TP_IT_TEAM
 classifier TC_IT_TEAM behavior TB_IT_TEAM
#
traffic policy TP_COM_TEAM
 classifier TC_COM_TEAM behavior TB_COM_TEAM

 

Finally, with the traffic policies defined, the only thing left is to apply them globally on the switch:

 

traffic-policy TP_IT_TEAM global inbound
#
traffic-policy TP_COM_TEAM global inbound

 

After that, traffic destined for the internet was redirected according to the policy.

Friday, 7 February 2025

Difference Between Access Port vs Trunk Port vs Hybrid Port

 

Ethernet Layer 2 Port Type


Access Port vs Trunk Port vs Hybrid Port


Interface-based VLAN division depends on the following switch port types:


Access port


  • An access port is used to connect to a user terminal (such as a user PC or server) that cannot identify a tag or distinguish VLAN members.

  • The NICs of devices connected to an access port usually send and receive only untagged frames.

  • An Access port can be added to only one VLAN.


Trunk port


  • A trunk port allows data frames of multiple VLANs to pass through. These data frames are differentiated by 802.1Q tags.

  • A trunk port is used to connect devices such as switches, routers, firewalls, and APs.


Hybrid port


  • A hybrid port can be used to connect user terminals (such as user hosts and servers) that cannot identify tags, switches, routers, voice terminals, and APs that can send and receive tagged and untagged frames at the same time.

  • Users can specify whether a hybrid port carries a tag when sending data frames of a certain VLAN or some VLANs. The default port type of Huawei devices is hybrid, and only Huawei switches have the hybrid port.



Introduction of Access Port


Access port


As shown in the preceding figure, four scenarios are described.


  • Scenario 1: The interface receives untagged frames.

The switch adds the PVID tag to the frame and then processes the tagged frame (flooding, forwarding, or discarding).


  • Scenario 2: The interface receives tagged frames.

The switch checks whether the VID in the tag of the frame is the same as the PVID.

If they are the same, the Tagged frame is received or forwarded.

If they are different, the Tagged frame is discarded.


  • Scenario 3: The VLAN ID of the frame is the same as the port PVID.

The switch strips the tag from the frame and then sends it out of the interface.


  • Scenario 4: The VLAN ID of the frame is different from the port PVID

The frame is not sent out of the interface.


Features of the access port

Only the data frames with the same VLAN ID as the port PVID are allowed to pass.



Introduction of the Trunk port


Trunk Port


As shown in the preceding figure, four scenarios are described.


  • Scenario 1: The interface receives untagged frames.

The switch adds the PVID to the frame and checks whether the PVID is in the list of allowed VLAN IDs. 

If yes, the Tagged frame is received or forwarded.

If not, the tagged frame is discarded.


  • Scenario 2: The interface receives tagged frames.

The switch checks whether the VID in the tag of the frame is in the list of allowed VLAN IDs. 

If yes, the Tagged frame is received or forwarded.

If not, the Tagged frame is discarded.


  • Scenario 3: The VLAN ID of the frame is the same as the port PVID.

When a tagged frame arrives at a trunk port from another port on the switch, if the VID in the tag of the frame is in the list of allowed VLAN IDs, the system compares whether the VID in the tag is the same as the PVID of the port.

If they are the same, the switch removes the tag of the tagged frame and sends the untagged frame out of the link.

Note: If the VLAN ID is not in the list of allowed VLANs, the frame cannot be sent from the interface.


  • Scenario 4: The VLAN ID of the frame is different from the port PVID.

When a tagged frame arrives at a trunk port from another port on the switch, if the VID in the tag of the frame is in the list of allowed VLAN IDs, the system compares whether the VID in the tag is the same as the PVID of the port.

If they are different, the switch does not strip the tag but sends the tagged frame out of the link as is.

Note: If the VLAN ID is not in the list of allowed VLANs, the frame cannot be sent from the interface.


For the trunk port, you must configure a list of allowed VLAN IDs in addition to PVIDs. VLAN 1 exists by default.



Working Procedure of a Layer 2 Switch with VLAN and Trunk Functions


Access Port vs Trunk Port vs Hybrid Port


When a switch interface receives a data frame:


  1. Construct a MAC address table by learning source MAC addresses.


  2. Add PVID (Tag)


  3. Forwarding Data Frames Based on the Destination MAC Address (VLAN Range)


    MAC address table changes:

    1) If the data frame is broadcast or multicast, the switch floods the data frame.

    2) For unicast data frames, the switch queries the MAC address table and forwards the frames.


  4. Forwards data frames through the outbound interface.


    1) Remove the tag (VLAN ID equal to the PVID).

    2) Keep the tag and forward (trunk port).



Introduction of Hybrid port


Hybrid Port


As shown in the preceding figure, four scenarios are described.


  • Scenario 1: The interface receives untagged frames.

The switch adds a PVID tag to the frame and checks whether the PVID is in the untagged or tagged VLAN ID list.

If yes, the Tagged frame is received or forwarded.

If not, the Tagged frame is discarded.


  • Scenario 2: The interface receives tagged frames.

The switch checks to see if the VID in the tag of this frame is in the list of untagged or tagged VLAN IDs.

If yes, the Tagged frame is received or forwarded.

If not, the Tagged frame is discarded.


Summarize scenario 3 and scenario 4. The hybrid port transmits data frames:


  • When a tagged frame arrives at a hybrid port from another interface on the switch, if the VID in the tag of the frame is neither in the untagged VLAN ID list nor in the tagged VLAN ID list, the tagged frame is discarded.


  • When a tagged frame arrives at a hybrid port from another interface on the switch, if the VID in the tag of the frame is in the untagged VLAN ID list, the switch removes the tag from the tagged frame. Then, the untagged frame is sent out over the link.


  • When a tagged frame arrives at a hybrid port from another interface on the switch, if the VID in the tag of the frame is in the tagged VLAN ID list, the switch does not remove the tag from the tagged frame but directly sends the tagged frame over the link.


For a hybrid port, you need to configure the PVID and two VLAN ID lists that allow packets to pass through. One is the untagged VLAN ID list and the other is the tagged VLAN ID list. By default, VLAN 1 is in the untagged VLAN list. The frames of all VLANs in the two allowed lists are allowed to pass through the hybrid port.


Features of the Hybrid port


  • A hybrid port allows only the data frames whose VLAN IDs are in the allowed list to pass through.

  • A hybrid port can allow tagged frames from multiple VLANs to pass through, and allow frames from certain VLANs to be tagged and frames from certain VLANs to be untagged.

  • The main difference between a Hybrid port and a Trunk port is that the Hybrid port supports data frames of multiple VLANs without tags.



Configuration of different port types


Access Port vs Trunk Port vs Hybrid Port


As shown in the preceding figure: Both G0/0/1 and G0/0/2 of SW1 are connected to PCs. Therefore, G0/0/1 and G0/0/2 of SW1 are configured as access ports, and G0/0/24 of SW1 is connected to SW2, and this link needs to carry two different VLANs. Therefore, G0/0/24 of SW1 is configured as a trunk port.


The configuration of SW1 is as follows:


  • Configuring an Access Port


[SW1] vlan batch 10 20 --- Create VLANs in batches.


[SW1] interface GigabitEthernet 0/0/1 --- Enter the interface view.
[SW1-GigabitEthernet0/0/1] port link-type access --- Set the link type of the interface to access.
[SW1-GigabitEthernet0/0/1] port default vlan 10 --- Configure the default VLAN of the interface and add the interface to that VLAN.


[SW1] interface GigabitEthernet 0/0/2
[SW1-GigabitEthernet0/0/2] port link-type access
[SW1-GigabitEthernet0/0/2] port default vlan 20


  • Configuring a Trunk Port


[SW1] interface GigabitEthernet 0/0/24
[SW1-GigabitEthernet0/0/24] port link-type trunk --- Set the link type of the interface to trunk.
[SW1-GigabitEthernet0/0/24] port trunk pvid vlan 1 --- Configure the default VLAN of the trunk interface.
[SW1-GigabitEthernet0/0/24] port trunk allow-pass vlan 10 20 --- Add the trunk interface to VLANs 10 and 20.


  • Configuring a Hybrid Port


Now let's think about whether it is possible to replace access and trunk ports with hybrid ports, and how?


Replacing Access Port Configurations with Hybrid Ports


[SW1] interface GigabitEthernet 0/0/1
[SW1-GigabitEthernet0/0/1] port link-type hybrid --- Set the link type of the interface to hybrid.
[SW1-GigabitEthernet0/0/1] port hybrid pvid vlan 10 --- Configure the default VLAN of the hybrid interface.
[SW1-GigabitEthernet0/0/1] port hybrid untagged vlan 10 --- Add the hybrid interface to VLAN 10; frames of this VLAN pass through the interface untagged.


Replacing Trunk Port Configurations with Hybrid Ports


[SW1] interface GigabitEthernet 0/0/24
[SW1-GigabitEthernet0/0/24] port link-type hybrid
[SW1-GigabitEthernet0/0/24] port hybrid pvid vlan 10
[SW1-GigabitEthernet0/0/24] port hybrid untagged vlan 10
[SW1-GigabitEthernet0/0/24] port hybrid tagged vlan 20 --- Add the hybrid interface to VLAN 20; frames of this VLAN pass through the interface tagged.
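As a way to check the ingress and egress rules described in the scenarios above against the SW1 configuration, here is an added Python model; it is not from the article and not vendor code. Each port object carries a PVID and, depending on its type, an allow-pass list (trunk) or untagged and tagged lists (hybrid), and applies exactly the decisions the scenarios describe. The SW1 port set is built from the configuration above, with VLAN 1 kept in the default lists as the article notes; the frames are constructed. MAC learning and lookup are not modelled: a frame is simply carried from one port to another within its VLAN.

```python
"""Added example (not from the article): a model of how access, trunk and hybrid
ports treat frames on ingress and egress. Port objects follow the article's SW1
configuration; frames are constructed. MAC learning and lookup are not modelled."""
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class Port:
    name: str
    link_type: str                                      # "access", "trunk" or "hybrid"
    pvid: int = 1
    allow: set = field(default_factory=lambda: {1})     # trunk allow-pass list (VLAN 1 by default)
    untagged: set = field(default_factory=lambda: {1})  # hybrid untagged list (VLAN 1 by default)
    tagged: set = field(default_factory=set)            # hybrid tagged list

    def ingress(self, vid: Optional[int]) -> Optional[int]:
        """VLAN the received frame is placed in, or None if it is discarded.
        vid is None for an untagged frame, which first takes the PVID."""
        vid = self.pvid if vid is None else vid
        if self.link_type == "access":
            return vid if vid == self.pvid else None          # VID must equal the PVID
        if self.link_type == "trunk":
            return vid if vid in self.allow else None         # VID must be in the allow list
        return vid if vid in self.untagged | self.tagged else None  # either hybrid list

    def egress(self, vid: int) -> Optional[Tuple[str, int]]:
        """How a frame of VLAN vid leaves this port: ("untagged" | "tagged", vid),
        or None if the port does not carry that VLAN."""
        if self.link_type == "access":
            return ("untagged", vid) if vid == self.pvid else None
        if self.link_type == "trunk":
            if vid not in self.allow:
                return None
            return ("untagged", vid) if vid == self.pvid else ("tagged", vid)
        if vid in self.untagged:
            return ("untagged", vid)
        if vid in self.tagged:
            return ("tagged", vid)
        return None


def transit(ports, in_port, vid, out_port):
    """Receive a frame on in_port and send it out of out_port in the same VLAN."""
    vlan = ports[in_port].ingress(vid)
    return None if vlan is None else ports[out_port].egress(vlan)


def build(*port_list):
    return {p.name: p for p in port_list}


# SW1 as configured in the article: two access ports and one trunk.
SW1 = build(
    Port("G0/0/1", "access", pvid=10),
    Port("G0/0/2", "access", pvid=20),
    Port("G0/0/24", "trunk", pvid=1, allow={1, 10, 20}),
)

# The article's hybrid replacements for the same two roles.
SW1_HYBRID = build(
    Port("G0/0/1", "hybrid", pvid=10, untagged={1, 10}),
    Port("G0/0/24", "hybrid", pvid=10, untagged={1, 10}, tagged={20}),
)

if __name__ == "__main__":
    print("PC on G0/0/1 -> trunk G0/0/24:", transit(SW1, "G0/0/1", None, "G0/0/24"))
    print("PC on G0/0/1 -> access G0/0/2:", transit(SW1, "G0/0/1", None, "G0/0/2"))
    print("VLAN 20 tagged via trunk -> G0/0/2:", transit(SW1, "G0/0/24", 20, "G0/0/2"))
    print("trunk G0/0/24 sends VLAN 10 as", SW1["G0/0/24"].egress(10))
    print("hybrid G0/0/24 sends VLAN 10 as", SW1_HYBRID["G0/0/24"].egress(10))
```

The last two lines show the one behavioural change the article's replacement introduces: the trunk on G0/0/24 has PVID 1 and sends VLAN 10 tagged, whereas the hybrid version (PVID 10, VLAN 10 in the untagged list) sends VLAN 10 untagged. The port on SW2 at the other end must therefore be configured to match, or frames of VLAN 10 will arrive untagged there and be placed in SW2's PVID instead.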