Policy Routing-Enterprise Network Multiple Exits

The customer’s experimental needs this time:

"Research on the Application of Dual Internet Access Technology"

In order to ensure the stability, reliability, and smoothness of the network, many organizations and enterprises choose multiple operators for Internet access. This not only provides mutual redundancy but also allows load sharing by traffic type; in particular, traffic to different operators' data centers can be routed intelligently. For example, traffic to China Telecom's data center leaves through the China Telecom exit, and traffic to China Unicom's data center leaves through the China Unicom exit.

The customer asked for a small-scale experiment; the topology I designed is as follows. I do not recommend using firewalls for policy routing here, mainly because of router bugs in eNSP. My initial idea was to use AR series routers at the company exit with load-balanced default routes plus NAT to implement PBR, which is the more useful arrangement. I then found that the PBR policy on the AR series cannot be applied under an interface; it can only be applied globally, and applied globally it does not take effect. So I switched to the R series, whose bug is that NAT has no effect. In the end, to get PBR working, I used an R series router and left out NAT.

If you need both PBR and NAT, the exit device here can be replaced with a USG6000V firewall, which can implement both.

Without further ado, here’s the complete configuration:

<Huawei>sys
[Huawei]un in en
[Huawei]sys sw2
[sw2]vlan ba 10 20 
[sw2]inte e0/0/1
[sw2-Ethernet0/0/1]po link ac
[sw2-Ethernet0/0/1]po de vlan 10 
[sw2-Ethernet0/0/1]inte e0/0/2
[sw2-Ethernet0/0/2]po link ac
[sw2-Ethernet0/0/2]po de vlan 20
[sw2-Ethernet0/0/2]inte e0/0/3
[sw2-Ethernet0/0/3]po link tr
[sw2-Ethernet0/0/3]po tr al vlan 10 20  

<Huawei>sys
[Huawei]un in en
[Huawei]sys sw3
[sw3]vlan ba 30 40 
[sw3]inte e0/0/1
[sw3-Ethernet0/0/1]po link ac
[sw3-Ethernet0/0/1]po de vlan 30 
[sw3-Ethernet0/0/1]inte e0/0/2
[sw3-Ethernet0/0/2]po link ac
[sw3-Ethernet0/0/2]po de vlan 40
[sw3-Ethernet0/0/2]inte e0/0/3
[sw3-Ethernet0/0/3]po link tr
[sw3-Ethernet0/0/3]po tr al vlan 30 40

<Huawei>sys
[Huawei]un in en
[Huawei]sys sw1
[sw1]vlan ba 10 20 30 40 100
[sw1]stp ro pr  
[sw1]inte g0/0/1
[sw1-GigabitEthernet0/0/1]po link tr
[sw1-GigabitEthernet0/0/1]po tr al vlan 10 20
[sw1-GigabitEthernet0/0/1]inte g0/0/2
[sw1-GigabitEthernet0/0/2]po link tr
[sw1-GigabitEthernet0/0/2]po tr al vlan 30 40  
[sw1-GigabitEthernet0/0/2]inte g0/0/3
[sw1-GigabitEthernet0/0/3]po link ac
[sw1-GigabitEthernet0/0/3]po de vlan 100 
[sw1-GigabitEthernet0/0/3]inte vlan 10 
[sw1-Vlanif10]ip add 192.168.10.254 24
[sw1-Vlanif10]inte vlan 20 
[sw1-Vlanif20]ip add 192.168.20.254 24
[sw1-Vlanif20]inte vlan 30 
[sw1-Vlanif30]ip add 192.168.30.254 24
[sw1-Vlanif30]inte vlan 40
[sw1-Vlanif40]ip add 192.168.40.254 24
[sw1-Vlanif40]inte vlan 100
[sw1-Vlanif100]ip add 192.168.0.2 30
[sw1-Vlanif100]ip route-sta 0.0.0.0 0 192.168.0.1

[Huawei]sys R2
[R2]un in en 
[R2]interface GigabitEthernet0/0/0
[R2-GigabitEthernet0/0/0] ip address 100.1.1.2 255.255.255.252 
[R2-GigabitEthernet0/0/0]interface GigabitEthernet0/0/1
[R2-GigabitEthernet0/0/1] ip address 200.1.1.2 255.255.255.252 
[R2-GigabitEthernet0/0/1]interface GigabitEthernet0/0/2
[R2-GigabitEthernet0/0/2] ip address 192.168.0.1 255.255.255.252 
[R2-GigabitEthernet0/0/2]q
[R2]ip route-static 192.168.0.0 255.255.0.0 192.168.0.2
[R2]ospf 
[R2-ospf-1]ar 0 
[R2-ospf-1-area-0.0.0.0]net 100.1.1.0 0.0.0.3
[R2-ospf-1-area-0.0.0.0]net 200.1.1.0 0.0.0.3
[R2-ospf-1-area-0.0.0.0]q
[R2-ospf-1]im static 
[R2-ospf-1]q

Configure the traffic that PBR should match:
[R2]acl number 3000  
[R2-acl-adv-3000] rule 5 permit ip source 192.168.10.0 0.0.0.255  
[R2-acl-adv-3000] rule 10 permit ip source 192.168.30.0 0.0.0.255 
[R2-acl-adv-3000]acl number 3001  
[R2-acl-adv-3001] rule 5 permit ip source 192.168.20.0 0.0.0.255 
[R2-acl-adv-3001] rule 10 permit ip source 192.168.40.0 0.0.0.255 
[R2-acl-adv-3001]q

PBR policy; finally, apply it on the interface where the traffic enters:
[R2]policy-based-route huawei permit node 10
[R2-policy-based-route-huawei-10] if-match acl 3000
[R2-policy-based-route-huawei-10] apply ip-address next-hop 100.1.1.1  
[R2-policy-based-route-huawei-10]policy-based-route huawei permit node 20
[R2-policy-based-route-huawei-20] if-match acl 3001
[R2-policy-based-route-huawei-20] apply ip-address next-hop 200.1.1.1  
[R2-policy-based-route-huawei-20]inte g0/0/2
[R2-GigabitEthernet0/0/2]ip policy-based-route huawei 
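Because PBR on R2 is evaluated node by node and any source that matches no node silently falls back to the ordinary routing table, it is worth checking, before cutting over, which exit each internal subnet actually gets. The following Python script is an added example, not code from the original post: it parses the ACL and policy-based-route stanzas above (copied into a constructed string), models the first-match semantics of VRP ACL rules and PBR nodes (ascending rule and node order, implicit deny, a `deny` node handing traffic back to normal routing), and reports the next hop per subnet plus any subnet left unsteered. The semantics modeled, the function names and the 192.168.50.0/24 subnet used to show a gap are assumptions of this example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the ACL and PBR stanzas of R2 from the page's
# configuration, pasted into a string so the script runs offline.
R2_CONFIG = """
acl number 3000
 rule 5 permit ip source 192.168.10.0 0.0.0.255
 rule 10 permit ip source 192.168.30.0 0.0.0.255
acl number 3001
 rule 5 permit ip source 192.168.20.0 0.0.0.255
 rule 10 permit ip source 192.168.40.0 0.0.0.255
policy-based-route huawei permit node 10
 if-match acl 3000
 apply ip-address next-hop 100.1.1.1
policy-based-route huawei permit node 20
 if-match acl 3001
 apply ip-address next-hop 200.1.1.1
"""

# The internal VLAN subnets routed by sw1 in the page's addressing plan.
INTERNAL_SUBNETS = ["192.168.10.0/24", "192.168.20.0/24",
                    "192.168.30.0/24", "192.168.40.0/24"]


@dataclass
class AclRule:
    rule_id: int
    action: str      # "permit" or "deny"
    network: int     # source address as an integer
    wildcard: int    # wildcard mask: a 1 bit means "don't care"


@dataclass
class PbrNode:
    node_id: int
    action: str      # "permit" applies the next hop; "deny" hands traffic to normal routing
    acl: Optional[int] = None
    next_hop: Optional[str] = None


def parse_config(text: str):
    """Extract source-only advanced ACL rules and PBR nodes from VRP-style config text."""
    acls: Dict[int, List[AclRule]] = {}
    policies: Dict[str, List[PbrNode]] = {}
    cur_acl: Optional[int] = None
    cur_node: Optional[PbrNode] = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"acl number (\d+)", line):
            cur_acl, cur_node = int(m.group(1)), None
            acls.setdefault(cur_acl, [])
        elif (m := re.fullmatch(r"rule (\d+) (permit|deny) ip source (\S+) (\S+)", line)) and cur_acl is not None:
            acls[cur_acl].append(AclRule(int(m.group(1)), m.group(2),
                                         int(ipaddress.IPv4Address(m.group(3))),
                                         int(ipaddress.IPv4Address(m.group(4)))))
        elif m := re.fullmatch(r"policy-based-route (\S+) (permit|deny) node (\d+)", line):
            cur_acl = None
            cur_node = PbrNode(int(m.group(3)), m.group(2))
            policies.setdefault(m.group(1), []).append(cur_node)
        elif (m := re.fullmatch(r"if-match acl (\d+)", line)) and cur_node is not None:
            cur_node.acl = int(m.group(1))
        elif (m := re.fullmatch(r"apply ip-address next-hop (\S+)", line)) and cur_node is not None:
            cur_node.next_hop = m.group(1)
    return acls, policies


def acl_permits(rules: List[AclRule], src: int) -> bool:
    """Rules are checked in ascending rule-ID order; first match wins; implicit deny at the end."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        care = ~rule.wildcard & 0xFFFFFFFF
        if (src & care) == (rule.network & care):
            return rule.action == "permit"
    return False


def pbr_next_hop(nodes: List[PbrNode], acls: Dict[int, List[AclRule]], src_ip: str) -> Optional[str]:
    """Next hop PBR applies to a packet from src_ip, or None if it follows the routing table."""
    src = int(ipaddress.IPv4Address(src_ip))
    for node in sorted(nodes, key=lambda n: n.node_id):
        if node.acl is None or node.acl not in acls:
            continue
        if acl_permits(acls[node.acl], src):
            return node.next_hop if node.action == "permit" else None
    return None


def exit_map(config: str, policy: str, subnets: List[str]) -> Dict[str, Optional[str]]:
    """Next hop per subnet, sampled at host .10 of each; None means PBR leaves it alone."""
    acls, policies = parse_config(config)
    nodes = policies.get(policy, [])
    return {cidr: pbr_next_hop(nodes, acls, str(ipaddress.IPv4Network(cidr).network_address + 10))
            for cidr in subnets}


def uncovered(config: str, policy: str, subnets: List[str]) -> List[str]:
    """Subnets no node steers, which therefore fall back to R2's routing table."""
    return [c for c, hop in exit_map(config, policy, subnets).items() if hop is None]


if __name__ == "__main__":
    for cidr, hop in exit_map(R2_CONFIG, "huawei", INTERNAL_SUBNETS).items():
        print(f"{cidr:18} -> {hop or 'routing table'}")
    # A hypothetical fifth VLAN shows what an unsteered subnet looks like.
    print("not steered:", uncovered(R2_CONFIG, "huawei", INTERNAL_SUBNETS + ["192.168.50.0/24"]))
```

The same check can be run against the output of `display current-configuration` on the real router; in this topology it confirms that VLANs 10 and 30 leave via AR2 (100.1.1.1) and VLANs 20 and 40 via AR3 (200.1.1.1), and that any subnet added later without an ACL entry is not steered at all.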

<Huawei>sys
[Huawei]un in en
[Huawei]sys AR2
[AR2]inte g0/0/0
[AR2-GigabitEthernet0/0/0]ip ad 100.1.1.1 30 
[AR2-GigabitEthernet0/0/0]inte g0/0/1
[AR2-GigabitEthernet0/0/1]ip ad 100.1.1.6 30
[AR2-GigabitEthernet0/0/1]ospf 
[AR2-ospf-1]ar 0 
[AR2-ospf-1-area-0.0.0.0]net 100.1.1.4 0.0.0.3
[AR2-ospf-1-area-0.0.0.0]net 100.1.1.0 0.0.0.3

<Huawei>sys
[Huawei]un in en
[Huawei]sys AR3
[AR3]inte g0/0/0
[AR3-GigabitEthernet0/0/0]ip ad 200.1.1.1 30 
[AR3-GigabitEthernet0/0/0]inte g0/0/1
[AR3-GigabitEthernet0/0/1]ip ad 200.1.1.6 30
[AR3-GigabitEthernet0/0/1]ospf 
[AR3-ospf-1]ar 0 
[AR3-ospf-1-area-0.0.0.0]net 200.1.1.0 0.0.0.3
[AR3-ospf-1-area-0.0.0.0]net 200.1.1.4 0.0.0.3

<Huawei>sys
[Huawei]un in en
[Huawei]sys R1
[R1]inte g0/0/0
[R1-GigabitEthernet0/0/0]ip ad 100.1.1.5 30 
[R1-GigabitEthernet0/0/0]inte g0/0/1
[R1-GigabitEthernet0/0/1]ip ad 200.1.1.5 30
[R1-GigabitEthernet0/0/1]inte loop0
[R1-LoopBack0]ip ad 100.100.100.100 32
[R1-LoopBack0]ospf 
[R1-ospf-1]ar 0 
[R1-ospf-1-area-0.0.0.0]net 100.1.1.4 0.0.0.3
[R1-ospf-1-area-0.0.0.0]net 200.1.1.4 0.0.0.3
[R1-ospf-1-area-0.0.0.0]net 100.100.100.100 0.0.0.0

Experimental phenomena

Origin blog.csdn.net/weixin_45650628/article/details/133903449