Example for Configuring PBR to Import Traffic to the Firewall in Bypass Mode

Networking Requirements

In Figure 1, enterprise users need to access the Internet through SwitchA (core switch) and the router (access gateway).

To ensure the security of the enterprise's intranet, traffic entering the intranet needs to be imported to the firewall in bypass mode.

Figure 1 Networking for configuring PBR to import traffic to the firewall in bypass mode

Configuration Roadmap

The configuration roadmap is as follows:

  • Configure an IP address for each interface and configure a routing protocol between the switch and firewall to ensure that there is a reachable route.
  • Configure PBR on SwitchA to redirect traffic to the firewall for security detection. Traffic that is sent from the external network to the enterprise intranet will be redirected.

This example provides only the switch configuration. For the firewall configuration, see the firewall documentation.

Procedure

  1. Configure an IP address for each interface on SwitchA and the firewall, and configure a routing protocol on SwitchA.

    # Assign an IP address to each interface of SwitchA. By default, a switch interface is a Layer 2 interface. Before configuring an IP address for a switch interface, run the undo portswitch command to change the interface to a Layer 3 interface.

    <HUAWEI> system-view
    [HUAWEI] sysname SwitchA
    [SwitchA] interface gigabitethernet 0/0/1
    [SwitchA-GigabitEthernet0/0/1] undo portswitch
    [SwitchA-GigabitEthernet0/0/1] ip address 10.1.1.2 24
    [SwitchA-GigabitEthernet0/0/1] quit
    [SwitchA] interface gigabitethernet 0/0/2
    [SwitchA-GigabitEthernet0/0/2] undo portswitch
    [SwitchA-GigabitEthernet0/0/2] ip address 10.1.20.1 24
    [SwitchA-GigabitEthernet0/0/2] quit
    [SwitchA] interface gigabitethernet 0/0/3
    [SwitchA-GigabitEthernet0/0/3] undo portswitch
    [SwitchA-GigabitEthernet0/0/3] ip address 10.1.10.6 24
    [SwitchA-GigabitEthernet0/0/3] quit
    [SwitchA] interface gigabitethernet 0/0/4
    [SwitchA-GigabitEthernet0/0/4] undo portswitch
    [SwitchA-GigabitEthernet0/0/4] ip address 10.1.11.6 24
    [SwitchA-GigabitEthernet0/0/4] quit
    

    # Configure a routing protocol on SwitchA to ensure Layer 3 connectivity. OSPF is used as an example.

    Generally, two OSPF processes are configured on the firewall to advertise uplink and downlink network segments. Therefore, two OSPF processes need to be configured on SwitchA.

    [SwitchA] ospf 100
    [SwitchA-ospf-100] area 0       
    [SwitchA-ospf-100-area-0.0.0.0] network 10.1.1.0 0.0.0.255 
    [SwitchA-ospf-100-area-0.0.0.0] network 10.1.10.0 0.0.0.255
    [SwitchA-ospf-100-area-0.0.0.0] quit
    [SwitchA-ospf-100] quit 
    [SwitchA] ospf 200
    [SwitchA-ospf-200] area 0  
    [SwitchA-ospf-200-area-0.0.0.0] network 10.1.11.0 0.0.0.255 
    [SwitchA-ospf-200-area-0.0.0.0] network 10.1.20.0 0.0.0.255
    [SwitchA-ospf-200-area-0.0.0.0] quit
    [SwitchA-ospf-200] quit

  2. Configure PBR on SwitchA to redirect traffic to the firewall for security detection. Traffic that is sent from the external network to the enterprise intranet will be redirected.

    # Configure a traffic classifier to match all traffic.
    [SwitchA] traffic classifier c1
    [SwitchA-classifier-c1] if-match any
    [SwitchA-classifier-c1] quit
    
    # Configure a traffic behavior to redirect matching traffic to the firewall (with the next-hop address 10.1.10.5).
    [SwitchA] traffic behavior b1
    [SwitchA-behavior-b1] redirect ip-nexthop 10.1.10.5
    [SwitchA-behavior-b1] quit
    
    # Configure a traffic policy.
    [SwitchA] traffic policy p1
    [SwitchA-trafficpolicy-p1] classifier c1 behavior b1
    [SwitchA-trafficpolicy-p1] quit
    
    # Apply the traffic policy to the inbound direction of GigabitEthernet0/0/1 on SwitchA.
    [SwitchA] interface gigabitethernet 0/0/1
    [SwitchA-GigabitEthernet0/0/1] traffic-policy p1 inbound
    [SwitchA-GigabitEthernet0/0/1] quit
    [SwitchA] quit
    

  3. Verify the configuration.

    # Check the traffic classifier configuration.

    <SwitchA> display traffic classifier user-defined c1
      User Defined Classifier Information:                                          
       Classifier: c1                                                               
        Operator: AND                                                               
        Rule(s) : if-match any          

    # Check the traffic behavior configuration.

    <SwitchA> display traffic behavior user-defined b1
      User Defined Behavior Information:                                            
        Behavior: b1                                                                
          Redirect: no forced                                                       
            Redirect ip-nexthop                                                     
            10.1.10.5                    

    # Check the traffic policy configuration.

    <SwitchA> display traffic policy user-defined p1
      User Defined Traffic Policy Information:                                      
      Policy: p1                                                                    
       Classifier: c1                                                               
        Operator: AND                                                               
         Behavior: b1                                                               
          Redirect: no forced                                                       
            Redirect ip-nexthop                                                     
            10.1.10.5                                           

    # Check the traffic policy record.

    <SwitchA> display traffic-policy applied-record
    #                                                                               
    -------------------------------------------------                               
      Policy Name:   p1                                                             
      Policy Index:  0                                                              
         Classifier:c1     Behavior:b1                                               
    -------------------------------------------------                               
     *interface GigabitEthernet0/0/1     
        traffic-policy p1 inbound                                                   
          slot 0    :  success                                                      
    -------------------------------------------------                               
      Policy total applied times: 1.                                                
    # 
    

Configuration Files

  • SwitchA configuration file
    #
    sysname SwitchA
    #
    traffic classifier c1 operator and
     if-match any
    #
    traffic behavior b1
     redirect ip-nexthop 10.1.10.5
    #
    traffic policy p1 match-order config
     classifier c1 behavior b1 
    #
    interface GigabitEthernet0/0/1
     undo portswitch                                                                
     ip address 10.1.1.2 255.255.255.0                                              
     traffic-policy p1 inbound            
    #
    interface GigabitEthernet0/0/2
     undo portswitch                                                                
     ip address 10.1.20.1 255.255.255.0  
    #
    interface GigabitEthernet0/0/3
     undo portswitch                                                                
     ip address 10.1.10.6 255.255.255.0  
    #
    interface GigabitEthernet0/0/4
     undo portswitch                                                                
     ip address 10.1.11.6 255.255.255.0  
    #                                                                               
    ospf 100                                                                        
     area 0.0.0.0                                                                   
      network 10.1.1.0 0.0.0.255
      network 10.1.10.0 0.0.0.255                                                  
    #                                                                               
    ospf 200                                                                        
     area 0.0.0.0                                                                   
      network 10.1.11.0 0.0.0.255
      network 10.1.20.0 0.0.0.255                                                   
    #                                              
    return
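
A static check of the configuration file above, added here as an example (it is not part of the vendor documentation): it parses the `#`-separated stanzas and, for each `redirect ip-nexthop`, reports where the policy is bound and whether the next hop lies on a directly connected subnet. The names `stanzas`, `audit_pbr` and the trimmed `CFG` string are constructed for this example.

```python
import ipaddress, re

# Constructed input: SwitchA's config file from this page, trimmed to the PBR path.
CFG = """#
traffic classifier c1 operator and
 if-match any
#
traffic behavior b1
 redirect ip-nexthop 10.1.10.5
#
traffic policy p1 match-order config
 classifier c1 behavior b1
#
interface GigabitEthernet0/0/1
 ip address 10.1.1.2 255.255.255.0
 traffic-policy p1 inbound
#
interface GigabitEthernet0/0/3
 ip address 10.1.10.6 255.255.255.0
#
"""

def stanzas(cfg):
    """Split a VRP config on '#' lines into {kind: {name: [body lines]}}."""
    out = {}
    for block in re.split(r"(?m)^#[ \t]*$", cfg):
        head, *body = [l.strip() for l in block.strip().splitlines()] or [""]
        w = head.removeprefix("traffic ").split()
        if len(w) >= 2:
            out.setdefault(w[0], {})[w[1]] = body
    return out

def audit_pbr(cfg):
    """Return one record per redirect next hop reachable through a traffic policy."""
    st, out = stanzas(cfg), []
    ifs = st.get("interface", {})
    nets = {n: ipaddress.ip_interface("/".join(l.split()[2:4]))
            for n, v in ifs.items() for l in v if l.startswith("ip address ")}
    for pol, lines in st.get("policy", {}).items():
        bound = [(n, l.split()[2]) for n, v in ifs.items() for l in v
                 if l.split()[:2] == ["traffic-policy", pol]]
        for cls, beh in re.findall(r"classifier (\S+) behavior (\S+)", "\n".join(lines)):
            for l in st.get("behavior", {}).get(beh, []):
                if l.startswith("redirect ip-nexthop "):
                    hop = ipaddress.ip_address(l.split()[2])
                    out.append({"policy": pol, "next_hop": str(hop), "bound": bound,
                        "match_any": "if-match any" in st.get("classifier", {}).get(cls, []),
                        "via": [n for n, i in nets.items() if hop in i.network],
                        "forced": "forced" in l.split()})  # page shows "Redirect: no forced"
    return out
```

An empty `via` means the firewall next hop is not on any connected subnet, and an empty `bound` means the policy is defined but attached to no interface, so nothing is redirected. `forced` being false corresponds to the `Redirect: no forced` line in the display output; what happens to traffic when the next hop is down depends on that setting, so confirm it in the command reference for your switch model.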
    
Copyright © Huawei Technologies Co., Ltd.