Example for Configuring Redirection
Networking Requirements
As shown in Figure 1, users need to access the Internet. User devices connect to the gateway router through access switch SwitchB and core switch SwitchA and communicate with the Internet through the gateway.
To ensure data and network security, users want to ensure security of all traffic from the Internet to servers.
This example illustrates how to configure redirection to send all traffic from the external network to the internal network to the firewall.
Configuration Roadmap
- Connect SwitchA to the core firewall in bypass mode to filter traffic.
- Configure the device to redirect all traffic from the Internet to the firewall because traffic entering the firewall is Layer 2 traffic.
- Configure port isolation on the interface of SwitchA connected to the firewall to prevent loops, and disable MAC address learning to prevent MAC address flapping.
Procedure
- Create VLANs and configure interfaces to ensure Layer 2 connectivity.
# Create VLAN 100 and VLAN 200 on SwitchB.
<HUAWEI> system-view [HUAWEI] sysname SwitchB [SwitchB] vlan batch 100 200
# Configure GE0/0/2 and GE0/0/3 on SwitchB as access interfaces, add GE0/0/2 to VLAN 200 and GE0/0/3 to VLAN 100, and configure GE0/0/1 as a trunk interface and add GE0/0/1 to VLAN 100 and VLAN 200.
[SwitchB] interface gigabitethernet 0/0/2 [SwitchB-GigabitEthernet0/0/2] port link-type access [SwitchB-GigabitEthernet0/0/2] port default vlan 200 [SwitchB-GigabitEthernet0/0/2] quit [SwitchB] interface gigabitethernet 0/0/3 [SwitchB-GigabitEthernet0/0/3] port link-type access [SwitchB-GigabitEthernet0/0/3] port default vlan 100 [SwitchB-GigabitEthernet0/0/3] quit [SwitchB] interface gigabitethernet 0/0/1 [SwitchB-GigabitEthernet0/0/1] port link-type trunk [SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 200 [SwitchB-GigabitEthernet0/0/1] quit
# Create VLAN 100 and VLAN 200 on SwitchA.
<HUAWEI> system-view [HUAWEI] sysname SwitchA [SwitchA] vlan batch 100 200
# Configure GE0/0/1, GE0/0/2, GE0/0/3, and GE0/0/4 on SwitchA as trunk interfaces and add them to VLAN 100 and VLAN 200. Add GE0/0/3 and GE0/0/4 to the same port isolation group. Disable MAC address learning on GE0/0/4 to prevent MAC address flapping.
[SwitchA] interface gigabitethernet 0/0/1 [SwitchA-GigabitEthernet0/0/1] port link-type trunk [SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 200 [SwitchA-GigabitEthernet0/0/1] quit [SwitchA] interface gigabitethernet 0/0/2 [SwitchA-GigabitEthernet0/0/2] port link-type trunk [SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 200 [SwitchA-GigabitEthernet0/0/2] quit [SwitchA] interface gigabitethernet 0/0/3 [SwitchA-GigabitEthernet0/0/3] port link-type trunk [SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 200 [SwitchA-GigabitEthernet0/0/3] port-isolate enable [SwitchA-GigabitEthernet0/0/3] quit [SwitchA] interface gigabitethernet 0/0/4 [SwitchA-GigabitEthernet0/0/4] port link-type trunk [SwitchA-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 200 [SwitchA-GigabitEthernet0/0/4] port-isolate enable [SwitchA-GigabitEthernet0/0/4] mac-address learning disable [SwitchA-GigabitEthernet0/0/4] quit
- Configure MQC to implement redirection to an interface.# Configure a traffic classifier.
[SwitchA] traffic classifier c1 [SwitchA-classifier-c1] if-match any [SwitchA-classifier-c1] quit
# Configure a traffic behavior.[SwitchA] traffic behavior b1 [SwitchA-behavior-b1] redirect interface gigabitethernet 0/0/3 [SwitchA-behavior-b1] quit
# Configure a traffic policy.[SwitchA] traffic policy p1 [SwitchA-trafficpolicy-p1] classifier c1 behavior b1 [SwitchA-trafficpolicy-p1] quit
# Apply the traffic policy to GigabitEthernet0/0/1 on SwitchA in the inbound direction.[SwitchA] interface gigabitethernet 0/0/1 [SwitchA-GigabitEthernet0/0/1] traffic-policy p1 inbound [SwitchA-GigabitEthernet0/0/1] quit [SwitchA] quit
- Verify the configuration.
# Check the traffic classifier configuration.
<SwitchA> display traffic classifier user-defined c1 User Defined Classifier Information: Classifier: c1 Operator: OR Rule(s) : if-match any# Check the traffic behavior configuration.
<SwitchA> display traffic behavior user-defined b1 User Defined Behavior Information: Behavior: b1 Redirect: no forced Redirect interface GigabitEthernet0/0/3
# Check the traffic policy configuration.
<SwitchA> display traffic policy user-defined p1 User Defined Traffic Policy Information: Policy: p1 Classifier: c1 Operator: OR Behavior: b1 Redirect: no forced Redirect interface GigabitEthernet0/0/3# Check the traffic policy configuration.
<SwitchA> display traffic-policy applied-record # ------------------------------------------------- Policy Name: p1 Policy Index: 0 Classifier:c1 Behavior:b1 ------------------------------------------------- *interface GigabitEthernet0/0/1 traffic-policy p1 inbound slot 0 : success ------------------------------------------------- Policy total applied times: 1. #
Configuration Files
SwitchA configuration file
# sysname SwitchA # vlan batch 100 200 # traffic classifier c1 operator or if-match any # traffic behavior b1 redirect interface GigabitEthernet0/0/3 # traffic policy p1 match-order config classifier c1 behavior b1 # interface GigabitEthernet0/0/1 port link-type trunk port trunk allow-pass vlan 100 200 traffic-policy p1 inbound # interface GigabitEthernet0/0/2 port link-type trunk port trunk allow-pass vlan 100 200 # interface GigabitEthernet0/0/3 port link-type trunk port trunk allow-pass vlan 100 200 port-isolate enable group 1 # interface GigabitEthernet0/0/4 port link-type trunk mac-address learning disable port trunk allow-pass vlan 100 200 port-isolate enable group 1 # return
SwitchB configuration file
# sysname SwitchB # vlan batch 100 200 # interface GigabitEthernet0/0/1 port link-type trunk port trunk allow-pass vlan 100 200 # interface GigabitEthernet0/0/2 port link-type access port default vlan 200 # interface GigabitEthernet0/0/3 port link-type access port default vlan 100 # return