Configuring Policy-Based Route Injection

In policy-based route injection, a policy-based route is configured on both the cleaning device and the router, so that cleaned traffic is injected back to the Zone along different links.

Implementation Mechanism

This function is configured on the AntiDDoS.

As shown in Figure 1, Router1 is a traffic-diversion router. A traffic-diversion channel is established between GE1/0/1 on Router1 and GE2/0/1 on the cleaning device. Inbound traffic is diverted to GE2/0/1 on the cleaning device through Router1 GE1/0/1 for cleaning. After the cleaning is complete, normal traffic is injected to the original link through the policy-based route.

In practice, the traffic-injection router can be either Router1 or another downstream router (such as Router2).

Figure 1 Policy-based route injection

As a common traffic-injection mode, policy-based route injection is generally applicable when there are multiple injection interfaces. This mode is recommended because its configuration is simple. However, you need to manually modify the policy-based route whenever the topology changes. When changes are extensive and Zone IP addresses are scattered, a large number of policy-based routes are required, which demands considerable manual effort and degrades system performance. In that case, you are advised to configure MPLS traffic injection instead of policy-based route injection.

Configuring the Cleaning Device

The following describes how to configure a policy-based route on the cleaning device to inject traffic to different interfaces on Router1 through the policy-based route.

  1. Run the system-view command to access the system view.
  2. In the system view, create a PBR policy and access its view.

    policy-based-route

  3. Create a PBR rule and access its view.

    rule name rule-name

  4. Set the matching conditions of the PBR rule. Either the source security zone or incoming interface must be specified as the matching condition. If you specify both, the latest configuration overwrites the previous configuration. The source IP address, destination IP address, service type, application type, and user are optional. You can select them as required.

    The following lists each matching condition and the command that sets it:

    Source security zone or incoming interface

    source-zone zone-name &<1-6>

    ingress-interface { interface-type interface-number }&<1-6>

    NOTE:

    Apart from physical interfaces, the AntiDDoS supports four types of logical interfaces as the incoming interface, namely, the VLANIF interface, Ethernet subinterface, Eth-Trunk interface, and loopback interface.

    • When the incoming interface is set to the VLANIF interface, PBR is implemented on the specified VLAN.
    • When the incoming interface is set to the Ethernet subinterface, PBR is implemented on the traffic of the specified subinterface.
    • When the incoming interface is set to the Eth-Trunk interface, PBR is implemented on the traffic from the specified Eth-Trunk link.

    Source IP address

    source-address { address-set address-set-name &<1-6> | ipv4-address [ ipv4-mask-length | mask mask-address ] | ipv6-address ipv6-prefix-length | range { ipv4-start-address ipv4-end-address | ipv6-start-address ipv6-end-address } | mac-address &<1-6> | isp isp-name | domain-set domain-set-name &<1-6> | any }

    Destination IP address

    destination-address { address-set address-set-name &<1-6> | ipv4-address [ ipv4-mask-length | mask mask-address ] | ipv6-address ipv6-prefix-length | range { ipv4-start-address ipv4-end-address | ipv6-start-address ipv6-end-address } | mac-address &<1-6> | isp isp-name | domain-set domain-set-name &<1-6> | any }

    Service type

    service { service-name&<1-6> | any }

    Application type

    application { application-name &<1-6> | any }

  5. Configure the action for packets matching the conditions.

    action { pbr { egress-interface interface-type interface-number &<1-2> [ next-hop ip-address &<1-2> ] | next-hop ip-address &<1-2> | vpn-instance vpn-instance-name } | no-pbr }

    NOTE:

    NO PBR applies to certain scenarios. For example, to implement PBR on subnet 10.1.1.0/24 except 10.1.1.2, configure a rule with a higher priority to implement NO PBR on 10.1.1.2 first and then another rule with a lower priority to implement PBR on subnet 10.1.1.0/24.

  6. Optional: Enable PBR to interwork with IP-link so that the AntiDDoS determines whether the PBR is valid based on the IP-link status.

    track ip-link link-id

    If IP-link is configured and detects that the next hop is unreachable, the AntiDDoS forwards the packet based on the route table.
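The following is a complete configuration for the procedure above, added here as an example; it is not taken from the manual and does not describe a real deployment. The topology, interface numbers, addresses, rule names and the IP-link ID are all constructed assumptions: inbound traffic arrives from Router1 GE1/0/1 on GE2/0/1 of the cleaning device; cleaned traffic for Zone 192.0.2.0/24 is sent out GE2/0/2 toward Router1 GE1/0/2 (next hop 10.1.2.1), and cleaned traffic for Zone 198.51.100.0/24 is sent out GE2/0/3 toward Router1 GE1/0/3 (next hop 10.1.3.1). It also shows the NO PBR exception from the note in step 5, excluding a single host 192.0.2.2 from injection by placing the no-pbr rule before the broader rule. Prompts are illustrative, and lines beginning with # are annotations rather than commands.

```text
# Added example (constructed, not from the manual): AntiDDoS cleaning device
<AntiDDoS> system-view
[AntiDDoS] policy-based-route

# Exception first: host 192.0.2.2 is deliberately left to normal routing (NO PBR).
# Per the note in step 5, the exception rule is configured before the broader rule
# so that it is matched first.
[AntiDDoS-policy-pbr] rule name no_inject_host
[AntiDDoS-policy-pbr-rule-no_inject_host] ingress-interface GigabitEthernet 2/0/1
[AntiDDoS-policy-pbr-rule-no_inject_host] destination-address 192.0.2.2 32
[AntiDDoS-policy-pbr-rule-no_inject_host] action no-pbr
[AntiDDoS-policy-pbr-rule-no_inject_host] quit

# Zone A (192.0.2.0/24): inject via GE2/0/2 toward Router1 GE1/0/2.
# The egress interface and next hop are the link to the injection router, not the Zone itself.
[AntiDDoS-policy-pbr] rule name inject_zone_a
[AntiDDoS-policy-pbr-rule-inject_zone_a] ingress-interface GigabitEthernet 2/0/1
[AntiDDoS-policy-pbr-rule-inject_zone_a] destination-address 192.0.2.0 24
[AntiDDoS-policy-pbr-rule-inject_zone_a] action pbr egress-interface GigabitEthernet 2/0/2 next-hop 10.1.2.1
# Assumes an IP-link with ID 1 already monitors next hop 10.1.2.1 (step 6, optional).
[AntiDDoS-policy-pbr-rule-inject_zone_a] track ip-link 1
[AntiDDoS-policy-pbr-rule-inject_zone_a] quit

# Zone B (198.51.100.0/24): inject via GE2/0/3 toward Router1 GE1/0/3.
[AntiDDoS-policy-pbr] rule name inject_zone_b
[AntiDDoS-policy-pbr-rule-inject_zone_b] ingress-interface GigabitEthernet 2/0/1
[AntiDDoS-policy-pbr-rule-inject_zone_b] destination-address 198.51.100.0 24
[AntiDDoS-policy-pbr-rule-inject_zone_b] action pbr egress-interface GigabitEthernet 2/0/3 next-hop 10.1.3.1
[AntiDDoS-policy-pbr-rule-inject_zone_b] quit
[AntiDDoS-policy-pbr] quit
```

Matching on ingress-interface GE2/0/1 is what keeps the rule scoped to diverted traffic: only packets that came in over the diversion channel and survived cleaning are steered to the injection links. Because a rule that tracks an IP-link falls back to the route table when the next hop is unreachable, check what the cleaning device's route table does with the Zone prefixes in that state, since that path, not the PBR, is what cleaned traffic will follow during a link failure.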

Configuring the Router

The following uses the Huawei NE80E as an example to describe how to configure the policy-based route on the router so that traffic is injected to Router2 and Router3 respectively.

  1. Run the system-view command to access the system view.
  2. Configure the ACL to define the data flow matching the policy-based route.
  3. Run the following commands to define a traffic classifier.

    1. Run the traffic classifier classifier-name command in the system view to define a traffic classifier and access the traffic classifier view.

      classifier-name specifies the name of the traffic classifier. It is a case-sensitive string of 1 to 31 characters.

    2. Run the if-match [ ipv6 ] acl { acl-number | name acl-name } command to define an ACL rule.

      acl-number specifies the number of the ACL. The value is an integer.

      For IPv4 packets, the value ranges from 2000 to 4099.

      • A value ranging from 2000 to 3999 indicates a basic or an advanced ACL.
      • A value ranging from 4000 to 4099 indicates an ACL based on the Layer-2 Ethernet frame header.

      For IPv6 packets, the value ranges from 2000 to 3999.

      • A value ranging from 2000 to 2999 indicates a basic ACL.
      • A value ranging from 3000 to 3999 indicates an advanced ACL.

      acl-name specifies the name of a named ACL. The value is a string of 1 to 32 case-sensitive characters and cannot contain a space. It must start with a letter from a to z or A to Z, and can be a combination of letters, digits, hyphens (-), or underscores (_).

  4. Run the following commands to define a traffic behavior and set an action accordingly.

    1. Run the traffic behavior behavior-name command in the system view to define a traffic behavior and access the traffic behavior view.

      behavior-name specifies the name of a traffic behavior. The value is a string of 1 to 31 characters.

    2. Run the redirect ip-nexthop ip-address [ interface interface-type interface-number ] command to redirect to the next hop.

      ip-address specifies the IP address of the redirected next hop.

      interface-type interface-number specifies the type and number of the outbound interface. The number is in the slot number/card number/port number format.

  5. Run the following commands to define a traffic policy and specify a behavior for the classifier in the policy.

    1. Run the traffic policy policy-name command in the system view to define a traffic policy and access the policy view.

      policy-name specifies the name of a traffic policy. The value is a string of 1 to 31 characters.

    2. Run the classifier classifier-name behavior behavior-name [ precedence precedence ] command to specify a behavior for the traffic classifier in the policy.

      classifier-name specifies the name of a traffic classifier. It must be already defined.

      behavior-name specifies the name of a traffic behavior. It must be already defined.

      precedence indicates the priority of the associated traffic classifier and behavior. The value is an integer ranging from 1 to 255. The smaller the precedence value, the higher the priority, and the classifier-behavior pair with the higher priority is processed first. If precedence is not specified, the system evaluates the associations in the order in which they were configured.

  6. Run the following commands to apply the policy-based route to the interface.

    1. Run the interface interface-type interface-number command in the system view to access the interface view.

      The interfaces are the inbound interfaces GE1/0/2 and GE1/0/3 on the traffic-injection router Router1, as shown in Figure 1.

    2. Run the traffic-policy policy-name inbound command to apply the policy-based route.

      inbound applies the traffic policy to the inbound direction.
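The following is a complete configuration for steps 1 to 6 above on the injection router, added here as an example; it is not taken from the manual or from a real NE80E. Addresses, interface numbers, ACL numbers and names are constructed assumptions: cleaned traffic for Zone 192.0.2.0/24 arrives from the cleaning device on GE1/0/2 and is handed to Router2 (10.2.2.2 via GE1/0/4); cleaned traffic for Zone 198.51.100.0/24 arrives on GE1/0/3 and is handed to Router3 (10.2.3.3 via GE1/0/5). The ACL rule syntax (advanced ACL with a destination wildcard mask) is standard VRP syntax assumed here, since the manual only states the ACL number ranges. Prompts are illustrative, and lines beginning with # are annotations rather than commands.

```text
# Added example (constructed, not from the manual): NE80E traffic-injection router (Router1)
<Router1> system-view

# Step 2: advanced ACLs (3000-3999) that match by destination Zone prefix.
[Router1] acl number 3001
[Router1-acl-adv-3001] rule 5 permit ip destination 192.0.2.0 0.0.0.255
[Router1-acl-adv-3001] quit
[Router1] acl number 3002
[Router1-acl-adv-3002] rule 5 permit ip destination 198.51.100.0 0.0.0.255
[Router1-acl-adv-3002] quit

# Step 3: one traffic classifier per Zone, bound to its ACL.
[Router1] traffic classifier inject_zone_a
[Router1-classifier-inject_zone_a] if-match acl 3001
[Router1-classifier-inject_zone_a] quit
[Router1] traffic classifier inject_zone_b
[Router1-classifier-inject_zone_b] if-match acl 3002
[Router1-classifier-inject_zone_b] quit

# Step 4: traffic behaviors that redirect to the downstream router's next hop.
[Router1] traffic behavior to_router2
[Router1-behavior-to_router2] redirect ip-nexthop 10.2.2.2 interface GigabitEthernet 1/0/4
[Router1-behavior-to_router2] quit
[Router1] traffic behavior to_router3
[Router1-behavior-to_router3] redirect ip-nexthop 10.2.3.3 interface GigabitEthernet 1/0/5
[Router1-behavior-to_router3] quit

# Step 5: one policy associating each classifier with its behavior.
# Lower precedence value = evaluated first (1-255).
[Router1] traffic policy inject
[Router1-trafficpolicy-inject] classifier inject_zone_a behavior to_router2 precedence 10
[Router1-trafficpolicy-inject] classifier inject_zone_b behavior to_router3 precedence 20
[Router1-trafficpolicy-inject] quit

# Step 6: apply the policy inbound on the two injection interfaces only,
# not on GE1/0/1, which carries the uncleaned traffic toward the cleaning device.
[Router1] interface GigabitEthernet 1/0/2
[Router1-GigabitEthernet1/0/2] traffic-policy inject inbound
[Router1-GigabitEthernet1/0/2] quit
[Router1] interface GigabitEthernet 1/0/3
[Router1-GigabitEthernet1/0/3] traffic-policy inject inbound
[Router1-GigabitEthernet1/0/3] quit
```

The policy must be applied inbound on the injection interfaces because Router1 is also the diversion router: its route table still steers the Zone prefixes toward the cleaning device, so cleaned packets that re-enter on GE1/0/2 or GE1/0/3 would otherwise be diverted a second time. The inbound redirect overrides that lookup for exactly those packets. Every Zone prefix therefore needs a matching ACL entry; a prefix missing from the ACL is the failure mode the manual warns about when Zone addresses are scattered, and is the point at which MPLS injection becomes the better choice.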


Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.