HP VPN Firewall Appliances Network Management Configuration Guide

As shown in Figure 318, configure local PBR on Firewall to forward all locally generated TCP packets via
GigabitEthernet 0/1. Firewall forwards other packets according to the routing table.
Figure 318 Network diagram
2. Configuration procedure
a. Configure Firewall:
# Configure ACL 3101 to match TCP packets.
<Firewall> system-view
[Firewall] acl number 3101
[Firewall-acl-adv-3101] rule permit tcp
[Firewall-acl-adv-3101] quit
# Configure Node 5 for policy aaa to forward TCP packets via GigabitEthernet 0/1.
[Firewall] policy-based-route aaa permit node 5
[Firewall-pbr-aaa-5] if-match acl 3101
[Firewall-pbr-aaa-5] apply ip-address next-hop 1.1.2.2
[Firewall-pbr-aaa-5] quit
# Configure local PBR by applying policy aaa on Firewall.
[Firewall] ip local policy-based-route aaa
# Configure the IP addresses of the GigabitEthernet interfaces.
[Firewall] interface gigabitethernet 0/1
[Firewall-GigabitEthernet0/1] ip address 1.1.2.1 255.255.255.0
[Firewall-GigabitEthernet0/1] quit
[Firewall] interface gigabitethernet 0/2
[Firewall-GigabitEthernet0/2] ip address 1.1.3.1 255.255.255.0
b. Configure the IP address of the GigabitEthernet interface on Router A:
<RouterA> system-view
[RouterA] interface gigabitethernet 0/1
[RouterA-GigabitEthernet0/1] ip address 1.1.2.2 255.255.255.0
c. Configure the IP address of the GigabitEthernet interface on Router B:
<RouterB> system-view
[RouterB] interface gigabitethernet 0/2
[RouterB-GigabitEthernet0/2] ip address 1.1.3.2 255.255.255.0
d. Verify the configuration:
# Telnet to Router A (1.1.2.2/24) from Firewall. The operation succeeds.
# Telnet to Router B (1.1.3.2/24) from Firewall. The operation fails.
# Ping Router B (1.1.3.2/24) from Firewall. The operation succeeds.
Telnet uses TCP, and ping uses ICMP. The preceding results show that all TCP packets originated by Firewall
are forwarded to the next hop 1.1.2.2 via GigabitEthernet 0/1, regardless of their destination, and that
other packets are forwarded according to the routing table via GigabitEthernet 0/2. The Telnet to Router B
fails because its TCP packets are handed to Router A (1.1.2.2) instead of being sent out GigabitEthernet 0/2,
and Router A has no route to 1.1.3.0/24. Because ACL 3101 matches every TCP packet, this also applies to
management sessions (for example, Telnet or SSH) that Firewall itself initiates, so the next hop must be
able to reach every TCP destination Firewall needs. The local PBR configuration is effective.
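The following Python model, added here as an example and not part of the HP configuration guide, reproduces the forwarding decisions behind steps a through d: a locally generated packet is checked against the nodes of the local PBR policy in node-number order, the first node whose if-match ACL permits the packet supplies the next hop, and a packet no node matches falls through to a longest-prefix lookup in the routing table. The addresses, interface names, ACL 3101 and policy aaa come from the procedure above; the data structures, the single-rule ACL semantics and the assumption that Router A and Router B know only their own connected subnets (steps b and c configure nothing else) are this example's own simplifications.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    protocol: str   # "tcp", "udp" or "icmp"
    dst: str        # destination IPv4 address


@dataclass(frozen=True)
class AclRule:
    action: str     # "permit" or "deny"
    protocol: str   # "ip" matches any protocol, otherwise an exact match

    def matches(self, pkt: Packet) -> bool:
        return self.protocol in ("ip", pkt.protocol)


@dataclass(frozen=True)
class PbrNode:
    number: int               # policy-based-route aaa permit node <number>
    acl: Tuple[AclRule, ...]  # if-match acl <acl>
    next_hop: str             # apply ip-address next-hop <address>


@dataclass(frozen=True)
class Route:
    prefix: str
    interface: str            # directly connected route: the next hop is the destination itself


def acl_permits(rules: Tuple[AclRule, ...], pkt: Packet) -> bool:
    """First matching rule decides; a packet no rule matches is not matched by the ACL."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action == "permit"
    return False


def route_lookup(routes: Tuple[Route, ...], dst: str) -> Optional[Route]:
    """Longest-prefix match over a routing table."""
    addr = ipaddress.ip_address(dst)
    best = None
    for route in routes:
        net = ipaddress.ip_network(route.prefix)
        if addr in net and (best is None or net.prefixlen > ipaddress.ip_network(best.prefix).prefixlen):
            best = route
    return best


def firewall_decision(pkt: Packet, policy: Tuple[PbrNode, ...], routes: Tuple[Route, ...]):
    """Local PBR first, routing table second. Returns (method, next_hop, egress_interface)."""
    for node in sorted(policy, key=lambda n: n.number):
        if acl_permits(node.acl, pkt):
            egress = route_lookup(routes, node.next_hop)   # interface used to reach the next hop
            return ("pbr", node.next_hop, egress.interface if egress else None)
    egress = route_lookup(routes, pkt.dst)
    if egress is None:
        return ("drop", None, None)
    return ("routing", pkt.dst, egress.interface)


def delivered(pkt: Packet, policy, fw_routes, neighbour_routes: Dict[str, Tuple[Route, ...]]) -> bool:
    """Follow the packet one hop further: a next-hop router forwards only if it has a route to dst."""
    method, next_hop, egress = firewall_decision(pkt, policy, fw_routes)
    if method == "drop" or egress is None:
        return False
    if next_hop == pkt.dst:
        return True
    return route_lookup(neighbour_routes.get(next_hop, ()), pkt.dst) is not None


# Configuration from the procedure (step a): ACL 3101, policy aaa node 5, connected routes of Firewall.
ACL_3101 = (AclRule("permit", "tcp"),)
POLICY_AAA = (PbrNode(5, ACL_3101, "1.1.2.2"),)
FIREWALL_ROUTES = (Route("1.1.2.0/24", "GigabitEthernet0/1"),
                   Route("1.1.3.0/24", "GigabitEthernet0/2"))
# Assumption: Router A (step b) and Router B (step c) know only their own connected subnet.
NEIGHBOUR_ROUTES = {"1.1.2.2": (Route("1.1.2.0/24", "GigabitEthernet0/1"),),
                    "1.1.3.2": (Route("1.1.3.0/24", "GigabitEthernet0/2"),)}

# The three checks of step d, as constructed packets.
STEP_D = {
    "telnet_router_a": Packet("tcp", "1.1.2.2"),
    "telnet_router_b": Packet("tcp", "1.1.3.2"),
    "ping_router_b": Packet("icmp", "1.1.3.2"),
}


def verify() -> Dict[str, bool]:
    """Outcome of each step-d check: True when the packet reaches its destination."""
    return {name: delivered(pkt, POLICY_AAA, FIREWALL_ROUTES, NEIGHBOUR_ROUTES)
            for name, pkt in STEP_D.items()}


if __name__ == "__main__":
    for name, pkt in STEP_D.items():
        print(name, firewall_decision(pkt, POLICY_AAA, FIREWALL_ROUTES), "delivered:", verify()[name])
```

Running the block prints the Firewall decision for each check: both Telnet packets are handed to 1.1.2.2 out GigabitEthernet0/1 by policy aaa, and the one to 1.1.3.2 is then dropped by Router A, while the ICMP packet is routed out GigabitEthernet0/2. Changing the ACL to `AclRule("permit", "ip")` shows the failure mode the caveat above warns about: every locally generated packet, including the ping to Router B, would then depend on Router A having a route to the destination.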