
Configuration Notes and Constraints

When configuring PBR, consider the following points:

  • PBR processes only IP packets; L2 messages are not processed.

  • PBR processes only unicast packets; multicast packets are not processed.

  • PBR only handles forwarded packets, but does not handle locally originated packets (including local protocol and data packets).

  • PBR policy applies to the VLAN interface where the traffic is coming in.

  • Each PBR map can be applied to multiple Layer 3 interfaces, but each Layer 3 interface can have at most one PBR map configured.

  • You cannot configure both IPv4 and IPv6 match conditions for the same PBR policy sequence.

  • For a PBR rule, at least one of the IP match conditions (destination-ipv4, source-ipv4, destination-ipv6, source-ipv6) SHOULD be configured; otherwise the following error is reported.

At least one of destination-ipv4, source-ipv4, destination-ipv6, source-ipv6 need to be configured

Commit failed.

  • If you do not want to filter on IP address, you can configure the IP address in the match rule with all 0s.

admin@PICOS# set routing pbr map PBR_map1 sequence 10 match source-ipv4 0.0.0.0/32

  • A PBR rule match condition SHOULD be configured for a PBR policy.

  • A PBR policy must contain an action configuration. However, if the action is configured with only DSCP and no next-hop IP address, as shown in the following commands, the PBR policy only changes the DSCP value of the matched messages, which are then forwarded based on the destination address according to the route table.

admin@PICOS# set routing pbr map PBR_map1 sequence 10 match destination-ipv4 1.1.1.0/24

admin@PICOS# set routing pbr map PBR_map1 sequence 10 action dscp 40

  • The next-hop address must be directly connected and reachable; recursion is not supported.

  • The next-hop address in the action configuration does not support the tunnel IP address.

  • If a message matches both the Discard rule in the firewall filter ACL and the PBR rule, the Discard rule has a higher priority than the PBR rule, and the message is discarded.

  • IPSG ACL takes precedence over PBR ACL. If a packet is discarded by the IPSG module, it will have no chance to be processed by the PBR module.

  • When performing matching operations on the DSCP value of a packet, DSCP values (in the received packet and user-configured DSCP value in the match rule) exceeding 7 will undergo internal conversion, taking only the last 3 bits of the binary representation as the DSCP value. This may result in different DSCP values being converted to the same value, leading to potential matching errors. This is the limitation for using DSCP as a match condition.
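
As an added example (not part of the PICOS documentation), the following Python script checks a list of `set routing pbr` lines against several constraints from the list above: a missing IP match condition, IPv4 and IPv6 matches in one sequence, a missing action, and `match dscp` values that become indistinguishable once only the last 3 bits are compared. The function name `lint_pbr`, the finding strings and the sample configuration are this example's own; the sample is constructed.

```python
import re
from collections import defaultdict

# Command syntax as shown on this page; an optional CLI prompt prefix is ignored.
LINE = re.compile(r"set routing pbr map (\S+) sequence (\d+) (match|action) (\S+) (\S+)")
IPV4 = {"source-ipv4", "destination-ipv4"}
IPV6 = {"source-ipv6", "destination-ipv6"}

def lint_pbr(config):
    """Return (map, sequence, finding) tuples, ordered by map and sequence."""
    rules = defaultdict(lambda: {"match": {}, "action": {}})
    for line in config.splitlines():
        if m := LINE.search(line):
            name, seq, kind, key, value = m.groups()
            rules[(name, int(seq))][kind][key] = value
    findings, seen = [], {}  # seen: (map, compared DSCP) -> (sequence, configured DSCP)
    for (name, seq), rule in sorted(rules.items()):
        keys = set(rule["match"])
        if not keys & (IPV4 | IPV6):
            findings.append((name, seq, "no IP match condition"))
        if keys & IPV4 and keys & IPV6:
            findings.append((name, seq, "IPv4 and IPv6 match in one sequence"))
        if not rule["action"]:
            findings.append((name, seq, "no action"))
        if "dscp" in keys:
            dscp = int(rule["match"]["dscp"])
            eff = dscp & 0b111  # only the last 3 bits are compared
            if dscp > 7:
                findings.append((name, seq, f"match dscp {dscp} is compared as {eff}"))
            first = seen.setdefault((name, eff), (seq, dscp))
            if first[1] != dscp:
                findings.append((name, seq, f"dscp {dscp} collides with dscp {first[1]} in sequence {first[0]}"))
    return findings

# Constructed sample configuration, not taken from the original page.
SAMPLE = """\
set routing pbr map PBR_map1 sequence 10 match destination-ipv4 1.1.1.0/24
set routing pbr map PBR_map1 sequence 10 match dscp 40
set routing pbr map PBR_map1 sequence 10 action dscp 40
set routing pbr map PBR_map1 sequence 20 match source-ipv4 0.0.0.0/32
set routing pbr map PBR_map1 sequence 20 match dscp 8
set routing pbr map PBR_map1 sequence 20 action dscp 40
set routing pbr map PBR_map1 sequence 30 match source-ipv4 10.0.0.0/24
set routing pbr map PBR_map1 sequence 30 match destination-ipv6 2001:db8::/32
set routing pbr map PBR_map1 sequence 40 match source-port 443
"""

if __name__ == "__main__":
    print(*lint_pbr(SAMPLE), sep="\n")
```

In the sample, sequences 10 and 20 are written with DSCP 40 and 8, but both are compared as 0, so the checker reports them as colliding within the same map.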

Configuring Policy-Based Routing

Follow the configuration roadmap below to complete the deployment of Policy-Based Routing:

...

Policies in PBR include match rules, which are conditions that incoming packets must meet in order to be subjected to the policy. Match rules include attributes such as source/destination IP address, source/destination port, and DSCP value.

2. Configure PBR action.

...

set routing pbr map <map-name> sequence <sequence-number> match source-port <source-port>

set routing pbr map <map-name> sequence <sequence-number> match dscp <dscp-value>

set routing pbr map <map-name> sequence <sequence-number> match destination-ipv6 <ipv6-address/prefix-length>

...