Configuring Policy-Based Routing

Configuration Notes and Constraints

When configuring PBR, consider the following points:

  • PBR processes only IP packets; L2 messages are not processed.

  • PBR processes only unicast packets; multicast packets are not processed.

  • PBR handles only forwarded packets; it does not handle locally originated packets (including local protocol and data packets).

  • A PBR policy applies to the VLAN interface where the traffic is coming in.

  • Each PBR map can be applied to multiple Layer 3 interfaces, but each Layer 3 interface can have at most one PBR map configured.

  • You cannot configure both IPv4 and IPv6 match conditions for the same PBR policy sequence.

  • At least one match condition SHOULD be configured for a PBR policy.

  • A PBR policy must contain an action configuration. However, if the action is configured with only a DSCP value and no next-hop IP address, as in the following commands, the policy only changes the DSCP value of the matched messages, which are then forwarded by destination address according to the route table.

admin@PICOS# set routing pbr map PBR_map1 sequence 10 match destination-ipv4 1.1.1.0/24

admin@PICOS# set routing pbr map PBR_map1 sequence 10 action dscp 40

  • The next-hop address must be directly connected and reachable; recursive next-hop resolution is not supported.

  • A tunnel IP address is not supported as the next-hop address in the action configuration.

  • If a message matches both the Discard rule in the firewall filter ACL and the PBR rule, the Discard rule has the higher priority and the message is discarded.

  • IPSG ACL takes precedence over PBR ACL. If a packet is discarded by the IPSG module, it will have no chance to be processed by the PBR module.

Configuring Policy-Based Routing

Follow the configuration roadmap below to complete the deployment of Policy-Based Routing:

1. Configure the PBR match rule.

PBR policies include match rules, which are the conditions that incoming packets must meet to be subject to the policy. Match rules include attributes such as source/destination IP address and source/destination port.

2. Configure the PBR action.

Once a packet matches the specified rule in a policy, an action is taken based on the policy configuration. The action can route the packet through a specific next-hop router or a group of next-hop routers, or change Quality of Service (QoS) settings such as the DSCP value.

3. Configure the interface to which the PBR policy is applied.

Apply the policy to the VLAN interface where the traffic is coming in.

Procedure

Step 1          Enable IP routing for L3 forwarding.

set ip routing enable true

Step 2          Configure the match rule for PBR traffic classification.

set routing pbr map <map-name> sequence <sequence-number> match destination-ipv4 <ipv4-address/prefix-length>

set routing pbr map <map-name> sequence <sequence-number> match source-ipv4 <ipv4-address/prefix-length>

set routing pbr map <map-name> sequence <sequence-number> match destination-port <destination-port>

set routing pbr map <map-name> sequence <sequence-number> match source-port <source-port>

set routing pbr map <map-name> sequence <sequence-number> match destination-ipv6 <ipv6-address/prefix-length>

set routing pbr map <map-name> sequence <sequence-number> match source-ipv6 <ipv6-address/prefix-length>

Step 3          Configure an action to redirect packets to a next-hop IPv4/IPv6 address for policy-based routing.

set routing pbr map <map-name> sequence <sequence-number> action nexthop <ip-address> [nexthop-vrf <vrf-name>]

Step 4          (Optional) Configure an action to redirect packets to a next-hop group of IPv4/IPv6 addresses for policy-based routing.

set routing nexthop-group <group-name> nexthop-vrf <vrf-name> nexthop <ip-address>

set routing pbr map <map-name> sequence <sequence-number> action nexthop-group <group-name>

Step 5          Configure an action to modify the DSCP value in packets for policy-based routing.

set routing pbr map <map-name> sequence <sequence-number> action dscp <dscp-value>

Step 6          Apply the PBR policy to the VLAN interface where the traffic is coming in.

set routing pbr map <map-name> vlan-interface <vlan-interface>

Step 7          Commit the configuration.

commit

Step 8          View the configuration information of policy-based routing.

run show pbr map [<map-name>]
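
Several of the constraints under Configuration Notes and Constraints can be checked on a candidate configuration before it is committed. The following is an added example, not Pica8 code: it parses the `set routing pbr` commands shown in the procedure and reports sequences that break those constraints. The function name `lint_pbr`, the sample configuration, its addresses and the interface name `vlan10` are constructed for illustration.

```python
import re
from collections import defaultdict

# Command shapes as given in the procedure above; a CLI prompt prefix is tolerated.
SEQ = re.compile(r"set routing pbr map (\S+) sequence (\d+) (match|action) (\S+)")
BIND = re.compile(r"set routing pbr map (\S+) vlan-interface (\S+)")

# Constructed sample configuration (not from a real device).
SAMPLE = """\
set routing pbr map PBR_map1 sequence 10 match destination-ipv4 1.1.1.0/24
set routing pbr map PBR_map1 sequence 10 action dscp 40
set routing pbr map PBR_map1 sequence 20 match source-ipv4 10.0.0.0/24
set routing pbr map PBR_map1 sequence 20 match destination-ipv6 2001:db8::/64
set routing pbr map PBR_map1 sequence 20 action nexthop 192.0.2.1
set routing pbr map PBR_map2 sequence 10 match source-port 443
set routing pbr map PBR_map1 vlan-interface vlan10
set routing pbr map PBR_map2 vlan-interface vlan10
"""

def lint_pbr(config: str) -> list[str]:
    """Return one finding per PBR constraint from this page that the config breaks."""
    matches = defaultdict(set)    # (map, sequence) -> match field names
    actions = defaultdict(set)    # (map, sequence) -> action keywords
    bindings = defaultdict(set)   # vlan-interface  -> map names applied to it
    for line in config.splitlines():
        line = " ".join(line.split())           # collapse repeated whitespace
        if m := SEQ.search(line):
            name, seq, kind, field = m.groups()
            (matches if kind == "match" else actions)[(name, int(seq))].add(field)
        elif m := BIND.search(line):
            bindings[m.group(2)].add(m.group(1))
    findings = []
    for key in sorted(set(matches) | set(actions)):
        label = f"map {key[0]} sequence {key[1]}"
        fields = matches[key]
        if not fields:
            findings.append(f"{label}: no match condition")
        if {f[-4:] for f in fields} >= {"ipv4", "ipv6"}:
            findings.append(f"{label}: mixes IPv4 and IPv6 match conditions")
        if not actions[key]:
            findings.append(f"{label}: no action configured")
        elif actions[key] == {"dscp"}:
            findings.append(f"{label}: DSCP-only action, forwarding follows the route table")
    for iface, maps in sorted(bindings.items()):
        if len(maps) > 1:
            findings.append(f"{iface}: more than one PBR map applied ({', '.join(sorted(maps))})")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_pbr(SAMPLE)))
```

The DSCP-only finding is informational: such a policy is valid but redirects nothing, which matters when the map was meant to steer traffic through an inspection or filtering next hop.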

Copyright © 2024 Pica8 Inc. All Rights Reserved.