Configuration Notes and Constraints
When configuring PBR, consider the following points:
PBR processes only IP packets, L2 messages are not processed.
PBR processes only unicast packets, multicast packets are not processed.
PBR only handles forwarded packets, but does not handle locally originated packets (including local protocol and data packets).
PBR policy applies to the VLAN interface where the traffic is coming in.
You cannot configure both IPv4 and IPv6 match conditions for the same PBR policy sequence.
For a PBR rule, at least one of the IP match conditions (destination-ipv4, source-ipv4, destination-ipv6, source-ipv6) SHOULD be configured, otherwise the following error is reported.
At least one of destination-ipv4, source-ipv4, destination-ipv6, source-ipv6 need to be configured Commit failed. |
If you do not want to filter IP address, you can configure the IP address in the match rule with all 0s.
admin@PICOS# set routing pbr map PBR_map1 sequence 10 match source-ipv4 0.0.0.0/32 |
A PBR rule must contain an action configuration. However, if the action is configured with only DSCP, but no next-hop IP address, as shown in the following command line, this PBR policy only changes the DSCP value of the matched messages which will be forwarded based on the destination address according to the route table.
admin@PICOS# set routing pbr map PBR_map1 sequence 10 match destination-ipv4 1.1.1.0/24 admin@PICOS# set routing pbr map PBR_map1 sequence 10 action dscp 40 |
The next-hop address must be directly connected and reachable without supporting recursion.
The next-hop address in the action configuration does not support the tunnel IP address.
Each PBR map can be applied to multiple Layer 3 interfaces, but each Layer 3 interface can have at most one PBR map configured.
If a message matches the Discard rule in the firewall filter ACL and also matches the PBR rule, the Discard rule in the firewall filter ACL has a higher priority than the PBR rule, then the message will be discarded.
IPSG ACL takes precedence over PBR ACL. If a packet is discarded by the IPSG module, it will have no chance to be processed by the PBR module.
When performing matching operations on the DSCP value of a packet, DSCP values (in the received packet and user-configured DSCP value in the match rule) exceeding 7 will undergo internal conversion, taking only the last 3 bits of the binary representation as the DSCP value. This may result in different DSCP values being converted to the same value, leading to potential matching errors. This is the limitation for using DSCP as a match condition.
Configuring Policy-Based Routing
Follow the configuration roadmap below to complete the deployment of Policy-Based Routing:
1. Configure PBR match rule.
Policies in PBR include match rule, which are conditions that incoming packets must meet in order to be subjected to the policy. Match rules include attributes such as source/destination IP address, source/destination port, and DSCP value.
2. Configure PBR action.
Once a packet matches the specified rule in a policy, an action is taken based on the policy configuration. This action could involve routing the packet through a specific next-hop router, changing Quality of Service (QoS) policies such as DSCP value.
3. Configure applying interface for the PBR policy.
Applying this policy to the VLAN interface where the traffic is coming in.
Procedure
Step 1 Enable IP routing for L3 forwarding.
set ip routing enable true
Step 2 Configure the match rule for PBR traffic classification.
set routing pbr map <map-name> sequence <sequence-number> match destination-ipv4 <ipv4-address/prefix-length>
set routing pbr map <map-name> sequence <sequence-number> match source-ipv4 <ipv4-address/prefix-length>
set routing pbr map <map-name> sequence <sequence-number> match destination-port <destination-port>
set routing pbr map <map-name> sequence <sequence-number> match source-port <source-port>
set routing pbr map <map-name> sequence <sequence-number> match dscp <dscp-value>
set routing pbr map <map-name> sequence <sequence-number> match destination-ipv6 <ipv6-address/prefix-length>
set routing pbr map <map-name> sequence <sequence-number> match source-ipv6 <ipv6-address/prefix-length>
Step 3 Configure an action to redirect packets to a next-hop IPv4/IPv6 address for policy-based routing.
set routing pbr map <map-name> sequence <sequence-number> action nexthop <ip-address> [nexthop-vrf <vrf-name>]
Step 4 Configure an action to modify the DSCP value in packets for policy-based routing.
set routing pbr map <map-name> sequence <sequence-number> action dscp <dscp-value>
Step 5 Apply the PBR policy to the VLAN interface where the traffic is coming in.
set routing pbr map <map-name> vlan-interface <vlan-interface>
Step 6 Commit the configuration.
commit
Step 7 View the configuration information of policy-based routing.
run show pbr map [<map-name>]