05-Layer 3—IP Routing Configuration Guide

13-Dual-stack PBR configuration

Configuring dual-stack PBR

About dual-stack PBR

Dual-stack policy-based routing (dual-stack PBR) uses user-defined policies to route packets. A policy can specify parameters for IPv4 or IPv6 packets that match specific criteria such as ACLs. The parameters include the next hop and output interface.

Dual-stack policy

A dual-stack PBR policy includes match criteria and actions to be taken on the matching packets. A dual-stack PBR policy can have one or multiple nodes as follows:

·     Each node is identified by a node number. A smaller node number has a higher priority.

·     A node contains if-match and apply clauses. An if-match clause specifies a match criterion, and an apply clause specifies an action.

·     A node has a match mode of permit or deny.

A dual-stack PBR policy compares packets with dual-stack PBR policy nodes in priority order. If a packet matches the criteria on a node, it is processed by the action on the node. If the packet does not match any criteria on the node, it goes to the next node for a match. If the packet does not match the criteria on any node, the device performs a routing table lookup.

Relationship between if-match clauses

On a node, you can specify only one if-match clause. If you specify multiple clauses for a node, the most recently specified clause takes effect.

Relationship between apply clauses

You can specify multiple apply clauses for a node, but some of them might not be executed. For more information about the relationship between apply clauses, see "Configuring actions for a dual-stack policy node."

Relationship between the match mode and clauses on the node

| Does a packet match all the if-match clauses on the node? | Match mode: permit | Match mode: deny |
| --- | --- | --- |
| Yes. | If the node contains apply clauses, dual-stack PBR executes the apply clauses on the node. If dual-stack PBR-based forwarding succeeds, dual-stack PBR does not compare the packet with the next node. If dual-stack PBR-based forwarding fails, dual-stack PBR does not compare the packet with the next node. If the node does not contain apply clauses, the device performs a routing table lookup for the packet. | The device performs a routing table lookup for the packet. |
| No. | Dual-stack PBR compares the packet with the next node. | Dual-stack PBR compares the packet with the next node. |

 

NOTE:

A node that has no if-match clauses matches any packet.

Packet forwarding process

You can apply a dual-stack PBR policy to an interface or to all interfaces on the device. Once the policy is applied, the device searches the policy for a matching node each time it receives a packet, and uses that node to forward the packet.

·     If a matching node is found and its match mode is permit, the device performs the following operations:

a.     Uses the next hops or output interfaces specified on the node to forward the packet.

b.     Searches the routing table for a route to forward the packet if one of the following conditions exists:

-     No next hops or output interfaces are specified on the node.

-     Forwarding failed based on the next hops or output interfaces.

·     The device performs routing table lookup to forward the packet in either of the following conditions:

¡     No matching node is found.

¡     A matching node is found, but its match mode is deny.

Dual-stack PBR and Track

Dual-stack PBR can work with the Track feature to dynamically adapt the availability status of an apply clause to the link status of a tracked object. The tracked object can be a next hop.

·     When the track entry associated with an object changes to Negative, the apply clause is invalid.

·     When the track entry changes to Positive or NotReady, the apply clause is valid.

For more information about Track and dual-stack PBR collaboration, see High Availability Configuration Guide.

Restrictions and guidelines: Dual-stack PBR configuration

If a packet destined for the device matches a dual-stack PBR policy, dual-stack PBR will execute the apply clauses in the policy, including the clause for forwarding. When you configure a dual-stack PBR policy, be careful to avoid this situation.
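The node evaluation order, the Track states, and the self-destined-packet restriction described above, modeled as an added Python example (not H3C code or output). It assumes a next hop is usable unless its track entry is Negative, uses the constructed address 192.0.2.1 for the switch itself, and borrows policy aaa from the interface PBR example in this guide; the deny node 1 in `guarded` is a hypothetical addition.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Node:
    number: int
    mode: str                       # "permit" or "deny"
    acl: dict = None                # None: no if-match clause, matches any packet
    next_hops: list = field(default_factory=list)  # [(address, track state or None)]
    null0: bool = False             # apply output-interface null 0

def acl_matches(acl, pkt):
    """acl: version, proto, optional 'dst' prefix. pkt: version, proto, dst."""
    if (acl["version"], acl["proto"]) != (pkt["version"], pkt["proto"]):
        return False
    dst = acl.get("dst")
    return dst is None or ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(dst)

def forward(policy, pkt):
    for node in sorted(policy, key=lambda n: n.number):  # smaller number, higher priority
        if node.acl is not None and not acl_matches(node.acl, pkt):
            continue                                     # no match: compare with the next node
        if node.mode == "deny":
            return "routing-table"                       # matched a deny node
        for addr, track in node.next_hops:               # next-hop wins over output-interface
            if track != "Negative":                      # Positive, NotReady or untracked
                return "next-hop " + addr
        if node.null0 and not node.next_hops:
            return "null0"
        return "routing-table"                           # matched, but no usable action
    return "routing-table"                               # no node matched

SELF = "192.0.2.1"    # constructed address of the switch itself (not from this guide)
V4_TCP = {"version": 4, "proto": "tcp"}
V6_TCP = {"version": 6, "proto": "tcp"}
aaa = [Node(5, "permit", V4_TCP, [("1.1.2.2", None)]),
       Node(10, "permit", V6_TCP, [("2::2", None)])]
# Hypothetical guard: a lower-numbered deny node for TCP addressed to the switch,
# so management sessions fall through to the routing table instead of the next hop.
guarded = [Node(1, "deny", dict(V4_TCP, dst=SELF + "/32"))] + aaa
mgmt = {"version": 4, "proto": "tcp", "dst": SELF}       # e.g. a Telnet session to the switch

if __name__ == "__main__":
    print("aaa:    ", forward(aaa, mgmt))
    print("guarded:", forward(guarded, mgmt))
```

With policy aaa alone, a TCP session addressed to the switch is handed to next hop 1.1.2.2, which is the situation the restriction warns about; with the guard node it is resolved by the routing table.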

Dual-stack PBR tasks at a glance

To configure dual-stack PBR, perform the following tasks:

1.     Configuring a dual-stack PBR policy

a.     Creating a dual-stack policy node

b.     Setting match criteria for a dual-stack policy node

c.     Configuring actions for a dual-stack policy node

2.     Specifying a policy for dual-stack PBR

Choose the following tasks as needed:

¡     Specifying a policy for interface dual-stack PBR

¡     Specifying a policy for global dual-stack PBR

A global dual-stack PBR policy applies to all interfaces on the device.

Configuring a dual-stack PBR policy

Creating a dual-stack policy node

1.     Enter system view.

system-view

2.     Create a node for a dual-stack policy, and enter its view.

dual-stack policy-based-route policy-name [ deny | permit ] node node-number

3.     (Optional.) Configure a description for the policy node.

description text

By default, no description is configured for a dual-stack policy node.

Setting match criteria for a dual-stack policy node

1.     Enter system view.

system-view

2.     Enter dual-stack policy node view.

dual-stack policy-based-route policy-name [ deny | permit ] node node-number

3.     Set an ACL match criterion.

if-match acl { ipv4 | ipv6 | user-defined } { acl-number | name acl-name }

By default, no ACL match criterion is set.

When using the ACL to match packets, dual-stack PBR ignores the action (permit or deny) and time range settings in the ACL.

Configuring actions for a dual-stack policy node

About this task

The apply clauses allow you to specify the actions to be taken on matching packets on a dual-stack policy node.

The following apply clauses determine the packet forwarding paths, listed in descending order of priority:

·     apply next-hop

·     apply output-interface

Dual-stack PBR supports the apply clauses in Table 1.

Table 1 Apply clauses supported in PBR

| Clause | Meaning | Remarks |
| --- | --- | --- |
| apply next-hop and apply output-interface | Sets next hops and sets output interfaces. | If both clauses are configured, only the apply next-hop clause is executed. |

Restrictions and guidelines

If you specify a next hop, dual-stack PBR periodically performs FIB table lookup to determine its availability. Temporary service interruption might occur if dual-stack PBR does not update the route immediately after its availability status changes.

Configuring actions to direct packet forwarding

1.     Enter system view.

system-view

2.     Enter dual-stack policy node view.

dual-stack policy-based-route policy-name [ deny | permit ] node node-number

3.     Configure actions.

¡     Set next hops.

apply next-hop [ vpn-instance vpn-instance-name ] { { ipv4-address | ipv6-address } [ direct ] [ track track-entry-number ] }&<1-8>

By default, no next hops are specified.

On a node, you can specify a maximum of eight next hops for backup in one command line or by executing this command multiple times.

If multiple next hops on the same subnet are specified for backup, the device first uses the subnet route for the next hops to forward packets when the primary next hop fails. If the subnet route is not available, the device selects a backup next hop.

¡     Set an output interface.

apply output-interface null 0

By default, no output interface is specified.

Specifying a policy for dual-stack PBR

Specifying a policy for interface dual-stack PBR

About this task

Perform this task to apply a dual-stack policy to an interface to guide the forwarding of packets received on the interface.

Restrictions and guidelines

You can apply only one dual-stack policy to an interface and must make sure the specified policy already exists. Before you can apply a new dual-stack PBR policy to an interface, you must first remove the current dual-stack policy from the interface.

You can apply a dual-stack policy to multiple interfaces.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Specify a dual-stack policy for interface PBR.

dual-stack policy-based-route policy-name

By default, no interface dual-stack policy is applied to an interface.

Specifying a policy for global dual-stack PBR

About this task

Perform this task to apply a dual-stack policy to all interfaces on the device to guide the forwarding of packets received on the interfaces.

Restrictions and guidelines

You can apply only one policy for global dual-stack PBR and the specified policy must already exist. Before you can apply a new policy, you must first remove the current policy.

Interface dual-stack PBR takes precedence over global dual-stack PBR on an interface. When they are both configured and packets fail to match the interface dual-stack PBR policy, global dual-stack PBR applies.

Procedure

1.     Enter system view.

system-view

2.     Specify a policy for global dual-stack PBR.

dual-stack global policy-based-route policy-name

By default, no policy is specified for global dual-stack PBR.

Display and maintenance commands for dual-stack PBR

Execute display commands in any view and reset commands in user view.

 

| Task | Command |
| --- | --- |
| Display dual-stack PBR policy information. | display dual-stack policy-based-route [ policy policy-name ] |
| Display global dual-stack PBR configuration and statistics. | display dual-stack policy-based-route global [ slot slot-number ] |
| Display interface dual-stack PBR configuration and statistics. | display dual-stack policy-based-route interface interface-type interface-number [ slot slot-number ] |
| Display dual-stack PBR configuration. | display dual-stack policy-based-route setup |
| Clear dual-stack PBR statistics. | reset dual-stack policy-based-route statistics [ policy policy-name ] |

PBR configuration examples

Example: Configuring packet type-based interface dual-stack PBR

Network configuration

As shown in Figure 1, Switch B and Switch C do not have a route to reach each other.

Configure dual-stack PBR on Switch A to implement the following requirements:

·     Forward all IPv4 TCP packets received on VLAN-interface 11 to next hop 1.1.2.2 (Switch B).

·     Forward all IPv6 TCP packets received on VLAN-interface 11 to next hop 2::2 (Switch C).

Figure 1 Network diagram

Procedure

1.     Assign IP addresses to the interfaces as shown in Figure 1. (Details not shown.)

2.     Configure static or dynamic routing protocol settings to make sure Host A and B can communicate with Switch B and Switch C, respectively. (Details not shown.)

3.     Configure dual-stack PBR on Switch A:

# Configure ACL 3101 to match IPv4 TCP packets.

<SwitchA> system-view

[SwitchA] acl advanced 3101

[SwitchA-acl-ipv4-adv-3101] rule permit tcp

[SwitchA-acl-ipv4-adv-3101] quit

# Configure ACL 3102 to match IPv6 TCP packets.

[SwitchA] acl ipv6 advanced 3102

[SwitchA-acl-ipv6-adv-3102] rule permit tcp

[SwitchA-acl-ipv6-adv-3102] quit

# Configure Node 5 for the dual-stack policy aaa to forward IPv4 TCP packets to next hop 1.1.2.2.

[SwitchA] dual-stack policy-based-route aaa permit node 5

[SwitchA-pbrdual-aaa-5] if-match acl ipv4 3101

[SwitchA-pbrdual-aaa-5] apply next-hop 1.1.2.2

[SwitchA-pbrdual-aaa-5] quit

# Configure Node 10 for the dual-stack policy aaa to forward IPv6 TCP packets to next hop 2::2.

[SwitchA] dual-stack policy-based-route aaa permit node 10

[SwitchA-pbrdual-aaa-10] if-match acl ipv6 3102

[SwitchA-pbrdual-aaa-10] apply next-hop 2::2

[SwitchA-pbrdual-aaa-10] quit

# Configure interface dual-stack PBR by applying policy aaa to VLAN-interface 11.

[SwitchA] interface vlan-interface 11

[SwitchA-Vlan-interface11] dual-stack policy-based-route aaa

[SwitchA-Vlan-interface11] quit

Verifying the configuration

Perform telnet and ping operations to verify that interface dual-stack PBR on Switch A operates as configured to perform packet forwarding as follows:

·     Forwards the matching IPv4 TCP packets to the next hop 1.1.2.2 (Switch B).

·     Forwards the matching IPv6 TCP packets to the next hop 2::2 (Switch C).

# Verify that you can telnet to Switch B (1.1.2.2) from Host A successfully. (Details not shown.)

# Verify that you cannot telnet to Switch C (1.1.3.2) from Host A. (Details not shown.)

# Verify that you can ping Switch C (1.1.3.2) from Host A successfully. (Details not shown.)

# Verify that you can telnet to Switch C (2::2) from Host B successfully. (Details not shown.)

# Verify that you cannot telnet to Switch B (1::2) from Host B. (Details not shown.)

# Verify that you can ping Switch B (1::2) from Host B successfully. (Details not shown.)

Example: Configuring packet type-based global dual-stack PBR

Network configuration

As shown in Figure 2, Switch E and Switch F do not have a route to reach each other.

Configure global dual-stack PBR on Switch D to implement the following requirements:

·     Forward IPv4 TCP packets to next hop 1.1.4.2 (Switch E).

·     Forward IPv6 TCP packets to next hop 5::2 (Switch F).

Figure 2 Network diagram

Procedure

1.     Assign IP addresses to the interfaces, as shown in Figure 2. (Details not shown.)

2.     Configure static or dynamic routing protocol settings to make sure Switch A, B and C can communicate with Switch E and Switch F, respectively. (Details not shown.)

3.     Configure dual-stack PBR on Switch D:

# Configure ACL 3101 to match IPv4 TCP packets sourced from networks 1.1.1.0/24, 1.1.2.0/24, and 1.1.3.0/24.

<SwitchD> system-view

[SwitchD] acl advanced 3101

[SwitchD-acl-ipv4-adv-3101] rule permit tcp source 1.1.1.0 0.0.0.255

[SwitchD-acl-ipv4-adv-3101] rule permit tcp source 1.1.2.0 0.0.0.255

[SwitchD-acl-ipv4-adv-3101] rule permit tcp source 1.1.3.0 0.0.0.255

[SwitchD-acl-ipv4-adv-3101] quit

# Configure ACL 3102 to match IPv6 TCP packets sourced from networks 1::0/64, 2::0/64, and 3::0/64.

[SwitchD] acl ipv6 advanced 3102

[SwitchD-acl-ipv6-adv-3102] rule permit tcp source 1::0 64

[SwitchD-acl-ipv6-adv-3102] rule permit tcp source 2::0 64

[SwitchD-acl-ipv6-adv-3102] rule permit tcp source 3::0 64

[SwitchD-acl-ipv6-adv-3102] quit

# Configure node 5 in dual-stack PBR policy aaa to forward IPv4 TCP packets that match ACL 3101 to next hop 1.1.4.2.

[SwitchD] dual-stack policy-based-route aaa permit node 5

[SwitchD-pbrdual-aaa-5] if-match acl ipv4 3101

[SwitchD-pbrdual-aaa-5] apply next-hop 1.1.4.2

[SwitchD-pbrdual-aaa-5] quit

# Configure node 10 in dual-stack PBR policy aaa to forward IPv6 TCP packets that match ACL 3102 to next hop 5::2.

[SwitchD] dual-stack policy-based-route aaa permit node 10

[SwitchD-pbrdual-aaa-10] if-match acl ipv6 3102

[SwitchD-pbrdual-aaa-10] apply next-hop 5::2

[SwitchD-pbrdual-aaa-10] quit

# Specify dual-stack PBR policy aaa as the global PBR policy.

[SwitchD] dual-stack global policy-based-route aaa

Verifying the configuration

Perform telnet and ping operations to verify that global dual-stack PBR on Switch D operates as configured to perform packet forwarding as follows:

·     Forwards the matching IPv4 TCP packets to the next hop 1.1.4.2 (Switch E).

·     Forwards the matching IPv6 TCP packets to the next hop 5::2 (Switch F).

# Verify that you can telnet to Switch E (1.1.4.2) successfully and cannot telnet to Switch F (1.1.5.2), from Switch A, B, and C. (Details not shown.)

# Verify that you can ping Switch F (1.1.5.2) from Switch A, B and C successfully. (Details not shown.)

# Verify that you can telnet to Switch F (5::2) successfully and cannot telnet to Switch E (4::2/64), from Switch A, B, and C. (Details not shown.)

# Verify that you can ping Switch F (4::2) from Switch A, B and C successfully. (Details not shown.)
