07-Layer 3 - IP Routing Configuration Guide

07-Policy-Based Routing Configuration

 

 

NOTE:

The switch operates in IRF or standalone (the default) mode. For more information about IRF mode, see IRF Configuration Guide.

 

Introduction to policy-based routing

What is policy-based routing

Policy-based routing (PBR) is a routing mechanism based on user-defined policies. Different from the traditional destination-based routing mechanism, PBR enables you to use a policy to route packets based on the source address, packet length, and other criteria. You can specify the VPN instance, packet priority, outgoing interface, next hop, default outgoing interface, default next hop, and other parameters to guide the forwarding of packets that match specific ACLs or have specific lengths.

PBR involves local PBR and interface PBR:

·           Local PBR applies to locally generated packets only, such as the ICMP packets generated by using the ping command.

·           Interface PBR applies to packets forwarded through the interface only.

In most cases, interface PBR is implemented to meet the forwarding and security requirements.

In general, PBR takes precedence over destination-based routing. PBR applies to the packets matching the specified criteria, and other packets are forwarded through destination-based routing.

Policy

A policy, which comprises one or more nodes, is used to route IP packets.

Node

A node is identified by a node number. The smaller the node number is, the higher the priority of the node is.

A policy node consists of if-match clauses and apply clauses. An if-match clause specifies a match criterion on a node, while an apply clause specifies an action to be taken on packets.

The action to be taken on matched packets depends on the match mode, which can be permit or deny.

if-match clause

Currently, only one type of if-match clause is available: if-match acl.

You can specify only one if-match clause of each type in a policy node.

apply clause

PBR supports the apply clauses listed in Table 1.

Table 1 Priorities of the apply clauses in a policy node

Clause: apply access-vpn vpn-instance

Meaning: Sets VPN instances.

Priority: If a packet matches a forwarding entry of a specified VPN instance, it is forwarded in that VPN instance. If it matches no entry in any of the specified VPN instances, it is discarded.

Clause: apply ip-precedence

Meaning: Sets an IP precedence.

Priority: If configured for public network forwarding (that is, the apply access-vpn vpn-instance clause is not configured), this clause is always executed.

Clause: apply ip-address next-hop

Meaning: Sets the next hop.

Priority: If configured for public network forwarding (that is, the apply access-vpn vpn-instance clause is not configured), this clause is executed as long as the next hop is valid.

 

 

NOTE:

·       If the next hop of PBR is configured as direct and the ARP entry for the specified next hop can be learned, the next hop is considered valid; otherwise, it is considered invalid.

·       To set VPN instances for a system that works in standard mode, you must configure reserved VLANs before configuring VPNs. For more information about system working modes, see Fundamentals Configuration Guide. For more information about reserved VLAN, see the reserve-vlan vlan-id command in MPLS Command Reference.

 

Relationship between the match mode and clauses

If a packet matches all the if-match clauses on a policy node:

·           In permit mode, the apply clause is executed, and the packet does not go to the next policy node for a match.

·           In deny mode, the apply clause is not executed, the packet does not go to the next policy node for a match, and it is forwarded according to the routing table.

If a packet fails to match an if-match clause on the policy node:

·           In both permit mode and deny mode, the apply clause is not executed, and the packet goes to the next policy node for a match.

 

There is an OR relationship between the nodes of a policy. If a packet matches a node, it passes the policy; if the packet does not match any node of the policy, it fails to pass the policy, and is forwarded according to the routing table.

PBR and track

Associated with a track object, PBR can detect topology changes faster. You can associate PBR with a track entry when you configure the outgoing interface, default outgoing interface, next hop, and default next hop to dynamically determine link reachability. The PBR configuration takes effect when the status of the associated track object is positive or invalid.

 

 

NOTE:

For more information about track-PBR collaboration, see High Availability Configuration Guide.

 

Configuring PBR

Defining a policy

To define a policy:

1.     Enter system view.

Command: system-view

Remarks: N/A

2.     Create a policy or policy node and enter PBR policy node view.

Command: policy-based-route policy-name [ deny | permit ] node node-number

Remarks: N/A

3.     Define an ACL match criterion.

Command: if-match acl acl-number

Remarks: Optional.

4.     Set a VPN instance.

Command: apply access-vpn vpn-instance vpn-instance-name

Remarks: Optional.

5.     Set an IP precedence.

Command: apply ip-precedence value

Remarks: Optional.

6.     Set next hops.

Command: apply ip-address next-hop [ vpn-instance vpn-instance-name ] ip-address1 [ direct ] [ track track-entry-number ] [ ip-address2 [ direct ] [ track track-entry-number ] ]

Remarks: Optional. If you configure two next hops for a policy at the same time, only the primary next hop takes effect. The backup next hop takes effect only when the primary next hop is invalid.

 

 

NOTE:

·       If an ACL match criterion is defined, packets are matched against the ACL rules, whereas the permit or deny action of the specified ACL is ignored. If the specified ACL does not exist, no packet is matched.

·       The rule you add to an ACL that has been used by a policy cannot take effect if hardware resources are insufficient or the policy does not support the rule. Such rules are marked as uncompleted in the output of the display acl { acl-number | all | name acl-name } slot slot-number command. To successfully apply the rule, you must delete the rule and reconfigure it when hardware resources are sufficient. For more information about the display acl command, see ACL and QoS Command Reference.

·       You can configure two next hops by using the apply ip-address next-hop command twice (first case) or once (second case). After that, executing the apply ip-address next-hop command with a new next hop will replace the earlier configured next hop in the first case, or will replace the second next hop specified in the second case. To remove both next hops, execute the apply ip-address next-hop command again by specifying two next hops.

 

CAUTION:

·       If a policy node has no if-match clause configured, all packets can match the policy node. However, an action is taken according to the match mode, and the packets will not go to the next policy node for a match.

·       If a permit-mode policy node has no apply clause configured, packets matching all the if-match clauses of the node can pass the policy node, and no action is taken. The matching packets will not go to the next policy node for a match, and will be forwarded according to the routing table.

·       If a policy node has neither if-match nor apply clauses configured, all packets can match the policy node. However, no action is taken. The packets will not go to the next policy node for a match, and will be forwarded according to the routing table.
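The match-mode table and the cautions above describe a small decision procedure, and it is easy to get the edge cases wrong when reading a policy. The following model, added here as an illustration and not part of the H3C guide or H3C software, encodes the stated rules: nodes are tried in ascending node-number order; an ACL rule's permit or deny action is ignored and only its match fields count; a nonexistent ACL matches nothing; a node without an if-match clause matches every packet; a matched deny node, or a matched permit node with no usable apply clause, ends evaluation and hands the packet to the routing table; and a backup next hop is used only when the primary is invalid. Next-hop validity (ARP entry learned, track entry positive) is abstracted into a set of currently valid addresses, and the case where both next hops are invalid is treated like a node with no apply clause; both of these are simplifications of the model, not statements from the guide. All ACL numbers, node numbers, addresses and packets below are constructed sample data.

```python
# Constructed model of PBR policy-node evaluation; not H3C code.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class AclRule:
    action: str                 # "permit" or "deny": ignored by PBR matching
    protocol: str               # "ip" matches any protocol, else "tcp"/"udp"/"icmp"
    source: str = "0.0.0.0/0"   # source prefix the rule matches


@dataclass
class Packet:
    protocol: str
    src: str
    dst: str


@dataclass
class Node:
    number: int
    mode: str = "permit"                                 # "permit" or "deny"
    acl: Optional[int] = None                            # if-match acl <n>; None = no if-match clause
    next_hops: List[str] = field(default_factory=list)   # apply ip-address next-hop, primary first


Decision = Tuple[Optional[int], Tuple[str, Optional[str]]]


def acl_matches(rules: List[AclRule], pkt: Packet) -> bool:
    """True if any rule's match fields fit the packet; the rule action is irrelevant."""
    for r in rules:
        proto_ok = r.protocol == "ip" or r.protocol == pkt.protocol
        src_ok = ip_address(pkt.src) in ip_network(r.source, strict=False)
        if proto_ok and src_ok:
            return True
    return False


def node_matches(node: Node, acls: Dict[int, List[AclRule]], pkt: Packet) -> bool:
    if node.acl is None:
        return True            # no if-match clause: every packet matches this node
    if node.acl not in acls:
        return False           # referenced ACL does not exist: nothing matches
    return acl_matches(acls[node.acl], pkt)


def usable_next_hop(node: Node, valid_hops: Set[str]) -> Optional[str]:
    """Primary next hop if valid, otherwise the backup if valid, otherwise None."""
    for hop in node.next_hops:
        if hop in valid_hops:
            return hop
    return None


def evaluate(policy: List[Node], acls: Dict[int, List[AclRule]],
             pkt: Packet, valid_hops: Set[str]) -> Decision:
    """Return (terminating node number or None, ("next-hop", ip) or ("routing-table", None))."""
    for node in sorted(policy, key=lambda n: n.number):   # smaller number = higher priority
        if not node_matches(node, acls, pkt):
            continue                                      # no match: try the next node
        if node.mode == "deny":
            return node.number, ("routing-table", None)   # matched deny node: apply is skipped
        hop = usable_next_hop(node, valid_hops)
        if hop is None:                                   # no apply clause, or no valid hop (assumption)
            return node.number, ("routing-table", None)
        return node.number, ("next-hop", hop)
    return None, ("routing-table", None)                  # matched no node: fails the policy


# Constructed sample configuration, loosely modeled on the guide's policy "aaa".
ACLS = {
    3101: [AclRule("permit", "tcp")],                     # rule permit tcp
    3102: [AclRule("deny", "udp", "10.110.0.0/24")],      # the "deny" action is ignored by PBR
}
POLICY = [
    Node(5, "permit", acl=3101, next_hops=["1.1.2.2", "1.1.2.3"]),  # primary + backup next hop
    Node(10, "deny", acl=3102),
    Node(15, "permit", acl=9999),                         # ACL 9999 does not exist
    Node(20),                                             # no if-match, no apply
]

if __name__ == "__main__":
    tcp = Packet("tcp", "10.110.0.20", "1.1.3.2")
    print(evaluate(POLICY, ACLS, tcp, {"1.1.2.2", "1.1.2.3"}))   # primary next hop used
    print(evaluate(POLICY, ACLS, tcp, {"1.1.2.3"}))              # primary invalid, backup used
    print(evaluate(POLICY, ACLS, tcp, set()))                    # both invalid: routing table
    print(evaluate(POLICY, ACLS, Packet("udp", "10.110.0.20", "1.1.3.2"), {"1.1.2.2"}))   # deny node
    print(evaluate(POLICY, ACLS, Packet("icmp", "10.110.0.20", "1.1.3.2"), {"1.1.2.2"}))  # empty node 20
```

Running the script shows that the ICMP packet never reaches the routing-table fallthrough at the end of the policy: node 20, which has no if-match clause, swallows it first, exactly as the caution about nodes with neither clause describes. That is why a catch-all node, or a node whose ACL was deleted, should be checked for when a policy behaves unexpectedly.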

 

Configuring local PBR

Only one policy can be referenced for local PBR.

To configure local PBR:

1.     Enter system view.

Command: system-view

Remarks: N/A

2.     Configure local PBR.

Command: ip local policy-based-route policy-name

Remarks: Not configured by default.

 

 

NOTE:

·       If the specified policy does not exist, the local PBR configuration succeeds, but it takes effect only when the policy is created.

·       Local PBR supports only IP forwarding.

·       Local PBR does not support the apply access-vpn vpn-instance command.

 

Configuring interface PBR

Only one policy can be referenced by an interface for interface PBR.

To configure interface PBR:

1.     Enter system view.

Command: system-view

Remarks: N/A

2.     Enter interface view.

Command: interface interface-type interface-number

Remarks: N/A

3.     Configure interface PBR.

Command: ip policy-based-route policy-name

Remarks: Not configured by default.

 

 

NOTE:

If the specified policy does not exist, the interface PBR configuration succeeds, but it takes effect only when the policy is created.

 

Displaying and maintaining PBR configuration

Display the PBR routing information (available in any view):

display ip policy-based-route [ | { begin | exclude | include } regular-expression ]

Display the specified PBR routing information in standalone mode (available in any view):

display ip policy-based-route setup { policy-name | interface interface-type interface-number [ slot slot-number ] | local [ slot slot-number ] } [ | { begin | exclude | include } regular-expression ]

Display the specified PBR routing information in IRF mode (available in any view):

display ip policy-based-route setup { policy-name | interface interface-type interface-number [ chassis chassis-number slot slot-number ] | local [ chassis chassis-number slot slot-number ] } [ | { begin | exclude | include } regular-expression ]

Display PBR statistics in standalone mode (available in any view):

display ip policy-based-route statistics { interface interface-type interface-number | local } [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]

Display PBR statistics in IRF mode (available in any view):

display ip policy-based-route statistics { interface interface-type interface-number | local } [ chassis chassis-number slot slot-number ] [ | { begin | exclude | include } regular-expression ]

Display the PBR policy information (available in any view):

display policy-based-route [ policy-name ] [ | { begin | exclude | include } regular-expression ]

Clear PBR statistics (available in user view):

reset policy-based-route statistics [ policy-name ]

 

 

NOTE:

·       If a policy has a node with no if-match clause or apply clause configured, all packets can pass the policy. However, no action is taken and the packets will not go to the next policy node for a match. The statistics of PBR will be changed.

·       If a policy node has if-match clauses but no apply clauses configured, packets will match against these if-match clauses. However, no apply clauses are applicable to the permitted packets, and the packets will not go to the next policy node for a match. The statistics of PBR will be changed.

·       If a policy node has no if-match clause but apply clauses configured, all packets can pass the policy, and then are forwarded according to the apply clauses if the permit keyword is specified for the node, or are denied if the deny keyword is specified. The packets will not go to the next policy node for a match. In this case, the statistics of PBR will be changed.

·       If the match mode of a policy node is deny, no apply clause will be executed for the packets satisfying all the if-match clauses, and the packets will not go to the next policy node for a match. They will be forwarded according to the routing table instead. In this case, neither debugging information nor statistics for the deny match mode can be displayed.

 

PBR configuration examples

 

 

NOTE:

By default, Ethernet, VLAN, and aggregate interfaces are down. Before configuring these interfaces, bring them up by using the undo shutdown command.

 

Configuring local PBR based on packet type

Network requirements

As shown in Figure 1, configure PBR on Switch A, so all TCP packets are forwarded to next hop 1.1.2.2, and other packets are forwarded according to the routing table.

Switch A is directly connected to both Switch B and Switch C. Switch B and Switch C cannot reach each other.

Figure 1 Network diagram

 

Configuration procedure

1.      Configure Switch A:

# Define ACL 3101 to match TCP packets.

<SwitchA> system-view

[SwitchA] acl number 3101

[SwitchA-acl-adv-3101] rule permit tcp

[SwitchA-acl-adv-3101] quit

# Define Node 5 of policy aaa, which forwards TCP packets to next hop 1.1.2.2.

[SwitchA] policy-based-route aaa permit node 5

[SwitchA-pbr-aaa-5] if-match acl 3101

[SwitchA-pbr-aaa-5] apply ip-address next-hop 1.1.2.2

[SwitchA-pbr-aaa-5] quit

# Apply policy aaa to Switch A.

[SwitchA] ip local policy-based-route aaa

# Configure the IP addresses of VLAN-interface 10 and VLAN-interface 20.

[SwitchA] interface Vlan-interface 10

[SwitchA-Vlan-interface10] ip address 1.1.2.1 255.255.255.0

[SwitchA-Vlan-interface10] quit

[SwitchA] interface Vlan-interface 20

[SwitchA-Vlan-interface20] ip address 1.1.3.1 255.255.255.0

2.      Configure Switch B:

# Configure the IP address of VLAN-interface 10.

<SwitchB> system-view

[SwitchB] interface Vlan-interface 10

[SwitchB-Vlan-interface10] ip address 1.1.2.2 255.255.255.0

[SwitchB-Vlan-interface10] quit

3.      Configure Switch C:

# Configure the IP address of VLAN-interface 20.

<SwitchC> system-view

[SwitchC] interface Vlan-interface 20

[SwitchC-Vlan-interface20] ip address 1.1.3.2 255.255.255.0

[SwitchC-Vlan-interface20] quit

4.      Verify the configuration:

# Telnet to Switch B (1.1.2.2/24) from Switch A. The operation succeeds.

<SwitchA> telnet 1.1.2.2

Trying 1.1.2.2 ...

Press CTRL+K to abort

Connected to 1.1.2.2 ...

******************************************************************************

* Copyright (c) 2004-2011 Hangzhou H3C Tech. Co., Ltd. All rights reserved.  *

* Without the owner's prior written consent,                                 *

* no decompiling or reverse-engineering shall be allowed.                    *

******************************************************************************

# Telnet to Switch C (1.1.3.2/24) from Switch A. The operation fails.

<SwitchA> telnet 1.1.3.2

Trying 1.1.3.2 ...

Press CTRL+K to abort

Can't connect to the remote host!

# Ping Switch C (1.1.3.2/24) from Switch A. The operation succeeds.

<SwitchA> ping 1.1.3.2

  PING 1.1.3.2: 56  data bytes, press CTRL_C to break

    Reply from 1.1.3.2: bytes=56 Sequence=1 ttl=255 time=2 ms

    Reply from 1.1.3.2: bytes=56 Sequence=2 ttl=255 time=1 ms

    Reply from 1.1.3.2: bytes=56 Sequence=3 ttl=255 time=1 ms

    Reply from 1.1.3.2: bytes=56 Sequence=4 ttl=255 time=1 ms

    Reply from 1.1.3.2: bytes=56 Sequence=5 ttl=255 time=1 ms

  --- 1.1.3.2 ping statistics ---

    5 packet(s) transmitted

    5 packet(s) received

    0.00% packet loss

    round-trip min/avg/max = 1/1/2 ms

Telnet uses TCP, and ping uses ICMP. The preceding results show that all TCP packets of Switch A are forwarded to next hop 1.1.2.2, and other packets are forwarded via VLAN-interface 20. The PBR configuration is effective.

Configuring interface PBR based on packet type

Network requirements

As shown in Figure 2, configure PBR on Switch A, so all TCP packets arriving on VLAN-interface 10 are forwarded to next hop 1.1.2.2, and other packets are forwarded according to the routing table.

Switch A is directly connected to both Switch B and Switch C. Switch B and Switch C cannot reach each other.

Figure 2 Network diagram

 

Configuration procedure

 

 

NOTE:

In this example, static routes are configured to ensure the reachability among switches.

 

1.      Configure Switch A:

# Define ACL 3101 to match TCP packets.

<SwitchA> system-view

[SwitchA] acl number 3101

[SwitchA-acl-adv-3101] rule permit tcp

[SwitchA-acl-adv-3101] quit

# Define Node 5 of policy aaa, which forwards TCP packets to next hop 1.1.2.2.

[SwitchA] policy-based-route aaa permit node 5

[SwitchA-pbr-aaa-5] if-match acl 3101

[SwitchA-pbr-aaa-5] apply ip-address next-hop 1.1.2.2

[SwitchA-pbr-aaa-5] quit

# Apply the policy aaa to VLAN-interface 11.

[SwitchA] interface vlan-interface 11

[SwitchA-Vlan-interface11] ip address 10.110.0.10 255.255.255.0

[SwitchA-Vlan-interface11] ip policy-based-route aaa

[SwitchA-Vlan-interface11] quit

# Configure the IP addresses of VLAN-interface 10 and VLAN-interface 20.

[SwitchA] interface vlan-interface 10

[SwitchA-Vlan-interface10] ip address 1.1.2.1 255.255.255.0

[SwitchA-Vlan-interface10] quit

[SwitchA] interface vlan-interface 20

[SwitchA-Vlan-interface20] ip address 1.1.3.1 255.255.255.0

2.      Configure Switch B:

# Configure a static route to subnet 10.110.0.0/24.

<SwitchB> system-view

[SwitchB] ip route-static 10.110.0.0 24 1.1.2.1

# Configure the IP address of VLAN-interface 10.

[SwitchB] interface vlan-interface 10

[SwitchB-Vlan-interface10] ip address 1.1.2.2 255.255.255.0

[SwitchB-Vlan-interface10] quit

3.      Configure Switch C:

# Configure a static route to subnet 10.110.0.0/24.

<SwitchC> system-view

[SwitchC] ip route-static 10.110.0.0 24 1.1.3.1

# Configure the IP address of VLAN-interface 20.

[SwitchC] interface vlan-interface 20

[SwitchC-Vlan-interface20] ip address 1.1.3.2 255.255.255.0

[SwitchC-Vlan-interface20] quit

4.      Verify the configuration:

Configure the IP address of Host A as 10.110.0.20/24, and the gateway as 10.110.0.10.

On Host A, telnet to Switch B (1.1.2.2) that is directly connected to Switch A. The operation succeeds.

On Host A, telnet to Switch C (1.1.3.2) that is directly connected to Switch A. The operation fails.

Ping Switch C from Host A. The operation succeeds.

Telnet uses TCP and ping uses ICMP. The preceding results show that all TCP packets arriving on VLAN-interface 11 of Switch A are forwarded to next hop 1.1.2.2, and other packets are forwarded via VLAN-interface 20. The PBR configuration is effective.
