
H3C SecPath M9000 Comware 7 Web configuration guide (R9153P38 R9724P38 R9001P38 E9153P38)-6W401, 06-Network

Policy-based routing

Introduction

About PBR

Policy-based routing (PBR) uses user-defined policies to route packets. A policy can specify parameters for packets that match specific criteria such as ACLs, packet lengths, service object groups, or application groups. The parameters include the next hop, output interface, default next hop, and default output interface.

Policy

A policy includes match criteria and actions to be taken on the matching packets. A policy can have one or multiple nodes as follows:

·     Each node is identified by a node number. A smaller node number has a higher priority.

·     A node contains if-match and apply clauses. An if-match clause specifies a match criterion, and an apply clause specifies an action.

·     A node has a match mode of permit or deny.

You can specify a policy for local PBR to guide the forwarding of locally generated packets, or apply a policy to an interface to guide the forwarding of packets received on the interface.

A policy compares packets with nodes in priority order. If a packet matches the criteria on a node, it is processed by the action on the node. Otherwise, it goes to the next node for a match. If the packet does not match the criteria on any node, the device performs a routing table lookup.

Node

Match criteria

You can set an ACL, service object group, application group, or packet length match criterion to match packets.

To match a node, a packet must match all types of the match criteria for the node.

Actions

·     Compare packets with the next node upon failure on the current node. This action is taken when the specified actions (setting the VPN instance, next hop, output interface, default next hop, and default output interface) are not configured or become invalid. For example, the specified next hop is unreachable, the specified output interface is down, or the packets cannot be forwarded in the specified VPN instance.

·     Set an IP precedence.

·     Set the DF bit in the IP header.

·     Specify the forwarding tables that can be used for the matching packets.

·     Set next hops and default next hops associated with track entries. You can specify that a next hop must be directly connected to take effect.

·     Set output interfaces and default output interfaces associated with track entries.

PBR and Track

PBR can work with the Track feature to dynamically adapt the availability status of an action to the link status of a tracked object.

The tracked object can be a next hop, output interface, default next hop, or default output interface. The action is valid only when the track entry status changes to Positive or NotReady.
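The node evaluation order and the Track behaviour described above, as an added Python model (not H3C code or device configuration). The `Node` fields, the sample addresses, and the fallback to a routing table lookup when the "compare with the next node" action is not set are assumptions; deny mode is not modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Track states in which the guide says an action is valid.
VALID_TRACK = {"Positive", "NotReady"}

@dataclass
class Node:  # hypothetical model of one permit-mode policy node
    number: int                                  # smaller number = higher priority
    src_net: Optional[str] = None                # stand-in for an ACL criterion
    len_range: Optional[Tuple[int, int]] = None  # packet length criterion
    next_hop: Optional[str] = None               # apply action
    track: Optional[str] = None                  # state of the associated track entry
    continue_on_failure: bool = False            # "compare with next node upon failure"

    def matches(self, pkt):
        # A packet must match every type of criterion configured on the node.
        if self.src_net and ip_address(pkt["src"]) not in ip_network(self.src_net):
            return False
        if self.len_range and not self.len_range[0] <= pkt["length"] <= self.len_range[1]:
            return False
        return True

    def action_valid(self):
        # An action is invalid if not configured or if its track entry is Negative.
        if self.next_hop is None:
            return False
        return self.track is None or self.track in VALID_TRACK

def evaluate(nodes, pkt):
    """Return (matching node number or None, forwarding decision)."""
    for node in sorted(nodes, key=lambda n: n.number):
        if not node.matches(pkt):
            continue                      # no match: try the next node
        if node.action_valid():
            return node.number, node.next_hop
        if not node.continue_on_failure:
            break                         # assumption: fall back to routing table
    return None, "routing-table"

def sample_policy(track_state, cont=True):
    # Constructed policy: node 5 steers 10.1.0.0/16 to a tracked next hop.
    return [
        Node(10, src_net="10.0.0.0/8", next_hop="192.0.2.2"),
        Node(5, src_net="10.1.0.0/16", next_hop="192.0.2.1",
             track=track_state, continue_on_failure=cont),
    ]
```

Running `evaluate` over a policy with each track state shows which flows stop following a tracked next hop when that entry goes Negative, which is worth checking when the next hop is an inspection or filtering device.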
