06-Layer 3 - IP Routing Configuration Guides

07-Policy-based routing configuration

Configuring PBR

Overview

Policy-based routing (PBR) uses user-defined policies to route packets. A policy can specify parameters for packets that match specific criteria such as ACLs. The parameters include the next hop, output interface, default next hop, and default output interface.

When the device receives a packet, the device searches the PBR policy for a matching node to forward that packet.

·     If a matching node is found and its match mode is permit, the device performs the following operations:

a.     Uses the next hops or output interfaces specified on the node to forward the packet.

b.     Searches the routing table for a route (except the default route) to forward the packet if one of the following conditions exists:

-     No next hops or output interfaces are specified on the node.

-     Forwarding failed based on the next hops or output interfaces.

c.     Uses the default next hops or default output interfaces specified on the node to forward the packet if one of the following conditions exists:

-     No matching route was found in the routing table.

-     The routing table-based forwarding failed.

d.     Uses the default route to forward the packet if one of the following conditions exists:

-     No default next hops or default output interfaces are specified on the node.

-     The forwarding failed based on the default next hops or default output interfaces.

·     The device performs routing table lookup to forward the packet in either of the following conditions:

¡     No matching node is found.

¡     A matching node is found, but its match mode is deny.

PBR includes local PBR and interface PBR.

·     Local PBR guides the forwarding of locally generated packets, such as the ICMP packets generated by using the ping command.

·     Interface PBR guides the forwarding of packets received on an interface only.

Policy

A policy includes match criteria and actions to be taken on the matching packets. A policy can have one or multiple nodes as follows:

·     Each node is identified by a node number. A smaller node number has a higher priority.

·     A node contains if-match and apply clauses. An if-match clause specifies a match criterion, and an apply clause specifies an action.

·     A node has a match mode of permit or deny.

A policy compares packets with nodes in priority order. If a packet matches the criteria on a node, it is processed by the action on the node. If the packet does not match any criteria on the node, it goes to the next node for a match. If the packet does not match the criteria on any node, it is forwarded according to the routing table.

Relationship between if-match clauses

On a node, you can specify multiple types of if-match clauses, but only one if-match clause for each type.

To match a node, a packet must match all types of the if-match clauses for the node but only one if-match clause for each type.

Relationship between apply clauses

You can specify multiple apply clauses for a node, but some of them might not be executed. For more information about the relationship between apply clauses, see "Configuring actions for a node."

Relationship between the match mode and clauses on the node

Does a packet match all the if-match clauses on the node? Yes.

·     Match mode permit:

¡     If the node contains apply clauses, PBR executes the apply clauses on the node. If PBR-based forwarding succeeds, PBR does not compare the packet with the next node. If PBR-based forwarding fails, PBR does not compare the packet with the next node.

¡     If the node does not contain apply clauses, the packet is forwarded according to the routing table.

·     Match mode deny: The packet is forwarded according to the routing table.

Does a packet match all the if-match clauses on the node? No.

·     Match mode permit: PBR compares the packet with the next node.

·     Match mode deny: PBR compares the packet with the next node.

A node that has no if-match clauses matches any packet.
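The node selection and forwarding fallback order described above, modeled as an added example (not H3C code) so that a policy can be reasoned about before it is deployed. The `usable` set is an assumption that stands in for the device's FIB and Track state; the first policy mirrors the Switch A local PBR example on this page, and the second policy and its routes are constructed.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Node:
    number: int
    mode: str                                              # "permit" or "deny"
    if_match: list = field(default_factory=list)           # one predicate per if-match type
    next_hops: list = field(default_factory=list)          # apply next-hop, configuration order
    default_next_hops: list = field(default_factory=list)  # apply default-next-hop


def route_lookup(routes, dst, include_default=True):
    """Longest-prefix match over {prefix: egress}; can skip the default route."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, egress in routes.items():
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0 and not include_default:
            continue
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, egress)
    return best[1] if best else None


def first_usable(hops, usable):
    """Primary/backup mode: the first configured hop that is currently usable."""
    return next((h for h in hops if h in usable), None)


def pbr_forward(packet, policy, routes, usable):
    """Return (stage, egress) for one packet, following the order in the overview."""
    # Smaller node numbers have higher priority. A node matches only when every
    # if-match type matches; a node with no if-match clauses matches any packet.
    node = next((n for n in sorted(policy, key=lambda n: n.number)
                 if all(pred(packet) for pred in n.if_match)), None)
    # No matching node, or a matching deny node: ordinary routing table lookup.
    if node is None or node.mode == "deny":
        return ("routing-table", route_lookup(routes, packet["dst"]))
    # a. Next hops specified on the node.
    hop = first_usable(node.next_hops, usable)
    if hop:
        return ("pbr-next-hop", hop)
    # b. Routing table, except the default route.
    egress = route_lookup(routes, packet["dst"], include_default=False)
    if egress:
        return ("routing-table", egress)
    # c. Default next hops specified on the node.
    hop = first_usable(node.default_next_hops, usable)
    if hop:
        return ("pbr-default-next-hop", hop)
    # d. Default route (None means no route exists at all).
    return ("default-route", route_lookup(routes, packet["dst"]))


# Policy aaa from the Switch A example: node 5 permits TCP, next hop 1.1.2.2.
SWITCH_A_POLICY = [Node(5, "permit",
                        if_match=[lambda p: p["proto"] == "tcp"],
                        next_hops=["1.1.2.2"])]
SWITCH_A_ROUTES = {"1.1.2.0/24": "Vlan-interface10",
                   "1.1.3.0/24": "Vlan-interface20"}

# Constructed policy: a deny node ahead of a match-any node with a default next hop.
EDGE_POLICY = [Node(5, "deny", if_match=[lambda p: p["src"] == "10.0.0.5"]),
               Node(10, "permit", default_next_hops=["1.1.3.2"])]
EDGE_ROUTES = {"0.0.0.0/0": "default-gateway"}

if __name__ == "__main__":
    tcp = {"proto": "tcp", "src": "1.1.3.1", "dst": "1.1.3.2"}
    print(pbr_forward(tcp, SWITCH_A_POLICY, SWITCH_A_ROUTES, {"1.1.2.2"}))
    print(pbr_forward(tcp, SWITCH_A_POLICY, SWITCH_A_ROUTES, set()))
```

The first call shows why telnet to Switch C fails in the local PBR example: the TCP packet is sent to 1.1.2.2 even though a direct route to 1.1.3.2 exists. The second call shows the same packet falling back to the routing table once the next hop is unusable.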

PBR and Track

PBR can work with the Track feature to dynamically adapt the availability status of an apply clause to the link status of a tracked object. The tracked object can be a next hop, output interface, default next hop, or default output interface.

·     When the track entry associated with an object changes to Negative, the apply clause is invalid.

·     When the track entry changes to Positive or NotReady, the apply clause is valid.

For more information about Track-PBR collaboration, see High Availability Configuration Guide.

Restrictions and guidelines: PBR configuration

If a packet destined for the local device matches a PBR policy, PBR will execute the apply clauses in the policy, including the clause for forwarding. When you configure a PBR policy, be careful to avoid this situation.

In an MPLS L3VPN or IPv6 MPLS L3VPN network, PBR configuration does not take effect on a VLAN interface used by a PE to connect to the public network. For more information about MPLS L3VPN and IPv6 MPLS L3VPN, see MPLS L3VPN configuration in MPLS Configuration Guide.

PBR configuration task list

Tasks at a glance

(Required.) Configuring a policy:

·     Creating a node

·     Setting match criteria for a node

·     Configuring actions for a node

(Required.) Specifying a policy for PBR:

·     Specifying a policy for local PBR

·     Specifying a policy for interface PBR

·     Specifying a policy for global PBR

 

Configuring a policy

Creating a node

1.     Enter system view.

Command: system-view

Remarks: N/A

2.     Create a node for a policy, and enter policy node view.

Command: policy-based-route policy-name [ deny | permit ] node node-number

Remarks: By default, no policy node is created.

3.     (Optional.) Configure a description for the policy node.

Command: description text

Remarks: By default, no description is configured for the policy node.

Setting match criteria for a node

1.     Enter system view.

Command: system-view

Remarks: N/A

2.     Enter policy node view.

Command: policy-based-route policy-name [ deny | permit ] node node-number

Remarks: N/A

3.     Set an ACL match criterion.

Command: if-match acl { acl-number | name acl-name }

Remarks: By default, no ACL match criterion is set.

If an ACL match criterion is defined, packets are compared with the ACL rules, and the permit or deny action of the specified ACL is ignored. If the specified ACL does not exist, no packet is matched.

4.     Set a local QoS ID match criterion.

Command: if-match qos-local-id local-id-value qppb-manipulation

Remarks: By default, no local QoS ID match criterion is set.

5.     Set a service chain match criterion.

Command: if-match service-chain { path-id service-path-id [ path-index service-path-index ] }

Remarks: By default, no service chain match criterion is set.

If you are applying a PBR policy to a Layer 3 Ethernet interface or Layer 3 aggregate interface, do not configure both the if-match service-chain and apply default-next-hop clauses on any nodes in the policy.

The if-match service-chain clause is not supported on Layer 3 Ethernet subinterfaces or Layer 3 aggregate subinterfaces.

Configuring actions for a node

The apply clauses allow you to specify the actions to be taken on matching packets on a node.

The following apply clauses determine the packet forwarding paths, listed in descending order of priority:

·     apply next-hop

·     apply output-interface

·     apply default-next-hop

·     apply default-output-interface

If you specify a next hop or default next hop, PBR periodically performs FIB table lookup to determine its availability. Temporary service interruption might occur if PBR does not update the route immediately after its availability status changes.

PBR can guide packets that match a service chain only to VXLAN tunnels on an IPv4 network.

If you configure both the apply service-chain and apply loadshare { default-next-hop | next-hop } commands, the apply loadshare command does not take effect.

If you specify the service-chain keyword for the apply next-hop or apply default-next-hop command, the configured apply loadshare { default-next-hop | next-hop } command does not take effect.

To configure actions for a node:

 

1.     Enter system view.

Command: system-view

Remarks: N/A

2.     Enter policy node view.

Command: policy-based-route policy-name [ deny | permit ] node node-number

Remarks: N/A

3.     Set an IP precedence.

Command: apply precedence { type | value }

Remarks: By default, no IP precedence is specified.

4.     Enable load sharing among multiple next hops and default next hops.

Command: apply loadshare { next-hop | default-next-hop }

Remarks: By default, the primary/backup mode applies.

Multiple next hop and default next hop options operate in either primary/backup or load sharing mode.

·     Primary/backup mode: One option is selected from all options in configuration order for packet forwarding, with all remaining options as backups. For example, if multiple next hops are configured, the first configured next hop is selected. When the selected next hop fails, the next available next hop takes over.

·     Load sharing mode: Matching traffic is distributed across the available options in round robin manner, starting from the first configured option. The options perform per-packet load sharing for traffic that does not match any fast forwarding entry, and perform per-flow load sharing for traffic that matches a fast forwarding entry.

For the load sharing mode to take effect, make sure multiple next hops and default next hops are set in the policy.

5.     Set next hops.

Command: apply next-hop [ vpn-instance vpn-instance-name ] { ip-address [ direct ] [ track track-entry-number ] [ service-chain path-id service-path-id [ path-index service-path-index ] ] }&<1-8>

Remarks: By default, no next hops are specified.

You can specify a maximum of four next hops for backup in one command line or by executing this command multiple times.

The service chain parameters are not supported on Layer 3 Ethernet subinterfaces or Layer 3 aggregate subinterfaces.

If multiple next hops on the same subnet are specified for backup, the device first uses the subnet route for the next hops to forward packets when the primary next hop fails. If the subnet route is not available, the device selects a backup next hop.

6.     Set output interfaces.

Command: apply output-interface null 0 [ track track-entry-number ]

Remarks: By default, no output interfaces are specified.

You can specify only Null 0 as the output interface.

7.     Set default next hops.

Command: apply default-next-hop [ vpn-instance vpn-instance-name ] { ip-address [ direct ] [ track track-entry-number ] [ service-chain path-id service-path-id [ path-index service-path-index ] ] }&<1-8>

Remarks: By default, no default next hops are specified.

You can specify a maximum of four default next hops for backup in one command line or by executing this command multiple times.

The service chain parameters are not supported on Layer 3 Ethernet subinterfaces or Layer 3 aggregate subinterfaces.

If multiple next hops on the same subnet are specified for backup, the device first uses the subnet route for the next hops to forward packets when the primary next hop fails. If the subnet route is not available, the device selects a backup next hop.

This command is not supported on the LSQM1TGS16GPSA0 module.

8.     Set default output interfaces.

Command: apply default-output-interface null 0 [ track track-entry-number ]

Remarks: By default, no default output interfaces are specified.

You can specify only Null 0 as the default output interface.

9.     Set the service chain information.

Command: apply service-chain path-id service-path-id [ path-index service-path-index ]

Remarks: By default, no service chain information is set.

This command is not supported on Layer 3 Ethernet subinterfaces or Layer 3 aggregate subinterfaces.

10.     Set a mirroring action that mirrors packets to the specified destination IP address.

Command: apply mirror-to-destination

Remarks: By default, the mirroring action is not set.

This clause enables the device to mirror packets to a specific destination device through a tunnel (for example, a GRE tunnel) for packet analysis and monitoring. The device will encapsulate the specified parameters in the outer header of the mirrored packets.

This clause is always executed for matching packets.

11.     Enable match counting on the policy node.

Command: apply statistics

Remarks: By default, match counting is disabled on policy nodes.

To include the number of successful matches on a policy node in the statistics displayed by a display command, execute this command.

This clause is always executed for matching packets.

Specifying a policy for PBR

IMPORTANT:

A PBR policy applied to a super VLAN interface takes effect on the interfaces of all sub-VLANs associated with the super VLAN.

 

Specifying a policy for local PBR

Perform this task to specify a policy for local PBR to guide the forwarding of locally generated packets. The specified policy must already exist. If the policy does not exist, the local PBR configuration fails.

You can apply only one policy locally. Before you apply a new policy, you must first remove the current policy.

Local PBR might affect local services, such as ping and Telnet. When you use local PBR, make sure you fully understand its impact on local services of the device.

To specify a policy for local PBR:

 

1.     Enter system view.

Command: system-view

Remarks: N/A

2.     Specify a policy for local PBR.

Command: ip local policy-based-route policy-name

Remarks: By default, no policy is specified for local PBR.

Specifying a policy for interface PBR

Perform this task to apply a policy to an interface to guide the forwarding of packets received on the interface. The specified policy must already exist. If the policy does not exist, the interface PBR configuration fails.

You can apply only one policy to an interface. Before you apply a new policy, you must first remove the current policy from the interface.

You can apply a policy to multiple interfaces.

To specify a policy for interface PBR:

 

1.     Enter system view.

Command: system-view

Remarks: N/A

2.     Enter interface view.

Command: interface interface-type interface-number

Remarks: N/A

3.     Specify a policy for interface PBR.

Command: ip policy-based-route policy-name

Remarks: By default, no policy is specified for interface PBR.

Specifying a policy for global PBR

Perform this task to apply a policy to all interfaces on the device to guide the forwarding of packets received on the interfaces.

You can apply only one policy for global PBR and the specified policy must already exist. Before you can apply a new policy, you must first remove the current policy.

Interface PBR takes precedence over global PBR on an interface. When they are both configured and packets fail to match the interface PBR policy, global PBR applies.

To specify a policy for global PBR:

 

1.     Enter system view.

Command: system-view

Remarks: N/A

2.     Specify a policy for global PBR.

Command: ip global policy-based-route policy-name

Remarks: By default, no policy is specified for global PBR.
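PBR can silently drop, divert, or copy traffic, so a saved configuration is worth auditing for the behaviors this guide calls out: an if-match acl clause that references a nonexistent ACL (no packet is matched), a node with no if-match clauses (matches any packet), Null 0 as an output interface, apply mirror-to-destination, local PBR, and if-match service-chain combined with apply default-next-hop. The following audit is an added example, not an H3C tool; the saved-configuration layout (`#` separators, one-space indentation) and the finding codes are assumptions, and the sample configuration is constructed.

```python
import re

NODE_RE = re.compile(r"^policy-based-route (\S+) (permit|deny) node (\d+)$")
ACL_RE = re.compile(r"^acl \w+ (?:name )?(\S+)")
BIND_RE = re.compile(r"^ip (local |global )?policy-based-route (\S+)$")
NULL0_RE = re.compile(r"^apply (default-)?output-interface null ?0\b", re.I)


def parse(config):
    """Collect defined ACLs, policy nodes with their clauses, and policy bindings."""
    acls, nodes, bindings, current = set(), {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "#":                       # section separator ends the node view
            current = None
            continue
        node, acl, bind = NODE_RE.match(line), ACL_RE.match(line), BIND_RE.match(line)
        if node:
            key = (node.group(1), int(node.group(3)))
            current = nodes.setdefault(key, {"mode": node.group(2), "clauses": []})
        elif acl:
            acls.add(acl.group(1))
            current = None
        elif bind:
            scope = (bind.group(1) or "interface").strip()
            bindings.append((scope, bind.group(2)))
        elif current is not None and line.startswith(("if-match ", "apply ")):
            current["clauses"].append(line)
        elif not raw.startswith(" "):         # any other top-level command
            current = None
    return acls, nodes, bindings


def audit(config):
    """Return a list of (policy, node_number_or_None, finding_code)."""
    acls, nodes, bindings = parse(config)
    findings = []
    for (policy, number), node in sorted(nodes.items()):
        clauses = node["clauses"]
        matches = [c for c in clauses if c.startswith("if-match ")]
        for clause in matches:
            ref = re.match(r"if-match acl (?:name )?(\S+)", clause)
            if ref and ref.group(1) not in acls:
                findings.append((policy, number, "acl-missing"))   # node matches nothing
        if not matches:
            findings.append((policy, number, "match-any"))         # node matches every packet
        if any(NULL0_RE.match(c) for c in clauses):
            findings.append((policy, number, "null0-discard"))     # matching traffic is dropped
        if any(c.startswith("apply mirror-to-destination") for c in clauses):
            findings.append((policy, number, "mirror"))            # traffic copied off-box
        if (any(c.startswith("if-match service-chain") for c in clauses)
                and any(c.startswith("apply default-next-hop") for c in clauses)):
            findings.append((policy, number, "service-chain-default-nh"))
    defined = {policy for policy, _ in nodes}
    for scope, policy in bindings:
        if scope == "local":
            findings.append((policy, None, "local-pbr"))           # affects ping, Telnet, etc.
        if policy not in defined:
            findings.append((policy, None, "policy-undefined"))
    return findings


# Constructed sample in saved-configuration style.
SAMPLE_CONFIG = """
acl advanced 3101
 rule 0 permit tcp
#
policy-based-route aaa permit node 5
 if-match acl 3101
 apply next-hop 1.1.2.2
#
policy-based-route aaa permit node 10
 if-match acl 3999
 apply output-interface null 0
#
policy-based-route bbb permit node 5
 apply mirror-to-destination
#
interface Vlan-interface11
 ip policy-based-route aaa
#
 ip local policy-based-route bbb
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Each finding is a review prompt rather than a verdict: a Null 0 output interface or a mirroring clause may be intentional, but it should map to a documented change.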

 

Displaying and maintaining PBR

Execute display commands in any view and reset commands in user view.

 

Task: Display PBR policy information.

Command: display ip policy-based-route [ policy policy-name ]

Task: Display PBR configuration.

Command: display ip policy-based-route setup

Task: (In standalone mode.) Display global PBR configuration and statistics.

Command: display ip policy-based-route global [ slot slot-number ]

Task: (In IRF mode.) Display global PBR configuration and statistics.

Command: display ip policy-based-route global [ chassis chassis-number slot slot-number ]

Task: (In standalone mode.) Display local PBR configuration and statistics.

Command: display ip policy-based-route local [ slot slot-number ]

Task: (In IRF mode.) Display local PBR configuration and statistics.

Command: display ip policy-based-route local [ chassis chassis-number slot slot-number ]

Task: (In standalone mode.) Display interface PBR configuration and statistics.

Command: display ip policy-based-route interface interface-type interface-number [ slot slot-number ]

Task: (In IRF mode.) Display interface PBR configuration and statistics.

Command: display ip policy-based-route interface interface-type interface-number [ chassis chassis-number slot slot-number ]

Task: Clear PBR statistics.

Command: reset ip policy-based-route statistics [ policy policy-name ]

PBR configuration examples

Packet type-based local PBR configuration example

Network requirements

As shown in Figure 1, Switch B and Switch C do not have a route to reach each other.

Configure PBR on Switch A to forward all TCP packets to the next hop 1.1.2.2. Switch A forwards other packets according to the routing table.

Figure 1 Network diagram

 

Configuration procedure

1.     Configure Switch A:

# Create VLAN 10 and VLAN 20.

<SwitchA> system-view

[SwitchA] vlan 10

[SwitchA-vlan10] quit

[SwitchA] vlan 20

[SwitchA-vlan20] quit

# Configure the IP addresses of VLAN-interface 10 and VLAN-interface 20.

[SwitchA] interface vlan-interface 10

[SwitchA-Vlan-interface10] ip address 1.1.2.1 24

[SwitchA-Vlan-interface10] quit

[SwitchA] interface vlan-interface 20

[SwitchA-Vlan-interface20] ip address 1.1.3.1 24

[SwitchA-Vlan-interface20] quit

# Configure ACL 3101 to match TCP packets.

[SwitchA] acl advanced 3101

[SwitchA-acl-adv-3101] rule permit tcp

[SwitchA-acl-adv-3101] quit

# Configure Node 5 for policy aaa to forward TCP packets to next hop 1.1.2.2.

[SwitchA] policy-based-route aaa permit node 5

[SwitchA-pbr-aaa-5] if-match acl 3101

[SwitchA-pbr-aaa-5] apply next-hop 1.1.2.2

[SwitchA-pbr-aaa-5] quit

# Configure local PBR by applying policy aaa to Switch A.

[SwitchA] ip local policy-based-route aaa

2.     Configure Switch B:

# Create VLAN 10.

<SwitchB> system-view

[SwitchB] vlan 10

[SwitchB-vlan10] quit

# Configure the IP address of VLAN-interface 10.

[SwitchB] interface vlan-interface 10

[SwitchB-Vlan-interface10] ip address 1.1.2.2 24

3.     Configure Switch C:

# Create VLAN 20.

<SwitchC> system-view

[SwitchC] vlan 20

[SwitchC-vlan20] quit

# Configure the IP address of VLAN-interface 20.

[SwitchC] interface vlan-interface 20

[SwitchC-Vlan-interface20] ip address 1.1.3.2 24

Verifying the configuration

1.     Perform telnet operations to verify that local PBR on Switch A operates as configured to forward the matching TCP packets to the next hop 1.1.2.2 (Switch B), as follows:

# Verify that you can telnet to Switch B from Switch A successfully. (Details not shown.)

# Verify that you cannot telnet to Switch C from Switch A. (Details not shown.)

2.     Verify that Switch A forwards packets other than TCP packets through VLAN-interface 20. For example, verify that you can ping Switch C from Switch A. (Details not shown.)

Packet type-based interface PBR configuration example

Network requirements

As shown in Figure 2, Switch B and Switch C do not have a route to reach each other.

Configure PBR on Switch A to forward all TCP packets received on VLAN-interface 11 to the next hop 1.1.2.2. Switch A forwards other packets according to the routing table.

Figure 2 Network diagram

 

Configuration procedure

1.     Configure IP addresses and unicast routing protocol settings to make sure Switch B and Switch C can reach Host A. (Details not shown.)

2.     Configure Switch A:

# Configure ACL 3101 to match TCP packets.

[SwitchA] acl advanced 3101

[SwitchA-acl-adv-3101] rule permit tcp

[SwitchA-acl-adv-3101] quit

# Configure Node 5 for policy aaa to forward TCP packets to next hop 1.1.2.2.

[SwitchA] policy-based-route aaa permit node 5

[SwitchA-pbr-aaa-5] if-match acl 3101

[SwitchA-pbr-aaa-5] apply next-hop 1.1.2.2

[SwitchA-pbr-aaa-5] quit

# Configure interface PBR by applying policy aaa to VLAN-interface 11.

[SwitchA] interface vlan-interface 11

[SwitchA-Vlan-interface11] ip policy-based-route aaa

[SwitchA-Vlan-interface11] quit

Verifying the configuration

1.     Perform telnet operations to verify that interface PBR on Switch A operates as configured to forward the matching TCP packets to the next hop 1.1.2.2 (Switch B), as follows:

# Verify that you can telnet to Switch B from Host A successfully. (Details not shown.)

# Verify that you cannot telnet to Switch C from Host A. (Details not shown.)

2.     Verify that Switch A forwards packets other than TCP packets through VLAN-interface 20. For example, verify that you can ping Switch C from Host A. (Details not shown.)

Packet type-based global PBR configuration example

Network requirements

As shown in Figure 3, Switch E and Switch F do not have a route to reach each other.

Configure global PBR on Switch D to forward TCP packets to the next hop 1.1.4.2 (Switch E).

Figure 3 Network diagram

 

Configuration procedure

1.     Configure IP addresses for the interfaces. Make sure Switch A, Switch B, and Switch C can each communicate with Switch E and Switch F. (Details not shown.)

2.     Configure Switch D:

# Configure ACL 3101 to match TCP packets sourced from networks 1.1.1.0/24, 1.1.2.0/24, and 1.1.3.0/24.

<SwitchD> system-view

[SwitchD] acl advanced 3101

[SwitchD-acl-ipv4-adv-3101] rule permit tcp source 1.1.1.0 0.0.0.255

[SwitchD-acl-ipv4-adv-3101] rule permit tcp source 1.1.2.0 0.0.0.255

[SwitchD-acl-ipv4-adv-3101] rule permit tcp source 1.1.3.0 0.0.0.255

[SwitchD-acl-ipv4-adv-3101] quit

# Configure node 5 in PBR policy aaa to forward TCP packets that match ACL 3101 to next hop 1.1.4.2.

[SwitchD] policy-based-route aaa permit node 5

[SwitchD-pbr-aaa-5] if-match acl 3101

[SwitchD-pbr-aaa-5] apply next-hop 1.1.4.2

[SwitchD-pbr-aaa-5] quit

# Specify PBR policy aaa as the global PBR policy.

[SwitchD] ip global policy-based-route aaa

Verifying the configuration

1.     Perform telnet operations to verify that global PBR on Switch D operates as configured to forward the matching TCP packets to the next hop 1.1.4.2 (Switch E), as follows:

# Verify that you can telnet to Switch E from Switch A, Switch B, and Switch C successfully. (Details not shown.)

# Verify that you cannot telnet to Switch F from Switch A, Switch B, or Switch C. (Details not shown.)

2.     Verify that Switch D forwards packets other than TCP packets as long as a route is available. For example, verify that you can ping Switch F from Switch A, Switch B, and Switch C. (Details not shown.)

EVPN-based service chain PBR configuration example

Network requirements

As shown in Figure 4, Switch A, Switch B, and Switch C are distributed EVPN gateway devices. Switch D acts as a route reflector to reflect BGP routes for the other switches.

Configure PBR to direct packets sent by Server 1 to Service node 1. After being processed, the packets are forwarded to Server 2.

Figure 4 Network diagram

 

Configuration procedure

1.     Configure IP addresses and subnet masks for interfaces, as shown in Figure 4. (Details not shown.)

2.     Configure Switch A:

# Enable L2VPN.

<SwitchA> system-view

[SwitchA] l2vpn enable

# Disable remote-MAC address learning and remote ARP learning.

[SwitchA] vxlan tunnel mac-learning disable

[SwitchA] vxlan tunnel arp-learning disable

# Create an EVPN instance in VSI instance view, and configure the system to automatically generate an RT and RD.

[SwitchA] vsi vpna

[SwitchA-vsi-vpna] evpn encapsulation vxlan

[SwitchA-vsi-vpna-evpn-vxlan] route-distinguisher auto

[SwitchA-vsi-vpna-evpn-vxlan] vpn-target auto

[SwitchA-vsi-vpna-evpn-vxlan] quit

# Create VXLAN 10.

[SwitchA-vsi-vpna] vxlan 10

[SwitchA-vsi-vpna-vxlan-10] quit

[SwitchA-vsi-vpna] quit

# Configure BGP to advertise EVPN routes.

[SwitchA] bgp 200

[SwitchA-bgp-default] peer 4.4.4.4 as-number 200

[SwitchA-bgp-default] peer 4.4.4.4 connect-interface loopback 0

[SwitchA-bgp-default] address-family l2vpn evpn

[SwitchA-bgp-default-evpn] peer 4.4.4.4 enable

[SwitchA-bgp-default-evpn] quit

[SwitchA-bgp-default] quit

# Create VPN instance vpna.

[SwitchA] ip vpn-instance vpna

[SwitchA-vpn-instance-vpna] route-distinguisher 1:1

[SwitchA-vpn-instance-vpna] address-family ipv4

[SwitchA-vpn-ipv4-vpna] vpn-target 2:2

[SwitchA-vpn-ipv4-vpna] quit

[SwitchA-vpn-instance-vpna] address-family evpn

[SwitchA-vpn-evpn-vpna] vpn-target 1:1

[SwitchA-vpn-evpn-vpna] quit

[SwitchA-vpn-instance-vpna] quit

# Configure VSI-interface 1.

[SwitchA] interface vsi-interface 1

[SwitchA-Vsi-interface1] ip binding vpn-instance vpna

[SwitchA-Vsi-interface1] ip address 10.1.1.1 255.255.255.0

[SwitchA-Vsi-interface1] mac-address 0001-0001-0001

[SwitchA-Vsi-interface1] local-proxy-arp enable

[SwitchA-Vsi-interface1] distributed-gateway local

[SwitchA-Vsi-interface1] quit

# Configure VSI-interface 3, associate the interface with VPN instance vpna, and set the L3 VXLAN ID to 1000.

[SwitchA] interface vsi-interface 3

[SwitchA-Vsi-interface3] ip binding vpn-instance vpna

[SwitchA-Vsi-interface3] l3-vni 1000

[SwitchA-Vsi-interface3] quit

# Associate VSI instance vpna with VSI-interface 1.

[SwitchA] vsi vpna

[SwitchA-vsi-vpna] gateway vsi-interface 1

[SwitchA-vsi-vpna] quit

# Configure VLAN-interface 11.

[SwitchA] interface vlan-interface 11

[SwitchA-Vlan-interface11] ip address 11.1.1.1 255.255.255.0

[SwitchA-Vlan-interface11] ospf 1 area 0.0.0.0

[SwitchA-Vlan-interface11] quit

# Associate Ethernet service instance 1000 with VSI instance vpna.

[SwitchA] interface gigabitethernet 1/0/1

[SwitchA-GigabitEthernet1/0/1] port link-mode bridge

[SwitchA-GigabitEthernet1/0/1] service-instance 1000

[SwitchA-GigabitEthernet1/0/1-srv1000] encapsulation s-vid 2

[SwitchA-GigabitEthernet1/0/1-srv1000] xconnect vsi vpna

[SwitchA-GigabitEthernet1/0/1-srv1000] quit

[SwitchA-GigabitEthernet1/0/1] quit

# Create ACL 3000 to permit packets with source IP address 10.1.1.10 and destination IP address 10.1.1.20.

[SwitchA] acl advanced 3000

[SwitchA-acl-ipv4-adv-3000] rule 0 permit ip source 10.1.1.10 0 destination 10.1.1.20 0

[SwitchA-acl-ipv4-adv-3000] quit

# Create node 0, and use ACL 3000 to match packets with source IP address 10.1.1.10 and destination IP address 10.1.1.20. Apply next hop 10.1.1.11 and service chain path ID 1 to matching packets.

[SwitchA] policy-based-route aa permit node 0

[SwitchA-pbr-aa-0] if-match acl 3000

[SwitchA-pbr-aa-0] apply service-chain path-id 1

[SwitchA-pbr-aa-0] apply next-hop vpn-instance vpna 10.1.1.11

[SwitchA-pbr-aa-0] quit

# Apply policy aa to VSI-interface 1.

[SwitchA] interface vsi-interface 1

[SwitchA-Vsi-interface1] ip policy-based-route aa

[SwitchA-Vsi-interface1] quit

3.     Configure Switch B:

# Enable L2VPN.

<SwitchB> system-view

[SwitchB] l2vpn enable

# Disable remote-MAC address learning and remote ARP learning.

[SwitchB] vxlan tunnel mac-learning disable

[SwitchB] vxlan tunnel arp-learning disable

# Create an EVPN instance in VSI instance view, and configure the system to automatically generate an RT and RD.

[SwitchB] vsi vpna

[SwitchB-vsi-vpna] evpn encapsulation vxlan

[SwitchB-vsi-vpna-evpn-vxlan] route-distinguisher auto

[SwitchB-vsi-vpna-evpn-vxlan] vpn-target auto

[SwitchB-vsi-vpna-evpn-vxlan] quit

# Configure VXLAN 10.

[SwitchB-vsi-vpna] vxlan 10

[SwitchB-vsi-vpna-vxlan-10] quit

[SwitchB-vsi-vpna] quit

# Configure BGP to advertise EVPN routes.

[SwitchB] bgp 200

[SwitchB-bgp-default] peer 4.4.4.4 as-number 200

[SwitchB-bgp-default] peer 4.4.4.4 connect-interface loopback 0

[SwitchB-bgp-default] address-family l2vpn evpn

[SwitchB-bgp-default-evpn] peer 4.4.4.4 enable

[SwitchB-bgp-default-evpn] quit

[SwitchB-bgp-default] quit

# Create VPN instance vpna.

[SwitchB] ip vpn-instance vpna

[SwitchB-vpn-instance-vpna] route-distinguisher 1:1

[SwitchB-vpn-instance-vpna] address-family ipv4

[SwitchB-vpn-ipv4-vpna] vpn-target 2:2

[SwitchB-vpn-ipv4-vpna] quit

[SwitchB-vpn-instance-vpna] address-family evpn

[SwitchB-vpn-evpn-vpna] vpn-target 1:1

[SwitchB-vpn-evpn-vpna] quit

[SwitchB-vpn-instance-vpna] quit

# Configure VSI-interface 1.

[SwitchB] interface vsi-interface 1

[SwitchB-Vsi-interface1] ip binding vpn-instance vpna

[SwitchB-Vsi-interface1] ip address 10.1.1.1 255.255.255.0

[SwitchB-Vsi-interface1] mac-address 0001-0001-0001

[SwitchB-Vsi-interface1] local-proxy-arp enable

[SwitchB-Vsi-interface1] distributed-gateway local

[SwitchB-Vsi-interface1] quit

# Associate VSI instance vpna with VSI-interface 1.

[SwitchB] vsi vpna

[SwitchB-vsi-vpna] gateway vsi-interface 1

[SwitchB-vsi-vpna] quit

# Configure VSI-interface 3.

[SwitchB] interface vsi-interface 3

[SwitchB-Vsi-interface3] ip binding vpn-instance vpna

[SwitchB-Vsi-interface3] l3-vni 1000

[SwitchB-Vsi-interface3] quit

# Configure GigabitEthernet 1/0/1 as an AC interface.

[SwitchB] interface gigabitethernet 1/0/1

[SwitchB-GigabitEthernet1/0/1] port link-mode bridge

[SwitchB-GigabitEthernet1/0/1] service-instance 1000

[SwitchB-GigabitEthernet1/0/1-srv1000] encapsulation s-vid 2

[SwitchB-GigabitEthernet1/0/1-srv1000] xconnect vsi vpna

[SwitchB-GigabitEthernet1/0/1-srv1000] quit

[SwitchB-GigabitEthernet1/0/1] quit

# Create node 0 and apply next hop 10.1.1.11 to packets with service chain path ID 1.

[SwitchB] policy-based-route aa permit node 0

[SwitchB-pbr-aa-0] if-match service-chain path-id 1

[SwitchB-pbr-aa-0] apply next-hop vpn-instance vpna 10.1.1.11

[SwitchB-pbr-aa-0] quit

# Apply policy aa to VSI-interface 3.

[SwitchB] interface vsi-interface 3

[SwitchB-Vsi-interface3] ip policy-based-route aa

[SwitchB-Vsi-interface3] quit

4.     Configure Switch C:

# Enable L2VPN.

<SwitchC> system-view

[SwitchC] l2vpn enable

# Disable remote-MAC address learning and remote ARP learning.

[SwitchC] vxlan tunnel mac-learning disable

[SwitchC] vxlan tunnel arp-learning disable

# Create an EVPN instance in VSI instance view, and configure the system to automatically generate an RT and RD.

[SwitchC] vsi vpna

[SwitchC-vsi-vpna] evpn encapsulation vxlan

[SwitchC-vsi-vpna-evpn-vxlan] route-distinguisher auto

[SwitchC-vsi-vpna-evpn-vxlan] vpn-target auto

[SwitchC-vsi-vpna-evpn-vxlan] quit

# Configure VXLAN 10.

[SwitchC-vsi-vpna] vxlan 10

[SwitchC-vsi-vpna-vxlan-10] quit

[SwitchC-vsi-vpna] quit

# Configure BGP to advertise EVPN routes.

[SwitchC] bgp 200

[SwitchC-bgp-default] peer 4.4.4.4 as-number 200

[SwitchC-bgp-default] peer 4.4.4.4 connect-interface loopback 0

[SwitchC-bgp-default] address-family l2vpn evpn

[SwitchC-bgp-default-evpn] peer 4.4.4.4 enable

[SwitchC-bgp-default-evpn] quit

[SwitchC-bgp-default] quit

# Create VPN instance vpna.

[SwitchC] ip vpn-instance vpna

[SwitchC-vpn-instance-vpna] route-distinguisher 1:1

[SwitchC-vpn-instance-vpna] address-family ipv4

[SwitchC-vpn-ipv4-vpna] vpn-target 2:2

[SwitchC-vpn-ipv4-vpna] quit

[SwitchC-vpn-instance-vpna] address-family evpn

[SwitchC-vpn-evpn-vpna] vpn-target 1:1

[SwitchC-vpn-evpn-vpna] quit

[SwitchC-vpn-instance-vpna] quit

# Create VSI-interface 1, assign an IP address to it, and specify the interface as a distributed gateway in VXLAN 10.

[SwitchC] interface vsi-interface 1

[SwitchC-Vsi-interface1] ip binding vpn-instance vpna

[SwitchC-Vsi-interface1] ip address 10.1.1.1 255.255.255.0

[SwitchC-Vsi-interface1] mac-address 0001-0001-0001

[SwitchC-Vsi-interface1] local-proxy-arp enable

[SwitchC-Vsi-interface1] distributed-gateway local

[SwitchC-Vsi-interface1] quit

# Create VSI-interface 3, associate the interface with VPN instance vpna, and set the L3 VXLAN ID to 1000.

[SwitchC] interface vsi-interface 3

[SwitchC-Vsi-interface3] ip binding vpn-instance vpna

[SwitchC-Vsi-interface3] l3-vni 1000

[SwitchC-Vsi-interface3] quit

# Associate VSI instance vpna with VSI-interface 1.

[SwitchC] vsi vpna

[SwitchC-vsi-vpna] gateway vsi-interface 1

[SwitchC-vsi-vpna] quit

# Bind VSI instance vpna to GigabitEthernet 1/0/1.

[SwitchC] interface gigabitethernet 1/0/1

[SwitchC-GigabitEthernet1/0/1] port link-mode bridge

[SwitchC-GigabitEthernet1/0/1] service-instance 2000

[SwitchC-GigabitEthernet1/0/1-srv2000] encapsulation s-vid 2

[SwitchC-GigabitEthernet1/0/1-srv2000] xconnect vsi vpna

[SwitchC-GigabitEthernet1/0/1-srv2000] quit

[SwitchC-GigabitEthernet1/0/1] quit

5.     Configure Switch D:

# Configure Switch D to establish BGP connections with the other switches.

<SwitchD> system-view

[SwitchD] bgp 200

[SwitchD-bgp-default] group evpn

[SwitchD-bgp-default] peer 1.1.1.1 group evpn

[SwitchD-bgp-default] peer 2.2.2.2 group evpn

[SwitchD-bgp-default] peer 3.3.3.3 group evpn

[SwitchD-bgp-default] peer evpn as-number 200

[SwitchD-bgp-default] peer evpn connect-interface loopback 0

# Configure BGP to advertise EVPN routes, and disable route target filtering for BGP EVPN routes.

[SwitchD-bgp-default] address-family l2vpn evpn

[SwitchD-bgp-default-evpn] peer evpn enable

[SwitchD-bgp-default-evpn] undo policy vpn-target

# Configure Switch D as a route reflector.

[SwitchD-bgp-default-evpn] peer evpn reflect-client

[SwitchD-bgp-default-evpn] quit

[SwitchD-bgp-default] quit

# Configure VLAN-interface 11.

[SwitchD] interface vlan-interface 11

[SwitchD-Vlan-interface11] ip address 11.1.1.4 255.255.255.0

[SwitchD-Vlan-interface11] ospf 1 area 0.0.0.0

[SwitchD-Vlan-interface11] quit

# Configure VLAN-interface 12.

[SwitchD] interface vlan-interface 12

[SwitchD-Vlan-interface12] ip address 12.1.1.4 255.255.255.0

[SwitchD-Vlan-interface12] ospf 1 area 0.0.0.0

[SwitchD-Vlan-interface12] quit

# Configure VLAN-interface 13.

[SwitchD] interface Vlan-interface 13

[SwitchD-Vlan-interface13] ip address 13.1.1.4 255.255.255.0

[SwitchD-Vlan-interface13] ospf 1 area 0.0.0.0

[SwitchD-Vlan-interface13] quit

Verifying the configuration

# Capture packets sent from Server 1 to Server 2 in Ethernet service instance 1000. (Details not shown.)

The packets are processed by Service node 1 before they are delivered to Server 2.
