Contents
Restrictions and guidelines: IPv6 PBR configuration
IPv6 PBR configuration task list
Setting match criteria for an IPv6 node
Configuring actions for an IPv6 node
Specifying a policy for IPv6 PBR
Specifying an IPv6 policy for IPv6 local PBR
Specifying an IPv6 policy for IPv6 interface PBR
Specifying an IPv6 policy for IPv6 global PBR
Displaying and maintaining IPv6 PBR
IPv6 PBR configuration examples
Packet type-based IPv6 local PBR configuration example
Configuring IPv6 PBR
Overview
Policy-based routing (PBR) uses user-defined policies to route packets. A policy can specify parameters for packets that match specific criteria such as ACLs. The parameters include the next hop, output interface, default next hop, and default output interface.
When the device receives an IPv6 packet, the device searches the IPv6 PBR policy for a matching node to forward that packet.
· If a matching node is found and its match mode is permit, the device performs the following operations:
a. Uses the next hops or output interfaces specified on the node to forward the packet.
b. Searches the routing table for a route (except the default route) to forward the packet if one of the following conditions exists:
- No next hops or output interfaces are specified on the node.
- Forwarding failed based on the next hops or output interfaces.
c. Uses the default next hops or default output interfaces specified on the node to forward the packet if one of the following conditions exists:
- No matching route was found in the routing table.
- The routing table-based forwarding failed.
d. Uses the default route to forward the packet if one of the following conditions exists:
- No default next hops or default output interfaces are specified on the node.
- The forwarding failed based on the default next hops or default output interfaces.
· The device performs routing table lookup to forward the packet in either of the following conditions:
¡ No matching node is found.
¡ A matching node is found, but its match mode is deny.
PBR includes local PBR and interface PBR.
· Local PBR guides the forwarding of locally generated packets, such as the ICMP packets generated by using the ping command.
· Interface PBR guides the forwarding of packets received on an interface only.
Policy
An IPv6 policy includes match criteria and actions to be taken on the matching packets. A policy can have one or multiple nodes as follows:
· Each node is identified by a node number. A smaller node number has a higher priority.
· A node contains if-match and apply clauses. An if-match clause specifies a match criterion, and an apply clause specifies an action.
· A node has a match mode of permit or deny.
An IPv6 policy compares packets with nodes in priority order. If a packet matches the criteria on a node, it is processed by the action on the node. If the packet does not match any criteria on the node, it goes to the next node for a match. If the packet does not match the criteria on any node, it is forwarded according to the routing table.
Relationship between if-match clauses
On a node, you can specify multiple types of if-match clauses, but only one if-match clause for each type. For a specific type of if-match clause, the most recent configuration overwrites the previous one. A packet that matches all the if-match clauses of a node matches the node.
Relationship between apply clauses
You can specify multiple apply clauses for a node, but some of them might not be executed. For more information about the relationship between the apply clauses, see "Configuring actions for an IPv6 node."
Relationship between the match mode and clauses on the node
Does the packet match all the if-match clauses on the node? | Match mode: permit | Match mode: deny |
---|---|---|
Yes | · If the node contains apply clauses, IPv6 PBR executes the apply clauses on the node. ¡ If IPv6 PBR-based forwarding succeeds, IPv6 PBR does not compare the packet with the next node. ¡ If IPv6 PBR-based forwarding fails, IPv6 PBR does not compare the packet with the next node. · If the node does not contain apply clauses, the packet is forwarded according to the routing table. | The packet is forwarded according to the routing table. |
No | IPv6 PBR compares the packet with the next node. | IPv6 PBR compares the packet with the next node. |
A node that has no if-match clauses matches any packet.
IPv6 PBR and Track
IPv6 PBR can work with the Track feature to dynamically adapt the availability status of an apply clause to the link status of a tracked object. The tracked object can be a next hop, output interface, default next hop, or default output interface.
· When the track entry associated with an object changes to Negative, the apply clause is invalid.
· When the track entry changes to Positive or NotReady, the apply clause is valid.
For more information about Track and IPv6 PBR collaboration, see High Availability Configuration Guide.
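The forwarding decision described in this overview (node priority, match mode, the apply-clause fallback chain, and Track state) can be modelled in a few lines. This is an added example, not H3C code; the `Hop`, `Node`, and `forward` names, the `reachable` flag, and the sample routes are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Hop:
    addr: str
    reachable: bool = True      # outcome of the device's FIB lookup (assumed input)
    track: str = "Positive"     # Track entry state: Positive, NotReady or Negative

    def usable(self) -> bool:
        # A Negative track entry makes the apply clause invalid.
        return self.reachable and self.track != "Negative"

@dataclass
class Node:
    number: int
    mode: str                                              # "permit" or "deny"
    if_match: list = field(default_factory=list)           # empty list matches any packet
    next_hops: list = field(default_factory=list)          # apply next-hop, config order
    default_next_hops: list = field(default_factory=list)  # apply default-next-hop

def first_usable(hops):
    # Primary/backup mode: the first configured hop that is usable is selected.
    return next((h.addr for h in hops if h.usable()), None)

def forward(policy, packet, routes, default_route=None):
    """Return (source, next_hop). routes maps destination -> next hop, default excluded."""
    specific = routes.get(packet["dst"])
    for node in sorted(policy, key=lambda n: n.number):    # smaller number, higher priority
        if not all(pred(packet) for pred in node.if_match):
            continue                                       # compare with the next node
        if node.mode == "deny":
            break                                          # matched a deny node
        hop = first_usable(node.next_hops)
        if hop:
            return ("pbr next hop", hop)                   # step a
        if specific:
            return ("routing table", specific)             # step b
        hop = first_usable(node.default_next_hops)
        if hop:
            return ("pbr default next hop", hop)           # step c
        return ("default route", default_route)            # step d
    # No matching node, or a matching deny node: ordinary routing table lookup.
    return ("routing table", specific) if specific else ("default route", default_route)

def is_tcp(packet):
    return packet["proto"] == "tcp"

# Constructed scenario: TCP is steered to 1::2, while 2::2 is directly connected.
ROUTES = {"1::2": "1::2", "2::2": "2::2"}
POLICY = [Node(5, "permit", [is_tcp], [Hop("1::2")])]

if __name__ == "__main__":
    for proto in ("tcp", "icmpv6"):
        print(proto, forward(POLICY, {"proto": proto, "dst": "2::2"}, ROUTES))
```

The model makes one consequence easy to see: a matching permit node overrides a valid route to the destination, so TCP to 2::2 is sent to 1::2 for as long as that next hop is usable.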
Restrictions and guidelines: IPv6 PBR configuration
In an MPLS L3VPN or IPv6 MPLS L3VPN network, IPv6 PBR configuration does not take effect on a VLAN interface used by a PE to connect to the public network. For more information about MPLS L3VPN and IPv6 MPLS L3VPN, see MPLS L3VPN configuration in MPLS Configuration Guide.
IPv6 PBR configuration task list
Tasks at a glance |
(Required.) Configuring an IPv6 policy: |
(Required.) Specifying a policy for IPv6 PBR: · Specifying an IPv6 policy for IPv6 local PBR |
Configuring an IPv6 policy
Creating an IPv6 node
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Create an IPv6 policy or policy node, and enter IPv6 policy node view. | ipv6 policy-based-route policy-name [ deny \| permit ] node node-number | By default, no IPv6 policy node is created. |
3. (Optional.) Configure a description for the IPv6 policy node. | description text | By default, no description is configured for the IPv6 policy node. |
Setting match criteria for an IPv6 node
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter IPv6 policy node view. | ipv6 policy-based-route policy-name [ deny \| permit ] node node-number | N/A |
3. Set an ACL match criterion. | | By default, no ACL match criterion is set. If an ACL match criterion is defined, packets are compared with the ACL rules, and the permit or deny action of the specified ACL is ignored. If the specified ACL does not exist, no packet is matched. |
4. Set a local QoS ID match criterion. | if-match qos-local-id local-id-value qppb-manipulation | By default, no local QoS ID match criterion is set. |
5. Set a service chain match criterion. | if-match service-chain { path-id service-path-id [ path-index service-path-index ] } | By default, no service chain match criterion is set. If you are applying an IPv6 PBR policy to a Layer 3 Ethernet interface or Layer 3 aggregate interface, do not configure both the if-match service-chain and apply default-next-hop clauses on any nodes in the policy. The if-match service-chain clause is not supported on Layer 3 Ethernet subinterfaces or Layer 3 aggregate subinterfaces. |
Configuring actions for an IPv6 node
The apply clauses allow you to specify actions to take on matching packets on a node.
The following apply clauses determine the packet forwarding path, listed in descending order of priority:
· apply next-hop
· apply output-interface
· apply default-next-hop
· apply default-output-interface
If you specify a next hop or default next hop, IPv6 PBR periodically performs FIB table lookup to determine its availability. Temporary service interruption might occur if IPv6 PBR does not update the route immediately after its availability status changes.
IPv6 PBR can guide packets that match a service chain only to VXLAN tunnels on an IPv4 network.
If you configure both the apply service-chain and apply loadshare { default-next-hop | next-hop } commands, the apply loadshare command does not take effect.
If you specify the service-chain keyword for the apply next-hop or apply default-next-hop command, the configured apply loadshare { default-next-hop | next-hop } command does not take effect.
To configure actions for an IPv6 policy node:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter IPv6 policy node view. | ipv6 policy-based-route policy-name [ deny \| permit ] node node-number | N/A |
3. Set an IP precedence. | apply precedence { type \| value } | By default, no IP precedence is specified. |
4. Enable load sharing among multiple next hops and default next hops. | apply loadshare { next-hop \| default-next-hop } | By default, the primary/backup mode applies. Multiple next hop and default next hop options operate in either primary/backup or load sharing mode. · Primary/backup mode—One option is selected from all options in configuration order for packet forwarding, with all remaining options as backups. For example, if multiple next hops are configured, the first configured next hop is selected. When the selected next hop fails, the next available next hop takes over. · Load sharing mode—Matching traffic is distributed across the available options in round robin manner, starting from the first configured option. The options perform per-packet load sharing for traffic that does not match any fast forwarding entry, and perform per-flow load sharing for traffic that matches a fast forwarding entry. For the load sharing mode to take effect, make sure multiple next hops and default next hops are set in the policy. |
5. Set next hops for permitted IPv6 packets. | | By default, no next hops are specified. You can specify a maximum of four next hops for backup in one command line or by executing this command multiple times. The service chain parameters are not supported on Layer 3 Ethernet subinterfaces or Layer 3 aggregate subinterfaces. If multiple next hops on the same subnet are specified for backup, the device first uses the subnet route for the next hops to forward packets when the primary next hop fails. If the subnet route is not available, the device selects a backup next hop. |
6. Set output interfaces. | apply output-interface null 0 [ track track-entry-number ] | By default, no output interfaces are specified. You can specify only Null 0 as the output interface. |
7. Set default next hops. | apply default-next-hop [ vpn-instance vpn-instance-name ] { ipv6-address [ direct ] [ track track-entry-number ] [ service-chain path-id service-path-id [ path-index service-path-index ] ] }&<1-8> | By default, no default next hops are specified. You can specify a maximum of four default next hops for backup in one command line or by executing this command multiple times. The service chain parameters are not supported on Layer 3 Ethernet subinterfaces or Layer 3 aggregate subinterfaces. If multiple next hops on the same subnet are specified for backup, the device first uses the subnet route for the next hops to forward packets when the primary next hop fails. If the subnet route is not available, the device selects a backup next hop. This command is not supported on the LSQM1TGS16GPSA0 module. |
8. Set default output interfaces. | apply default-output-interface null 0 [ track track-entry-number ] | By default, no default output interfaces are specified. You can specify only Null 0 as the default output interface. |
9. Set service chain information. | apply service-chain path-id service-path-id [ path-index service-path-index ] | By default, no service chain information is set. This command is not supported on Layer 3 Ethernet subinterfaces or Layer 3 aggregate subinterfaces. |
10. Enable match counting on the IPv6 policy node. | apply statistics | By default, match counting is disabled on IPv6 policy nodes. To include the number of successful matches on an IPv6 policy node in the statistics displayed by a display command, execute this command. This clause is always executed for matching packets. |
Specifying a policy for IPv6 PBR
Specifying an IPv6 policy for IPv6 local PBR
Perform this task to specify an IPv6 policy for IPv6 local PBR to guide the forwarding of locally generated packets. The specified policy must already exist. If the policy does not exist, the IPv6 local PBR configuration fails.
You can apply only one policy locally. Before you apply a new policy, you must first remove the current policy.
IPv6 local PBR might affect local services, such as ping and Telnet. Do not configure IPv6 local PBR unless doing so is required.
To specify an IPv6 policy for IPv6 local PBR:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Specify an IPv6 policy for IPv6 local PBR. | ipv6 local policy-based-route policy-name | By default, no IPv6 policy is specified for IPv6 local PBR. |
Specifying an IPv6 policy for IPv6 interface PBR
Perform this task to apply an IPv6 policy to an interface to guide the forwarding of packets received on the interface only. The specified policy must already exist. If the policy does not exist, the IPv6 interface PBR configuration fails.
You can apply only one policy to an interface. Before you apply a new policy, you must first remove the current policy from the interface.
You can apply a policy to multiple interfaces.
To specify an IPv6 policy for IPv6 interface PBR:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view. | interface interface-type interface-number | N/A |
3. Specify an IPv6 policy for IPv6 interface PBR. | ipv6 policy-based-route policy-name | By default, no IPv6 policy is specified for IPv6 interface PBR. |
Specifying an IPv6 policy for IPv6 global PBR
Perform this task to apply an IPv6 policy to all interfaces on the device to guide the forwarding of packets received on the interfaces.
You can apply only one IPv6 policy for IPv6 global PBR and the specified IPv6 policy must already exist. Before you can apply a new IPv6 policy, you must first remove the current IPv6 policy.
IPv6 interface PBR takes precedence over IPv6 global PBR on an interface. When they are both configured and packets fail to match the IPv6 interface PBR policy, IPv6 global PBR applies.
To specify an IPv6 policy for IPv6 global PBR:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Specify an IPv6 policy for IPv6 global PBR. | ipv6 global policy-based-route policy-name | By default, no IPv6 policy is specified for IPv6 global PBR. |
Displaying and maintaining IPv6 PBR
Execute display commands in any view and reset commands in user view.
Task | Command |
---|---|
Display IPv6 PBR policy information. | display ipv6 policy-based-route [ policy policy-name ] |
(In standalone mode.) Display IPv6 global PBR configuration and statistics. | display ipv6 policy-based-route global [ slot slot-number ] |
(In IRF mode.) Display IPv6 global PBR configuration and statistics. | display ipv6 policy-based-route global [ chassis chassis-number slot slot-number ] |
Display IPv6 PBR configuration. | display ipv6 policy-based-route setup |
(In standalone mode.) Display IPv6 local PBR configuration and statistics. | display ipv6 policy-based-route local [ slot slot-number ] |
(In IRF mode.) Display IPv6 local PBR configuration and statistics. | display ipv6 policy-based-route local [ chassis chassis-number slot slot-number ] |
(In standalone mode.) Display IPv6 interface PBR configuration and statistics. | display ipv6 policy-based-route interface interface-type interface-number [ slot slot-number ] |
(In IRF mode.) Display IPv6 interface PBR configuration and statistics. | display ipv6 policy-based-route interface interface-type interface-number [ chassis chassis-number slot slot-number ] |
Clear IPv6 PBR statistics. | reset ipv6 policy-based-route statistics [ policy policy-name ] |
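Several conditions this guide warns about can be checked offline in a saved configuration: a node whose ACL does not exist (it matches no packet), a node without apply statistics (no match counters), a policy applied but never defined, and any use of local PBR. The following is an added example, not an H3C tool; the `audit_pbr` function, the severity labels, and the layout of the constructed sample (one command per line, sub-commands indented by one space) are assumptions.

```python
import re

def audit_pbr(config: str):
    """Return (severity, message) findings for the IPv6 PBR commands in a config text."""
    acls, nodes, applied = set(), {}, []
    current = None                               # node whose view is being parsed
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            current = None                       # an unindented line leaves node view
        if m := re.match(r"acl ipv6 \w+ (\d+)$", line):
            acls.add(m.group(1))
        elif m := re.match(
                r"ipv6 policy-based-route (\S+) (?:(?:permit|deny) )?node (\d+)$", line):
            current = nodes.setdefault((m.group(1), int(m.group(2))),
                                       {"acl": None, "stats": False})
        elif m := re.match(r"ipv6 (local |global )?policy-based-route (\S+)$", line):
            applied.append(((m.group(1) or "interface").strip(), m.group(2)))
        elif current is not None and (m := re.match(r"if-match acl (\d+)$", line)):
            current["acl"] = m.group(1)
        elif current is not None and line == "apply statistics":
            current["stats"] = True

    findings = []
    policies = {name for name, _ in nodes}
    for (name, num), node in sorted(nodes.items()):
        if node["acl"] and node["acl"] not in acls:
            findings.append(("high", f"policy {name} node {num}: ACL {node['acl']} "
                                     "is not defined, so the node matches no packet"))
        if not node["stats"]:
            findings.append(("info", f"policy {name} node {num}: no 'apply statistics', "
                                     "match counting stays disabled"))
    for scope, name in applied:
        if name not in policies:
            findings.append(("high", f"{scope} PBR references undefined policy {name}"))
        if scope == "local":
            findings.append(("review", f"local PBR policy {name} affects locally "
                                       "generated packets such as ping and Telnet"))
    return findings

# Constructed sample configuration (not taken from a real device).
SAMPLE = """\
acl ipv6 advanced 3001
 rule permit tcp
#
ipv6 policy-based-route aaa permit node 5
 if-match acl 3001
 apply next-hop 1::2
 apply statistics
#
ipv6 policy-based-route aaa permit node 10
 if-match acl 3999
 apply output-interface null 0
#
interface Vlan-interface11
 ipv6 policy-based-route aaa
#
ipv6 local policy-based-route bbb
"""

if __name__ == "__main__":
    for severity, message in audit_pbr(SAMPLE):
        print(f"[{severity}] {message}")
```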
IPv6 PBR configuration examples
Packet type-based IPv6 local PBR configuration example
Network requirements
As shown in Figure 1, Switch B and Switch C do not have a route to reach each other.
Configure IPv6 PBR on Switch A to forward all TCP packets to the next hop 1::2. Switch A forwards other packets according to the routing table.
Configuration procedure
1. Configure Switch A:
# Create VLAN 10 and VLAN 20.
<SwitchA> system-view
[SwitchA] vlan 10
[SwitchA-vlan10] quit
[SwitchA] vlan 20
[SwitchA-vlan20] quit
# Configure the IPv6 addresses of VLAN-interface 10 and VLAN-interface 20.
[SwitchA] interface vlan-interface 10
[SwitchA-Vlan-interface10] ipv6 address 1::1 64
[SwitchA-Vlan-interface10] quit
[SwitchA] interface vlan-interface 20
[SwitchA-Vlan-interface20] ipv6 address 2::1 64
[SwitchA-Vlan-interface20] quit
# Configure ACL 3001 to match TCP packets.
[SwitchA] acl ipv6 advanced 3001
[SwitchA-acl-ipv6-adv-3001] rule permit tcp
[SwitchA-acl-ipv6-adv-3001] quit
# Configure Node 5 for policy aaa to forward TCP packets to next hop 1::2.
[SwitchA] ipv6 policy-based-route aaa permit node 5
[SwitchA-pbr6-aaa-5] if-match acl 3001
[SwitchA-pbr6-aaa-5] apply next-hop 1::2
[SwitchA-pbr6-aaa-5] quit
# Configure IPv6 local PBR by applying policy aaa to Switch A.
[SwitchA] ipv6 local policy-based-route aaa
2. Configure Switch B:
# Create VLAN 10.
<SwitchB> system-view
[SwitchB] vlan 10
[SwitchB-vlan10] quit
# Configure the IPv6 address of VLAN-interface 10.
[SwitchB] interface vlan-interface 10
[SwitchB-Vlan-interface10] ipv6 address 1::2 64
3. Configure Switch C:
# Create VLAN 20.
<SwitchC> system-view
[SwitchC] vlan 20
[SwitchC-vlan20] quit
# Configure the IPv6 address of VLAN-interface 20.
[SwitchC] interface vlan-interface 20
[SwitchC-Vlan-interface20] ipv6 address 2::2 64
Verifying the configuration
1. Perform telnet operations to verify that IPv6 local PBR on Switch A operates as configured to forward the matching TCP packets to the next hop 1::2 (Switch B), as follows:
# Verify that you can telnet to Switch B from Switch A successfully. (Details not shown.)
# Verify that you cannot telnet to Switch C from Switch A. (Details not shown.)
2. Verify that Switch A forwards packets other than TCP packets through VLAN-interface 20. For example, verify that you can ping Switch C from Switch A. (Details not shown.)
Packet type-based IPv6 interface PBR configuration example
Network requirements
As shown in Figure 2, Switch B and Switch C do not have a route to reach each other.
Configure IPv6 PBR on Switch A to forward all TCP packets received on VLAN-interface 11 to the next hop 1::2. Switch A forwards other IPv6 packets according to the routing table.
Configuration procedure
1. Configure IPv6 addresses and unicast routing protocol settings to make sure that Switch B and Switch C each have a route to reach Host A. (Details not shown.)
2. Configure Switch A:
# Configure ACL 3001 to match TCP packets.
[SwitchA] acl ipv6 advanced 3001
[SwitchA-acl-ipv6-adv-3001] rule permit tcp
[SwitchA-acl-ipv6-adv-3001] quit
# Configure Node 5 for policy aaa to forward TCP packets to next hop 1::2.
[SwitchA] ipv6 policy-based-route aaa permit node 5
[SwitchA-pbr6-aaa-5] if-match acl 3001
[SwitchA-pbr6-aaa-5] apply next-hop 1::2
[SwitchA-pbr6-aaa-5] quit
# Configure IPv6 interface PBR by applying policy aaa to VLAN-interface 11.
[SwitchA] interface vlan-interface 11
[SwitchA-Vlan-interface11] ipv6 policy-based-route aaa
Verifying the configuration
1. Enable IPv6 and configure the IPv6 address 10::3 for Host A.
C:\>ipv6 install
Installing...
Succeeded.
C:\>ipv6 adu 4/10::3
2. Perform telnet operations to verify that IPv6 interface PBR on Switch A operates as configured to forward the matching TCP packets to the next hop 1::2 (Switch B), as follows:
# Verify that you can telnet to Switch B from Host A successfully. (Details not shown.)
# Verify that you cannot telnet to Switch C from Host A. (Details not shown.)
3. Verify that Switch A forwards packets other than TCP packets through VLAN-interface 20. For example, verify that you can ping Switch C from Host A. (Details not shown.)
Packet type-based IPv6 global PBR configuration example
Network requirements
As shown in Figure 3, Switch E and Switch F do not have a route to reach each other.
Configure IPv6 global PBR on Switch D to forward TCP packets to the next hop 4::2 (Switch E).
Configuration procedure
1. Configure IPv6 addresses for the interfaces. Make sure Switch A, Switch B, and Switch C can each communicate with Switch E and Switch F. (Details not shown.)
2. Configure Switch D:
# Configure IPv6 ACL 3101 to match TCP packets sourced from networks 1::0/64, 2::0/64, and 3::0/64.
<SwitchD> system-view
[SwitchD] acl ipv6 advanced 3101
[SwitchD-acl-ipv6-adv-3101] rule permit tcp source 1::0 64
[SwitchD-acl-ipv6-adv-3101] rule permit tcp source 2::0 64
[SwitchD-acl-ipv6-adv-3101] rule permit tcp source 3::0 64
[SwitchD-acl-ipv6-adv-3101] quit
# Configure node 5 in IPv6 PBR policy aaa to forward TCP packets that match ACL 3101 to next hop 4::2.
[SwitchD] ipv6 policy-based-route aaa permit node 5
[SwitchD-pbr6-aaa-5] if-match acl 3101
[SwitchD-pbr6-aaa-5] apply next-hop 4::2
[SwitchD-pbr6-aaa-5] quit
# Specify IPv6 PBR policy aaa as the IPv6 global PBR policy.
[SwitchD] ipv6 global policy-based-route aaa
Verifying the configuration
1. Perform telnet operations to verify that IPv6 global PBR on Switch D operates as configured to forward the matching TCP packets to the next hop 4::2 (Switch E), as follows:
# Verify that you can telnet to Switch E from Switch A, Switch B, and Switch C successfully. (Details not shown.)
# Verify that you cannot telnet to Switch F from Switch A, Switch B, or Switch C. (Details not shown.)
2. Verify that Switch D forwards packets other than TCP packets as long as a route is available. For example, verify that you can ping Switch F from Switch A, Switch B, and Switch C. (Details not shown.)