Configuring Policy-based Routing


Policy-based Routing (PBR) enables flexible packet forwarding and routing through user-defined policies. Unlike traditional routing, which is based on the destination IP address only, PBR allows you to define routes based on other parameters such as source and destination IP addresses, protocol, or source and destination port numbers.


Policy-based routes have the following properties:


  • They can match on all the Layer 3 and Layer 4 fields available in vFlow configurations.
  • Policy-based routes take priority over static and dynamic routes, so a matching PBR entry overrides the routing table.
  • If a PBR vFlow matches a packet but its next-hop is not resolved, the matching traffic is dropped until the next-hop is resolved.


To enable PBR, use the following command:


CLI (network-admin@switch) > system-settings-modify policy-based-routing


Note: nvOSd must be restarted for this setting to take effect

 

To disable PBR, use the following command:


CLI (network-admin@switch) > system-settings-modify no-policy-based-routing


Note: nvOSd must be restarted for this setting to take effect

 

You configure PBR using vFlow commands. Internally, policy routing of the packets uses a vFlow entry. Netvisor ONE creates PBR vFlow entries in a new vFlow table, System-L3-L4-PBR.


Use the following command to configure the PBR:


CLI (network-admin@switch) > vflow-create name <name-string> vrouter-name <vr-name> scope local [<match qualifiers>] action to-next-hop-ip action-to-next-hop-ip-value <ip-address> table-name System-L3-L4-PBR-1-0


Note: You can only specify the scope as local.


Use the following command to modify the PBR:


CLI (network-admin@switch) > vflow-modify name <name-string> vrouter-name <vr-name> [<match qualifiers>] action to-next-hop-ip action-to-next-hop-ip-value <ip-address>


Use the following command to delete the PBR:


CLI (network-admin@switch) > vflow-delete name <name-string>


Use the following command to view the output:


CLI (network-admin@switch) > vflow-show


Below is an example of how to configure a PBR entry:


CLI (network-admin@switch) > vflow-create name test_pbr scope local in-port 10 src-ip 192.168.1.1 src-ip-mask 255.255.255.0 vrouter-name vr1 action to-next-hop-ip action-to-next-hop-ip-value 192.168.10.10


To view the configured PBR, use the command:


CLI (network-admin@spine1) > vflow-show

switch:                       spine1
name:                         test_pbr
scope:                        local
type:                         pbr
in-port:                      10
src-ip:                       192.168.1.1/255.255.255.0
burst-size:                   auto
vrouter-name:                 vr1
precedence:                   default
action:                       to-next-hop-ip
action-to-next-hop-ip-value:  192.168.10.10
enable:                       enable
table-name:                   System-L3-L4-PBR-1-0

 

To modify this vFlow, the vrouter-name and action to-next-hop-ip parameters are required, because they identify the entry being modified as a PBR vFlow. For example:


CLI (network-admin@switch) > vflow-modify name test_pbr in-port 20 vrouter-name vr1 action to-next-hop-ip action-to-next-hop-ip-value 192.168.10.10


To display the vFlow tables, use the following command:


CLI (network-admin@switch1*) > vflow-table-show

name                     flow-max-per-group flow-used flow-tbl-slices capability     flow-profile
------------------------ ------------------ --------- --------------- -------------- ------------
Egress-Table-1-0         512                0         2               match-metadata system
System-L1-L4-Tun-1-0     2048               54        2               set-metadata   system
System-VCAP-table-1-0    512                0         1               none           system

To display a single PBR entry by name, use the following command:


CLI (network-admin@switch) > vflow-show name pbr_test

name:                         pbr_test
scope:                        local
type:                         pbr
src-ip:                       10.10.10.1/255.255.255.0
burst-size:                   auto
vrouter-name:                 vr1
precedence:                   default
action:                       to-next-hop-ip
action-to-next-hop-ip-value:  30.30.30.1
enable:                       enable
table-name:                   System-L3-L4-PBR-1-0
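Because PBR entries take priority over the routing table, and a matched packet whose next-hop is unresolved is silently dropped, the vflow-show output above is worth auditing rather than just reading. The script below is an added example, not Netvisor ONE code: it parses the "key: value" vertical layout shown on this page into one dict per entry, keeps only entries in System-L3-L4-PBR-1-0 with action to-next-hop-ip, and flags entries with a non-local scope, entries with no Layer 3/4 qualifier (which redirect every packet the vRouter forwards), and next-hops missing from a list of resolved neighbours. The sample output, the entry names catch_all and web_drop, and the RESOLVED_NEXT_HOPS set are constructed for the example.

```python
"""Audit PBR entries parsed from Netvisor ONE vflow-show output.
Added example, not Netvisor ONE code. It assumes the "key: value" vertical
layout shown on this page; the sample output and next-hop list are constructed."""
import ipaddress
import re

PBR_TABLE = "System-L3-L4-PBR-1-0"
# Fields that narrow a PBR match at Layer 3/4. An entry with none of them (or
# an all-zero mask) redirects every packet the vRouter forwards, because PBR
# entries take priority over static and dynamic routes.
L3L4_QUALIFIERS = ("src-ip", "dst-ip", "proto", "src-port", "dst-port")

# Constructed sample: one "key: value" line per field, blank line between
# entries. catch_all has no L3/L4 qualifier and an unresolved next hop.
SAMPLE_VFLOW_SHOW = """\
name:                        test_pbr
scope:                       local
type:                        pbr
in-port:                     10
src-ip:                      192.168.1.1/255.255.255.0
vrouter-name:                vr1
action:                      to-next-hop-ip
action-to-next-hop-ip-value: 192.168.10.10
table-name:                  System-L3-L4-PBR-1-0

name:                        catch_all
scope:                       local
in-port:                     20
vrouter-name:                vr1
action:                      to-next-hop-ip
action-to-next-hop-ip-value: 10.0.0.254
table-name:                  System-L3-L4-PBR-1-0

name:                        web_drop
scope:                       local
dst-port:                    443
action:                      drop
table-name:                  System-L1-L4-Tun-1-0
"""
# Constructed: next hops the vRouter currently has a neighbour entry for.
RESOLVED_NEXT_HOPS = {"192.168.10.10", "192.168.10.11"}

_FIELD = re.compile(r"^([\w-]+):\s*(.*?)\s*$")


def parse_vflow_show(text):
    """Split vertical-layout output into one dict per vFlow entry."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        m = _FIELD.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    if current:
        entries.append(current)
    return entries


def pbr_entries(entries):
    """Entries in the PBR table whose action is a next-hop redirect."""
    return [e for e in entries if e.get("table-name") == PBR_TABLE
            and e.get("action") == "to-next-hop-ip"]


def is_catch_all(entry):
    """True when nothing at L3/L4 limits what the entry redirects."""
    if not any(k in entry for k in L3L4_QUALIFIERS):
        return True
    for key in ("src-ip", "dst-ip"):
        # Netvisor prints "address/netmask"; strict=False tolerates host bits.
        if key in entry and ipaddress.ip_network(entry[key], strict=False).prefixlen == 0:
            return True
    return False


def audit_pbr(entries, resolved_next_hops):
    """Map each PBR entry name to its findings (empty list means clean)."""
    findings = {}
    for e in pbr_entries(entries):
        problems = []
        if e.get("scope") != "local":
            problems.append(f"scope is {e.get('scope')}; PBR requires local")
        if is_catch_all(e):
            problems.append("no L3/L4 qualifier: redirects all traffic on "
                            f"vrouter {e.get('vrouter-name')} ahead of the routing table")
        nh = e.get("action-to-next-hop-ip-value", "")
        if nh not in resolved_next_hops:
            problems.append(f"next-hop {nh} not resolved: matching traffic is "
                            "dropped until it resolves")
        findings[e.get("name", "?")] = problems
    return findings


if __name__ == "__main__":
    for name, problems in audit_pbr(parse_vflow_show(SAMPLE_VFLOW_SHOW),
                                    RESOLVED_NEXT_HOPS).items():
        print(name, "OK" if not problems else "; ".join(problems))
```

To run it against a live switch, replace SAMPLE_VFLOW_SHOW with the captured vflow-show output and RESOLVED_NEXT_HOPS with the addresses from the vRouter's neighbour table; an entry that only matches on in-port is reported as catch-all on purpose, since the port is not a Layer 3/4 qualifier and every packet arriving on it will be redirected.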