Configuring Policy-Based Routing


Policy-Based Routing (PBR) enables flexible packet forwarding and routing through user-defined policies. Unlike traditional routing, which forwards on the destination IP address only, PBR allows you to define routing policies based on additional parameters such as source and destination IP addresses, IP protocol type, or source and destination L4 port numbers.


PBR policies are implemented with vFlow entries, which Netvisor ONE allocates in a dedicated (hardware) vFlow table, called System-L3-L4-PBR.


In addition, the PBR policy configuration process leverages the vFlow command syntax as explained later in this section (refer also to the Configuring and Using vFlows section for further details on the feature).


PBR policies take priority over static and dynamic routes: a packet that matches a PBR clause is forwarded to the policy's next-hop instead of being routed by the routing table. Policies can match on all Layer 3 and Layer 4 packet fields supported by the vFlow configuration syntax.


Note that if a PBR policy clause is matched but the next-hop is not resolved, the matching traffic is dropped (it does not fall back to normal routing) until the next-hop gets resolved. Verify that the next-hop is reachable from the vRouter before applying a policy to production traffic.


To enable PBR, use the following command:


CLI (network-admin@switch) > system-settings-modify policy-based-routing


Note: nvOSd must be restarted for this setting to take effect

 

To disable PBR, use the following command:


CLI (network-admin@switch) > system-settings-modify no-policy-based-routing


Note: nvOSd must be restarted for this setting to take effect

 


Use the following vflow command to configure a PBR policy. For details on configuring vFlows, see the Configuring and Using vFlows chapter.


CLI (network-admin@switch) > vflow-create name <policy-name> vrouter-name <vr-name> scope local [<match qualifiers>] action to-next-hop-ip action-to-next-hop-ip-value <ip-address> table-name System-L3-L4-PBR-1-0


Note: You can only specify the scope as local.


Use the following command to modify the PBR policy:


CLI (network-admin@switch) > vflow-modify name <policy-name> vrouter-name <vr-name> [<match qualifiers>] action to-next-hop-ip action-to-next-hop-ip-value <ip-address>


Use the following command to delete the policy:


CLI (network-admin@switch) > vflow-delete name <policy-name>


Below is an example of PBR policy creation:


CLI (network-admin@switch) > vflow-create name test_pbr scope local in-port 10 src-ip 192.168.1.1 src-ip-mask 255.255.255.0 vrouter-name vr1 action to-next-hop-ip action-to-next-hop-ip-value 192.168.10.10


To view the configured policy, use the following command:


CLI (network-admin@switch) > vflow-show


switch:        spine1

name:          test_pbr

scope:        local

type:        pbr

in-port:        10

src-ip:          192.168.1.1/255.255.255.0

burst-size:        auto

vrouter-name:        vr1

precedence:        default

action:        to-next-hop-ip

action-to-next-hop-ip-value:        192.168.10.10

enable:        enable

table-name:        System-L3-L4-PBR-1-0


To modify this policy, the vrouter-name and action to-next-hop-ip parameters are required in the vflow-modify command so that the entry being modified is identified as a PBR vFlow. For example, this command changes the in-port value:


CLI (network-admin@switch) > vflow-modify name test_pbr in-port 20 vrouter-name vr1 action to-next-hop-ip action-to-next-hop-ip-value 192.168.10.10
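The following shell script is an added example and is not part of Netvisor ONE or this page; it wraps the create and verify steps above. The CLI takes src-ip plus src-ip-mask rather than a prefix length, so the script converts a CIDR prefix to a dotted netmask, builds the exact vflow-create invocation (scope local, table System-L3-L4-PBR-1-0), refuses an empty next-hop because an unresolved next-hop blackholes matching traffic, and then parses vflow-show vertical output to confirm the entry is an enabled pbr-type flow pointing at the intended next-hop. The NVOS_CLI variable and the function names are the script's own assumptions; the vflow-show sample is constructed from the fields shown on this page, not captured from a switch.

```shell
#!/bin/sh
# Added example, not Netvisor ONE tooling. NVOS_CLI defaults to "echo" so the
# script runs offline; on a switch you would point it at the real CLI
# (assumption: the CLI accepts the command words as arguments).
NVOS_CLI="${NVOS_CLI:-echo}"

# cidr_to_mask PREFIXLEN -> dotted-decimal netmask, e.g. 24 -> 255.255.255.0
cidr_to_mask() {
  p=$1
  [ "$p" -ge 0 ] && [ "$p" -le 32 ] || return 1
  mask=""
  i=0
  while [ "$i" -lt 4 ]; do
    if [ "$p" -ge 8 ]; then octet=255; p=$((p - 8))
    elif [ "$p" -le 0 ]; then octet=0
    else octet=$(( 256 - (1 << (8 - p)) )); p=0
    fi
    mask="${mask}${mask:+.}${octet}"
    i=$((i + 1))
  done
  printf '%s\n' "$mask"
}

# build_pbr_cmd NAME VROUTER SRC_CIDR NEXT_HOP [IN_PORT]
# Prints the vflow-create command. Fails if the prefix length is missing,
# the netmask cannot be derived, or the next-hop is empty.
build_pbr_cmd() {
  name=$1; vr=$2; cidr=$3; nh=$4; in_port=${5:-}
  ip=${cidr%/*}; plen=${cidr#*/}
  [ "$ip" != "$cidr" ] || return 1          # no "/prefix" supplied
  [ -n "$nh" ] || return 1                   # never install a blackhole clause
  mask=$(cidr_to_mask "$plen") || return 1
  cmd="vflow-create name $name vrouter-name $vr scope local"
  [ -n "$in_port" ] && cmd="$cmd in-port $in_port"
  cmd="$cmd src-ip $ip src-ip-mask $mask action to-next-hop-ip"
  cmd="$cmd action-to-next-hop-ip-value $nh table-name System-L3-L4-PBR-1-0"
  printf '%s\n' "$cmd"
}

# pbr_entry_ok NAME EXPECTED_NH  < output of "vflow-show name NAME layout vertical"
# Parses "key:   value" lines and succeeds only if the entry is named NAME,
# is of type pbr, is enabled, sits in the PBR table and targets EXPECTED_NH.
pbr_entry_ok() {
  want_name=$1; want_nh=$2
  got_name=""; got_type=""; got_enable=""; got_table=""; got_nh=""
  while IFS=': ' read -r key val; do
    case "$key" in
      name) got_name=$val ;;
      type) got_type=$val ;;
      enable) got_enable=$val ;;
      table-name) got_table=$val ;;
      action-to-next-hop-ip-value) got_nh=$val ;;
    esac
  done
  if [ "$got_name" = "$want_name" ] && [ "$got_type" = "pbr" ] \
     && [ "$got_enable" = "enable" ] && [ "$got_table" = "System-L3-L4-PBR-1-0" ] \
     && [ "$got_nh" = "$want_nh" ]; then
    return 0
  fi
  return 1
}

# Constructed sample of vflow-show vertical output for the test_pbr policy,
# using the fields documented above (not captured from a real switch).
sample_vflow_show() {
  cat <<'EOF'
name:        test_pbr
scope:        local
type:        pbr
in-port:        10
src-ip:          192.168.1.1/255.255.255.0
vrouter-name:        vr1
precedence:        default
action:        to-next-hop-ip
action-to-next-hop-ip-value:        192.168.10.10
enable:        enable
table-name:        System-L3-L4-PBR-1-0
EOF
}

# Usage: build the create command, submit it, then verify the installed entry.
cmd=$(build_pbr_cmd test_pbr vr1 192.168.1.0/24 192.168.10.10 10) && $NVOS_CLI $cmd
sample_vflow_show | pbr_entry_ok test_pbr 192.168.10.10 && echo "verified: test_pbr -> 192.168.10.10"
```

On a real switch, replace sample_vflow_show with the actual vflow-show call and run the check after vflow-create; a mismatch on table-name or type means the entry was not installed as a PBR flow, and a mismatch on the next-hop value means traffic is being steered somewhere other than intended.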


To display the vFlow table's usage and then a specific PBR policy, use the following command sequence (the second command shows a different policy, pbr_test, from the one created above):


CLI (network-admin@switch) > vflow-table-show layout vertical


name:        Egress-Table-1-0

flow-max-per-group:        512

flow-used:        0

flow-tbl-slices:        2

capability:        match-metadata

flow-profile:        system

name:        System-L1-L4-Tun-1-0

flow-max-per-group:        2048

flow-used:        54

flow-tbl-slices:        2

capability:        set-metadata

flow-profile:        system

name:        System-VCAP-table-1-0

flow-max-per-group:        512

flow-used:        0

flow-tbl-slices:        1

capability:        none

flow-profile:        system

name:        System-L3-L4-PBR-1-0

flow-max-per-group:

flow-used:

flow-tbl-slices:

capability:        set-metadata

flow-profile:        system

 


CLI (network-admin@switch) > vflow-show name pbr_test layout vertical

 

name:        pbr_test

scope:        local

type:        pbr

src-ip:        10.10.10.1/255.255.255.0

burst-size:        auto

vrouter-name:        vr1

precedence:        default

action:        to-next-hop-ip

action-to-next-hop-ip-value:        30.30.30.1

enable:        enable

table-name:        System-L3-L4-PBR-1-0