Configuring Policy-Based Routing
Policy-Based Routing (PBR) enables flexible packet forwarding and routing through user-defined policies. Unlike traditional routing, which is based only on the destination IP address, PBR lets you define routing policies based on other parameters such as source and destination IP addresses, IP protocol type, or source and destination L4 port numbers.
PBR policies are implemented with vFlow entries, which Netvisor ONE allocates in a dedicated (hardware) vFlow table, called System-L3-L4-PBR.
In addition, the PBR policy configuration process leverages the vFlow command syntax as explained later in this section (refer also to the Configuring and Using vFlows section for further details on the feature).
PBR policies take precedence over static and dynamic routes. They can match packets based on all Layer 3 and Layer 4 packet fields supported by the vFlow configuration syntax.
Note that if a PBR policy clause is matched but its next-hop is not resolved, the matching traffic is dropped until the next-hop is resolved.
To enable PBR, use the following command:
CLI (network-admin@switch) > system-settings-modify policy-based-routing
Note: nvOSd must be restarted for this setting to take effect
To disable PBR, use the following command:
CLI (network-admin@switch) > system-settings-modify no-policy-based-routing
Note: nvOSd must be restarted for this setting to take effect
Use the following vflow-create command to configure a PBR policy. For details on configuring vFlows, see the Configuring and Using vFlows chapter.
CLI (network-admin@switch) > vflow-create name <policy-name> vrouter-name <vr-name> scope local [<match qualifiers>] action to-next-hop-ip action-to-next-hop-ip-value <ip-address> table-name System-L3-L4-PBR-1-0
Note: You can only specify the scope as local.
Use the following command to modify the PBR policy:
CLI (network-admin@switch) > vflow-modify name <policy-name> vrouter-name <vr-name> [<match qualifiers>] action to-next-hop-ip action-to-next-hop-ip-value <ip-address>
Use the following command to delete the policy:
CLI (network-admin@switch) > vflow-delete name <policy-name>
Below is an example of PBR policy creation:
CLI (network-admin@switch) > vflow-create name test_pbr scope local in-port 10 src-ip 192.168.1.1 src-ip-mask 255.255.255.0 vrouter-name vr1 action to-next-hop-ip action-to-next-hop-ip-value 192.168.10.10
To view the configured policy, use the following command:
CLI (network-admin@switch) > vflow-show
switch: spine1
name: test_pbr
scope: local
type: pbr
in-port: 10
src-ip: 192.168.1.1/255.255.255.0
burst-size: auto
vrouter-name: vr1
precedence: default
action: to-next-hop-ip
action-to-next-hop-ip-value: 192.168.10.10
enable: enable
table-name: System-L3-L4-PBR-1-0
To modify this policy, the vrouter-name and action to-next-hop-ip parameters are required in the vflow-modify command so that the entry being modified is identified as a PBR vFlow entry. For example, this command modifies the in-port value:
CLI (network-admin@switch) > vflow-modify name test_pbr in-port 20 vrouter-name vr1 action to-next-hop-ip action-to-next-hop-ip-value 192.168.10.10
To display the vFlow table’s usage and a specific PBR policy, use the following command sequence:
CLI (network-admin@switch) > vflow-table-show layout vertical
name: Egress-Table-1-0
flow-max-per-group: 512
flow-used: 0
flow-tbl-slices: 2
capability: match-metadata
flow-profile: system
name: System-L1-L4-Tun-1-0
flow-max-per-group: 2048
flow-used: 54
flow-tbl-slices: 2
capability: set-metadata
flow-profile: system
name: System-VCAP-table-1-0
flow-max-per-group: 512
flow-used: 0
flow-tbl-slices: 1
capability: none
flow-profile: system
name: System-L3-L4-PBR-1-0
flow-max-per-group:
flow-used:
flow-tbl-slices:
capability: set-metadata
flow-profile: system
CLI (network-admin@switch) > vflow-show name pbr_test layout vertical
name: pbr_test
scope: local
type: pbr
src-ip: 10.10.10.1/255.255.255.0
burst-size: auto
vrouter-name: vr1
precedence: default
action: to-next-hop-ip
action-to-next-hop-ip-value: 30.30.30.1
enable: enable
table-name: System-L3-L4-PBR-1-0
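As an added example (not part of this page and not Netvisor ONE's own tooling), the following Python script parses the vertical-layout vflow-show and vflow-table-show output shown above and audits each PBR entry against the constraints this section states: local scope, a vrouter binding, a to-next-hop-ip action with a valid next-hop value (a missing or unresolved next-hop means matched traffic is dropped), and placement in the System-L3-L4-PBR-1-0 table. It also reports the PBR table's flow-used/flow-max-per-group counters. The sample output embedded in the script is constructed from the page's examples; the second policy (bad_pbr) and the non-blank PBR table counters are constructed values that exercise the failure and usage paths and do not come from the page.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

PBR_TABLE = "System-L3-L4-PBR-1-0"

# Constructed sample of "vflow-show layout vertical" output. The first record is
# taken from this section; "bad_pbr" is constructed to show a missing next-hop.
SAMPLE_VFLOW_SHOW = """\
switch: spine1
name: test_pbr
scope: local
type: pbr
in-port: 10
src-ip: 192.168.1.1/255.255.255.0
burst-size: auto
vrouter-name: vr1
precedence: default
action: to-next-hop-ip
action-to-next-hop-ip-value: 192.168.10.10
enable: enable
table-name: System-L3-L4-PBR-1-0
name: bad_pbr
scope: local
type: pbr
src-ip: 10.10.10.1/255.255.255.0
vrouter-name: vr1
action: to-next-hop-ip
enable: enable
table-name: System-L3-L4-PBR-1-0
"""

# Constructed sample of "vflow-table-show layout vertical" output; the PBR
# table counters (512 / 3) are constructed, the page shows them blank.
SAMPLE_TABLE_SHOW = """\
name: System-L1-L4-Tun-1-0
flow-max-per-group: 2048
flow-used: 54
flow-tbl-slices: 2
capability: set-metadata
flow-profile: system
name: System-L3-L4-PBR-1-0
flow-max-per-group: 512
flow-used: 3
flow-tbl-slices: 1
capability: set-metadata
flow-profile: system
"""


def parse_vertical(text: str) -> List[Dict[str, str]]:
    """Split 'key: value' lines into records; a new record starts at each
    'name:' line. Leading lines such as 'switch: spine1' join the first record."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "name" and "name" in current:
            records.append(current)
            current = {}
        current[key] = value
    if current:
        records.append(current)
    return records


def effective_src_network(rec: Dict[str, str]) -> Optional[str]:
    """Return the network actually matched by 'src-ip addr/mask' (host bits
    under the mask are ignored), or None if the field is absent or malformed."""
    src = rec.get("src-ip", "")
    if "/" not in src:
        return None
    addr, mask = src.split("/", 1)
    try:
        return str(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    except ValueError:
        return None


def audit_pbr(records: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each PBR entry name to the list of problems found (empty list = OK)."""
    findings: Dict[str, List[str]] = {}
    for rec in records:
        if rec.get("type") != "pbr":
            continue
        problems: List[str] = []
        if rec.get("scope") != "local":
            problems.append("scope must be local")
        if not rec.get("vrouter-name"):
            problems.append("missing vrouter-name")
        if rec.get("action") != "to-next-hop-ip":
            problems.append("action is not to-next-hop-ip")
        nh = rec.get("action-to-next-hop-ip-value", "")
        if not nh:
            problems.append("no next-hop value: matching traffic is dropped")
        else:
            try:
                ipaddress.ip_address(nh)
            except ValueError:
                problems.append(f"next-hop {nh!r} is not a valid IP address")
        if rec.get("table-name") != PBR_TABLE:
            problems.append(f"entry is not in {PBR_TABLE}")
        if rec.get("src-ip") and effective_src_network(rec) is None:
            problems.append(f"malformed src-ip/mask {rec['src-ip']!r}")
        findings[rec.get("name", "?")] = problems
    return findings


def pbr_table_usage(records: List[Dict[str, str]],
                    table: str = PBR_TABLE) -> Optional[Tuple[int, int]]:
    """Return (flow-used, flow-max-per-group) for the PBR table, or None when
    the table is absent or its counters are blank (as on the page's fresh system)."""
    for rec in records:
        if rec.get("name") == table:
            used, cap = rec.get("flow-used", ""), rec.get("flow-max-per-group", "")
            return (int(used), int(cap)) if used.isdigit() and cap.isdigit() else None
    return None


if __name__ == "__main__":
    flows = parse_vertical(SAMPLE_VFLOW_SHOW)
    for name, probs in audit_pbr(flows).items():
        print(f"{name}: {'OK' if not probs else '; '.join(probs)}")
    print("effective src network of test_pbr:", effective_src_network(flows[0]))
    print("PBR table usage:", pbr_table_usage(parse_vertical(SAMPLE_TABLE_SHOW)))
```

Feed the script the real output captured from the switch instead of the constructed samples to review a live configuration; a policy flagged with "no next-hop value" is one whose matching traffic is silently dropped, which is the failure mode this section warns about.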