Configuration Guide
Policy Routing Configuration Guide
Introduction

Traditional route forwarding looks up the routing table based on the destination address of the packet and then forwards the packet. However, an increasing number of users now wish to forward packets, and select routes for them, based on their own defined policies in addition to traditional route forwarding. The device supports two different types of policy-based routing:

1. ACL-based policy routing: primarily used to control the flow of packets. An ACL permits or denies packets passing through network devices and can filter on conditions such as source IP address, destination IP address and port numbers. Combined with policy routing, an ACL determines the direction of traffic by matching specific conditions of packets, thus implementing policy routing.

2. PBR-based policy routing: mainly used to select different paths or next hops based on specific policies, rather than solely on the traditional routing table. PBR allows the direction of traffic to be defined by conditions such as source IP, destination IP, protocol and port. It is the more flexible policy routing mechanism.

For smaller networks that require only simple traffic filtering and routing control, ACL-based policy routing can be chosen. When more flexible routing policies are needed, such as multipath selection and failover, PBR-based policy routing can be chosen.

Explanation of Principle

Policy routing is achieved by configuring redirection in the flow behavior, and it takes effect only on packets received on the interface. It is a mechanism for forwarding packets based on user-defined policies, with a priority higher than directly connected routes, static routes and routes generated by dynamic routing protocols. After policy routing is configured on the device, a received packet (including a Layer 2 packet) that matches the policy routing rules is forwarded according to those rules; if the match fails, it is forwarded according to the normal forwarding process, based on the destination address.

Configuration

Creating Policy Route

Creating Matching Conditions for Policy Route

Specifying the Next Hop for Policy Route

The "nexthop" command supports configuring up to 4 next hops. When multiple next hops are configured, packets are redirected and forwarded in a primary/backup manner. The primary and backup links are determined by the configuration order: the next hop IP address configured first has the higher priority and serves as the primary link. If the primary link fails, the backup links are automatically selected, in configuration order, as the new primary link.

Creating Next Hop Address Group and Entering the View

When the next hop for policy routing is an address group, packets are load balanced among the different next hops within the address group.

Binding the Policy Route to a Specified Interface

Display and Maintenance

Example Configuration of Policy-Based Routing

Network requirements

Control the packets received on interface vlan11 of Switch A using policy-based routing: specify the next hop for all TCP packets as 1.1.2.2, and forward other packets using the traditional route table lookup. Switch A is directly connected to Switch B and Switch C; there is no reachable route between Switch B and Switch C. As a result, Host A can successfully telnet to Switch B but cannot telnet to Switch C, while Host A can ping both Switch B and Switch C.

Procedure

1. IP addresses and VLAN configuration omitted.

2. Configuration on Switch A:

```
# Create the PBR rule
sonic(config)# pbr-map aaa seq 5
sonic(config-pbr-map)# match ip-protocol tcp
sonic(config-pbr-map)# set nexthop 1.1.2.2
sonic(config-pbr-map)# exit

# Apply the policy route map to the interface
sonic(config)# interface vlan 11
sonic(config-vlanif-11)# ip address 10.110.0.10/24
sonic(config-vlanif-11)# pbr-policy aaa
sonic(config-vlanif-11)# exit

# Configuration on Switch B and Switch C: static routes back to Host A
sonic(config)# ip route 10.110.0.0/24 1.1.2.1
sonic(config)# ip route 10.110.0.0/24 1.1.3.1
```

Verify configuration

1. Verify the configuration:

```
sonic# show pbr map detail
pbr-map aaa valid: yes
  Seq: 5 rule: 304
    Installed: 2(1) Reason: Valid
    IP Protocol Match: tcp
    nexthop 1.1.2.2
      Installed: 1(1) Tableid: 10000
```

2. Perform telnet and ping from Host A, and verify that the results match the expectations:

- Telnet from Host A to Switch B (telnet 1.1.2.2): success
- Telnet from Host A to Switch C (telnet 1.1.3.2): failure
- Ping from Host A to Switch C (ping 1.1.3.2): success

Example of PBR Strategy Routing Traceability Matching Scenario

Network requirements

In the following network setup, traffic from external networks accessing the internal network via the router device is restricted. The enterprise requires that public Internet traffic entering through the two public network ports (ethernet1 and ethernet3) can access the same internal service when all links are functioning normally. PBR (policy-based routing) must be implemented to trace and mark traffic originating from the different public network ports. At the same time, the SPI (stateful packet inspection) function should be enabled to maintain session records. This ensures that return traffic from the internal network port (ethernet2) to the different public network ports can correctly identify the corresponding egress interface and next hop.

Procedure

```
interface ethernet 2
 ip address 192.168.3.1/24
 pbr-policy srcif
 stateful packet inspection enable tcp
nat static tcp 58.241.51.92 2022 192.168.3.10 5201 dnat extendable test1
nat static tcp 218.3.246.45 2022 192.168.3.10 5201 dnat extendable test2
pbr-map srcif seq 5
 match src-ip 192.168.3.10/24
 match ip-protocol tcp
 set nexthop 58.241.51.95 src interface 3
pbr-map srcif seq 6
 match src-ip 192.168.3.10/24
 match ip-protocol tcp
 set nexthop 218.3.246.33 src interface 1
```
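The forwarding behaviour described in the principle section and exercised by the two scenarios above can be checked against a small model. The following Python simulation is an added example, not the switch vendor's code: it models PBR being consulted before the routing table with the lowest matching seq winning, an ordered next hop list used primary/backup with an address group load-balanced per flow, and a session record that pins return traffic to the public port its session arrived on. Addresses and rule contents come from the two scenarios on this page; the packets, the session entry and the assumption that traffic falls through to the normal lookup when every next hop of a matching rule is down are constructed for this example. It also shows why, in the second scenario, seq order alone cannot pick the return path: seq 5 and seq 6 match the same replies.

```python
"""Model of the policy-routing semantics described on this page (added example,
not vendor code). Assumption: if every next hop of the matching rule is down,
the packet falls through to the normal destination-based lookup."""
import ipaddress
import zlib
from dataclasses import dataclass, field


@dataclass
class Rule:
    seq: int
    nexthops: list = field(default_factory=list)  # configured order: primary, then backups
    group: list = field(default_factory=list)     # address group: members share the load
    src_ip: str = ""                              # match src-ip PREFIX ("" = any)
    ip_protocol: str = ""                         # match ip-protocol NAME ("" = any)

    def matches(self, pkt):
        if self.ip_protocol and pkt["proto"] != self.ip_protocol:
            return False
        if self.src_ip:
            net = ipaddress.ip_network(self.src_ip, strict=False)
            if ipaddress.ip_address(pkt["src"]) not in net:
                return False
        return True


def flow_key(pkt):
    return (pkt["src"], pkt.get("sport"), pkt["dst"], pkt.get("dport"), pkt["proto"])


def pick_nexthop(rule, pkt, link_up):
    """Primary/backup for an ordered list; per-flow hashing for an address group."""
    if rule.group:
        members = [nh for nh in rule.group if link_up.get(nh, True)]
        if not members:
            return None
        return members[zlib.crc32(repr(flow_key(pkt)).encode()) % len(members)]
    for nh in rule.nexthops:          # first next hop that is up, in configured order
        if link_up.get(nh, True):
            return nh
    return None


def route_lookup(routes, dst):
    """Normal forwarding: longest-prefix match on the destination address."""
    best = None
    for prefix, nh in routes:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None


def forward(pkt, rules, routes, link_up=None):
    """PBR has priority over connected, static and dynamic routes; lowest seq wins."""
    link_up = link_up or {}
    for rule in sorted(rules, key=lambda r: r.seq):
        if rule.matches(pkt):
            nh = pick_nexthop(rule, pkt, link_up)
            if nh is not None:
                return ("pbr", rule.seq, nh)
            break                     # assumption: all next hops down -> normal lookup
    return ("rib", None, route_lookup(routes, pkt["dst"]))


class SessionTable:
    """Stand-in for the stateful packet inspection of the second scenario:
    remember the next hop a session's reply must use."""
    def __init__(self):
        self.sessions = {}

    def inbound(self, pkt, reply_nexthop):
        self.sessions[flow_key(pkt)] = reply_nexthop

    def reply_nexthop(self, reply):
        # a reply carries the original src/dst (and ports) swapped
        k = (reply["dst"], reply.get("dport"), reply["src"], reply.get("sport"), reply["proto"])
        return self.sessions.get(k)


def forward_stateful(pkt, sessions, rules, routes):
    nh = sessions.reply_nexthop(pkt)
    if nh is not None:
        return ("session", None, nh)
    return forward(pkt, rules, routes)


# Scenario 1: Switch A, interface vlan11. Routes to B and C are directly connected.
SWITCH_A_RULES = [Rule(seq=5, ip_protocol="tcp", nexthops=["1.1.2.2"])]
SWITCH_A_ROUTES = [("1.1.2.0/24", "connected"), ("1.1.3.0/24", "connected")]

# Scenario 2: both seq 5 and seq 6 match replies from 192.168.3.10, so seq order
# alone would always choose seq 5; the session record has to pick the return path.
ROUTER_RULES = [
    Rule(seq=5, src_ip="192.168.3.10/24", ip_protocol="tcp", nexthops=["58.241.51.95"]),
    Rule(seq=6, src_ip="192.168.3.10/24", ip_protocol="tcp", nexthops=["218.3.246.33"]),
]
```

Running the model with a TCP packet for 1.1.3.2 shows it redirected to 1.1.2.2 (Switch B, which has no route to Switch C), which is why the telnet to Switch C fails while the ICMP ping, not matched by the rule, takes the connected route and succeeds.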
