Policy-based forwarding

Policy-based forwarding (PBF) supports traffic forwarding in a network-instance based on match conditions and actions defined in a policy, as an alternative to forwarding based on entries in a routing table.

Each PBF policy is modeled as a sequence of rules, each of which has match conditions and actions. Match conditions specify values for various packet header fields. A packet matches a rule only if all the match conditions evaluate to true. Actions specify the processing to apply to each matching packet.

Each PBF policy is associated with a specific network-instance. The PBF rules only apply to the ingress IP packets on selected routed subinterfaces of the network-instance. Policy-forwarded packets are classified according to the DSCP policy that is attached to the ingress subinterface.

Match conditions for PBF policies

The following match conditions can be specified in a PBF policy:
  • dscp-set – list of DSCP values to match for incoming packets; a packet must match one of the DSCP values defined in this list for the rule to apply
  • protocol – protocol carried in the IP packet, specified either by name or IP protocol value
  • source-ip – source IP address of the IP packet; for an IP-in-IP packet, this refers to the outer IP header source address, not the encapsulated inner header

Actions for PBF policies

You can specify the following action in a PBF policy:
  • network-instance – Look up matching packets in the network-instance referenced in the PBF policy instead of the network-instance associated with the ingress subinterface.

Creating a PBF policy

To create a PBF policy, configure the match conditions for the policy and the action to take for packets that meet the match conditions.

Match based on IPv4 protocol value

The following example configures a PBF policy that applies to the default network-instance. On subinterfaces where this policy is applied, incoming IPv4 packets that have a value of 4 (IP-in-IP) in their IP protocol field are looked up and forwarded in network-instance red.

--{ candidate shared default }--[  ]--
# info network-instance default policy-forwarding
    network-instance default {
        policy-forwarding {
            policy 100 {
                description "Sample PBF Policy"
                rule 1 {
                    action {
                        network-instance red
                    }
                    match {
                        ipv4 {
                            protocol 4
                        }
                    }
                }
            }
        }
    }

Match based on DSCP values

In the following example, incoming packets matching DSCP values 0, 1, or 2 are looked up and forwarded in network-instance blue:

--{ * candidate shared default }--[  ]--
# info network-instance default policy-forwarding
    network-instance default {
        policy-forwarding {
            policy 101 {
                rule 1 {
                    action {
                        network-instance blue
                    }
                    match {
                        ipv4 {
                            dscp-set [
                                0
                                1
                                2
                            ]
                        }
                    }
                }
            }
        }
    }

Match based on source IP prefix

In the following example, incoming packets whose source IP address matches prefix 10.10.0.0/16 are looked up and forwarded in network-instance green:

--{ candidate shared default }--[  ]--
# info network-instance default policy-forwarding
    network-instance default {
        policy-forwarding {
            policy 100 {
                rule 1 {
                    action {
                        network-instance green
                    }
                    match {
                        ipv4 {
                            source-ip {
                                prefix 10.10.0.0/16
                            }
                        }
                    }
                }
            }
        }
    }

Applying a PBF policy

To activate a PBF policy, apply the policy to one or more routed subinterfaces of the network-instance in which the policy is configured.

The following example applies a PBF policy to a subinterface in the default network-instance. The system evaluates ingress packets on the subinterface according to the match conditions in the policy and forwards the matching packets according to the action specified in the policy.

--{ candidate shared default }--[  ]--
# info network-instance default policy-forwarding
    network-instance default {
        policy-forwarding {
            interface ethernet-1/1.1 {
                apply-forwarding-policy 100
            }
        }
    }
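The following Python model is an added example, not SR Linux code, that ties together the rule semantics described above (a rule matches only when every configured condition holds; the action selects the network-instance for the lookup) with the binding of a policy to an ingress subinterface. It mirrors policies 100 and 101 from this page and makes three assumptions not stated on the page: rules are evaluated in ascending sequence number and the first match wins; the source-ip rule (policy 100 rule 1 here, so the ordering is visible) and the binding on ethernet-1/2.1 are added for the demo; and the packets are constructed inputs, not captured traffic. The IP-in-IP case shows the caveat that source-ip is evaluated on the outer header, which matters when auditing whether an inner address could be used to steer a packet into another network-instance.

```python
"""Model of PBF rule evaluation (added example, not SR Linux code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional

# IANA-assigned IP protocol numbers used in the demo.
PROTO_IPIP = 4   # IP-in-IP, the value matched by the page's policy 100
PROTO_TCP = 6


@dataclass
class Packet:
    src: str                         # outer IP header source address
    proto: int                       # outer IP header protocol field
    dscp: int
    inner_src: Optional[str] = None  # set only for IP-in-IP packets


@dataclass
class Rule:
    seq: int
    action_ni: str                           # action: network-instance <name>
    protocol: Optional[int] = None           # match ipv4 protocol
    dscp_set: FrozenSet[int] = frozenset()   # match ipv4 dscp-set [...]
    source_prefix: Optional[str] = None      # match ipv4 source-ip prefix

    def matches(self, pkt: Packet) -> bool:
        """All configured conditions must hold; unset conditions are wildcards."""
        if self.protocol is not None and pkt.proto != self.protocol:
            return False
        if self.dscp_set and pkt.dscp not in self.dscp_set:
            return False
        if self.source_prefix is not None:
            # source-ip is evaluated on the outer header only; pkt.inner_src is
            # deliberately never consulted, matching the caveat in the text.
            if ip_address(pkt.src) not in ip_network(self.source_prefix):
                return False
        return True


@dataclass
class Policy:
    rules: List[Rule] = field(default_factory=list)

    def select_instance(self, pkt: Packet, default_ni: str) -> str:
        # Assumption: lowest sequence number first, first match wins.
        for rule in sorted(self.rules, key=lambda r: r.seq):
            if rule.matches(pkt):
                return rule.action_ni
        return default_ni  # no rule hit: ordinary routing-table lookup


class NetworkInstance:
    def __init__(self, name: str) -> None:
        self.name = name
        self.policies: Dict[int, Policy] = {}
        self.bindings: Dict[str, int] = {}  # subinterface -> applied policy id

    def apply_forwarding_policy(self, subif: str, policy_id: int) -> None:
        # A policy is applied to subinterfaces of its own network-instance.
        if policy_id not in self.policies:
            raise KeyError(f"policy {policy_id} not defined in {self.name}")
        self.bindings[subif] = policy_id

    def lookup_instance(self, subif: str, pkt: Packet) -> str:
        """Network-instance in which an ingress packet on subif is looked up."""
        policy_id = self.bindings.get(subif)
        if policy_id is None:
            return self.name
        return self.policies[policy_id].select_instance(pkt, self.name)


def build_default_instance() -> NetworkInstance:
    """Policies 100/101 from the page; rule 1 of 100 and the ethernet-1/2.1
    binding are assumptions added for the demo."""
    ni = NetworkInstance("default")
    ni.policies[100] = Policy([
        Rule(seq=1, action_ni="green", source_prefix="10.10.0.0/16"),
        Rule(seq=2, action_ni="red", protocol=PROTO_IPIP),
    ])
    ni.policies[101] = Policy([
        Rule(seq=1, action_ni="blue", dscp_set=frozenset({0, 1, 2})),
    ])
    ni.apply_forwarding_policy("ethernet-1/1.1", 100)
    ni.apply_forwarding_policy("ethernet-1/2.1", 101)
    return ni


def run_demo() -> Dict[str, str]:
    """Constructed packets (not captured traffic) -> network-instance chosen."""
    ni = build_default_instance()
    cases = {
        # outer source outside 10.10/16: rule 1 misses even though inner is inside
        "ipip_tunnel": ("ethernet-1/1.1", Packet("192.0.2.1", PROTO_IPIP, 0, "10.10.9.9")),
        "ipip_from_10_10": ("ethernet-1/1.1", Packet("10.10.5.5", PROTO_IPIP, 0)),
        "tcp_from_10_10": ("ethernet-1/1.1", Packet("10.10.5.5", PROTO_TCP, 0)),
        "tcp_other_src": ("ethernet-1/1.1", Packet("203.0.113.9", PROTO_TCP, 0)),
        "dscp_1": ("ethernet-1/2.1", Packet("203.0.113.9", PROTO_TCP, 1)),
        "dscp_46": ("ethernet-1/2.1", Packet("203.0.113.9", PROTO_TCP, 46)),
        "no_policy": ("ethernet-1/3.1", Packet("10.10.5.5", PROTO_IPIP, 1)),
    }
    return {k: ni.lookup_instance(subif, pkt) for k, (subif, pkt) in cases.items()}


if __name__ == "__main__":
    for case, chosen in run_demo().items():
        print(f"{case:16} -> {chosen}")
```

Two cases are worth a second look when reviewing a real configuration: "ipip_tunnel" goes to red rather than green because only the outer source address is matched, and "ipip_from_10_10" goes to green although the IP-in-IP rule also matches, because the lower-numbered rule is taken first. Any subinterface without apply-forwarding-policy, such as ethernet-1/3.1 here, keeps normal routing-table forwarding.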