Traffic steering using policy-based forwarding
Each PBF policy is modeled as a sequence of rules, each of which has match conditions and actions. Match conditions specify values for various packet header fields. A packet matches a rule only if all the match conditions evaluate to true. Actions specify the processing to apply to each matching packet.
Each PBF policy is associated with a specific network-instance. The PBF rules only apply to the ingress IP packets on selected routed subinterfaces of the network-instance. Policy-forwarded packets are classified according to the DSCP policy that is attached to the ingress subinterface.
pbr-policy – The PBF policy reflects a policy-based routing (PBR) policy that supports generic PBR actions.
vrf-selection-policy – The PBF policy is used only to classify incoming packets into corresponding network instances. This is the default PBF policy type.
Match conditions for PBF policies
The following table lists the match conditions that can be specified in a PBF policy:
Container | Match condition | Description
---|---|---
ipv4 | protocol | An IPv4 packet matches this condition if its IP protocol type field matches the specified value.
ipv4 | dscp-set | An IPv4 packet matches this condition if its DSCP value matches any of the values in the specified list.
ipv4 | source-ip.prefix | An IPv4 packet matches this condition if its source IP address is covered by the specified prefix.
ipv4 | destination-ip.prefix | An IPv4 packet matches this condition if its destination IP address is covered by the specified prefix.
ipv6 | next-header | An IPv6 packet matches this condition if its first next-header field matches the specified value.
ipv6 | dscp-set | An IPv6 packet matches this condition if its traffic-class value matches any of the values in the specified list.
ipv6 | source-ip.prefix | An IPv6 packet matches this condition if its source IP address is covered by the specified prefix.
transport | source-port | An IPv4 packet matches this condition if its transport source port matches the specified port number, name or port number range. The match condition for
transport | destination-port | An IPv4 packet matches this condition if its transport destination port matches the specified port number, name or port number range. The match condition for
Actions for PBF policies
The following table lists the actions you can specify in a PBF policy and the SR Linux platforms that support each one:
Action | Description | Platform support
---|---|---
network-instance | Forward matching packets according to IP FIB lookup in the specified network-instance, instead of IP FIB lookup in the network-instance owning the subinterface on which the matching packets arrived. The lookup is done using the IP packet DA. The network-instance specified in the action must be type IP-VRF. This action is valid only if the PBF policy type is |
next-hop | Use the specified IP address instead of the DA from the IP header of the packet for the route lookup. The packet is forwarded towards the next-hop that results from this lookup. This action is valid only if the PBF policy type is |
network-instance and next-hop | Perform the lookup for matching packets using the next-hop IP and in the route table of the specified network-instance. These combined actions are valid only for PBF policies of type |
encapsulate-gre | Apply GRE encapsulation to matching packets and forward the traffic to configured GRE endpoints. This action is valid only if the policy type is |
Creating a PBF policy
To create a PBF policy, configure the match conditions for the policy and the action to take for packets that meet the match conditions.
Match based on IPv4 protocol value
The following example configures a PBF policy that applies to the default network-instance. On subinterfaces where this policy is applied, incoming IPv4 packets that have a value of 4 in their IP protocol field are looked up and forwarded in network-instance red.
```
--{ candidate shared default }--[ ]--
# info network-instance default policy-forwarding
    network-instance default {
        policy-forwarding {
            policy 100 {
                description "Sample PBF Policy"
                rule 1 {
                    action {
                        network-instance red
                    }
                    match {
                        ipv4 {
                            protocol 4
                        }
                    }
                }
            }
        }
    }
```
Match based on DSCP values
In the following example, incoming packets matching DSCP values 0, 1, or 2 are looked up and forwarded in network-instance blue:
```
--{ * candidate shared default }--[ ]--
# info network-instance default policy-forwarding
    network-instance default {
        policy-forwarding {
            policy 101 {
                rule 1 {
                    action {
                        network-instance blue
                    }
                    match {
                        ipv4 {
                            dscp-set [
                                0
                                1
                                2
                            ]
                        }
                    }
                }
            }
        }
    }
```
Match based on source IP prefix
In the following example, incoming packets whose source IP address matches prefix 10.10.0.0/16 are looked up and forwarded in network-instance green:
```
--{ candidate shared default }--[ ]--
# info network-instance default policy-forwarding
    network-instance default {
        policy-forwarding {
            policy 100 {
                rule 1 {
                    action {
                        network-instance green
                    }
                    match {
                        ipv4 {
                            source-ip {
                                prefix 10.10.0.0/16
                            }
                        }
                    }
                }
            }
        }
    }
```
Match based on transport source-port
In the following example, packets with TCP source port 179 use 10.10.10.10 for the route lookup. The packets are forwarded to the next-hop that results from this lookup.
```
--{ candidate shared default }--[ ]--
# info network-instance default policy-forwarding
    network-instance default {
        policy-forwarding {
            policy p1 {
                type pbr-policy
                rule 1 {
                    action {
                        next-hop 10.10.10.10
                    }
                    match {
                        ipv4 {
                            protocol tcp
                        }
                        transport {
                            source-port 179
                        }
                    }
                }
            }
        }
    }
```
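The match-condition semantics from the table above (every configured condition must hold, dscp-set is any-of, prefixes are coverage checks, ports accept a number, name or range), worked through in Python against policy p1 from this example. This is an added illustration, not SR Linux code; the protocol and port name tables and the ascending-rule-number evaluation order are assumptions the page does not state.

```python
import ipaddress

# Constructed model of PBF rule matching; not SR Linux code.
PROTO_NUMBERS = {"tcp": 6, "udp": 17, "icmp": 1}      # assumed name table
PORT_NAMES = {"bgp": 179, "http": 80, "https": 443}   # assumed name table

def proto_number(value):
    """Accepts 'protocol 4' and 'protocol tcp' style values."""
    return PROTO_NUMBERS.get(value, value) if isinstance(value, str) else value

def port_range(spec):
    """(lo, hi) for an int, a well-known name or a 'lo-hi' string."""
    if isinstance(spec, int):
        return spec, spec
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(lo), int(hi)
    return PORT_NAMES[spec], PORT_NAMES[spec]

def rule_matches(match, pkt):
    """match: the rule's 'match' container; pkt: src, dst, protocol, dscp, sport, dport.
    Every configured condition must be true (logical AND)."""
    ipv4 = match.get("ipv4", {})
    if "protocol" in ipv4 and pkt["protocol"] != proto_number(ipv4["protocol"]):
        return False
    if "dscp-set" in ipv4 and pkt["dscp"] not in ipv4["dscp-set"]:   # any-of
        return False
    for key, field in (("source-ip", "src"), ("destination-ip", "dst")):
        if key in ipv4:
            net = ipaddress.ip_network(ipv4[key]["prefix"], strict=False)
            if ipaddress.ip_address(pkt[field]) not in net:        # coverage
                return False
    transport = match.get("transport", {})
    for key, field in (("source-port", "sport"), ("destination-port", "dport")):
        if key in transport:
            lo, hi = port_range(transport[key])
            if not lo <= pkt[field] <= hi:
                return False
    return True

def pbf_action(policy, pkt):
    """Action of the first matching rule (assumed: ascending rule number);
    None means the normal FIB lookup in the owning network-instance applies."""
    for num in sorted(policy):
        if rule_matches(policy[num]["match"], pkt):
            return policy[num]["action"]
    return None

# Policy p1 from the page: TCP with source port 179 -> next-hop 10.10.10.10
POLICY_P1 = {1: {"match": {"ipv4": {"protocol": "tcp"}, "transport": {"source-port": 179}},
                 "action": {"next-hop": "10.10.10.10"}}}
```

A UDP packet with source port 179 returns None, which shows that the transport condition alone is not enough; the ipv4 protocol condition in the same rule must also hold.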
GRE encapsulation action for matching packets
In the following example, GRE encapsulation is performed on packets that match the policy rule. The matching traffic is redirected and forwarded via GRE encapsulation to the targets specified in the policy action.
```
--{ candidate shared default }--[ ]--
# info network-instance default policy-forwarding
    network-instance default {
        policy-forwarding {
            policy 100 {
                type pbr-policy
                rule 1 {
                    action {
                        encapsulate-gre {
                            target 1 {
                                source 10.10.10.10
                                destination 10.10.1.16/28
                                ip-ttl 12
                            }
                            target 2 {
                                destination 10.10.10.16/28
                            }
                        }
                    }
                    match {
                        ipv4 {
                            protocol tcp
                        }
                    }
                }
            }
        }
    }
```
For each target, you can specify a single destination subnet. The GRE encapsulation distributes matching flows to the component destination addresses that make up the subnet. In this example, the destination subnet for target 1 is 10.10.10.16/28, so flows are distributed across the 16 addresses that make up this subnet.
Traffic that matches the policy is hashed based on the ingress IP header information, which determines which of the configured GRE destination endpoints is used as the destination IP address of the IPv4 GRE header.
Once a packet is encapsulated within the IP-GRE header, it is forwarded toward the GRE destination using the best route in the routing table, across the available ECMP next-hops if applicable.
For target 1, a source IP and TTL value are specified, which are applied to the GRE packets originating as a result of this policy action.
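The endpoint selection described above, modeled in Python: every address of each target's destination subnet is a candidate GRE endpoint, a hash of the ingress IP header picks one per flow, and the per-target source and ip-ttl are applied to the outer header. This is an added illustration, not SR Linux code; the hash function, the header fields hashed, the pooling of both targets' endpoints and the default outer source and TTL are assumptions, since the page only says the choice is a hash of the ingress IP header.

```python
import hashlib
import ipaddress

# Constructed model of the encapsulate-gre action; not SR Linux code.
TARGETS = {  # the two targets from the policy above
    1: {"source": "10.10.10.10", "destination": "10.10.1.16/28", "ip-ttl": 12},
    2: {"destination": "10.10.10.16/28"},
}

def endpoint_pool(targets):
    """(target-id, endpoint) for every component address of every target
    subnet; a /28 contributes 16 endpoints."""
    pool = []
    for tid in sorted(targets):
        net = ipaddress.ip_network(targets[tid]["destination"])
        pool.extend((tid, str(addr)) for addr in net)
    return pool

def flow_hash(pkt):
    """Deterministic per-flow value from the ingress IP header.
    Assumption: src, dst and protocol are the hashed fields."""
    key = f"{pkt['src']}|{pkt['dst']}|{pkt['protocol']}".encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big")

def gre_outer_header(targets, pkt, default_source="192.0.2.1", default_ttl=64):
    """Outer IPv4 header a matching packet receives after encapsulation.
    default_source/default_ttl are assumed values for targets that set none."""
    pool = endpoint_pool(targets)
    tid, dst = pool[flow_hash(pkt) % len(pool)]
    target = targets[tid]
    return {
        "target": tid,
        "src": target.get("source", default_source),  # per-target override
        "dst": dst,
        "ttl": target.get("ip-ttl", default_ttl),     # per-target override
        "protocol": 47,                               # GRE
    }

def endpoint_spread(targets, flows):
    """Distinct endpoints chosen for a list of flows (shows the distribution)."""
    return {gre_outer_header(targets, f)["dst"] for f in flows}
```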
Match based on destination IP prefix
In the following example, incoming packets whose destination IP address matches prefix 10.10.10.10/32 are forwarded via GRE encapsulation to the targets specified in the policy action:
```
--{ candidate shared default }--[ ]--
# info network-instance default policy-forwarding
    network-instance default {
        policy-forwarding {
            policy p1 {
                rule 1 {
                    action {
                        encapsulate-gre {
                            target 1 {
                                source 10.20.20.1
                                destination 10.20.1.0/28
                                ip-ttl 4
                            }
                        }
                    }
                    match {
                        ipv4 {
                            protocol udp
                            destination-ip {
                                prefix 10.10.10.10/32
                            }
                        }
                    }
                }
            }
        }
    }
```
Applying a PBF policy
To activate a PBF policy, apply the policy to one or more routed subinterfaces of the network-instance configured in the policy.
The following example applies a PBF policy to a subinterface in the default network-instance. The system evaluates ingress packets on the subinterface according to the match conditions in the policy and forwards the matching packets according to the action specified in the policy.
```
--{ candidate shared default }--[ ]--
# info network-instance default policy-forwarding
    network-instance default {
        policy-forwarding {
            interface ethernet-1/1.1 {
                apply-forwarding-policy 100
            }
        }
    }
```