Policy-based forwarding

Policy-based forwarding (PBF) supports traffic forwarding in a network-instance based on match conditions and actions defined in a policy, as an alternative to forwarding based on entries in a routing table.

Each PBF policy is modeled as a sequence of rules, each of which has match conditions and actions. Match conditions specify values for various packet header fields. A packet matches a rule only if all the match conditions evaluate to true. Actions specify the processing to apply to each matching packet.

Each PBF policy is associated with a specific network-instance. The PBF rules only apply to the ingress IP packets on selected routed subinterfaces of the network-instance. Policy-forwarded packets are classified according to the DSCP policy that is attached to the ingress subinterface.

Match conditions for PBF policies

The following table lists the match conditions that can be specified in a PBF policy:

Table 1. Match conditions for policy-based forwarding

Container  Match condition        Description
ipv4       protocol               An IPv4 packet matches this condition if its IP protocol type field matches the specified value.
           dscp-set               An IPv4 packet matches this condition if its DSCP value matches any of the values in the specified list.
           source-ip.prefix       An IPv4 packet matches this condition if its source IP address is covered by the specified prefix.
           destination-ip.prefix  An IPv4 packet matches this condition if its destination IP address is covered by the specified prefix.
ipv6       next-header            An IPv6 packet matches this condition if its first next-header field matches the specified value.
           dscp-set               An IPv6 packet matches this condition if its traffic-class value matches any of the values in the specified list.
           source-ip.prefix       An IPv6 packet matches this condition if its source IP address is covered by the specified prefix.

Actions for PBF policies

The following table lists the actions you can specify in a PBF policy:

Table 2. Actions for policy-based forwarding

Action            Description
network-instance  Forward matching packets according to an IP FIB lookup in the specified network-instance, instead of an IP FIB lookup in the network-instance that owns the subinterface on which the matching packets arrived. The network-instance specified in the action must be of type IP-VRF.
encapsulate-gre   Apply GRE encapsulation to matching packets and forward the traffic to the configured GRE endpoints. The GRE encapsulation action is supported on 7250 IXR-6/10/6e/10e and IXR-X systems.

Creating a PBF policy

To create a PBF policy, configure the match conditions for the policy and the action to take for packets that meet the match conditions.

Match based on IPv4 protocol value

The following example configures a PBF policy that applies to the default network-instance. On subinterfaces where this policy is applied, incoming IPv4 packets that have a value of 4 in their IP protocol field are looked up and forwarded in network-instance red.

--{ candidate shared default }--[  ]--
# info network-instance default policy-forwarding
    network-instance default {
        policy-forwarding {
            policy 100 {
                description "Sample PBF Policy"
                rule 1 {
                    action {
                        network-instance red
                    }
                    match {
                        ipv4 {
                            protocol 4
                        }
                    }
                }
            }
        }
    }

Match based on DSCP values

In the following example, incoming packets matching DSCP values 0, 1, or 2 are looked up and forwarded in network-instance blue:

--{ * candidate shared default }--[  ]--
# info network-instance default policy-forwarding
    network-instance default {
        policy-forwarding {
            policy 101 {
                rule 1 {
                    action {
                        network-instance blue
                    }
                    match {
                        ipv4 {
                            dscp-set [
                                0
                                1
                                2
                            ]
                        }
                    }
                }
            }
        }
    }

Match based on source IP prefix

In the following example, incoming packets whose source IP address matches prefix 10.10.0.0/16 are looked up and forwarded in network-instance green:

--{ candidate shared default }--[  ]--
# info network-instance default policy-forwarding
    network-instance default {
        policy-forwarding {
            policy 100 {
                rule 1 {
                    action {
                        network-instance green
                    }
                    match {
                        ipv4 {
                            source-ip {
                                prefix 10.10.0.0/16
                            }
                        }
                    }
                }
            }
        }
    }

GRE encapsulation action for matching packets

In the following example, GRE encapsulation is performed on packets that match the policy rule. The matching traffic is redirected and forwarded via GRE encapsulation to the targets specified in the policy action.

--{ candidate shared default }--[  ]--
# info network-instance default policy-forwarding
    network-instance default {
        policy-forwarding {
            policy 100 {
                type pbr-policy
                rule 1 {
                    action {
                        encapsulate-gre {
                            target 1 {
                                source 10.10.10.10
                                destination 10.10.1.16/28
                                ip-ttl 12
                            }
                            target 2 {
                                destination 10.10.10.16/28
                            }
                        }
                    }
                    match {
                        ipv4 {
                            protocol tcp
                        }
                    }
                }
            }
        }
    }

For each target, you can specify a single destination subnet. The GRE encapsulation distributes matching flows to the component destination addresses that make up the subnet. In this example, the destination subnet for target 1 is 10.10.10.16/28, so flows are distributed across the 16 addresses that make up this subnet.

Traffic that matches the policy is hashed based on the ingress IP header information; the hash result determines which of the configured GRE destination endpoints is used as the destination IP address of the IPv4 GRE header.

Once a packet is encapsulated within the IP-GRE header, it is forwarded toward the GRE destination using the best route in the routing table, spread across the available ECMP next-hops if there are any.

For target 1, a source IP address and a TTL value are specified; these are applied to the GRE packets that originate as a result of this policy action.
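The following Python model is an added example, not SR Linux code: it evaluates a constructed policy built from the GRE and DSCP examples above using the semantics this page describes (rules tried in sequence, a rule matches only when every configured condition holds, the first match decides, and a GRE target's destination subnet is expanded into its component addresses with one chosen by hashing the ingress IP header). The hash inputs (source, destination, protocol) and the SHA-256 hash are assumptions; the platform's actual hashing is not specified here.

```python
import hashlib
import ipaddress

# Constructed policy mirroring the page's examples: rule 1 is the GRE example
# (two targets), rule 2 the DSCP example (forward in network-instance blue).
POLICY = [
    {"match": {"protocol": "tcp"},
     "action": {"encapsulate-gre": [
         {"source": "10.10.10.10", "destination": "10.10.1.16/28", "ip-ttl": 12},
         {"destination": "10.10.10.16/28"}]}},
    {"match": {"dscp-set": [0, 1, 2]}, "action": {"network-instance": "blue"}},
]

def rule_matches(rule, pkt):
    """A packet matches a rule only if every configured condition is true."""
    m = rule["match"]
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    if "protocol" in m and pkt["protocol"] != m["protocol"]:
        return False
    if "dscp-set" in m and pkt["dscp"] not in m["dscp-set"]:
        return False
    if "source-ip" in m and src not in ipaddress.ip_network(m["source-ip"], strict=False):
        return False
    if "destination-ip" in m and dst not in ipaddress.ip_network(m["destination-ip"], strict=False):
        return False
    return True

def gre_endpoint(targets, pkt):
    """Expand each target's destination subnet into its component addresses
    (a /28 gives 16) and pick one by hashing the ingress IP header.
    Assumption: the hash covers src, dst and protocol; real inputs are platform-specific."""
    pool = [(t, a) for t in targets for a in ipaddress.ip_network(t["destination"])]
    key = "{src}|{dst}|{protocol}".format(**pkt).encode()
    target, addr = pool[int(hashlib.sha256(key).hexdigest(), 16) % len(pool)]
    # Source and TTL come from the chosen target when configured there (target 1).
    return {"gre-src": target.get("source"), "gre-dst": str(addr), "ip-ttl": target.get("ip-ttl")}

def forward(policy, pkt, ingress_instance="default"):
    """Rules are evaluated in sequence; the first match decides. With no match,
    the packet gets the normal FIB lookup in the instance owning the ingress subinterface."""
    for rule in policy:
        if not rule_matches(rule, pkt):
            continue
        act = rule["action"]
        if "network-instance" in act:
            return ("fib", act["network-instance"])
        if "encapsulate-gre" in act:
            return ("gre", gre_endpoint(act["encapsulate-gre"], pkt))
    return ("fib", ingress_instance)
```

Running forward() over a TCP packet, a UDP packet with DSCP 1 and a UDP packet with DSCP 5 yields a GRE decision, a lookup in blue, and the default lookup respectively, which is the evaluation order the page describes.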

Match based on destination IP prefix

In the following example, incoming packets whose destination IP address matches prefix 10.10.10.10/32 are forwarded via GRE encapsulation to the targets specified in the policy action:

--{ candidate shared default }--[  ]--
# info network-instance default policy-forwarding
    network-instance default {
        policy-forwarding {
            policy p1 {
                rule 1 {
                    action {
                        encapsulate-gre {
                            target 1 {
                                source 10.20.20.1
                                destination 10.20.1.0/28
                                ip-ttl 4
                            }
                        }
                    }
                    match {
                        ipv4 {
                            protocol udp
                            destination-ip {
                                prefix 10.10.10.10/32
                            }
                        }
                    }
                }
            }
        }
    }

Applying a PBF policy

To activate a PBF policy, apply the policy to one or more routed subinterfaces of the network-instance configured in the policy.

The following example applies a PBF policy to a subinterface in the default network-instance. The system evaluates ingress packets on the subinterface according to the match conditions in the policy and forwards the matching packets according to the action specified in the policy.

--{ candidate shared default }--[  ]--
# info network-instance default policy-forwarding
    network-instance default {
        policy-forwarding {
            interface ethernet-1/1.1 {
                apply-forwarding-policy 100
            }
        }
    }