Policy-based forwarding
Policy-based forwarding (PBF) supports traffic forwarding in a network-instance based on match conditions and actions defined in a policy, as an alternative to forwarding based on entries in a routing table.
Each PBF policy is modeled as a sequence of rules, each of which has match conditions and actions. Match conditions specify values for various packet header fields. A packet matches a rule only if all the match conditions evaluate to true. Actions specify the processing to apply to each matching packet.
Each PBF policy is associated with a specific network-instance. The PBF rules only apply to the ingress IP packets on selected routed subinterfaces of the network-instance. Policy-forwarded packets are classified according to the DSCP policy that is attached to the ingress subinterface.
Match conditions for PBF policies
The following table lists the match conditions that can be specified in a PBF policy:
Container | Match condition | Description |
---|---|---|
ipv4 | protocol | An IPv4 packet matches this condition if its IP protocol type field matches the specified value. |
ipv4 | dscp-set | An IPv4 packet matches this condition if its DSCP value matches any of the values in the specified list. |
ipv4 | source-ip.prefix | An IPv4 packet matches this condition if its source IP address is covered by the specified prefix. |
ipv4 | destination-ip.prefix | An IPv4 packet matches this condition if its destination IP address is covered by the specified prefix. |
ipv6 | next-header | An IPv6 packet matches this condition if its first next-header field matches the specified value. |
ipv6 | dscp-set | An IPv6 packet matches this condition if its traffic-class value matches any of the values in the specified list. |
ipv6 | source-ip.prefix | An IPv6 packet matches this condition if its source IP address is covered by the specified prefix. |
Actions for PBF policies
The following table lists the actions you can specify in a PBF policy:
Action | Description |
---|---|
network-instance | Forward matching packets according to IP FIB lookup in the specified network-instance, instead of IP FIB lookup in the network-instance owning the subinterface on which the matching packets arrived. The network-instance specified in the action must be type IP-VRF. |
encapsulate-gre | Apply GRE encapsulation to matching packets and forward the traffic to configured GRE endpoints. The GRE encapsulation action is supported on 7250 IXR-6/10/6e/10e and IXR-X systems. |
Creating a PBF policy
To create a PBF policy, configure the match conditions for the policy and the action to take for packets that meet the match conditions.
Match based on IPv4 protocol value
The following example configures a PBF policy that applies to the default network-instance. On subinterfaces where this policy is applied, incoming IPv4 packets that have a value of 4 in their IP protocol field are looked up and forwarded in network-instance red.
```
--{ candidate shared default }--[ ]--
# info network-instance default policy-forwarding
    network-instance default {
        policy-forwarding {
            policy 100 {
                description "Sample PBF Policy"
                rule 1 {
                    action {
                        network-instance red
                    }
                    match {
                        ipv4 {
                            protocol 4
                        }
                    }
                }
            }
        }
    }
```
Match based on DSCP values
In the following example, incoming packets matching DSCP values 0, 1, or 2 are looked up and forwarded in network-instance blue:
```
--{ * candidate shared default }--[ ]--
# info network-instance default policy-forwarding
    network-instance default {
        policy-forwarding {
            policy 101 {
                rule 1 {
                    action {
                        network-instance blue
                    }
                    match {
                        ipv4 {
                            dscp-set [
                                0
                                1
                                2
                            ]
                        }
                    }
                }
            }
        }
    }
```
Match based on source IP prefix
In the following example, incoming packets whose source IP address matches prefix 10.10.0.0/16 are looked up and forwarded in network-instance green:
```
--{ candidate shared default }--[ ]--
# info network-instance default policy-forwarding
    network-instance default {
        policy-forwarding {
            policy 100 {
                rule 1 {
                    action {
                        network-instance green
                    }
                    match {
                        ipv4 {
                            source-ip {
                                prefix 10.10.0.0/16
                            }
                        }
                    }
                }
            }
        }
    }
```
GRE encapsulation action for matching packets
In the following example, GRE encapsulation is performed on packets that match the policy rule. The matching traffic is redirected and forwarded via GRE encapsulation to the targets specified in the policy action.
```
--{ candidate shared default }--[ ]--
# info network-instance default policy-forwarding
    network-instance default {
        policy-forwarding {
            policy 100 {
                type pbr-policy
                rule 1 {
                    action {
                        encapsulate-gre {
                            target 1 {
                                source 10.10.10.10
                                destination 10.10.1.16/28
                                ip-ttl 12
                            }
                            target 2 {
                                destination 10.10.10.16/28
                            }
                        }
                    }
                    match {
                        ipv4 {
                            protocol tcp
                        }
                    }
                }
            }
        }
    }
```
For each target, you can specify a single destination subnet. The GRE encapsulation distributes matching flows to the component destination addresses that make up the subnet. In this example, the destination subnet for target 1 is 10.10.10.16/28, so flows are distributed across the 16 addresses that make up this subnet.
Traffic that matches the policy is hashed based on the ingress IP header information, which determines which of the configured GRE destination endpoints is used as the destination IP address of the IPv4 GRE header.
Once a packet is encapsulated in the IP-GRE header, it is forwarded toward the GRE destination using the best route in the routing table, spread across the available ECMP next-hops if applicable.
For target 1, a source IP and TTL value are specified, which are applied to the GRE packets originating as a result of this policy action.
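The following Python is an added model of the PBF semantics described above, not SR Linux code or configuration: a rule matches only when every configured condition is true, a `network-instance` action hands the packet to a FIB lookup in that instance, and an `encapsulate-gre` action spreads matching flows across the 16 component addresses of each target's /28 destination subnet by hashing the ingress IP header. First-match rule ordering and the exact hash function and inputs are assumptions of the model.

```python
import hashlib
import ipaddress

# Constructed model of the PBF semantics described on this page; not SR Linux code.
# A packet matches a rule only if every configured condition is true; the first matching
# rule in the sequence wins (first-match ordering is an assumption of this model).
def rule_matches(rule, pkt):
    m = rule["match"]
    return all([
        "protocol" not in m or pkt["protocol"] == m["protocol"],
        "dscp-set" not in m or pkt["dscp"] in m["dscp-set"],
        "source-prefix" not in m or pkt["src"] in ipaddress.ip_network(m["source-prefix"]),
        "destination-prefix" not in m or pkt["dst"] in ipaddress.ip_network(m["destination-prefix"]),
    ])

def gre_endpoint(targets, pkt):
    """Spread flows over the component addresses of every target's destination subnet
    (16 addresses for a /28) by hashing ingress IP header fields. The hash function and
    its inputs are assumptions; the page only states that the ingress IP header is hashed."""
    pool = [(t, str(a)) for t in targets for a in ipaddress.ip_network(t["destination"])]
    key = f"{pkt['src']}|{pkt['dst']}|{pkt['protocol']}".encode()
    target, addr = pool[int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % len(pool)]
    return {"source": target.get("source"), "destination": addr, "ip-ttl": target.get("ip-ttl")}

def forward(policy, pkt):
    """Forwarding decision for one ingress packet; None means no rule matched and the
    packet is left to the normal routing-table lookup."""
    for rule in policy["rules"]:
        if not rule_matches(rule, pkt):
            continue
        action = rule["action"]
        if "network-instance" in action:
            return ("fib-lookup", action["network-instance"])
        return ("gre", gre_endpoint(action["encapsulate-gre"], pkt))
    return None

# Policy 100 from the GRE example above, transcribed into this model's dictionary form.
POLICY_100 = {"rules": [{
    "match": {"protocol": "tcp"},
    "action": {"encapsulate-gre": [
        {"source": "10.10.10.10", "destination": "10.10.1.16/28", "ip-ttl": 12},
        {"destination": "10.10.10.16/28"},
    ]},
}]}

def make_pkt(src, dst, protocol, dscp=0):
    """Constructed ingress packet header with only the fields PBF matches on."""
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "protocol": protocol, "dscp": dscp}
```

Calling `forward(POLICY_100, make_pkt("192.0.2.1", "198.51.100.7", "tcp"))` returns the same GRE endpoint for every packet of that flow, while a UDP packet returns `None` and falls through to the routing table.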
Match based on destination IP prefix
In the following example, incoming packets whose destination IP address matches prefix 10.10.10.10/32 are forwarded via GRE encapsulation to the targets specified in the policy action:
```
--{ candidate shared default }--[ ]--
# info network-instance default policy-forwarding
    network-instance default {
        policy-forwarding {
            policy p1 {
                rule 1 {
                    action {
                        encapsulate-gre {
                            target 1 {
                                source 10.20.20.1
                                destination 10.20.1.0/28
                                ip-ttl 4
                            }
                        }
                    }
                    match {
                        ipv4 {
                            protocol udp
                            destination-ip {
                                prefix 10.10.10.10/32
                            }
                        }
                    }
                }
            }
        }
    }
```
Applying a PBF policy
To activate a PBF policy, apply the policy to one or more routed subinterfaces of the network-instance configured in the policy.
The following example applies a PBF policy to a subinterface in the default network-instance. The system evaluates ingress packets on the subinterface according to the match conditions in the policy and forwards the matching packets according to the action specified in the policy.
```
--{ candidate shared default }--[ ]--
# info network-instance default policy-forwarding
    network-instance default {
        policy-forwarding {
            interface ethernet-1/1.1 {
                apply-forwarding-policy 100
            }
        }
    }
```