Principles and Experiments of Huawei Policy Routing

Overview:

Policy routing PBR is a mechanism for routing selection based on user-defined policies. It is divided into local policy routing, interface policy routing and intelligent policy routing SPR. This course only discusses local policy routing.
IP unicast policy routing has the following advantages:

  1. It is possible to formulate strategies for routing selection according to the actual needs of users to enhance the flexibility and controllability of routing selection.
  2. Different data streams can be sent through different links to improve link utilization efficiency.
  3. On the premise of satisfying the quality of business services, choose lower-cost links to transmit business data, thereby reducing the cost of enterprise data services.

Other features:

  1. The priority of policy routing is higher than that of checking the routing table.
  2. Local or interface policy routing generally uses ACLs for matching, and cannot be matched by other filters.

The difference between policy routing and routing strategy:


Local Policy Routing (PBR):


Local policy routing applies only to packets originated by the device itself (for example, locally generated ping packets); it does not act on packets the device forwards. A local policy route can be configured with multiple nodes, and each node carries its own match and apply clauses. Local policy routing supports matching rules based on ACL or on packet length.

Matching order:
If a matching local policy routing node is found, the message is sent according to the following steps:

  1. Check whether the user has set the priority of the message.
    • If the user sets the priority of the message, first set the priority of the message according to the priority set by the user, and then continue to execute downward.
    • If the user does not set the priority of the message, continue to execute downward.
  2. Check whether the user has set the outbound interface of the local policy routing.
    • If the user has set the outgoing interface, the message will be sent out through the outgoing interface, and the following steps will not be performed.
    • If the user has not set the outgoing interface, continue to execute downward.
  3. Check whether the user has set the next hop of the local policy routing (note: not shown in the figure) (the user can set two next hops to achieve the purpose of load sharing).
    • If the user has set the next hop of the policy routing, the message will be sent to the next hop, and the following steps will not be performed.
    • If the user does not set the next hop, follow the normal process to find the route according to the destination address of the message. If the route is not found, continue to execute downward.
  4. Check whether the user has set the default outbound interface for local policy routing.
    • If the user has set the default outgoing interface, the message will be sent out from the default outgoing interface, and the following steps will not be performed.
    • If the user has not set the default outgoing interface, continue execution.
  5. Check whether the user has set the default next hop of the local policy routing.
    • If the user has set the default next hop, the message will be sent to the default next hop, and no further steps will be performed.
    • If the user has not set the default next hop, continue execution.
  6. The message is discarded and an ICMP_UNREACH message is generated.

If no matching local policy routing node is found, follow the general process of sending IP packets and find the route according to the destination address.
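The six-step decision order above, as an added simulation (not code from the original post): a node is a simplified policy-based-route node whose ACL is reduced to a destination host match, and the routing table, interface names other than GigabitEthernet0/0/0 and the packets are constructed for the example.

```python
# Added example (not from the original post): simulates the local policy routing
# decision order above for a packet that the device itself originates.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class LocalPbrNode:
    """One 'policy-based-route NAME permit node N'; None means the clause is not set."""
    match_dst: Optional[str] = None                  # if-match acl: ACL reduced to a destination host rule
    priority: Optional[int] = None                   # step 1: precedence to stamp on the packet
    output_interface: Optional[str] = None           # step 2: apply output-interface
    next_hops: list = field(default_factory=list)    # step 3: up to two next hops (load sharing)
    default_output_interface: Optional[str] = None   # step 4: default outgoing interface
    default_next_hop: Optional[str] = None           # step 5: default next hop

    def matches(self, packet):
        return self.match_dst is None or packet["dst"] == self.match_dst

def forward_local_packet(packet, nodes, routing_table):
    """Return the forwarding decision as (action, target), following the six steps in the text."""
    node = next((n for n in nodes if n.matches(packet)), None)
    if node is None:                                 # no matching node: normal IP forwarding
        route = routing_table.get(packet["dst"])
        return ("route", route) if route else ("drop", "ICMP_UNREACH")
    if node.priority is not None:                    # step 1: set priority, then continue
        packet["precedence"] = node.priority
    if node.output_interface:                        # step 2: outgoing interface wins outright
        return ("interface", node.output_interface)
    if node.next_hops:                               # step 3: next hop(s) win over the routing table
        return ("next-hop", tuple(node.next_hops))
    route = routing_table.get(packet["dst"])         # step 3, no next hop: try the routing table
    if route:
        return ("route", route)
    if node.default_output_interface:                # step 4: default interface only when no route
        return ("interface", node.default_output_interface)
    if node.default_next_hop:                        # step 5: default next hop
        return ("next-hop", (node.default_next_hop,))
    return ("drop", "ICMP_UNREACH")                  # step 6: discard and generate ICMP unreachable

# Experiment scenario: traffic to R4's loopback 4.4.4.4 is forced out GigabitEthernet0/0/0 (towards R2)
# even though the constructed routing table would send it out GigabitEthernet0/0/1 (assumed to face R3).
R4_NODE = LocalPbrNode(match_dst="4.4.4.4", output_interface="GigabitEthernet0/0/0")
ROUTES = {"4.4.4.4": "GigabitEthernet0/0/1", "3.3.3.3": "GigabitEthernet0/0/1"}  # constructed

if __name__ == "__main__":
    print(forward_local_packet({"dst": "4.4.4.4"}, [R4_NODE], ROUTES))  # ('interface', 'GigabitEthernet0/0/0')
    print(forward_local_packet({"dst": "3.3.3.3"}, [R4_NODE], ROUTES))  # ('route', 'GigabitEthernet0/0/1')
```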

Experiment:
1. Purpose:
Make packets from R1 to R4 go via R2.

2. Local policy routing configuration:

  1. Create a local policy route.
  2. Use the apply command to configure the actions of local policy routing.
  3. Apply the local policy route globally in the system view.

OSPF has already been enabled on the four routers R1, R2, R3 and R4. We ping the loopback of R4 from R1 and check R1's routing entries to R4: the traffic to R4 is load-shared, but the simulator sends all packets of one flow down a single path. Testing with tracert, it goes via R2 to R4.
Because the ping traffic is originated by R1 itself, we use local policy routing (the configuration resembles a routing policy):

First create an ACL to match traffic destined for R4:
acl number 3000
rule 5 permit ip destination 4.4.4.4 0
Configure local policy routing:
policy-based-route R4 permit node 1 //Name R4, node 1, and action permit
if-match acl 3000 //Match ACL
apply output-interface GigabitEthernet0/0/0 //Specify the outgoing interface of the traffic
Apply it in the system view:
ip local policy-based-route R4
Now check whether the traffic direction has changed: the traffic sent by R1 is changed from the R3-to-R4 path to the R2-to-R4 path, so the modification is successful.
View command: (shown only as a screenshot in the original post)
3. Summary:
Local policy routing can set, in order of precedence, the outgoing interface > next hop > default outgoing interface > default next hop. When no next hop is set, the packet is forwarded according to the routing table; if the routing table has no matching route, forwarding falls back to the default outgoing interface and then the default next hop; if none of these applies, the packet is discarded.

Interface policy routing (traffic-policy):

Interface policy routing is the opposite of local policy routing: it works only on forwarded packets, not on locally originated packets, and it takes effect only on packets in the inbound direction of the interface.

The corresponding configuration:

1. Define flow classification

  1. Run the traffic classifier classifier-name [type {and | or}] command to create a traffic classification and enter the traffic classification view, or enter the existing traffic classification view.
    and indicates that the relationship between the rules in the flow classification is "logical and". After specifying the logical relationship:
    • When there are ACL rules in the flow classification, the packet must match one of the ACL rules and all non-ACL rules to belong to this class;
    • When there is no ACL rule in the traffic classification, the packet must match all non-ACL rules to belong to this class.
    or means that the rules of the flow classification are "logical or", that is, packets only need to match one or more rules in the flow classification to belong to this class. By default, the relationship between rules in traffic classification is "logical OR".

  2. Match the corresponding flow.
    if-match xxx //As a filter, the classifier is not limited to ACLs; other packet information can be matched as well

2. Configure flow redirection

Run the traffic behavior behavior-name command to create a traffic behavior and enter the traffic behavior view, or enter the existing traffic behavior view.

Please configure as follows according to actual needs:
Run the command redirect [vpn-instance vpn-instance-name] nexthop ip-address &<1-16> [fail-action discard] or redirect ipv6 [vpn-instance vpn-instance-name] nexthop ipv6-address &<1-16> [fail-action discard] to configure a single action that redirects packets to the next-hop IP address. This action takes effect only during Layer 3 forwarding.
When multiple next hops are configured, the device redirects and forwards packets in active/standby mode. The primary and backup links are determined by the configuration order of the next hops: the next hop configured first has the highest priority and is used as the primary link, and the others are backup links. When the primary link goes down, the remaining next hop with the highest priority is selected as the new primary link; when the higher-priority link recovers, traffic switches back from the lower-priority link to it. When all redirect links are unavailable, the packet is forwarded according to its destination address.
By default, if all configured next hops are unreachable, the packet is forwarded according to its original destination address. If the fail-action discard parameter is configured and all configured next hops are unreachable, the packet is discarded.

3. Configure the traffic policy

Run the traffic policy policy-name command to create a traffic policy and enter the traffic policy view, or enter the existing traffic policy view.
Run the classifier classifier-name behavior behavior-name [precedence precedence-value] command to configure the required traffic behavior for the specified traffic classification in the traffic policy, that is, bind the traffic classification and traffic behavior.

4. Apply the traffic policy

Run the interface interface-type interface-number command to enter the interface view.
Run the traffic-policy policy-name inbound command to apply the traffic policy on the interface.
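The classifier and/or semantics from step 1 and the active/standby next-hop selection with fail-action discard from step 2, as one added simulation (not code from the original post or from Huawei): the ACL and DSCP predicates, the backup next hop 10.1.4.2, the routing table and the link states are constructed for the example.

```python
# Added example (not from the original post): models how an inbound traffic-policy
# classifies a packet (operator and/or) and how the redirect behavior picks a next hop.
from dataclasses import dataclass

def acl_dst(host):                        # stands in for "if-match acl" with a destination host rule
    return ("acl", lambda p: p["dst"] == host)

def dscp_is(value):                       # stands in for a non-ACL rule such as a DSCP match
    return ("other", lambda p: p.get("dscp") == value)

def classifier_matches(rules, operator, packet):
    """Apply the and/or semantics described for 'traffic classifier'."""
    acl = [pred for kind, pred in rules if kind == "acl"]
    other = [pred for kind, pred in rules if kind == "other"]
    if operator == "or":                  # default: any single rule is enough
        return any(pred(packet) for pred in acl + other)
    acl_ok = not acl or any(pred(packet) for pred in acl)   # one ACL rule, if ACL rules exist...
    return acl_ok and all(pred(packet) for pred in other)   # ...and every non-ACL rule

@dataclass
class RedirectBehavior:
    next_hops: list                       # configuration order = priority order (first is primary)
    fail_action_discard: bool = False     # whether 'fail-action discard' is set

def apply_traffic_policy(bindings, packet, reachable, routing_table):
    """bindings: list of (rules, operator, behavior) in precedence order.
    reachable: set of next-hop addresses whose link is currently up (constructed state)."""
    for rules, operator, behavior in bindings:
        if not classifier_matches(rules, operator, packet):
            continue
        for hop in behavior.next_hops:    # active/standby: first reachable hop in config order wins,
            if hop in reachable:          # so a restored primary takes traffic back automatically
                return ("redirect", hop)
        if behavior.fail_action_discard:
            return ("drop", None)
        break                             # all redirect links down: fall back to destination lookup
    route = routing_table.get(packet["dst"])
    return ("route", route) if route else ("drop", "ICMP_UNREACH")

# Experiment scenario on R4: R5's traffic for 1.1.1.1 is redirected to R3 (10.1.4.3); the backup
# next hop 10.1.4.2 and the routing table are constructed to show switchover and fallback.
POLICY = [([acl_dst("1.1.1.1")], "or", RedirectBehavior(["10.1.4.3", "10.1.4.2"]))]
ROUTES = {"1.1.1.1": "GigabitEthernet0/0/1"}  # constructed: ordinary route towards R2

if __name__ == "__main__":
    pkt = {"dst": "1.1.1.1", "dscp": 0}
    for up in ({"10.1.4.3", "10.1.4.2"}, {"10.1.4.2"}, set(), {"10.1.4.3", "10.1.4.2"}):
        print(sorted(up), apply_traffic_policy(POLICY, pkt, up, ROUTES))
```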

Experiment:


1. Purpose
The whole network remains fully reachable. Now we need to complete communication from R5 to R1's loopback. R5's traffic passes through R4, where it is currently load-shared per flow between two paths; we want to select the path on R4 so that all traffic goes R4->R3->R1.
The current flow path: R4->R2->R1.

2. Specific steps:

Because we are steering traffic on R4 and changing R5's traffic, we use interface policy routing to make the traffic from R5 to R1 go R4->R3->R1.

First configure ACL to match the traffic destined for R1:
acl number 3000
rule 5 permit ip destination 1.1.1.1 0

Configure interface policy routing:
traffic classifier R1 operator or //Create the classifier; the default operator is or, so matching any one of the ACLs is enough, and multiple ACLs can be configured
if-match acl 3000

traffic behavior R1 //Configure the behavior applied to the classified traffic
redirect ip-nexthop 10.1.4.3 //Redirect to the next hop 10.1.4.3, the interface on R3

traffic policy R1 //Define the policy
classifier R1 behavior R1 //Bind the classifier to the behavior
[R4-GigabitEthernet0/0/2]traffic-policy R1 inbound //Apply the policy in the inbound direction of the interface where R5's traffic arrives

Finally, test from R5: the path R4, R3, R1 shows that the change succeeded.
View commands:
• Execute the command display traffic classifier [classifier-name] to view the configured traffic classifier information.
• Run the display traffic behavior [behavior-name] command to view the configured traffic behavior information.
• Run the display traffic policy [policy-name [classifier classifier-name]] command to view information about the configured traffic policy.
• Execute the command display traffic-policy applied-record [policy-name] [global [slot slot-id] | interface interface-type interface-number | vlan vlan-id | vsi vsi-name | vpn-instance vpn-instance-name | qos group group-id | bridge-domain bd-id] [inbound | outbound] to view the application records of the specified flow policy.

Simplified policy routing based on ACL:

This is a simplified, stripped-down form of interface-based policy routing: it can only redirect to a specified next hop, it takes precedence over ordinary route lookup and forwarding, and it takes effect only when the Layer 3 switch performs Layer 3 forwarding.

Purpose: By configuring simplified policy routing based on ACL, the Layer 3 packets matching ACL rules are redirected to the specified next hop address.

Background information: When users want to control the traffic entering the network, they can configure ACL rules to match packets based on the source IP address, fragment flag, destination IP address, source port number, source MAC address and other packet information, and then configure simplified policy routing based on ACL to redirect the packets matching those ACL rules. Compared with configuring policy routing, simplified policy routing based on ACL does not require separately creating a traffic classifier, traffic behavior and traffic policy, so the configuration is more concise; however, because packets are matched only by ACL rules, the matching rules are not as rich as those of a traffic policy.

If simplified policy routing is configured in the system view, VLAN view and interface view at the same time, the effective priority of simplified policy routing based on ACL is: interface > VLAN > global.

Note: The eNSP simulator can only be configured in global mode.

Configuration command: (shown only as a screenshot in the original post)

View command:
Run the command display traffic-policy applied-record traffic-redirect [global [slot slot-id] | interface interface-type interface-number | vlan vlan-id | qos group group-id] [inbound] to view the application record of the simplified policy routing.

Smart Policy Routing (SPR):

SPR selects the best link for a service data flow based on link quality information; it is not covered here. See the following notes for details:
https://blog.csdn.net/tushanpeipei/article/details/109367748

Reference material: Huawei hedex document

Origin blog.csdn.net/tushanpeipei/article/details/112907584