Policy-Based Routing (PBR) on Scalable Platforms with VSX
Solution

This article explains how to configure Policy-Based Routing (PBR) on Gaia OS on Scalable Platforms to route traffic according to user-defined policies.

Please refer to sk100500 for more detailed information regarding PBR.

Note: Support for this feature is included in R80.20SP from Jumbo Hotfix Accumulator for R80.20SP Take_178 and above.

Introduction

Policy-Based Routing (PBR) lets the user create routing tables that enable Gaia OS to direct traffic to appropriate destinations by defining a policy to filter the traffic based on one or more of the following:

  • Interface at which a packet arrives
  • Source IPv4 address and subnet mask
  • Destination IPv4 address and subnet mask
  • Service Port (e.g., FTP, SSH, Telnet): added starting in R76SP.50 Jumbo HF Take_96
  • Protocol Number (e.g., TCP, UDP, ICMP): added starting in R76SP.50 Jumbo HF Take_96

The Policy Rules also specify the action to take if the traffic is matched:

  • Prohibit: Send a "Prohibit" message to the sending host
  • Unreachable: Send an "Unreachable" message to the sending host
  • Table: Process the traffic according to rules defined in an "Action Table"

You can define many Policy Rules. Traffic is compared against the rules one at a time, in the order of each rule's configured priority.

Policy-Based Routing (PBR) can be used to direct traffic based on where it is coming from (this may include single hosts or entire networks) to where it is going (also single hosts or entire networks). This greatly improves network administrators' control over the routing of traffic through a network. For example, a company may want all traffic from a specific source to use a different route instead of using the default gateway; this can be defined in the action tables for Policy-Based Routing (PBR).

Policy-Based Routing (PBR) static routes have priority over static routes in the OS routing table. When a packet arrives at the OS, the packet is checked for a match to a Policy-Based Routing (PBR) static route:

  • If the packet matches, it is then forwarded according to the priority of the Policy-Based Routing (PBR) static route.
  • If the packet does not match a Policy-Based Routing (PBR) static route, the packet is then forwarded according to the priority of the static routes in the OS routing table.

Routing and Firewall Processing

It is important to note that routing tables, including PBR tables, are checked after firewall processing is complete. This means that in situations such as NAT, routing rules are checked against the original source address (refer to sk101562).

Configuration

Configure a PBR table:

In CLI:

set pbr table TABLE_NAME static-route NETWORK_ADDRESS/MASK_LENGTH nexthop gateway address IP_ADDRESS on

Configure a PBR rule:

In CLI:

  1. Interface

    set pbr rule priority VALUE match interface VALUE

  2. Source, Subnet Mask

    set pbr rule priority VALUE match from VALUE

  3. Destination, Subnet Mask

    set pbr rule priority VALUE match to VALUE

  4. Service Port

    set pbr rule priority VALUE match port VALUE

  5. Protocol

    set pbr rule priority VALUE match protocol VALUE

Example PBR Configuration:

[Global] Hostname:0> set virtual-system 1

[Global] Hostname:1> set pbr table toR1 static-route 10.1.1.0/24 nexthop gateway address 1.1.1.100 on

[Global] Hostname:1> set pbr table toR2 static-route 10.2.2.0/24 nexthop gateway address 2.2.2.100 on

[Global] Hostname:1> set pbr table toR3 static-route 10.3.3.0/24 nexthop gateway address 3.3.3.100 on

[Global] Hostname:1> set pbr rule priority 1 match interface eth1-01

[Global] Hostname:1> set pbr rule priority 2 match from 22.22.22.0/24

[Global] Hostname:1> set pbr rule priority 3 match protocol 89

[Global] Hostname:1> set pbr rule priority 3 match to 10.3.3.0/24

[Global] Hostname:1> set pbr rule priority 3 match port 80

[Global] Hostname:1> set pbr rule priority 3 match protocol tcp

[Global] Hostname:1> set pbr rule priority 1 action table toR1

[Global] Hostname:1> set pbr rule priority 2 action table toR2

[Global] Hostname:1> set pbr rule priority 3 action table toR3

Monitoring

In CLI:

 

Verifying Policy-Based Routing (PBR) configuration

One method of verifying that PBR is configured correctly is to use these commands (in Expert mode):

To list the policy rules:

[Expert@HostName:0]# vsenv 1

Context is set to Virtual Device VS1 (ID 1).

[Expert@HostName:1]# ip rule list

0: from all lookup 255 hit 74987

1: from all iif eth1-01 lookup 1

2: from 22.22.22.0/24 proto 89 lookup 2

3: from all to 10.3.3.0/24 dport 80 proto 6 lookup 3

32766: from all lookup main hit 74965

32767: from all lookup default hit 12763

To list the action tables:

[Expert@HostName:1]# ip route list table TABLE_ID
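A practical follow-up to the check above is to compare the `ip rule list` output with the PBR rules the administrator intended, so that a rule missing from the kernel (whose traffic would silently fall through to the main routing table) is flagged. The script below is an added example, not part of this article or of Gaia; it uses the article's own `ip rule list` output as constructed input and assumes that each Gaia table name maps to the kernel table ID shown after `lookup` (here toR1, toR2, toR3 to 1, 2, 3) and that every field in the output is a key/value pair.

```python
import re
# Constructed sample: the `ip rule list` output from this article's VS1 example.
IP_RULE_OUTPUT = """\
0: from all lookup 255 hit 74987
1: from all iif eth1-01 lookup 1
2: from 22.22.22.0/24 proto 89 lookup 2
3: from all to 10.3.3.0/24 dport 80 proto 6 lookup 3
32766: from all lookup main hit 74965
32767: from all lookup default hit 12763
"""
# Constructed: the intended `set pbr rule` matches, plus an ASSUMED table-name -> kernel table ID map.
INTENDED = {
    1: {"iif": "eth1-01", "table": "toR1"},
    2: {"from": "22.22.22.0/24", "proto": 89, "table": "toR2"},
    3: {"to": "10.3.3.0/24", "dport": 80, "proto": "tcp", "table": "toR3"},
}
TABLE_IDS = {"toR1": 1, "toR2": 2, "toR3": 3}
PROTO_NAMES = {"tcp": 6, "udp": 17, "icmp": 1}  # CLI protocol names -> numbers printed by `ip rule`

def parse_ip_rule(text):
    """Parse `ip rule list` into {priority: fields}; the kernel's own local/main/default rules are skipped."""
    rules = {}
    for prio, rest in re.findall(r"^(\d+):\s+(.*)$", text, re.M):
        tokens = rest.split()
        fields = dict(zip(tokens[::2], tokens[1::2]))  # assumption: output is key/value pairs
        fields.pop("hit", None)  # hit counters vary between runs; ignore them
        if fields.get("lookup") in ("255", "local", "main", "default"):
            continue
        if fields.get("from") == "all":
            del fields["from"]  # "from all" means no source match
        fields.update({k: int(fields[k]) for k in ("dport", "proto", "lookup") if k in fields})
        rules[int(prio)] = fields
    return rules

def check_pbr(intended, table_ids, ip_rule_text):
    """Return discrepancies between intended PBR rules and the kernel rule table (empty list = OK)."""
    have, want, problems = parse_ip_rule(ip_rule_text), {}, []
    for prio, rule in intended.items():
        want[prio] = {k: v for k, v in rule.items() if k != "table"}
        want[prio]["lookup"] = table_ids[rule["table"]]  # Gaia table name -> kernel table ID
        if isinstance(want[prio].get("proto"), str):
            want[prio]["proto"] = PROTO_NAMES[want[prio]["proto"]]
    for prio in sorted(set(want) | set(have)):
        if prio not in have:
            problems.append(f"priority {prio}: intended rule missing from kernel")
        elif prio not in want:
            problems.append(f"priority {prio}: unexpected kernel rule {have[prio]}")
        elif want[prio] != have[prio]:
            problems.append(f"priority {prio}: want {want[prio]}, have {have[prio]}")
    return problems
```

Run it inside the VS context (`vsenv 1`) by feeding the real `ip rule list` output to `check_pbr`; any line it prints means the kernel table differs from the configured policy.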

 

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
Applies To:
  • MBS-7670
