Policy Based Routing (PBR) examples
Article ID: 167889
Updated On:
Products
XOS
Issue/Introduction
Examples for implementing policy based routing in different scenariosN/A
Cause
Policy Based Routing (PBR) feature is available in XOS versions 9.6.x and above.
The details for implementing PBR can be found in XOS configururation guide and XOS Command reference guide. This article provides few examples for implementing policy based routing.
NOTE: Implementing Policy Based Routing will add load to your system as all packets received by the NPMs will be inspected against the PBR config.
The details for implementing PBR can be found in XOS configururation guide and XOS Command reference guide. This article provides few examples for implementing policy based routing.
NOTE: Implementing Policy Based Routing will add load to your system as all packets received by the NPMs will be inspected against the PBR config.
Resolution
Here are some examples for implementing PBR in different scenarios:
Example 1:
Single destination route and single source network.
CBS# configure ip policy-routing table pbr_table1
CBS (conf-pbr-table)# description "example config"
CBS (conf-pbr-table)# route 172.16.0.0/16 next-hop 198.168.10.1 vap-group FW egress-circuit Inside
CBS (conf-pbr-table-route)# end
CBS# configure ip policy-routing rule test_PBRrule1
CBS (conf-pbr-rule)# source-addr 11.11.11.0 255.255.255.0
CBS (conf-pbr-rule)# table pbr_table1
CBS (conf-pbr-rule)# priority 10 (this is rule priority. you can use this to order your PBR rules.)
CBS (conf-pbr-rule)# activate
In the example above, any traffic matching rule "test_PBRrule1" (packets from the specified source network 11.11.11.0/24) will be forwarded using the routing table "pbr_table1". This routing table contains only 1 route to the 172.16.0.1/16 network and no default route.
-----------------------------------
Example 2:
Same PBR table as above but different rule:
CBS# configure ip policy-routing table pbr_table1
CBS (conf-pbr-table)# description "example config"
CBS (conf-pbr-table)# route 172.16.0.0/16 next-hop 198.168.10.1 vap-group FW egress-circuit Inside
CBS (conf-pbr-table-route)# end
CBS# configure ip policy-routing rule test_PBRrule2
CBS (conf-pbr-rule)# source-addr 11.11.11.0 255.255.255.0
CBS (conf-pbr-rule)# destination-addr 172.16.0.0 255.255.0.0
CBS (conf-pbr-rule)# table pbr_table1
CBS (conf-pbr-rule)# priority 10 (this is rule priority. you can use this to order your PBR rules.)
CBS (conf-pbr-rule)# activate
In this example the traffic matching the rule with both the source network of 11.11.11.0/24 and destination network of 172.16.0.0/16 will be forwarded using the routing table "pbr_table1".
---------------------------------------------
Example 3: mulitple tables and rules:
You can have multiple routes within a PBR table for different destination networks, and you can create multiple PBR tables and link different rules to different tables.
CBS# configure ip policy-routing table pbr_table1
CBS (conf-pbr-table)# description "example config"
CBS (conf-pbr-table)# route 172.16.0.0/16 next-hop 198.168.10.1 vap-group FW egress-circuit inside
CBS (conf-pbr-table-route)# end
CBS# configure ip policy-routing table pbr_table2
CBS (conf-pbr-table)# description "example config"
CBS (conf-pbr-table)# route 172.16.0.0/16 next-hop 198.168.200.1 vap-group FW egress-circuit DMZ (different next hop via different circuit )
CBS (conf-pbr-table-route)# end
CBS# configure ip policy-routing rule test_PBRrule2
CBS (conf-pbr-rule)# source-addr 11.11.11.0 255.255.255.0
CBS (conf-pbr-rule)# table pbr_table1
CBS (conf-pbr-rule)# priority 10 (this is rule priority. you can use this to order your PBR rules.)
CBS (conf-pbr-rule)# activate
CBS# configure ip policy-routing rule test_PBRrule3
CBS (conf-pbr-rule)# source-addr 12.12.12.0 255.255.255.0
CBS (conf-pbr-rule)# table pbr_table2
CBS (conf-pbr-rule)# priority 11 ((this is rule priority. you can use this to order your PBR rules.)
CBS (conf-pbr-rule)# activate
In this example, you are sending the traffic to the same destination network via different circuits of the same vap-group (defined in 2 different PBR tables) based on which source network it is originated from as defined in the 2 PBR rules above.
Also, all traffic received by the NPMs in the chassis will be first checked against rule test_PBRrule1 which has priority 10 and if it doesn't match it then will be checked with rule test_PBRrule2 which has priority 11. If it doesn't match any of the PBR rules then if will be processed as per the normal configurations.
--------------------
Example 1:
Single destination route and single source network.
CBS# configure ip policy-routing table pbr_table1
CBS (conf-pbr-table)# description "example config"
CBS (conf-pbr-table)# route 172.16.0.0/16 next-hop 198.168.10.1 vap-group FW egress-circuit Inside
CBS (conf-pbr-table-route)# end
CBS# configure ip policy-routing rule test_PBRrule1
CBS (conf-pbr-rule)# source-addr 11.11.11.0 255.255.255.0
CBS (conf-pbr-rule)# table pbr_table1
CBS (conf-pbr-rule)# priority 10 (this is rule priority. you can use this to order your PBR rules.)
CBS (conf-pbr-rule)# activate
In the example above, any traffic matching rule "test_PBRrule1" (packets from the specified source network 11.11.11.0/24) will be forwarded using the routing table "pbr_table1". This routing table contains only 1 route to the 172.16.0.1/16 network and no default route.
-----------------------------------
Example 2:
Same PBR table as above but different rule:
CBS# configure ip policy-routing table pbr_table1
CBS (conf-pbr-table)# description "example config"
CBS (conf-pbr-table)# route 172.16.0.0/16 next-hop 198.168.10.1 vap-group FW egress-circuit Inside
CBS (conf-pbr-table-route)# end
CBS# configure ip policy-routing rule test_PBRrule2
CBS (conf-pbr-rule)# source-addr 11.11.11.0 255.255.255.0
CBS (conf-pbr-rule)# destination-addr 172.16.0.0 255.255.0.0
CBS (conf-pbr-rule)# table pbr_table1
CBS (conf-pbr-rule)# priority 10 (this is rule priority. you can use this to order your PBR rules.)
CBS (conf-pbr-rule)# activate
In this example the traffic matching the rule with both the source network of 11.11.11.0/24 and destination network of 172.16.0.0/16 will be forwarded using the routing table "pbr_table1".
---------------------------------------------
Example 3: mulitple tables and rules:
You can have multiple routes within a PBR table for different destination networks, and you can create multiple PBR tables and link different rules to different tables.
CBS# configure ip policy-routing table pbr_table1
CBS (conf-pbr-table)# description "example config"
CBS (conf-pbr-table)# route 172.16.0.0/16 next-hop 198.168.10.1 vap-group FW egress-circuit inside
CBS (conf-pbr-table-route)# end
CBS# configure ip policy-routing table pbr_table2
CBS (conf-pbr-table)# description "example config"
CBS (conf-pbr-table)# route 172.16.0.0/16 next-hop 198.168.200.1 vap-group FW egress-circuit DMZ (different next hop via different circuit )
CBS (conf-pbr-table-route)# end
CBS# configure ip policy-routing rule test_PBRrule2
CBS (conf-pbr-rule)# source-addr 11.11.11.0 255.255.255.0
CBS (conf-pbr-rule)# table pbr_table1
CBS (conf-pbr-rule)# priority 10 (this is rule priority. you can use this to order your PBR rules.)
CBS (conf-pbr-rule)# activate
CBS# configure ip policy-routing rule test_PBRrule3
CBS (conf-pbr-rule)# source-addr 12.12.12.0 255.255.255.0
CBS (conf-pbr-rule)# table pbr_table2
CBS (conf-pbr-rule)# priority 11 ((this is rule priority. you can use this to order your PBR rules.)
CBS (conf-pbr-rule)# activate
In this example, you are sending the traffic to the same destination network via different circuits of the same vap-group (defined in 2 different PBR tables) based on which source network it is originated from as defined in the 2 PBR rules above.
Also, all traffic received by the NPMs in the chassis will be first checked against rule test_PBRrule1 which has priority 10 and if it doesn't match it then will be checked with rule test_PBRrule2 which has priority 11. If it doesn't match any of the PBR rules then if will be processed as per the normal configurations.
--------------------
Feedback
Powered by
