Policy Based Routing (PBR) examples

Article ID: 167889

Products

XOS

Issue/Introduction

Examples for implementing policy based routing in different scenarios.

Cause

The Policy Based Routing (PBR) feature is available in XOS versions 9.6.x and above.

The details for implementing PBR can be found in the XOS Configuration Guide and the XOS Command Reference Guide. This article provides a few examples of implementing policy based routing.

NOTE: Implementing Policy Based Routing adds load to your system, because every packet received by the NPMs is inspected against the PBR configuration before normal forwarding.

Resolution

Here are some examples for implementing PBR in different scenarios:


Example 1:
Single destination route and single source network.

CBS# configure ip policy-routing table pbr_table1
CBS (conf-pbr-table)# description "example config"
CBS (conf-pbr-table)# route 172.16.0.0/16 next-hop 198.168.10.1 vap-group FW egress-circuit Inside
CBS (conf-pbr-table-route)# end

CBS# configure ip policy-routing rule test_PBRrule1
CBS (conf-pbr-rule)# source-addr 11.11.11.0 255.255.255.0
CBS (conf-pbr-rule)# table pbr_table1
CBS (conf-pbr-rule)# priority 10     (rule priority; use this to order your PBR rules)
CBS (conf-pbr-rule)# activate


In the example above, any traffic matching rule "test_PBRrule1" (packets from the specified source network 11.11.11.0/24) is forwarded using the routing table "pbr_table1". This routing table contains only one route, to the 172.16.0.0/16 network, and no default route.

-----------------------------------
Example 2:
Same PBR table as above but different rule:

CBS# configure ip policy-routing table pbr_table1
CBS (conf-pbr-table)# description "example config"
CBS (conf-pbr-table)# route 172.16.0.0/16 next-hop 198.168.10.1 vap-group FW egress-circuit Inside
CBS (conf-pbr-table-route)# end

CBS# configure ip policy-routing rule test_PBRrule2
CBS (conf-pbr-rule)# source-addr 11.11.11.0 255.255.255.0
CBS (conf-pbr-rule)# destination-addr 172.16.0.0 255.255.0.0
CBS (conf-pbr-rule)# table pbr_table1
CBS (conf-pbr-rule)# priority 10     (rule priority; use this to order your PBR rules)
CBS (conf-pbr-rule)# activate

In this example only traffic matching both the source network 11.11.11.0/24 and the destination network 172.16.0.0/16 is forwarded using the routing table "pbr_table1"; traffic from 11.11.11.0/24 to any other destination does not match the rule.

---------------------------------------------

Example 3: multiple tables and rules:
A PBR table can hold multiple routes for different destination networks, and you can create multiple PBR tables and link different rules to different tables.

CBS# configure ip policy-routing table pbr_table1
CBS (conf-pbr-table)# description "example config"
CBS (conf-pbr-table)# route 172.16.0.0/16 next-hop 198.168.10.1 vap-group FW egress-circuit Inside
CBS (conf-pbr-table-route)# end

CBS# configure ip policy-routing table pbr_table2
CBS (conf-pbr-table)# description "example config"
CBS (conf-pbr-table)# route 172.16.0.0/16 next-hop 198.168.200.1 vap-group FW egress-circuit DMZ     (different next hop via a different circuit)
CBS (conf-pbr-table-route)# end


CBS# configure ip policy-routing rule test_PBRrule2
CBS (conf-pbr-rule)# source-addr 11.11.11.0 255.255.255.0
CBS (conf-pbr-rule)# table pbr_table1
CBS (conf-pbr-rule)# priority 10     (rule priority; use this to order your PBR rules)
CBS (conf-pbr-rule)# activate

CBS# configure ip policy-routing rule test_PBRrule3
CBS (conf-pbr-rule)# source-addr 12.12.12.0 255.255.255.0
CBS (conf-pbr-rule)# table pbr_table2
CBS (conf-pbr-rule)# priority 11     (rule priority; use this to order your PBR rules)
CBS (conf-pbr-rule)# activate

In this example, traffic to the same destination network (172.16.0.0/16) is sent via different circuits of the same vap-group, as defined in the two PBR tables, depending on which source network it originates from, as selected by the two PBR rules above.

Also, all traffic received by the NPMs in the chassis is first checked against rule test_PBRrule2, which has priority 10; if it does not match, it is then checked against rule test_PBRrule3, which has priority 11. Traffic that matches none of the PBR rules is processed according to the normal routing configuration.
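The following Python model, added here as an illustration and not XOS code, encodes the tables and rules of Example 3 as data and walks sample packets through them, so the precedence behaviour described in Examples 1 to 3 can be checked before it is typed into the chassis. It assumes, beyond what the article states, that rules with a lower priority number are evaluated first, that the most specific route in a table wins, and that a packet matching a rule whose table has no route for its destination is reported with route=None (the XOS Configuration Guide is the authority on what the NPM actually does with such a packet). The shadow check flags rules that an earlier rule makes unreachable, a common cause of "PBR is not working" reports.

```python
"""Model of how XOS-style PBR rules and tables are evaluated (added example).

Assumptions not stated in the article: lower priority number is tried first;
within a table the longest-prefix route wins; a packet that matches a rule whose
table has no route for its destination is reported with route=None.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass
class Route:
    prefix: IPv4Network        # "route 172.16.0.0/16 ..."
    next_hop: IPv4Address      # "next-hop 198.168.10.1"
    vap_group: str             # "vap-group FW"
    egress_circuit: str        # "egress-circuit Inside"


@dataclass
class PbrTable:
    name: str
    routes: list = field(default_factory=list)

    def lookup(self, dst: IPv4Address) -> Optional[Route]:
        """Longest-prefix match among this table's routes; None if nothing covers dst."""
        hits = [r for r in self.routes if dst in r.prefix]
        return max(hits, key=lambda r: r.prefix.prefixlen) if hits else None


@dataclass
class PbrRule:
    name: str
    table: str
    priority: int
    source: Optional[IPv4Network] = None       # "source-addr A.B.C.D M.M.M.M"
    destination: Optional[IPv4Network] = None  # "destination-addr A.B.C.D M.M.M.M"
    active: bool = True                        # "activate"

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        if not self.active:
            return False
        if self.source is not None and src not in self.source:
            return False
        if self.destination is not None and dst not in self.destination:
            return False
        return True


def cli_net(addr: str, mask: str) -> IPv4Network:
    """Convert the CLI's 'address netmask' pair into a network object."""
    return IPv4Network(f"{addr}/{mask}")


def evaluate(rules, tables, src: str, dst: str):
    """Return (rule_name, route) for the first matching rule in ascending
    priority order, or (None, None) when no rule matches (normal routing)."""
    s, d = IPv4Address(src), IPv4Address(dst)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(s, d):
            return rule.name, tables[rule.table].lookup(d)
    return None, None


def shadowed_rules(rules):
    """Names of rules that can never match because an earlier rule (lower
    priority number) already covers every source/destination they would match."""
    def covers(outer, inner):
        # An unset field on the earlier rule matches anything; an unset field on
        # the later rule is wider than any set field on the earlier one.
        return outer is None or (inner is not None and inner.subnet_of(outer))
    ordered = sorted(rules, key=lambda r: r.priority)
    out = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if covers(earlier.source, later.source) and covers(earlier.destination, later.destination):
                out.append(later.name)
                break
    return out


def build_example3():
    """Example 3 of the article, expressed as data (constructed here)."""
    tables = {
        "pbr_table1": PbrTable("pbr_table1", [
            Route(IPv4Network("172.16.0.0/16"), IPv4Address("198.168.10.1"), "FW", "Inside")]),
        "pbr_table2": PbrTable("pbr_table2", [
            Route(IPv4Network("172.16.0.0/16"), IPv4Address("198.168.200.1"), "FW", "DMZ")]),
    }
    rules = [
        PbrRule("test_PBRrule2", "pbr_table1", 10, source=cli_net("11.11.11.0", "255.255.255.0")),
        PbrRule("test_PBRrule3", "pbr_table2", 11, source=cli_net("12.12.12.0", "255.255.255.0")),
    ]
    return rules, tables


if __name__ == "__main__":
    rules, tables = build_example3()
    for src, dst in [("11.11.11.5", "172.16.3.4"), ("12.12.12.5", "172.16.3.4"),
                     ("10.0.0.1", "172.16.3.4"), ("11.11.11.5", "10.9.9.9")]:
        name, route = evaluate(rules, tables, src, dst)
        print(src, "->", dst, ":", name, route.egress_circuit if route else "no PBR route")
    print("shadowed:", shadowed_rules(rules))
```

Running the script shows 11.11.11.5 leaving via Inside, 12.12.12.5 leaving via DMZ, 10.0.0.1 matching no rule, and 11.11.11.5 to 10.9.9.9 matching test_PBRrule2 but finding no route in pbr_table1, which is the case to think about before deploying a table without a default route.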


--------------------