Policy Based Routing (PBR)

About this task

Define a policy based routing (PBR) configuration to direct packets along selected paths rather than by destination alone. PBR can optionally mark traffic for preferential (QoS) treatment. PBR minimally provides the following:
  • A means to use source address, protocol, application and traffic class as traffic routing criteria
  • The ability to load balance multiple WAN uplinks
  • A means to selectively mark traffic for QoS optimization
Since PBR is applied to incoming routed packets, a route-map is created containing a set of filters and their associated actions. Based on the actions defined in the route-map, packets are forwarded to the appropriate next hop. Route-maps are configured under a global policy called a routing-policy, which is then applied to profiles and devices.

Route-maps contain a set of filters that select traffic (match clauses) and associated actions (set clauses) for routing. A route-map consists of multiple entries, each carrying a precedence value. An incoming packet is first compared against the entry with the highest precedence (lowest numerical value). If it matches, the routing decision is based on that entry. If the packet does not match, the entry with the next highest precedence is tried. If the incoming packet does not match any of the route-map entries, it is subjected to normal destination based routing. Each route-map entry can optionally enable or disable logging.

The following criteria can optionally be used to select and segregate traffic:
  • IP Access List - A typical IP ACL can be used for traffic permissions. The mark and log actions in ACL rules are ignored here; route-map entries have their own logging. Only one ACL can be configured per route-map entry.
  • IP DSCP - Packet filtering can be performed by traffic class, as determined from the IP DSCP field. One DSCP value is configurable per route-map entry. If an IP ACL on a WLAN, port or SVI marks the packet, the new (marked) DSCP value is used for matching.
  • Incoming WLAN - Packets can be filtered by the incoming WLAN. There are two ways to match the WLAN:
    • If the device doing policy based routing has an onboard radio and a packet is received on a local WLAN, then this WLAN is used for selection.
    • If the device doing policy based routing does not have an onboard radio and a packet is received from an extended VLAN, then the device which received the packet passes the WLAN information in the MINT packet for the PBR router to use as match criteria.
  • Client role - The client role can be used as match criteria, similar to a WLAN. All devices must agree on a unique identifier for each role definition and pass it in the MINT tunneled packets.
  • Incoming SVI - A source IP address qualifier in an ACL typically satisfies filter requirements. But if the host originating the packet is multiple hops away, the incoming SVI can be used as match criteria. In this context the SVI refers to the interface of the device performing policy based routing, not of the originally connected device.

Each route-map entry has a set of match and set (action) clauses. ACL rules configured under route-map entries are merged into a single ACL. Route-map precedence values determine the order of the rules in this merged ACL. The entry's IP DSCP value is also added to its ACL rules.

Set (or action) clauses determine the routing function when a packet satisfies the match criteria. If no set clauses are defined, the default is to fall back to destination based routing for packets satisfying the match criteria. If no set clause is configured and fallback to destination based routing is disabled, the packet is dropped. The following can be defined within set clauses:
  • Next hop - The IP address of the next hop or the outgoing interface through which the packet should be routed. Up to two next hops can be specified. The outgoing interface must be a PPP interface, a tunnel interface or an SVI with a DHCP client configured. The first reachable hop is used; if none of the next hops are reachable, a normal destination based route lookup is performed.
  • Default next hop - If a packet subjected to PBR does not have an explicit route to the destination, the configured default next hop is used. This can be either the IP address of the next hop or the outgoing interface. Only one default next hop can be defined. The difference between the next hop and the default next hop is the order of evaluation: with a next hop, PBR is applied first and destination based routing second; with a default next hop, destination based routing is tried first and the default next hop is used only when it fails. In both cases the lookup proceeds as follows:
    • (a) If a defined next hop is reachable, it is used. Otherwise, if fallback is enabled, refer to (b).
    • (b) Perform a normal destination based route lookup. If a next hop is found it is used; if not, refer to (c).
    • (c) If a default next hop is configured and reachable, it is used. If not, the packet is dropped.
  • Fallback - Fall back to destination based routing if none of the configured next hops are reachable (or none are configured). This is enabled by default.
  • Mark IP DSCP - Set the IP DSCP bits for QoS. The mark action of the route-map takes precedence over the mark action of an ACL.
Note

A packet must satisfy all the match clauses of a route-map entry to match that entry. If an entry defines no match clause, it matches every packet. Packets not matching any entry are subjected to normal destination based routing.

To define a PBR configuration:

Procedure

  1. Select Configuration → Network → Policy Based Routing.
    The Policy Based Routing screen displays.
  2. Select Add to create a new PBR configuration, Edit to modify the attributes of an existing PBR configuration, or Delete to remove a selected PBR configuration. Select Copy to copy the selected PBR configuration or Rename to rename the PBR configuration.
  3. If creating a new PBR policy, assign it a Policy Name of up to 32 characters to distinguish this route-map configuration from others with similar attributes. Select Continue to proceed to the Policy Name screen, where route-map configurations can be added, modified or removed. Select Exit to exit without creating a PBR policy.
  4. Refer to the following to determine whether a new route-map configuration requires creation or an existing route-map requires modification or removal:
    Precedence Lists the numeric precedence (priority) assigned to each listed route-map entry. A route-map consists of multiple entries, each carrying a precedence value. An incoming packet is matched against the entry with the highest precedence (lowest numerical value) first.
    DSCP Displays each policy‘s DSCP value used as matching criteria for the route map. DSCP is the Differentiated Services Code Point field in an IP header and is for packet classification. Packets are filtered based on the traffic class defined in the IP DSCP field. One DSCP value can be configured per route map entry.
    Role Policy Lists each policy‘s role policy used as matching criteria.
    User Role Lists the user role defined in the Role Policy.
    Access Control List Displays each policy‘s IP ACL used as an access/deny filter criteria for the route map.
    WLAN Displays each policy‘s WLAN used as an access/deny filter for the route map.
    Incoming Interface Displays the name of the Access Point WWAN or VLAN interface on which the packet is received for the listed PBR policy.
  5. Select Add or Edit to create or modify a route-map configuration. Configurations can optionally be removed by selecting Delete.
  6. If adding a route-map entry, use the spinner control to set a numeric Precedence (priority) for it. An incoming packet is matched against the entry with the highest precedence (lowest numerical value) first.
  7. Refer to the Match Clauses field to define the following matching criteria for the route-map configuration:
    DSCP Select this option to enable a spinner control to define the DSCP value used as matching criteria for the route map. DSCP is the Differentiated Services Code Point field in an IP header and is for packet classification. Packets are filtered based on the traffic class defined in the IP DSCP field. One DSCP value can be configured per route map entry.
    Role Policy Use the drop-down to select a Role Policy to use with this route-map. Click the Create icon to create a new Role Policy. To view and modify an existing policy, click the Edit icon.
    User Role Use the drop-down menu to select a role defined in the selected Role Policy. This user role is used while deciding the routing.
    Access Control List Use the drop-down menu to select an IP based ACL used as matching criteria for this route-map. Click the Create icon to create a new ACL. To view and modify an existing ACL, click the Edit icon.
    WLAN Use the drop-down menu to select the Access Point WLAN used as matching criteria for this route-map. Click the Create icon to create a new WLAN. To view and modify an existing WLAN, click the Edit icon.
    Incoming Interface Select this option to enable radio buttons used to define the interface on which route-map packets are received. Use the drop-down menu to select either the Access Point's wwan1 or pppoe1 interface (neither is selected by default), or select the VLAN ID option to define the Access Point VLAN on which route-map packets are received.
  8. Set the following Action Clauses to determine the routing function performed when a packet satisfies the match criteria. Optionally fall back to destination based routing if no next hop resource is available.
    Next Hop (Primary) Define the first-priority next hop. Set either the IP address of the next hop or select the Interface option and define a wwan1, pppoe1 or VLAN interface. In the simplest terms, if this primary next hop is reachable, it is used with no additional considerations.
    Next Hop (Secondary) If the primary next hop is unreachable, a second resource can be defined. Set either the IP address of the next hop or select the Interface option and define a wwan1, pppoe1 or VLAN interface.
    Default Next Hop If a packet subjected to PBR does not have an explicit route to the destination, the configured default next hop is used. This value is set as either the IP address of the next hop or the outgoing interface. Only one default next hop can be defined. The difference between the next hop and the default next hop is the order of evaluation: with a next hop, PBR is applied first and destination based routing second; with a default next hop, destination based routing is tried first and the default next hop is used only when it fails. Set either the next hop IP address or define a wwan1, pppoe1 or VLAN interface.
    Use Destination Routing Select this option to fall back to destination based routing if none of the defined next hops are reachable. Packets are dropped if no next hop resource is reachable and fallback to destination routing is disabled. This option is enabled by default.
    Mark Select this option and use the spinner control to set the IP DSCP bits for QoS. The mark action of the route-map takes precedence over the mark action of an ACL.
  9. Select OK to save the updates to the route-map configuration. Select Reset to revert to the last saved configuration.
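The following is an added example that models the route-map decision flow described in the overview above and in the Action Clauses of step 8: precedence ordering, AND-ed match clauses, the two explicit next hops, fallback to destination based routing, the default next hop, and DSCP marking. It is an illustrative Python model written for this page, not code from the product; the addresses, interface names, ACL and routing table are constructed. One point the text leaves open is whether the default next hop is still consulted when fallback is disabled; the model assumes it is, and says so in a comment.

```python
# Added illustrative model of the PBR route-map decision flow; not product code.
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Packet:
    src: str
    dst: str
    dscp: int = 0
    wlan: Optional[str] = None
    role: Optional[str] = None
    in_iface: Optional[str] = None


@dataclass
class RouteMapEntry:
    precedence: int
    # Match clauses. None means "not configured"; every configured clause
    # must hold (an entry with no match clauses matches everything).
    acl: Optional[Callable[[Packet], bool]] = None
    dscp: Optional[int] = None
    wlan: Optional[str] = None
    role: Optional[str] = None
    in_iface: Optional[str] = None
    # Set (action) clauses.
    next_hops: list = field(default_factory=list)  # up to two, tried in order
    default_next_hop: Optional[str] = None
    fallback: bool = True          # "Use Destination Routing", on by default
    mark_dscp: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return all([
            self.acl is None or self.acl(pkt),
            self.dscp is None or pkt.dscp == self.dscp,
            self.wlan is None or pkt.wlan == self.wlan,
            self.role is None or pkt.role == self.role,
            self.in_iface is None or pkt.in_iface == self.in_iface,
        ])


@dataclass
class Decision:
    action: str                 # "forward" or "drop"
    via: Optional[str]          # next hop or interface chosen
    dscp: int                   # DSCP the packet leaves with
    entry: Optional[int]        # precedence of the matching entry, if any


def pbr_decide(pkt, route_map, reachable, dest_route) -> Decision:
    """Apply the first matching entry (lowest precedence value) to pkt.

    reachable: set of next hops / interfaces currently reachable
    dest_route: callable mapping a destination to a next hop, or None
    """
    entry = next((e for e in sorted(route_map, key=lambda e: e.precedence)
                  if e.matches(pkt)), None)
    if entry is None:
        # No entry matched: plain destination based routing.
        hop = dest_route(pkt.dst)
        return Decision("forward" if hop else "drop", hop, pkt.dscp, None)

    # The route-map mark wins over any mark an ACL applied earlier.
    dscp = entry.mark_dscp if entry.mark_dscp is not None else pkt.dscp

    # (a) The first reachable explicit next hop wins.
    for hop in entry.next_hops[:2]:
        if hop in reachable:
            return Decision("forward", hop, dscp, entry.precedence)

    # (b) Destination based lookup, only when fallback is enabled.
    if entry.fallback:
        hop = dest_route(pkt.dst)
        if hop is not None:
            return Decision("forward", hop, dscp, entry.precedence)

    # (c) Default next hop as last resort (assumption: consulted even when
    # fallback is disabled), otherwise drop.
    if entry.default_next_hop is not None and entry.default_next_hop in reachable:
        return Decision("forward", entry.default_next_hop, dscp, entry.precedence)
    return Decision("drop", None, dscp, entry.precedence)


# Constructed sample configuration (hypothetical addresses and names).
ROUTE_MAP = [
    # Voice (DSCP 46) from any source: prefer two WAN next hops, re-mark to AF41.
    RouteMapEntry(precedence=10, dscp=46,
                  next_hops=["10.0.1.1", "10.0.2.1"], mark_dscp=34),
    # Guest subnet: pin to wwan1, never use the LAN default route,
    # and use a dedicated default next hop if wwan1 is down.
    RouteMapEntry(precedence=20,
                  acl=lambda p: p.src.startswith("192.168.10."),
                  next_hops=["wwan1"], fallback=False,
                  default_next_hop="10.0.3.1"),
]
REACHABLE = {"10.0.2.1", "10.0.3.1"}   # 10.0.1.1 and wwan1 are down


def dest_route(dst: str) -> Optional[str]:
    """Toy destination based routing table: 172.16.0.0/16 via the LAN router."""
    return "10.0.0.254" if dst.startswith("172.16.") else None
```

Running pbr_decide over a few constructed packets shows the ordering in practice: a DSCP 46 packet from the guest subnet takes entry 10 (not 20) and leaves via 10.0.2.1 re-marked to 34 because 10.0.1.1 is down; a DSCP 0 guest packet takes entry 20, skips the LAN route because fallback is off, and leaves via the default next hop 10.0.3.1; a packet matching no entry is routed by destination alone.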