Dell Networking SONiC: How to Configure Policy-Based Routing

Summary: This article explains how to configure policy-based routing (PBR) in Dell Networking SONiC, with a simple example.


Instructions

Prerequisites

This article uses standard interface naming to demonstrate the concepts. See the article Dell Networking S-Series: Basic Interface Configuration - SONiC 4.0 for more information about interface naming.


What is Policy Based Routing?

Policy-Based Routing (PBR) provides a method to forward packets by overriding the information available in the IP routing table. You can implement policies that selectively cause packets to take different paths. Traditional IP routing forwards packets based only on the destination IP address in the packet. PBR can be configured to forward packets based on other criteria, such as TCP/UDP port numbers, source IP address, DSCP value, and TCP flags. Dell SONiC uses flow-based service policies for policy-based routing. Forwarding policies consist of class maps that select packets and set actions that cause a packet to be forwarded to a predetermined next hop or interface, bypassing the path determined by routing and forwarding tables. You can define multiple match and egress interface or next-hop values in the same policy. You can apply forwarding policies to switched or routed traffic. Traffic can be routed to the same VRF used by the ingress interface or a different VRF.

Use policy-based routing to provide equal access, protocol-sensitive routing, source-sensitive routing, routing based on interactive versus batch traffic, and routing based on dedicated links. Policy-based routing is a more flexible mechanism for routing packets than destination routing.
 

Steps to configure Policy-Based Routing

Dell SONiC implements PBR by providing a modular framework to classify traffic and apply forwarding actions, such as set IP next hop, on selected traffic.

To configure PBR:

  1. Classify (select) traffic for policy-based routing by using ACLs or the L2, L3, or L4 fields in packet headers.
  2. In a policy map, configure the forwarding actions to take on each classified flow.
  3. Apply the forwarding policy on ingress interfaces - globally on all switch interfaces, a specified interface, a VLAN, or a port channel.


NOTE: In Dell SONiC:
  • If incoming traffic does not match any statement in the policy map applied to an interface, VLAN, or port channel, or applied globally, it is forwarded according to the standard route table.
  • A forwarding policy is supported only on ingress interfaces.
  • Forwarding policies can only forward selected traffic; they cannot trap, switch, or route traffic to the CPU.
  • Forwarding policies with next-hop and next-hop-group actions apply only on routed L3 traffic.
  • Forwarding policies which use an Ethernet or port channel egress interface apply only on switched L2 traffic.
  • Forwarding policies do not apply on traffic destined to the CPU (the destination IP address is the same as the switch address) or traffic which is trapped to the CPU.
  • When you apply a forwarding policy globally on all interfaces, the next-hops must be in the default VRF unless you set a non-default VRF using the set {ip | ipv6} next-hop ip-address vrf vrf-name command in the policy map.

 

Configuration Syntax

Configure Class Map to Classify Traffic

A class map can classify (match) incoming traffic using either of the following methods:

  1. Using IPv4 or IPv6 or MAC Access list
  2. Using L2-L4 header fields

Command syntax when using an access list to match traffic in the class map:

If the class map uses an access list to match traffic, make sure that the access list is configured.

admin@DELLSONiC:~$ sonic-cli
DELLSONiC# configure
DELLSONiC(config)# class-map {CLASSMAP-NAME} match-type acl 
DELLSONiC(config-class-map)# match access-group {ip, ipv6, mac} {Access-List-name}

Command syntax when using L2-L4 header fields:

admin@DELLSONiC:~$ sonic-cli
DELLSONiC# configure
DELLSONiC(config)# class-map {CLASSMAP-NAME} match-type fields match-all
DELLSONiC(config-class-map)# match {MATCH-CRITERIA}
 
The following match criteria are available:

  dei                  Match packets using DEI value
  destination-address  Match packets using destination address
  dscp                 Match packets using DSCP value
  ethertype            Match packets using ethertype
  ip                   Match packets using IP/IPv6 protocol
  l4-port              Match packets using TCP/UDP port
  pcp                  Match packets using PCP
  source-address       Match packets using source address
  tcp-flags            Match packets using TCP flags
  vlan                 Match packets using VLAN ID

 

Configure Policy Map

A PBR forwarding policy specifies the forwarding actions to take on matching traffic for policy-based routing. A forwarding policy supports the following actions:

  • Set next hop - Routes IPv4 traffic to an IPv4 next-hop; routes IPv6 traffic to an IPv6 next-hop.
  • Set next-hop group - Specifies the group from which the best next-hop IPv4 or IPv6 address is chosen.
  • Set interface - Forward L2 traffic to a specified egress interface.
  • Set interface null - Drops matching traffic if the null interface is set or if none of the specified next-hops are reachable or if the specified egress interface is not L2 and link up.
  • Set replication group - Used to replicate traffic to anycast servers, designed to resolve the hashing problem as described in RFC 7690.

Command Syntax

admin@DELLSONiC:~$ sonic-cli
DELLSONiC# configure
DELLSONiC(config)# policy-map {POLICYMAP-NAME} type forwarding  
DELLSONiC(config-policy-map)# 
DELLSONiC(config-policy-map)# class {CLASS-MAP-NAME} priority {Priority-value}

Enter a priority number (0-4095) to specify the order in which a class map is applied in the policy map to match traffic in the flow. A higher priority class map is processed before a lower priority.


If the next hop is an IP address:

DELLSONiC(config-policy-map-flow)# set ip next-hop {IP-ADDRESS}


If the next hop is an IPv6 address:

DELLSONiC(config-policy-map-flow)# set ipv6 next-hop {IPv6 Address}


If the traffic is to be forwarded to a specific interface:

DELLSONiC(config-policy-map-flow)# set interface {Eth, Null, PortChannel } {interface number}


If we have an IPv4/IPv6 next-hop group:

DELLSONiC(config-policy-map-flow)# set ip next-hop-group {IPv4 Next Hop Group}
DELLSONiC(config-policy-map-flow)# set ipv6 next-hop-group {IPv6 Next Hop Group}


If we have an IPv4/IPv6 replication group:

DELLSONiC(config-policy-map-flow)# set ip replication-group {Ipv4 Replication Group}
DELLSONiC(config-policy-map-flow)# set ipv6 replication-group {IPv6 Replication Group}

 

Configure Service Policy (Apply Policy map in interface)

On an interface or sub-interface:

admin@DELLSONiC:~$ sonic-cli
DELLSONiC# configure
DELLSONiC(config)# interface {Eth slot/port[/breakout-port] [.subinterface]}
DELLSONiC(config-if-Eth)# service-policy type forwarding in {policy-map-name}

On VLAN interfaces:

admin@DELLSONiC:~$ sonic-cli
DELLSONiC# configure
DELLSONiC(config)# interface Vlan {vlan-id}
DELLSONiC(conf-if-Vlan)# service-policy type forwarding in {policy-map-name}

On port channel interfaces:

admin@DELLSONiC:~$ sonic-cli
DELLSONiC# configure
DELLSONiC(config)# interface PortChannel {portchannel-number}
DELLSONiC(conf-if-po)# service-policy type forwarding in {policy-map-name}

Globally on all switch interfaces:

When you apply a forwarding policy globally on all interfaces, the next-hops must be in the default VRF unless you set a non-default VRF using the set {ip | ipv6} next-hop ip-address vrf vrf-name command in the policy map.

admin@DELLSONiC:~$ sonic-cli
DELLSONiC# configure
DELLSONiC(config)# service-policy type forwarding in {policy-map-name}

 

Verify

Use the following command to verify the class map:

DELLSONiC# show class-map {class-map-name}

Use the following command to verify the policy map:

DELLSONiC# show policy-map {POLICY-MAP-NAME}


Use the following commands to verify the service policy:

DELLSONiC# show policy-map type forwarding

DELLSONiC# show service-policy interface {Interface}

DELLSONiC# show service-policy summary

 

Sample Configuration

Let us consider the following topology.

Topology

We do not have a route to 50.0.0.0/24 and 60.0.0.0/24 in DELLSONiC.

DELLSONiC# show ip route 
Codes:  K - kernel route, C - connected, S - static, B - BGP, O - OSPF
        > - selected route, * - FIB route, q - queued route, r - rejected route
       Destination        Gateway                                                                    Dist/Metric   Last Update 
--------------------------------------------------------------------------------------------------------------------------------
 C>*   1.1.1.1/32         Direct                          Loopback0                                  0/0           09:18:16 ago
 C>*   10.0.0.0/24        Direct                          Eth1/1                                     0/0           09:17:56 ago
 C>*   20.0.0.0/24        Direct                          Eth1/2                                     0/0           01:58:41 ago
 C>*   30.0.0.0/24        Direct                          Eth1/3                                     0/0           09:14:38 ago

 

Goal:

Traffic to server farm 50.0.0.0/24 is to be routed to next hop 20.0.0.2. Traffic to server farm 60.0.0.0/24 is to be routed to next hop 30.0.0.2.
 

Configuration

Let us configure the class maps. Here we classify the traffic based on various parameters.
In the class map MATCH_IP_OF_SERVER-1, the match criterion is dst-ip 50.0.0.0/24.
In the class map MATCH_IP_OF_SERVER-2, the match criterion is dst-ip 60.0.0.0/24.

admin@DELLSONiC:~$ sonic-cli
DELLSONiC#
DELLSONiC# configure
DELLSONiC(config)# class-map MATCH_IP_OF_SERVER-1 match-type fields match-all
DELLSONiC(config-class-map)# description "MATCH IP ADDRESS of SERVER FARM 1"
DELLSONiC(config-class-map)# match destination-address ip 50.0.0.0/24
DELLSONiC(config-class-map)# exit
DELLSONiC(config)#
DELLSONiC(config)# class-map MATCH_IP_OF_SERVER-2 match-type fields match-all
DELLSONiC(config-class-map)# description "MATCH IP ADDRESS of SERVER FARM 2"
DELLSONiC(config-class-map)# match destination-address ip 60.0.0.0/24
DELLSONiC(config-class-map)# exit
DELLSONiC(config)# exit
DELLSONiC#

Let us configure the policy map.
Here we define the action to take when traffic matches a condition. In this case, traffic that matches a specific destination IP address is forwarded to a specific next-hop IP address.

admin@DELLSONiC:~$ sonic-cli
DELLSONiC# configure
DELLSONiC(config)# policy-map FORWARD_TO_SERVER type forwarding
DELLSONiC(config-policy-map)# class MATCH_IP_OF_SERVER-2 priority 100
DELLSONiC(config-policy-map-flow)# set ip next-hop 30.0.0.2
DELLSONiC(config-policy-map-flow)# exit
DELLSONiC(config-policy-map)#
DELLSONiC(config-policy-map)# class MATCH_IP_OF_SERVER-1 priority 100
DELLSONiC(config-policy-map-flow)# set ip next-hop 20.0.0.2
DELLSONiC(config-policy-map-flow)# exit
DELLSONiC(config-policy-map)# exit
DELLSONiC(config)#

Let us apply the policy map as a service policy on interface Eth 1/1.

admin@DELLSONiC:~$ sonic-cli
DELLSONiC# configure
DELLSONiC(config)# interface Eth 1/1
DELLSONiC(config-if-Eth1/1)# service-policy type forwarding in FORWARD_TO_SERVER
DELLSONiC(config-if-Eth1/1)# end


Verify Configuration

Let us check the class map configuration. For MATCH_IP_OF_SERVER-1, the match criterion is dst-ip 50.0.0.0/24. For MATCH_IP_OF_SERVER-2, the match criterion is dst-ip 60.0.0.0/24.

DELLSONiC# show class-map MATCH_IP_OF_SERVER-1
Class-map MATCH_IP_OF_SERVER-1 match-type fields
  Description: "MATCH IP ADDRESS of SERVER FARM 1"
  Match:
    dst-ip 50.0.0.0/24
  Referenced in flows:
    policy FORWARD_TO_SERVER at priority 100
DELLSONiC#

 

DELLSONiC# show class-map MATCH_IP_OF_SERVER-2
Class-map MATCH_IP_OF_SERVER-2 match-type fields
  Description: "MATCH IP ADDRESS of SERVER FARM 2"
  Match:
    dst-ip 60.0.0.0/24
  Referenced in flows:
    policy FORWARD_TO_SERVER at priority 100
DELLSONiC#

The policy map defines the next hop for traffic classified by each class map.

DELLSONiC# show policy-map type forwarding
Policy FORWARD_TO_SERVER Type forwarding
  Description:
  Flow MATCH_IP_OF_SERVER-2 at priority 100
    Description:
    set ip nexthop 30.0.0.2
  Flow MATCH_IP_OF_SERVER-1 at priority 100
    Description:
    set ip nexthop 20.0.0.2
  Applied to:
    Eth1/1 at Ingress

 

DELLSONiC# show policy-map FORWARD_TO_SERVER
Policy FORWARD_TO_SERVER Type forwarding
  Description:
  Flow MATCH_IP_OF_SERVER-2 at priority 100
    Description:
    set ip nexthop 30.0.0.2
  Flow MATCH_IP_OF_SERVER-1 at priority 100
    Description:
    set ip nexthop 20.0.0.2
  Applied to:
    Eth1/1 at Ingress
DELLSONiC#

The service policy defines where the policy map is to be applied.

DELLSONiC# show service-policy summary
Eth1/1
    forwarding policy FORWARD_TO_SERVER at ingress
CtrlPlane
    qos policy oob-qos-policy at ingress

 

DELLSONiC# show service-policy interface Eth 1/1
Eth1/1
  Policy FORWARD_TO_SERVER type forwarding at ingress
  Description:
    Flow MATCH_IP_OF_SERVER-2 at priority 100 (Active)
      Description:
      set ip nexthop 30.0.0.2 (Selected)
      Packet matches: 616 frames 62832 bytes
    Flow MATCH_IP_OF_SERVER-1 at priority 100 (Active)
      Description:
      set ip nexthop 20.0.0.2 (Selected)
      Packet matches: 50 frames 5100 bytes
DELLSONiC#

 

DELLSONiC# show service-policy policy-map FORWARD_TO_SERVER
Eth1/1
  Policy FORWARD_TO_SERVER type forwarding at ingress
  Description:
    Flow MATCH_IP_OF_SERVER-2 at priority 100 (Active)
      Description:
      set ip nexthop 30.0.0.2 (Selected)
      Packet matches: 616 frames 62832 bytes
    Flow MATCH_IP_OF_SERVER-1 at priority 100 (Active)
      Description:
      set ip nexthop 20.0.0.2 (Selected)
      Packet matches: 50 frames 5100 bytes
DELLSONiC#

 

What if the next hop is down?

Suppose the next hop 20.0.0.2 is down. In the output of show service-policy interface Eth 1/1 and show service-policy policy-map FORWARD_TO_SERVER below, 20.0.0.2 is missing "(Selected)", while 30.0.0.2, which is reachable, has "(Selected)".

The counters (packet matches, in frames and bytes) still increment, but the packets are dropped because the next hop is not reachable.

DELLSONiC# show service-policy policy-map FORWARD_TO_SERVER
Eth1/1
  Policy FORWARD_TO_SERVER type forwarding at ingress
  Description:
    Flow MATCH_IP_OF_SERVER-2 at priority 100 (Active)
      Description:
      set ip nexthop 30.0.0.2 (Selected)
      Packet matches: 616 frames 62832 bytes
    Flow MATCH_IP_OF_SERVER-1 at priority 100 (Active)
      Description:
      set ip nexthop 20.0.0.2                          ====>Selected missing
      Packet matches: 50 frames 5100 bytes

30.0.0.2 is reachable and selected. 20.0.0.2 is not reachable, so "(Selected)" is missing.

DELLSONiC# show service-policy interface Eth 1/1
Eth1/1
  Policy FORWARD_TO_SERVER type forwarding at ingress
  Description:
    Flow MATCH_IP_OF_SERVER-2 at priority 100 (Active)
      Description:
      set ip nexthop 30.0.0.2 (Selected)
      Packet matches: 616 frames 62832 bytes
    Flow MATCH_IP_OF_SERVER-1 at priority 100 (Active)
      Description:
      set ip nexthop 20.0.0.2                          ====>Selected missing
      Packet matches: 50 frames 5100 bytes
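
The check described above can be automated. The following Python is an added example, not part of the original article or of Dell's tooling: it parses show service-policy output and reports flows whose configured next hops all lack "(Selected)", that is, matched traffic that is counted but not delivered. The sample text is constructed from the output above, and the function names are hypothetical.

```python
import re

# Constructed sample, based on the "next hop down" output shown above.
SAMPLE = """\
Eth1/1
  Policy FORWARD_TO_SERVER type forwarding at ingress
  Description:
    Flow MATCH_IP_OF_SERVER-2 at priority 100 (Active)
      Description:
      set ip nexthop 30.0.0.2 (Selected)
      Packet matches: 616 frames 62832 bytes
    Flow MATCH_IP_OF_SERVER-1 at priority 100 (Active)
      Description:
      set ip nexthop 20.0.0.2
      Packet matches: 50 frames 5100 bytes
"""

POLICY = re.compile(r"^\s+Policy (\S+) type forwarding at ingress")
FLOW = re.compile(r"^\s+Flow (\S+) at priority (\d+)")
ACTION = re.compile(r"^\s+set (ip|ipv6) nexthop (\S+)(.*)$")
MATCHES = re.compile(r"^\s+Packet matches: (\d+) frames (\d+) bytes")

def parse_service_policy(text):
    """Return one dict per flow: interface, policy, flow, next hops, frames."""
    flows, iface, policy, cur = [], None, None, None
    for line in text.splitlines():
        # An unindented line that is not a CLI prompt names the interface.
        if line and not line[0].isspace() and not line.startswith("DELLSONiC"):
            iface = line.strip()
        elif m := POLICY.match(line):
            policy = m.group(1)
        elif m := FLOW.match(line):
            cur = {"interface": iface, "policy": policy, "flow": m.group(1),
                   "priority": int(m.group(2)), "next_hops": [], "frames": 0}
            flows.append(cur)
        elif cur and (m := ACTION.match(line)):
            # Only the literal "(Selected)" marker counts as a usable next hop.
            cur["next_hops"].append((m.group(2), "(Selected)" in m.group(3)))
        elif cur and (m := MATCHES.match(line)):
            cur["frames"] = int(m.group(1))
    return flows

def blackholed_flows(text):
    """Flows that have next hops configured but none of them selected."""
    return [f for f in parse_service_policy(text)
            if f["next_hops"] and not any(sel for _, sel in f["next_hops"])]

if __name__ == "__main__":
    for f in blackholed_flows(SAMPLE):
        print(f["interface"], f["policy"], f["flow"], f["next_hops"], f["frames"])
```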

Affected Products

Enterprise SONiC Distribution, PowerSwitch S5212F-ON, PowerSwitch S5224F-ON, PowerSwitch S5232F-ON, PowerSwitch S5248F-ON, PowerSwitch S5296F-ON, PowerSwitch Z9264F-ON, PowerSwitch Z9432F-ON
Article Properties
Article Number: 000222385
Article Type: How To
Last Modified: 07 Mar 2024
Version:  4