Dell Networking SONiC: How to Configure Policy-Based Routing
Summary: This article explains how to configure Policy-Based Routing in Dell Networking SONiC with a simple example.
Instructions
Prerequisites
We are using standard interface naming to demonstrate the concepts. See the article Dell Networking S-Series: Basic Interface Configuration - SONiC 4.0 for more information regarding interface naming.
Index
- What is Policy Based Routing?
- Steps to configure Policy-Based Routing.
- Configuration Syntax
- Sample Configuration
What is Policy Based Routing?
Policy-Based Routing (PBR) provides a method to forward packets by overriding the information available in the IP routing table. You can implement policies that selectively cause packets to take different paths. Traditional IP routing forwards packets based only on the destination IP address in the packet. PBR can be configured to forward packets based on other criteria, such as TCP/UDP port numbers, source IP address, DSCP value, and TCP flags. Dell SONiC uses flow-based service policies for policy-based routing. Forwarding policies consist of class maps that select packets and set actions that cause a packet to be forwarded to a predetermined next hop or interface, bypassing the path determined by routing and forwarding tables. You can define multiple match and egress interface or next-hop values in the same policy. You can apply forwarding policies to switched or routed traffic. Traffic can be routed to the same VRF used by the ingress interface or a different VRF.
Use policy-based routing to provide equal access, protocol-sensitive routing, source-sensitive routing, routing based on interactive versus batch traffic, and routing based on dedicated links. Policy-based routing is a more flexible mechanism for routing packets than destination routing.
Steps to configure Policy-Based Routing
Dell SONiC implements PBR by providing a modular framework to classify traffic and apply forwarding actions, such as set IP next hop, on selected traffic.
To configure PBR:
- Classify (select) traffic for policy-based routing by using ACLs or the L2, L3, or L4 fields in packet headers.
- In a policy map, configure the forwarding actions to take on each classified flow.
- Apply the forwarding policy on ingress interfaces: globally on all switch interfaces, a specified interface, a VLAN, or a port channel.

NOTE: In Dell SONiC:
- If incoming traffic does not match any statement in a policy map applied to an interface, VLAN, port channel, or globally, it is forwarded according to the standard route table.
- A forwarding policy is supported only on ingress interfaces.
- Forwarding policies can only forward selected traffic; they cannot trap, switch, or route traffic to the CPU.
- Forwarding policies with next-hop and next-hop-group actions apply only on routed L3 traffic.
- Forwarding policies which use an Ethernet or port channel egress interface apply only on switched L2 traffic.
- Forwarding policies do not apply on traffic destined to the CPU (the destination IP address is the same as the switch address) or traffic which is trapped to the CPU.
- When you apply a forwarding policy globally on all interfaces, the next-hops must be in the default VRF unless you set a non-default VRF using the set {ip | ipv6} next-hop ip-address vrf vrf-name command in the policy map.
Configuration Syntax
Configure Class Map to Classify Traffic
We can classify (match) the incoming traffic by the following methods in a class map.
- Using IPv4 or IPv6 or MAC Access list
- Using L2-L4 header fields
Command syntax when using an access list to match traffic in the class map
If you use an access list to match traffic in the class map, ensure that the access list is configured.
admin@DELLSONiC:~$ sonic-cli
DELLSONiC# configure
DELLSONiC(config)# class-map {CLASSMAP-NAME} match-type acl
DELLSONiC(config-class-map)# match access-group {ip, ipv6, mac} {Access-List-name}
Command syntax when using L2-L4 header fields
admin@DELLSONiC:~$ sonic-cli
DELLSONiC# configure
DELLSONiC(config)# class-map {CLASSMAP-NAME} match-type fields match-all
DELLSONiC(config-class-map)# match {MATCH-CRITERIA}
The following are the match criteria:
- dei - Match packets using DEI value
- destination-address - Match packets using destination address
- dscp - Match packets using DSCP value
- ethertype - Match packets using ethertype
- ip - Match packets using IP/IPv6 protocol
- l4-port - Match packets using TCP/UDP port
- pcp - Match packets using PCP
- source-address - Match packets using source address
- tcp-flags - Match packets using TCP flags
- vlan - Match packets using VLAN ID
Configure Policy Map
A PBR forwarding policy specifies the forwarding actions to take on matching traffic for policy-based routing. A forwarding policy supports the following actions:
- Set next hop - Routes IPv4 traffic to an IPv4 next-hop; routes IPv6 traffic to an IPv6 next-hop.
- Set next-hop group - Specifies the group from which the best next-hop IPv4 or IPv6 address is chosen.
- Set interface - Forward L2 traffic to a specified egress interface.
- Set interface null - Drops matching traffic if the null interface is set or if none of the specified next-hops are reachable or if the specified egress interface is not L2 and link up.
- Set replication group - Used to replicate traffic to anycast servers, designed to resolve the hashing problem as described in RFC7690.
Command Syntax
admin@DELLSONiC:~$ sonic-cli
DELLSONiC# configure
DELLSONiC(config)# policy-map {POLICYMAP-NAME} type forwarding
DELLSONiC(config-policy-map)#
DELLSONiC(config-policy-map)# class {CLASS-MAP-NAME} priority {Priority-value}
Enter a priority number (0-4095) to specify the order in which a class map is applied in the policy map to match traffic in the flow. A higher priority class map is processed before a lower priority.
If the next hop is an IP address
DELLSONiC(config-policy-map-flow)# set ip next-hop {IP-ADDRESS}
If the next hop is an IPv6 address
DELLSONiC(config-policy-map-flow)# set ipv6 next-hop {IPv6 Address}
If we need a specific interface where the traffic is to be forwarded
DELLSONiC(config-policy-map-flow)# set interface {Eth, Null, PortChannel } {interface number}
If we have an IPv4/IPv6 Next Hop Group
DELLSONiC(config-policy-map-flow)# set ip next-hop-group {IPv4 Next Hop Group}
DELLSONiC(config-policy-map-flow)# set ipv6 next-hop-group {IPv6 Next Hop Group}
If we have an IPv4/IPv6 Replication Group
DELLSONiC(config-policy-map-flow)# set ip replication-group {IPv4 Replication Group}
DELLSONiC(config-policy-map-flow)# set ipv6 replication-group {IPv6 Replication Group}
Configure Service Policy (Apply Policy map in interface)
On an interface or sub-interface:
admin@DELLSONiC:~$ sonic-cli
DELLSONiC# configure
DELLSONiC(config)# interface {Eth slot/port[/breakout-port] [.subinterface]}
DELLSONiC(config-if-Eth)# service-policy type forwarding in {policy-map-name}
On VLAN interfaces:
admin@DELLSONiC:~$ sonic-cli
DELLSONiC# configure
DELLSONiC(config)# interface Vlan {vlan-id}
DELLSONiC(conf-if-Vlan)# service-policy type forwarding in {policy-map-name}
On port channel interfaces:
admin@DELLSONiC:~$ sonic-cli
DELLSONiC# configure
DELLSONiC(config)# interface PortChannel {portchannel-number}
DELLSONiC(conf-if-po)# service-policy type forwarding in {policy-map-name}
Globally on all switch interfaces
When you apply a forwarding policy globally on all interfaces, the next-hops must be in the default VRF unless you set a non-default VRF using the set {ip | ipv6} next-hop ip-address vrf vrf-name command in the policy map.
admin@DELLSONiC:~$ sonic-cli
DELLSONiC# configure
DELLSONiC(config)# service-policy type forwarding in {policy-map-name}
Verify
Use the following command to verify the class map
DELLSONiC# show class-map {class-map-name}
Use the following command to verify the policy map
DELLSONiC# show policy-map {POLICY-MAP-NAME}
Use the following commands to verify the service policy
DELLSONiC# show policy-map type forwarding
DELLSONiC# show service-policy interface {Interface}
DELLSONiC# show service-policy summary
Sample Configuration
Let us consider the following topology.

We do not have a route to 50.0.0.0/24 and 60.0.0.0/24 in DELLSONiC.
DELLSONiC# show ip route
Codes: K - kernel route, C - connected, S - static, B - BGP, O - OSPF
> - selected route, * - FIB route, q - queued route, r - rejected route
Destination Gateway Dist/Metric Last Update
--------------------------------------------------------------------------------------------------------------------------------
C>* 1.1.1.1/32 Direct Loopback0 0/0 09:18:16 ago
C>* 10.0.0.0/24 Direct Eth1/1 0/0 09:17:56 ago
C>* 20.0.0.0/24 Direct Eth1/2 0/0 01:58:41 ago
C>* 30.0.0.0/24 Direct Eth1/3 0/0 09:14:38 ago
Goal:
Traffic to server farm 50.0.0.0/24 is to be routed to next hop 20.0.0.2. Traffic to server farm 60.0.0.0/24 is to be routed to next hop 30.0.0.2.
Configuration
Let us configure the class maps. Here we classify the traffic based on various parameters.
In the class map MATCH_IP_OF_SERVER-1, the match criteria are dst-ip 50.0.0.0/24.
In the class map MATCH_IP_OF_SERVER-2, the match criteria are dst-ip 60.0.0.0/24.
admin@DELLSONiC:~$ sonic-cli
DELLSONiC#
DELLSONiC# configure
DELLSONiC(config)# class-map MATCH_IP_OF_SERVER-1 match-type fields match-all
DELLSONiC(config-class-map)# description "MATCH IP ADDRESS of SERVER FARM 1"
DELLSONiC(config-class-map)# match destination-address ip 50.0.0.0/24
DELLSONiC(config-class-map)# exit
DELLSONiC(config)#
DELLSONiC(config)# class-map MATCH_IP_OF_SERVER-2 match-type fields match-all
DELLSONiC(config-class-map)# description "MATCH IP ADDRESS of SERVER FARM 2"
DELLSONiC(config-class-map)# match destination-address ip 60.0.0.0/24
DELLSONiC(config-class-map)# exit
DELLSONiC(config)# exit
DELLSONiC#
Let us configure the Policy Map.
Here we define the action to take when traffic matches a condition. In this case, traffic that matches a specific destination IP address is forwarded to a specific next-hop IP.
admin@DELLSONiC:~$ sonic-cli
DELLSONiC# configure
DELLSONiC(config)# policy-map FORWARD_TO_SERVER type forwarding
DELLSONiC(config-policy-map)# class MATCH_IP_OF_SERVER-2 priority 100
DELLSONiC(config-policy-map-flow)# set ip next-hop 30.0.0.2
DELLSONiC(config-policy-map-flow)# exit
DELLSONiC(config-policy-map-flow)#
DELLSONiC(config-policy-map)# class MATCH_IP_OF_SERVER-1 priority 100
DELLSONiC(config-policy-map-flow)# set ip next-hop 20.0.0.2
DELLSONiC(config-policy-map-flow)# exit
DELLSONiC(config-policy-map)# exit
DELLSONiC(config)#
Let us apply the Policy map as service policy to interface Eth 1/1.
admin@DELLSONiC:~$ sonic-cli
DELLSONiC# configure
DELLSONiC(config)# interface Eth 1/1
DELLSONiC(config-if-Eth1/1)# service-policy type forwarding in FORWARD_TO_SERVER
DELLSONiC(config-if-Eth1/1)# end
Verify Configuration
Let us check the class map configuration. Here we can see for MATCH_IP_OF_SERVER-1 the match criteria are dst-ip 50.0.0.0/24. In the class map MATCH_IP_OF_SERVER-2, the match criteria are dst-ip 60.0.0.0/24.
DELLSONiC# show class-map MATCH_IP_OF_SERVER-1
Class-map MATCH_IP_OF_SERVER-1 match-type fields
  Description: "MATCH IP ADDRESS of SERVER FARM 1"
  Match:
    dst-ip 50.0.0.0/24
  Referenced in flows:
    policy FORWARD_TO_SERVER at priority 100
DELLSONiC#
DELLSONiC# show class-map MATCH_IP_OF_SERVER-2
Class-map MATCH_IP_OF_SERVER-2 match-type fields
  Description: "MATCH IP ADDRESS of SERVER FARM 2"
  Match:
    dst-ip 60.0.0.0/24
  Referenced in flows:
    policy FORWARD_TO_SERVER at priority 100
DELLSONiC#
The policy map defines the next hop for traffic classified under a class map.
DELLSONiC# show policy-map type forwarding
Policy FORWARD_TO_SERVER Type forwarding
  Description:
  Flow MATCH_IP_OF_SERVER-2 at priority 100
    Description:
    set ip nexthop 30.0.0.2
  Flow MATCH_IP_OF_SERVER-1 at priority 100
    Description:
    set ip nexthop 20.0.0.2
  Applied to:
    Eth1/1 at Ingress
DELLSONiC# show policy-map FORWARD_TO_SERVER
Policy FORWARD_TO_SERVER Type forwarding
  Description:
  Flow MATCH_IP_OF_SERVER-2 at priority 100
    Description:
    set ip nexthop 30.0.0.2
  Flow MATCH_IP_OF_SERVER-1 at priority 100
    Description:
    set ip nexthop 20.0.0.2
  Applied to:
    Eth1/1 at Ingress
DELLSONiC#
The service policy defines where the policy map is to be applied.
DELLSONiC# show service-policy summary
Eth1/1
  forwarding policy FORWARD_TO_SERVER at ingress
CtrlPlane
  qos policy oob-qos-policy at ingress
DELLSONiC# show service-policy interface Eth 1/1
Eth1/1
  Policy FORWARD_TO_SERVER type forwarding at ingress
  Description:
    Flow MATCH_IP_OF_SERVER-2 at priority 100 (Active)
      Description:
      set ip nexthop 30.0.0.2 (Selected)
      Packet matches: 616 frames 62832 bytes
    Flow MATCH_IP_OF_SERVER-1 at priority 100 (Active)
      Description:
      set ip nexthop 20.0.0.2 (Selected)
      Packet matches: 50 frames 5100 bytes
DELLSONiC#
DELLSONiC# show service-policy policy-map FORWARD_TO_SERVER
Eth1/1
  Policy FORWARD_TO_SERVER type forwarding at ingress
  Description:
    Flow MATCH_IP_OF_SERVER-2 at priority 100 (Active)
      Description:
      set ip nexthop 30.0.0.2 (Selected)
      Packet matches: 616 frames 62832 bytes
    Flow MATCH_IP_OF_SERVER-1 at priority 100 (Active)
      Description:
      set ip nexthop 20.0.0.2 (Selected)
      Packet matches: 50 frames 5100 bytes
DELLSONiC#
What if the next hop is down?
Suppose the next hop 20.0.0.2 is down. In the output of show service-policy interface Eth 1/1 and show service-policy policy-map FORWARD_TO_SERVER below, 20.0.0.2 is missing "(Selected)", while 30.0.0.2, which is reachable, has "(Selected)".
The counters (packet matches and frames) still increment, but the packets are dropped because the next hop is not reachable.
DELLSONiC# show service-policy policy-map FORWARD_TO_SERVER
Eth1/1
  Policy FORWARD_TO_SERVER type forwarding at ingress
  Description:
    Flow MATCH_IP_OF_SERVER-2 at priority 100 (Active)
      Description:
      set ip nexthop 30.0.0.2 (Selected)
      Packet matches: 616 frames 62832 bytes
    Flow MATCH_IP_OF_SERVER-1 at priority 100 (Active)
      Description:
      set ip nexthop 20.0.0.2 ====>Selected missing
      Packet matches: 50 frames 5100 bytes
30.0.0.2 is reachable and selected. 20.0.0.2 is not reachable and hence selected is missing.
DELLSONiC# show service-policy interface Eth 1/1
Eth1/1
  Policy FORWARD_TO_SERVER type forwarding at ingress
  Description:
    Flow MATCH_IP_OF_SERVER-2 at priority 100 (Active)
      Description:
      set ip nexthop 30.0.0.2 (Selected)
      Packet matches: 616 frames 62832 bytes
    Flow MATCH_IP_OF_SERVER-1 at priority 100 (Active)
      Description:
      set ip nexthop 20.0.0.2 ====>Selected missing
      Packet matches: 50 frames 5100 bytes
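A monitoring check for the next-hop-down case described above, added here as an example and not taken from the Dell article or from Dell tooling: it parses show service-policy output and reports flows whose configured next hop is not marked (Selected), which per the article means matched packets are being dropped. The sample text is reconstructed from the article's output; its line breaks and the function names are assumptions.

```python
import re

# Constructed sample: the article's "next hop down" output without the
# author's "====>Selected missing" annotation; line breaks are assumed.
SAMPLE = """\
Eth1/1
  Policy FORWARD_TO_SERVER type forwarding at ingress
  Description:
    Flow MATCH_IP_OF_SERVER-2 at priority 100 (Active)
      Description:
      set ip nexthop 30.0.0.2 (Selected)
      Packet matches: 616 frames 62832 bytes
    Flow MATCH_IP_OF_SERVER-1 at priority 100 (Active)
      Description:
      set ip nexthop 20.0.0.2
      Packet matches: 50 frames 5100 bytes
"""

# Patterns use \s+ throughout so they also work on flattened one-line output.
FLOW_RE = re.compile(r"Flow\s+(\S+)\s+at\s+priority\s+(\d+)(?:\s+\((\w+)\))?")
HOP_RE = re.compile(r"set\s+(ip|ipv6)\s+nexthop\s+(\S+)(\s+\(Selected\))?")
COUNT_RE = re.compile(r"Packet matches:\s+(\d+)\s+frames\s+(\d+)\s+bytes")

def parse_flows(text):
    """Split the output at each 'Flow' header; extract next hops and counters."""
    headers = list(FLOW_RE.finditer(text))
    flows = []
    for i, h in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        body = text[h.end():end]
        # Each hop is (address, selected?) as reported by the switch.
        hops = [(m.group(2), bool(m.group(3))) for m in HOP_RE.finditer(body)]
        c = COUNT_RE.search(body)
        flows.append({
            "class": h.group(1),
            "priority": int(h.group(2)),
            "active": h.group(3) == "Active",
            "hops": hops,
            "frames": int(c.group(1)) if c else 0,
        })
    return flows

def blackholed_flows(text):
    """Flows that have next hops configured but none marked (Selected)."""
    return [f for f in parse_flows(text)
            if f["hops"] and not any(sel for _, sel in f["hops"])]

if __name__ == "__main__":
    for f in blackholed_flows(SAMPLE):
        print(f"{f['class']}: no selected next hop, {f['frames']} frames matched")
```

Comparing the frame counter between two polls separates a flow that is actively dropping traffic from one that is merely idle.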