Brocade Communications Systems Brocade ICX 6650 User Manual

Brocade ICX 6650 Security Configuration Guide
53-1002601-01
Policy Based Routing
You can configure the Brocade device to perform the following types of PBR based on a packet's Layer 3 and Layer 4 information:
• Select the next-hop gateway.
• Send the packet to the null interface (null0).
When a PBR policy has multiple next hops to a destination, PBR selects the first next hop specified in the policy that is up. If none of the policy's direct routes or next hops are available, the packet is routed in the normal way.
Configuration considerations for policy-based routing
• PBR is supported in the full Layer 3 code only.
• PBR is not supported together with ACLs on the same port.
• Global PBR is not supported when IP Follow is configured on an interface.
• Global PBR is not supported with per-port-per-VLAN ACLs.
• A PBR policy on an interface takes precedence over a global PBR policy.
• You cannot apply PBR on a port if that port already has ACLs, ACL-based rate limiting, DSCP-based QoS, or MAC address filtering.
• The number of route maps that you can define is limited by the available system memory, which is determined by the system configuration and how much memory other features use. When a route map is used in a PBR policy, the PBR policy uses up to six instances of a route map, up to five ACLs in a matching policy of each route map instance, and up to six next hops in a set policy of each route map instance. Note that the CLI will allow you to configure more than six next hops in a route map; however, the extra next hops will not be placed in the PBR database. The route map could be used by other features like BGP or OSPF, which may use more than six next hops.
• ACLs with the log option configured should not be used for PBR purposes.
• PBR ignores explicit or implicit deny ip any any ACL entries, to ensure that for route maps that use multiple ACLs, the traffic is compared to all the ACLs. PBR also ignores any deny clauses in an ACL. Traffic that matches a deny clause is routed normally using Layer 3 paths.
• PBR always selects the first next hop from the next hop list that is up. If a PBR policy's next hop goes down, the policy uses another next hop if available. If no next hops are available, the device routes the traffic in the normal way.
• PBR is not supported for fragmented packets. If the PBR ACL filters on Layer 4 information like TCP/UDP ports, fragmented packets are routed normally.
• You can change route maps or ACL definitions dynamically and do not need to rebind the PBR policy to an interface.
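The following Python model is an added example, not code from the Brocade guide or the device. It traces the forwarding decision implied by the considerations above, so you can see which packets fall back to normal Layer 3 routing instead of following the policy. The class names, the packet dictionary layout, the sample addresses, and the choice to stop at the first matching route map instance are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set

MAX_INSTANCES, MAX_ACLS, MAX_NEXT_HOPS = 6, 5, 6  # PBR database limits from the text

@dataclass
class AclEntry:
    action: str                      # "permit" or "deny"
    src: str                         # source network in CIDR form
    dst_port: Optional[int] = None   # Layer 4 match; None means any port

@dataclass
class Instance:                      # one route map instance (hypothetical model)
    acls: List[List[AclEntry]]       # match policy: list of ACLs
    next_hops: List[str]             # set policy: ordered next hops

def entry_matches(e: AclEntry, pkt: dict) -> bool:
    if e.action != "permit":
        return False                 # deny clauses are ignored (assumed: skipped)
    if e.dst_port is not None and (pkt["fragment"] or pkt["dst_port"] != e.dst_port):
        return False                 # fragments never match a Layer 4 filter
    return ip_address(pkt["src"]) in ip_network(e.src)

def pbr_decision(route_map: List[Instance], pkt: dict, hops_up: Set[str]) -> str:
    """Return the next hop PBR uses, or "normal" for ordinary Layer 3 routing."""
    for inst in route_map[:MAX_INSTANCES]:
        acls = inst.acls[:MAX_ACLS]
        if any(entry_matches(e, pkt) for acl in acls for e in acl):
            # Only the first six next hops are placed in the PBR database.
            for hop in inst.next_hops[:MAX_NEXT_HOPS]:
                if hop in hops_up:
                    return hop       # first listed next hop that is up
            return "normal"          # assumption: later instances are not tried
    return "normal"

# Constructed sample policy: steer web traffic from 10.1.0.0/16 to an
# inspection next hop. Eight next hops are listed; the last two are never used.
POLICY = [Instance(
    acls=[[AclEntry("deny", "10.2.0.0/16"),
           AclEntry("permit", "10.1.0.0/16", dst_port=80)]],
    next_hops=[f"192.0.2.{i}" for i in range(1, 9)],
)]
```

Every "normal" result is traffic that bypasses the policy's next hop without being dropped, which matters when the next hop is an inspection or filtering device.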
Configuring a PBR policy
To configure PBR, you define the policies using IP ACLs and route maps, then enable PBR globally 
or on individual interfaces. The device programs the ACLs into the packet processor on the 
interfaces and routes traffic that matches the ACLs according to the instructions in the route maps. 
To configure a PBR policy:
Configure ACLs that contain the source IP addresses for the IP traffic you want to route using 
PBR.