Policy-based routing (PBR) forwards packets according to a configured policy instead of the destination-IP lookup used by conventional routing. On AOS the policy is expressed as a route ACL: each rule classifies traffic by source/destination IP address, L4 protocol and ports, and application (AppRF), and its action sends matching packets to a chosen next-hop list.
Feature introduced in AOS 6.4.3.
Network Topology
1) Create a next-hop list
2) Create a route ACL that classifies the traffic type, with the action set to route to the desired next-hop list.
3) Bind the ACL to the user role
1) Create a next-hop list
(6.4.3-Beta-Master) #show ip nexthop-list

Nexthop-List Entries
--------------------
Nexthop-list Name             Nexthop-list Id  Preemptive Failover  Active IP      Nexthop IPs(Priority)
-----------------             ---------------  -------------------  ---------      ---------------------
Branch-with-multiple-uplinks                   Enabled                             10.17.170.40(40), 10.17.168.200(30), 10.17.169.200(20), 10.17.164.254(10)
test                          0x4402           Enabled              10.17.168.193  10.17.168.193(128), 10.17.169.200(128), 10.17.164.254(128)
(6.4.3-Beta-Master) #
2) Create a route ACL that classifies the traffic type, with the action set to route to the desired next-hop list.
(6.4.3-Beta-Master) #show ip access-list test

ip access-list route test
test
----
Priority  Source                Destination  Service  Application  Action   Next
--------  ------                -----------  -------  -----------  ------   ----
1         10.0.0.0 255.255.0.0  any          any                   forward  test
(6.4.3-Beta-Master) #
3) Bind the ACL to the user role
(6.4.3-Beta-Master) (config) #routing-policy-map role test access-list test
(6.4.3-Beta-Master) (config) #exit
(6.4.3-Beta-Master) #show rights test
Valid = 'Yes'
CleanedUp = 'No'
Derived Role = 'test'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Number of users referencing it = 0
Periodic reauthentication: Disabled
DPI Classification: Enabled
Youtube education: Disabled
Web Content Classification: Enabled
ACL Number = 67/0
Max Sessions = 65535
Check CP Profile for Accounting = TRUE
Application Exception List
--------------------------
Name Type
---- ----
Application BW-Contract List
----------------------------
Name Type BW Contract Id Direction
---- ---- ----------- -- ---------
access-list List
----------------
Position  Name             Type     Location
--------  ----             ----     --------
1         global-sacl      session
2         apprf-test-sacl  session
3         test             route
global-sacl
-----------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
apprf-test-sacl
---------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
Expired Policies (due to time constraints) = 0
test
----
Priority  Source                Destination  Service  Application  Action   NextHopList  IpsecMap  Tunnel  TunnelGroup  IPv4/6
--------  ------                -----------  -------  -----------  ------   -----------  --------  ------  -----------  ------
1         10.0.0.0 255.255.0.0  any          any                   forward  test                                        4
(6.4.3-Beta-Master) #
Verify that every next hop in the list has an entry in the datapath route cache and that the entry is resolved (flag A) rather than flagged D (Drop) or N (inactive); a next hop without a usable route-cache entry cannot carry the routed traffic.
(6.4.3-Beta-Master) #show datapath route-cache
Route Cache Entries
-------------------
Flags: L - Local, P - Permanent, T - Tunnel, I - IPsec,
t - trusted, A - ARP, D - Drop, R - Routed across vlan
O - Temporary, N - INactive, H - DHCP snooped
IP               MAC                VLAN  Flags
---------------  -----------------  ----  ------
172.16.0.254     00:1A:1E:01:2D:18  1     LP
10.17.168.200    00:1A:1E:01:2D:18  174   LP
10.17.168.193    00:0B:86:86:09:80  174   tA
10.17.170.40     00:1A:1E:01:2D:18  187   LP
10.17.169.200    00:1A:1E:01:2D:18  183   LP
10.17.164.230    00:1A:1E:01:2D:18  164   LP
10.17.164.254    00:1A:1E:09:15:C0  164   tA
(6.4.3-Beta-Master) #
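The route-cache check above is easy to do by eye for two lists and seven cache entries, but not for a branch deployment with many lists. The following script is an added example (not Aruba code, and not part of the original note): it parses the text of `show ip nexthop-list` and `show datapath route-cache` as pasted from a terminal and reports, per list and in priority order, whether each next hop is missing from the cache, resolved, or the controller's own address. It assumes, beyond what the page states, that flag L (Local) marks the controller's own interface addresses rather than a gateway, that flag A (ARP) marks a usable resolved neighbour, and that a hop with no entry or with D/N flags is unusable. The samples are the page's own outputs plus one constructed list, `lab-missing` with next hop 192.0.2.1, added to show the failure case.

```python
"""Check every next hop of each AOS nexthop-list against the datapath route cache.

Added example, not Aruba code.  Assumptions (not stated on the page):
flag L = controller's own address, flag A = ARP-resolved gateway,
no entry or D/N flags = unusable next hop.
"""
import re

# Constructed sample: the page's `show ip nexthop-list` output plus one extra
# list ("lab-missing", next hop 192.0.2.1) that is not on the page.
NEXTHOP_LIST_OUTPUT = """\
Nexthop-List Entries
--------------------
Nexthop-list Name             Nexthop-list Id  Preemptive Failover  Active IP      Nexthop IPs(Priority)
-----------------             ---------------  -------------------  ---------      ---------------------
Branch-with-multiple-uplinks                   Enabled                             10.17.170.40(40), 10.17.168.200(30), 10.17.169.200(20), 10.17.164.254(10)
test                          0x4402           Enabled              10.17.168.193  10.17.168.193(128), 10.17.169.200(128), 10.17.164.254(128)
lab-missing                   0x4403           Enabled                             192.0.2.1(100), 10.17.164.254(50)
"""

# Constructed sample: the page's `show datapath route-cache` output.
ROUTE_CACHE_OUTPUT = """\
Route Cache Entries
-------------------
Flags: L - Local, P - Permanent, T - Tunnel, I - IPsec,
       t - trusted, A - ARP, D - Drop, R - Routed across vlan
       O - Temporary, N - INactive, H - DHCP snooped
IP               MAC                VLAN  Flags
---------------  -----------------  ----  ------
172.16.0.254     00:1A:1E:01:2D:18  1     LP
10.17.168.200    00:1A:1E:01:2D:18  174   LP
10.17.168.193    00:0B:86:86:09:80  174   tA
10.17.170.40     00:1A:1E:01:2D:18  187   LP
10.17.169.200    00:1A:1E:01:2D:18  183   LP
10.17.164.230    00:1A:1E:01:2D:18  164   LP
10.17.164.254    00:1A:1E:09:15:C0  164   tA
"""

# "a.b.c.d(prio)" tokens in a nexthop-list row; the bare Active IP has no "(...)".
HOP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\((\d+)\)")
# One route-cache entry row: IP, MAC, VLAN, flag letters.
CACHE_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s+(\d+)\s+([A-Za-z]+)\s*$",
    re.MULTILINE)


def parse_nexthop_lists(text):
    """Map list name -> [(ip, priority), ...], highest priority first.

    A row is any line carrying ip(priority) tokens; its first token is the name.
    sorted() is stable, so hops with equal priority keep their listed order."""
    lists = {}
    for line in text.splitlines():
        hops = HOP_RE.findall(line)
        if hops:
            lists[line.split()[0]] = sorted(
                ((ip, int(prio)) for ip, prio in hops), key=lambda h: -h[1])
    return lists


def parse_route_cache(text):
    """Map ip -> (mac, vlan, flags) for every entry row of the route cache."""
    return {ip: (mac, int(vlan), flags) for ip, mac, vlan, flags in CACHE_RE.findall(text)}


def classify_hop(ip, cache):
    """State of one next hop judged from its route-cache entry."""
    if ip not in cache:
        return "missing"       # no entry at all: the hop was never learned
    flags = cache[ip][2]
    if "D" in flags or "N" in flags:
        return "unusable"      # Drop or inactive entry
    if "L" in flags:
        return "local"         # controller's own address, not a gateway (assumption)
    if "A" in flags:
        return "resolved"      # ARP-resolved neighbour: usable gateway
    return "unresolved"


def check_nexthop_lists(nexthop_text, cache_text):
    """Return {list_name: [(ip, priority, state), ...]} in priority order."""
    cache = parse_route_cache(cache_text)
    return {name: [(ip, prio, classify_hop(ip, cache)) for ip, prio in hops]
            for name, hops in parse_nexthop_lists(nexthop_text).items()}


def first_usable(entries):
    """Highest-priority hop in state 'resolved', or None if the list has none."""
    for ip, _prio, state in entries:
        if state == "resolved":
            return ip
    return None


if __name__ == "__main__":
    report = check_nexthop_lists(NEXTHOP_LIST_OUTPUT, ROUTE_CACHE_OUTPUT)
    for name, entries in report.items():
        print(f"{name}: expected active hop {first_usable(entries)}")
        for ip, prio, state in entries:
            print(f"  {ip:<15} priority {prio:<4} {state}")
```

Run against the page's outputs, the `test` list resolves to 10.17.168.193, which matches the Active IP column of `show ip nexthop-list`; the three higher-priority hops of `Branch-with-multiple-uplinks` carry the LP flags of the controller's own interface addresses, so the only gateway-like hop it has under the stated assumptions is 10.17.164.254; and the constructed `lab-missing` list shows the case the page warns about, a configured next hop with no route-cache entry at all.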