[mirror_frr.git] / doc / user / pbr.rst

.. _pbr:

***
PBR
***

:abbr:`PBR` is Policy Based Routing.  This implementation supports a very simple
interface to allow admins to influence routing on their router.  At this time
you can only match on destination and source prefixes for an incoming interface.
At this point in time, this implementation will only work on Linux.

.. _starting-pbr:

Starting PBR
============

Default configuration file for *pbrd* is :file:`pbrd.conf`.  The typical
location of :file:`pbrd.conf` is |INSTALL_PREFIX_ETC|/pbrd.conf.

If the user is using integrated config, then :file:`pbrd.conf` need not be
present and the :file:`frr.conf` is read instead.

.. program:: pbrd

:abbr:`PBR` supports all the common FRR daemon start options which are
documented elsewhere.

.. _nexthop-groups:

Nexthop Groups
==============

Nexthop groups are a way to encapsulate ECMP information together.  It's a
listing of ECMP nexthops used to forward packets for when a pbr-map is matched.

.. clicmd:: nexthop-group NAME

   Create a nexthop-group with an associated NAME.  This will put you into a
   sub-mode where you can specify individual nexthops.  To exit this mode type
   exit or end as per normal conventions for leaving a sub-mode.

.. clicmd:: nexthop [A.B.C.D|X:X::X:XX] [interface] [nexthop-vrf NAME] [label LABELS]

   Create a v4 or v6 nexthop.  All normal rules for creating nexthops that you
   are used to are allowed here.  The syntax was intentionally kept the same as
   creating nexthops as you would for static routes.

.. clicmd:: [no] pbr table range (10000-4294966272) (10000-4294966272)

   Set or unset the range used to assign numeric table ID's to new
   nexthop-group tables. Existing tables will not be modified to fit in this
   range, so it is recommended to configure this before adding nexthop groups.

   .. seealso:: :ref:`pbr-details`

Showing Nexthop Group Information
---------------------------------

.. clicmd:: show pbr nexthop-groups [NAME]

   Display information on a PBR nexthop-group. If ``NAME`` is omitted, all
   nexthop groups are shown.

.. _pbr-maps:

PBR Maps
========

PBR maps are a way to group policies that we would like to apply to individual
interfaces. These policies when applied are matched against incoming packets.
If matched the nexthop-group or nexthop is used to forward the packets to the
end destination.

.. clicmd:: pbr-map NAME seq (1-700)

   Create a pbr-map with NAME and sequence number specified.  This command puts
   you into a new submode for pbr-map specification.  To exit this mode type
   exit or end as per normal conventions for leaving a sub-mode.

.. clicmd:: match src-ip PREFIX

   When a incoming packet matches the source prefix specified, take the packet
   and forward according to the nexthops specified.  This command accepts both
   v4 and v6 prefixes.  This command is used in conjunction of the
   :clicmd:`match dst-ip PREFIX` command for matching.

.. clicmd:: match dst-ip PREFIX

   When a incoming packet matches the destination prefix specified, take the
   packet and forward according to the nexthops specified.  This command accepts
   both v4 and v6 prefixes.  This command is used in conjunction of the
   :clicmd:`match src-ip PREFIX` command for matching.

.. clicmd:: match mark (1-4294967295)

   Select the mark to match.  This is a linux only command and if attempted
   on another platform it will be denied.  This mark translates to the
   underlying `ip rule .... fwmark XXXX` command.

.. clicmd:: set nexthop-group NAME

   Use the nexthop-group NAME as the place to forward packets when the match
   commands have matched a packet.

.. clicmd:: set nexthop [A.B.C.D|X:X::X:XX] [interface] [nexthop-vrf NAME]

   Use this individual nexthop as the place to forward packets when the match
   commands have matched a packet.

.. clicmd:: set vrf unchanged|NAME

   If unchanged is set, the rule will use the vrf table the interface is in
   as its lookup. If NAME is specified, the rule will use that vrf table as
   its lookup.

   Not supported with NETNS VRF backend.

.. clicmd:: show pbr map [NAME] [detail]

   Display pbr maps either all or by ``NAME``. If ``detail`` is set, it will
   give information about the rules unique ID used internally and some extra
   debugging information about install state for the nexthop/nexthop group.

.. _pbr-policy:

PBR Policy
==========

After you have specified a PBR map, in order for it to be turned on, you must
apply the PBR map to an interface.  This policy application to an interface
causes the policy to be installed into the kernel.

.. index:: pbr-policy
.. clicmd:: pbr-policy NAME

   This command is available under interface sub-mode.  This turns
   on the PBR map NAME and allows it to work properly.

.. _pbr-details:

PBR Details
===========

Under the covers a PBR map is translated into two separate constructs in the
Linux kernel.

.. index:: PBR Rules

The PBR map specified creates a `ip rule ...` that is inserted into the Linux
kernel that points to a table to use for forwarding once the rule matches.

.. index:: PBR Tables

The creation of a nexthop or nexthop-group is translated to a default route in a
table with the nexthops specified as the nexthops for the default route.
Commit	Line	Data
a6c93cb2 DS	1	.. _pbr:
	2
	3	***
	4	PBR
	5	***
	6
6568993b QY	7	:abbr:`PBR` is Policy Based Routing. This implementation supports a very simple
	8	interface to allow admins to influence routing on their router. At this time
	9	you can only match on destination and source prefixes for an incoming interface.
	10	At this point in time, this implementation will only work on Linux.
a6c93cb2 DS	11
	12	.. _starting-pbr:
	13
6568993b	14	Starting PBR
a6c93cb2 DS	15	============
	16
	17	Default configuration file for pbrd is :file:`pbrd.conf`. The typical
	18	location of :file:`pbrd.conf` is \|INSTALL_PREFIX_ETC\|/pbrd.conf.
	19
6568993b QY	20	If the user is using integrated config, then :file:`pbrd.conf` need not be
6568993b QY	21	present and the :file:`frr.conf` is read instead.
a6c93cb2 DS	22
	23	.. program:: pbrd
	24
	25	:abbr:`PBR` supports all the common FRR daemon start options which are
	26	documented elsewhere.
	27
	28	.. _nexthop-groups:
	29
6568993b	30	Nexthop Groups
a6c93cb2 DS	31	==============
	32
	33	Nexthop groups are a way to encapsulate ECMP information together. It's a
6568993b	34	listing of ECMP nexthops used to forward packets for when a pbr-map is matched.
a6c93cb2	35
a6c93cb2 DS	36	.. clicmd:: nexthop-group NAME
a6c93cb2 DS	37
6568993b QY	38	Create a nexthop-group with an associated NAME. This will put you into a
	39	sub-mode where you can specify individual nexthops. To exit this mode type
	40	exit or end as per normal conventions for leaving a sub-mode.
a6c93cb2	41
db2fede9	42	.. clicmd:: nexthop [A.B.C.D\|X:X::X:XX] [interface] [nexthop-vrf NAME] [label LABELS]
a6c93cb2	43
6568993b QY	44	Create a v4 or v6 nexthop. All normal rules for creating nexthops that you
	45	are used to are allowed here. The syntax was intentionally kept the same as
	46	creating nexthops as you would for static routes.
	47
2e7c93ac QY	48	.. clicmd:: [no] pbr table range (10000-4294966272) (10000-4294966272)
	49
	50	Set or unset the range used to assign numeric table ID's to new
	51	nexthop-group tables. Existing tables will not be modified to fit in this
	52	range, so it is recommended to configure this before adding nexthop groups.
	53
	54	.. seealso:: :ref:`pbr-details`
	55
	56	Showing Nexthop Group Information
	57	---------------------------------
	58
	59	.. clicmd:: show pbr nexthop-groups [NAME]
	60
	61	Display information on a PBR nexthop-group. If ``NAME`` is omitted, all
	62	nexthop groups are shown.
	63
a6c93cb2 DS	64	.. _pbr-maps:
a6c93cb2 DS	65
6568993b	66	PBR Maps
a6c93cb2 DS	67	========
a6c93cb2 DS	68
2e7c93ac QY	69	PBR maps are a way to group policies that we would like to apply to individual
	70	interfaces. These policies when applied are matched against incoming packets.
	71	If matched the nexthop-group or nexthop is used to forward the packets to the
	72	end destination.
a6c93cb2	73
e5436163	74	.. clicmd:: pbr-map NAME seq (1-700)
a6c93cb2	75
6568993b QY	76	Create a pbr-map with NAME and sequence number specified. This command puts
	77	you into a new submode for pbr-map specification. To exit this mode type
	78	exit or end as per normal conventions for leaving a sub-mode.
a6c93cb2	79
6568993b	80	.. clicmd:: match src-ip PREFIX
a6c93cb2	81
6568993b QY	82	When a incoming packet matches the source prefix specified, take the packet
	83	and forward according to the nexthops specified. This command accepts both
	84	v4 and v6 prefixes. This command is used in conjunction of the
	85	:clicmd:`match dst-ip PREFIX` command for matching.
a6c93cb2	86
6568993b	87	.. clicmd:: match dst-ip PREFIX
a6c93cb2	88
6568993b QY	89	When a incoming packet matches the destination prefix specified, take the
6568993b QY	90	packet and forward according to the nexthops specified. This command accepts
56f0bea7	91	both v4 and v6 prefixes. This command is used in conjunction of the
6568993b	92	:clicmd:`match src-ip PREFIX` command for matching.
a6c93cb2	93
a547ef39 DS	94	.. clicmd:: match mark (1-4294967295)
	95
	96	Select the mark to match. This is a linux only command and if attempted
	97	on another platform it will be denied. This mark translates to the
	98	underlying `ip rule .... fwmark XXXX` command.
	99
a6c93cb2 DS	100	.. clicmd:: set nexthop-group NAME
a6c93cb2 DS	101
6568993b QY	102	Use the nexthop-group NAME as the place to forward packets when the match
6568993b QY	103	commands have matched a packet.
a6c93cb2 DS	104
	105	.. clicmd:: set nexthop [A.B.C.D\|X:X::X:XX] [interface] [nexthop-vrf NAME]
	106
6568993b QY	107	Use this individual nexthop as the place to forward packets when the match
6568993b QY	108	commands have matched a packet.
a6c93cb2	109
be3b67b5 SW	110	.. clicmd:: set vrf unchanged\|NAME
	111
	112	If unchanged is set, the rule will use the vrf table the interface is in
	113	as its lookup. If NAME is specified, the rule will use that vrf table as
	114	its lookup.
	115
	116	Not supported with NETNS VRF backend.
	117
b781c086 SW	118	.. clicmd:: show pbr map [NAME] [detail]
	119
	120	Display pbr maps either all or by ``NAME``. If ``detail`` is set, it will
	121	give information about the rules unique ID used internally and some extra
	122	debugging information about install state for the nexthop/nexthop group.
	123
a6c93cb2 DS	124	.. _pbr-policy:
a6c93cb2 DS	125
6568993b	126	PBR Policy
a6c93cb2 DS	127	==========
a6c93cb2 DS	128
6568993b QY	129	After you have specified a PBR map, in order for it to be turned on, you must
	130	apply the PBR map to an interface. This policy application to an interface
	131	causes the policy to be installed into the kernel.
a6c93cb2	132
6568993b	133	.. index:: pbr-policy
a6c93cb2 DS	134	.. clicmd:: pbr-policy NAME
a6c93cb2 DS	135
6568993b QY	136	This command is available under interface sub-mode. This turns
6568993b QY	137	on the PBR map NAME and allows it to work properly.
a6c93cb2 DS	138
	139	.. _pbr-details:
	140
6568993b	141	PBR Details
a6c93cb2 DS	142	===========
a6c93cb2 DS	143
6568993b QY	144	Under the covers a PBR map is translated into two separate constructs in the
	145	Linux kernel.
	146
	147	.. index:: PBR Rules
a6c93cb2	148
6568993b QY	149	The PBR map specified creates a `ip rule ...` that is inserted into the Linux
6568993b QY	150	kernel that points to a table to use for forwarding once the rule matches.
a6c93cb2	151
6568993b	152	.. index:: PBR Tables
a6c93cb2	153
6568993b QY	154	The creation of a nexthop or nexthop-group is translated to a default route in a
6568993b QY	155	table with the nexthops specified as the nexthops for the default route.
a6c93cb2	156