Administration Guide

Policy-based routing

NOTE: You must have an advanced features license to use policy-based routing.

Policy-based routing (PBR) allows users to define the next hop for packets based on the packet's source or destination IP addresses. You can specify the virtual routing and forwarding (VRF) instance that the next hop belongs to; if you do not specify one, the default VRF instance is used. You can assign the next hop to a next-hop group to use equal-cost multi-path (ECMP) routing.

Configuring policy-based routing

config router policy
    config nexthop-group
        edit <name_of_next-hop_group>
            config nexthop
                edit <configuration_identifier>
                    set nexthop-ip <IPv4_address>
                    set nexthop-vrf-name <VRF_name>
                next
            end
        next
    end
    config pbr-map
        edit <PBR_map_name>
            set comments <string>
            config rule
                edit <rule_sequence_number>
                    set src <IPv4_address_mask>
                    set dst <IPv4_address_mask>
                    set nexthop-ip <IPv4_address>
                    set nexthop-vrf-name <VRF_name>
                    set nexthop-group-name <next-hop_group_name>
                next
            end
        next
    end
    config interface
        edit <interface_name>
            set pbr-map-name <PBR_policy_map_name>
        next
    end
end

Variable                                    Description                                                                                          Default

config nexthop-group                        Configure the next-hop group used for equal-cost multi-path (ECMP) routing.
<name_of_next-hop_group>                    Enter the name of the next-hop group.                                                                No default
config nexthop                              Configure the next hop.
<configuration_identifier>                  Enter the configuration identifier.                                                                  No default
nexthop-ip <IPv4_address>                   Enter the IPv4 address of the next hop.                                                              0.0.0.0
nexthop-vrf-name <VRF_name>                 Enter the virtual routing and forwarding (VRF) instance name.                                        No default
config pbr-map                              Configure the policy-based routing (PBR) map.
<PBR_map_name>                              Enter the name of the PBR map.                                                                       No default
comments <string>                           Enter a descriptive comment.                                                                         No default
config rule                                 Configure the PBR rule.
<rule_sequence_number>                      Enter a rule identifier. The range of values is 1-10000.                                             No default
src <IPv4_address_mask>                     Enter the source IPv4 address and mask.                                                              0.0.0.0 0.0.0.0
dst <IPv4_address_mask>                     Enter the destination IPv4 address and mask.                                                         0.0.0.0 0.0.0.0
nexthop-ip <IPv4_address>                   Enter the IPv4 address of the next hop.                                                              0.0.0.0
nexthop-vrf-name <VRF_name>                 Enter the name of the VRF instance that the next-hop address belongs to. If the name is not          No default
                                            specified, the default VRF is used.
nexthop-group-name <next-hop_group_name>    Enter the next-hop group name. This setting is used for ECMP.                                        No default
config interface                            Configure the interface.
<interface_name>                            Enter the name of the interface to configure.                                                        No default
pbr-map-name <PBR_map_name>                 Enter the name of the PBR map. The PBR map is created with the config pbr-map command.               No default

Example

This example creates the "pbrmap1" policy for vlan10, which is an ingress switch virtual interface (SVI). The policy has three rules:

  • Rule 1 finds packets with a source address of 22.1.1.0/24 and forwards them to the next hop, 12.1.1.2, which belongs to the default VRF instance.
  • Rule 2 finds packets with a destination address of 33.1.1.0/24 and forwards them to the ECMP route formed by the two next-hop IP addresses in the next-hop group. Both next hops belong to the default VRF instance.
  • Rule 3 finds packets with a destination address of 11.1.1.0/24 and forwards them to the next hop, 13.1.1.2, which belongs to the "vrfv4" VRF instance.

config router policy
    config nexthop-group
        edit "nhgroup1"
            config nexthop
                edit 1
                    set nexthop-ip 12.1.1.4
                next
                edit 2
                    set nexthop-ip 12.1.1.5
                next
            end
        next
    end
    config pbr-map
        edit "pbrmap1"
            config rule
                edit 1
                    set src 22.1.1.0 255.255.255.0
                    set nexthop-ip 12.1.1.2
                next
                edit 2
                    set dst 33.1.1.0 255.255.255.0
                    set nexthop-group-name "nhgroup1"
                next
                edit 3
                    set src 11.1.1.0 255.255.255.0
                    set nexthop-ip 13.1.1.2
                    set nexthop-vrf-name "vrfv4"
                next
            end
        next
    end
    config interface
        edit "vlan10"
            set pbr-map-name "pbrmap1"
        next
    end
end
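As an added, offline illustration (not Fortinet code or output), the following Python models the pbrmap1 example above: it matches a packet against each rule's src/dst address-and-mask pair and resolves the resulting next hop, VRF, or ECMP group, and it lints a map for rules that would silently steer every packet, point at an undefined next-hop group, or have no next hop at all. The first-match-by-ascending-sequence evaluation order and the rule/group field names are assumptions, not taken from the page.

```python
import ipaddress

# Constructed sample data, transcribed from the pbrmap1 example on this page.
# Fields the example leaves unset keep the documented defaults (0.0.0.0 0.0.0.0 / 0.0.0.0).
NEXTHOP_GROUPS = {"nhgroup1": [("12.1.1.4", ""), ("12.1.1.5", "")]}
PBR_RULES = [
    {"seq": 1, "src": "22.1.1.0 255.255.255.0", "dst": "0.0.0.0 0.0.0.0",
     "nexthop_ip": "12.1.1.2", "nexthop_vrf": "", "group": ""},
    {"seq": 2, "src": "0.0.0.0 0.0.0.0", "dst": "33.1.1.0 255.255.255.0",
     "nexthop_ip": "0.0.0.0", "nexthop_vrf": "", "group": "nhgroup1"},
    {"seq": 3, "src": "11.1.1.0 255.255.255.0", "dst": "0.0.0.0 0.0.0.0",
     "nexthop_ip": "13.1.1.2", "nexthop_vrf": "vrfv4", "group": ""},
]

def to_network(addr_mask):
    """Turn the CLI's '<address> <mask>' form into an ip_network; '0.0.0.0 0.0.0.0' matches everything."""
    addr, mask = addr_mask.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def lookup(rules, groups, src_ip, dst_ip):
    """Return the (next-hop, VRF) list a packet is steered to, or None to fall back to the routing table.
    Assumption (not stated on the page): rules are evaluated in ascending sequence and the first match wins."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in sorted(rules, key=lambda r: r["seq"]):
        if src in to_network(rule["src"]) and dst in to_network(rule["dst"]):
            if rule["group"]:  # ECMP: every member of the next-hop group is a candidate
                hops = [(ip, vrf or "default") for ip, vrf in groups[rule["group"]]]
            else:              # single next hop; empty VRF name means the default VRF
                hops = [(rule["nexthop_ip"], rule["nexthop_vrf"] or "default")]
            return {"seq": rule["seq"], "nexthops": hops}
    return None

def lint(rules, groups):
    """Flag rules that match all traffic, reference an unknown group, or leave the next hop unset."""
    findings = []
    for rule in rules:
        if to_network(rule["src"]).prefixlen == 0 and to_network(rule["dst"]).prefixlen == 0:
            findings.append(f"rule {rule['seq']}: src and dst both at default, matches every packet")
        if rule["group"] and rule["group"] not in groups:
            findings.append(f"rule {rule['seq']}: next-hop group {rule['group']!r} is not defined")
        if not rule["group"] and rule["nexthop_ip"] == "0.0.0.0":
            findings.append(f"rule {rule['seq']}: no next hop (nexthop-ip left at default 0.0.0.0)")
    return findings

if __name__ == "__main__":
    print(lookup(PBR_RULES, NEXTHOP_GROUPS, "22.1.1.7", "10.0.0.1"))
    print(lint(PBR_RULES, NEXTHOP_GROUPS))
```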

Checking the PBR configuration

Use the following command to get information about the specified PBR rule. If no PBR rule is specified, all rules are returned.

get router info pbr map ["<map-name> <sequence-number> <interface-name>"]

For example:

get router info pbr map "pbrmap1 1 vlan10"

Use the following command to get information about the PBR next-hop group:

get router info pbr nexthop-group