Administration Guide

Policy-based routing

NOTE: You must have an advanced features license to use policy-based routing.

Policy-based routing (PBR) allows users to define the next hop for packets based on the packetʼs source or destination IP addresses. You can specify the virtual routing and forwarding (VRF) instance that the next hop belongs to or the default VRF instance is used. You can assign the next hop to a next-hop group to use equal-cost multi-path (ECMP) routing.

Starting in FortiSwitchOS 7.2.3, you can use the GUI to configure policy-based routing.

To see which models support this feature, refer to the FortiSwitch feature matrix.

Configuring policy-based routing

Using the GUI:
  1. Go to Router > Config > Policy > Next Hop Groups to configure the next-hop group using ECMP routing.

    1. Click Add Next Hop Group.

    2. In the Name field, enter the name of the VRF instance.

    3. To configure the next hop, click +.

    4. In the IP field, enter the IPv4 address of the next hop.

    5. From the VRF dropdown list, select the VRF instance.

    6. Click Add to save the next-hop group.

  2. Go to Router > Config > Policy > PBR Maps to configure the PBR map.

    1. Click Add PBR Map.

    2. In the Name field, enter the name of the PBR map.

    3. In the Comments field, enter a description of the PBR map.

    4. To configure the PBR rule, click +.

    5. In the Source field, enter the source IPv4 address and mask.

    6. In the Destination field, enter the destination IPv4 address and mask.

    7. In the IP field, enter the IPv4 address of the next hop.

    8. From the VRF dropdown list, select the VRF instance that the next-hop address belongs to. If you do not select a VRF instance, the default VRF is used.

    9. From the Group dropdown list, select a next-hop group. This setting is used for ECMP.

    10. Click Add to save the PBR map.

  3. Go to Router > Config > Policy > Interfaces.

    1. To configure the interface, click +.

    2. From the Name dropdown list, select the interface to configure.

    3. From the PBR Map Name dropdown list, select the PBR map.

    4. Click Update to save your changes.

Using the CLI:

config router policy
    config nexthop-group
        edit <name_of_next-hop_group>
            config nexthop
                edit <configuration_identifier>
                    set nexthop-ip <IPv4_address>
                    set nexthop-vrf-name <VRF_name>
                next
            end
        next
    end
    config pbr-map
        edit <PBR_map_name>
            set comments <string>
            config rule
                edit <rule_sequence_number>
                    set src <IPv4_address_mask>
                    set dst <IPv4_address_mask>
                    set nexthop-ip <IPv4_address>
                    set nexthop-vrf-name <VRF_name>
                    set nexthop-group-name <next-hop_group_name>
                next
            end
        next
    end
    config interface
        edit <interface_name>
            set pbr-map-name <PBR_policy_map_name>
        next
    end
end

Variable | Description | Default
--- | --- | ---
config nexthop-group | Configure the next-hop group using ECMP routing. |
<name_of_next-hop_group> | Enter the name of the next-hop group. | No default
config nexthop | Configure the next hop. |
<configuration_identifier> | Enter the configuration identifier. | No default
nexthop-ip <IPv4_address> | Enter the IPv4 address of the next hop. | 0.0.0.0
nexthop-vrf-name <VRF_name> | Enter the VRF instance name. | No default
config pbr-map | Configure the PBR map. |
<PBR_map_name> | Enter the name of the PBR map. | No default
comments <string> | Enter a descriptive comment. | No default
config rule | Configure the PBR rule. |
<rule_sequence_number> | Enter a rule identifier. The range of values is 1-10000. | No default
src <IPv4_address_mask> | Enter the source IPv4 address and mask. | 0.0.0.0 0.0.0.0
dst <IPv4_address_mask> | Enter the destination IPv4 address and mask. | 0.0.0.0 0.0.0.0
nexthop-ip <IPv4_address> | Enter the IPv4 address of the next hop. | 0.0.0.0
nexthop-vrf-name <VRF_name> | Enter the name of the VRF instance that the next-hop address belongs to. If the name is not specified, the default VRF is used. | No default
nexthop-group-name <next-hop_group_name> | Enter the next-hop group name. This setting is used for ECMP. | No default
config interface | Configure the interface. |
<interface_name> | Enter the name of the interface to configure. | No default
pbr-map-name <PBR_map_name> | Enter the name of the PBR map. The PBR map is created with the config pbr-map command. | No default

Example

This example creates the “pbrmap1” policy for vlan10, which is an ingress switch virtual interface (SVI). The policy has three rules:

  • Rule 1 finds packets with a source address of 22.1.1.0/24 and forwards them to the next hop, 12.1.1.2, which belongs to the default VRF instance.
  • Rule 2 finds packets with a destination address of 33.1.1.0/24 and forwards them over the ECMP route formed by the two next-hop IP addresses in the next-hop group, nhgroup1. Both next hops belong to the default VRF instance.
  • Rule 3 finds packets with a destination address of 11.1.1.0/24 and forwards them to the next hop, 13.1.1.2, which belongs to the “vrfv4” VRF instance.

config router policy
    config nexthop-group
        edit "nhgroup1"
            config nexthop
                edit 1
                    set nexthop-ip 12.1.1.4
                next
                edit 2
                    set nexthop-ip 12.1.1.5
                next
            end
        next
    end
    config pbr-map
        edit "pbrmap1"
            config rule
                edit 1
                    set src 22.1.1.0 255.255.255.0
                    set nexthop-ip 12.1.1.2
                next
                edit 2
                    set dst 33.1.1.0 255.255.255.0
                    set nexthop-group-name "nhgroup1"
                next
                edit 3
                    set src 11.1.1.0 255.255.255.0
                    set nexthop-ip 13.1.1.2
                    set nexthop-vrf-name "vrfv4"
                next
            end
        next
    end
    config interface
        edit "vlan10"
            set pbr-map-name "pbrmap1"
        next
    end
end

Checking the PBR configuration

Use the following command to get information about the specified PBR rule. If no PBR rule is specified, all rules are returned.

get router info pbr map ["<map-name> <sequence-number> <interface-name>"]

For example:

get router info pbr map "pbrmap1 1 vlan10"

Use the following command to get information about the PBR next-hop group:

get router info pbr nexthop-group
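The following Python script is an added example, not part of the FortiSwitch documentation or of FortiSwitchOS. It parses the example configuration above (embedded as a constructed copy) into next-hop groups, PBR maps and interface bindings, then does two things an operator wants before relying on the output of get router info pbr map: it cross-checks the references (every nexthop-group-name a rule names must exist, every pbr-map-name an interface names must exist, rule sequence numbers must lie in the documented 1-10000 range), and it resolves a sample packet arriving on vlan10 to the next hop and VRF that the map selects. The matching semantics it implements are assumptions, not documented switch behaviour: rules are evaluated in ascending sequence order and the first whose src and dst both match wins, the 0.0.0.0 0.0.0.0 default means "any", and an ECMP member is chosen by a CRC32 of the flow tuple, which only stands in for whatever hash the hardware uses. The function names parse_config, check_policy and select_next_hop, and the "default" label for the default VRF, are this example's own.

```python
import ipaddress
import shlex
import zlib

# Constructed copy of the page's Example configuration (pbrmap1 bound to vlan10).
PBR_CONFIG = """
config router policy
    config nexthop-group
        edit "nhgroup1"
            config nexthop
                edit 1
                    set nexthop-ip 12.1.1.4
                next
                edit 2
                    set nexthop-ip 12.1.1.5
                next
            end
        next
    end
    config pbr-map
        edit "pbrmap1"
            config rule
                edit 1
                    set src 22.1.1.0 255.255.255.0
                    set nexthop-ip 12.1.1.2
                next
                edit 2
                    set dst 33.1.1.0 255.255.255.0
                    set nexthop-group-name "nhgroup1"
                next
                edit 3
                    set src 11.1.1.0 255.255.255.0
                    set nexthop-ip 13.1.1.2
                    set nexthop-vrf-name "vrfv4"
                next
            end
        next
    end
    config interface
        edit "vlan10"
            set pbr-map-name "pbrmap1"
        next
    end
end
"""
ANY = "0.0.0.0 0.0.0.0"  # documented default for src/dst: matches any address


def parse_config(text):
    """Turn nested config/edit/set/next/end text into nested dicts."""
    root = current = {}
    stack = []
    for tok in (shlex.split(line) for line in text.splitlines()):
        if not tok:
            continue
        if tok[0] in ("config", "edit"):      # open a table or an entry in it
            stack.append(current)
            current = current.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "set":                 # attribute on the current entry
            current[tok[1]] = " ".join(tok[2:])
        elif tok[0] in ("next", "end"):       # close the entry / table
            current = stack.pop()
    return root["router policy"]


def check_policy(policy):
    """Cross-reference checks to run before trusting what the switch reports."""
    groups, maps, problems = policy.get("nexthop-group", {}), policy.get("pbr-map", {}), []
    for mname, m in maps.items():
        for seq, rule in m.get("rule", {}).items():
            if not 1 <= int(seq) <= 10000:                   # documented range
                problems.append(f"{mname} rule {seq}: sequence outside 1-10000")
            group = rule.get("nexthop-group-name")
            if group and group not in groups:
                problems.append(f"{mname} rule {seq}: unknown next-hop group {group!r}")
    for iname, intf in policy.get("interface", {}).items():
        target = intf.get("pbr-map-name")
        if target and target not in maps:
            problems.append(f"interface {iname}: pbr-map {target!r} does not exist")
    return problems


def _matches(spec, addr):
    net, mask = spec.split()
    return ipaddress.IPv4Address(addr) in ipaddress.IPv4Network(f"{net}/{mask}", strict=False)


def select_next_hop(policy, ingress, src, dst, sport=0, dport=0):
    """Resolve a packet to (next-hop IP, VRF) or None when no PBR rule applies."""
    map_name = policy.get("interface", {}).get(ingress, {}).get("pbr-map-name")
    if not map_name:
        return None                                  # no map bound: normal routing
    rules = policy["pbr-map"][map_name].get("rule", {})
    for seq in sorted(rules, key=int):               # assumption: lowest sequence wins
        rule = rules[seq]
        if not (_matches(rule.get("src", ANY), src) and _matches(rule.get("dst", ANY), dst)):
            continue
        hop = rule
        if rule.get("nexthop-group-name"):           # ECMP: one member per flow (assumed hash)
            members = policy["nexthop-group"][rule["nexthop-group-name"]]["nexthop"]
            ordered = [members[k] for k in sorted(members, key=int)]
            hop = ordered[zlib.crc32(f"{src}|{dst}|{sport}|{dport}".encode()) % len(ordered)]
        return hop["nexthop-ip"], hop.get("nexthop-vrf-name", "default")
    return None


POLICY = parse_config(PBR_CONFIG)
```

With the page's example loaded, check_policy(POLICY) returns an empty list, a packet from 22.1.1.7 resolves to ("12.1.1.2", "default") whatever its destination, a packet from 11.1.1.9 resolves to ("13.1.1.2", "vrfv4"), and a packet to 33.1.1.20 from any other source lands on one of the two nhgroup1 members. Because the model evaluates rules in sequence order, a packet from 22.1.1.0/24 to 33.1.1.0/24 is handled by rule 1, not rule 2; if that is not the intended precedence, the sequence numbers, not the rule bodies, are what to change.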
