beautypg.com

Configuring a pbr policy, Configure the acls – Brocade BigIron RX Series Configuration Guide User Manual

Page 724

background image

646

BigIron RX Series Configuration Guide

53-1002484-04

Configuring a PBR policy

23

PBR ignores explicit or implicit deny ip any any ACL entries, to ensure that for route maps that
use multiple ACLs, the traffic is compared to all the ACLs. PBR also ignores any deny clauses in
an ACL. Traffic that matches a deny clause is routed normally using Layer 3 paths.

PBR always selects the first next hop from the next hop list that is up. If a PBR policy's next hop
goes down, the policy uses another next hop if available. If no next hops are available, the
device routes the traffic in the normal way.

PBR is not supported for fragmented packets. If the PBR’s ACL filters on Layer 4 information
like TCP/UDP ports, fragmented packed are routed normally.

You can change route maps or ACL definitions dynamically and do not need to rebind the PBR
policy to an interface.

The CAM can hold up to 1024 ACL, PBR, and Rate Limiting entries and this maximum is divided
as follows:

ACL – 416 entries

Rate Limiting – 416, entries shared with PBR

Configuring a PBR policy

To configure PBR, you define the policies using IP ACLs and route maps, then enable PBR globally
or on individual interfaces. The device programs the ACLs into the Layer 4 CAM on the interfaces
and routes traffic that matches the ACLs according to the instructions in the route maps.

To configure a PBR policy:

Configure ACLs that contain the source IP addresses for the IP traffic you want to route using
PBR.

Configure a route map that matches on the ACLs and sets the route information.

Apply the route map to an interface.

Configure the ACLs

PBR uses route maps to change the routing attributes in IP traffic. This section shows an example
of how to configure a standard ACL to identify the source subnet for IP traffic. Refer to the

Chapter

22, “Access Control List”

for details on how to configure ACLs.

To configure a standard ACL to identify a source subnet, enter a command such as the following.

BigIron RX(config)# access-list 99 permit 209.157.23.0 0.0.0.255

The command in this example configures a standard ACL that permits traffic from subnet
209.157.23.0/24. After you configure a route map that matches based on this ACL, the software
uses the route map to set route attributes for the traffic, thus enforcing PBR.

NOTE

Do not use an access group to apply the ACL to an interface. Instead, use a route map to apply the
ACL globally or to individual interfaces for PBR, as shown in the following sections.

Syntax: [no] access-list <num> deny | permit <source-ip> | <hostname> <wildcard>

or

Syntax: [no] access-list <num> deny | permit <source-ip>/<mask-bits> | <hostname>

See also other documents in the category Brocade Computer Accessories: