Policy Routing (PBR) - Policy-Based Routing
Policy-based routing (PBR) makes it possible to route traffic according to policies rather than only by destination IP address. PBR gives flexible control over traffic flows by letting the forwarding decision depend on source IP, protocol, port and other parameters.
Overview
What is Policy Routing
Traditional routing:
- Decisions are based only on the destination IP
- The routing table is used
- Longest prefix match
Policy-based routing (PBR):
- Decisions are based on several criteria
- Source IP, destination IP, protocol, ports, DSCP
- Takes precedence over the routing table
- Flexible traffic control
Core concepts
Route Map:
- A set of rules
- Each rule has a number and an action
- Match conditions and set actions
Match Criteria:
- Source/destination IP address
- Protocol (TCP, UDP, ICMP)
- Ports (source/destination)
- DSCP/TOS
- Packet length
- Interface
Set Actions:
- Next-hop IP
- Interface
- Source address (NAT)
- Table (routing table)
- DSCP/TOS
When to use PBR
Typical scenarios:
- Multi-homing - different traffic via different ISPs
- QoS - prioritising critical traffic
- Load balancing - distributing load
- Traffic engineering - optimising paths
- Security - isolating traffic
- Cost optimisation - cheaper/expensive links
Basic configuration
Simple policy route
Send traffic from a specific subnet via a specific gateway:
# Policy route map
set policy route POLICY-1 rule 10 source address 192.168.1.0/24
set policy route POLICY-1 rule 10 set next-hop 203.0.113.1
# Default action (permit the remaining traffic)
set policy route POLICY-1 rule 999 action permit
# Apply to the interface (inbound traffic)
set interfaces ethernet eth1 policy route POLICY-1
commit
save
How it works:
- Traffic arrives on eth1
- The source IP is checked against the rules
- If it matches 192.168.1.0/24 → next-hop 203.0.113.1
- All other traffic → the normal routing table
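To make the evaluation order concrete, here is an added Python simulation (not VyOS code and not part of the original page) of a policy route being consulted before the ordinary routing table. It goes a little beyond this section: besides the source-address match it also implements the protocol and destination-port matches used in the scenarios further down, including a VyOS-style port list such as 5060-5061,10000-20000. The Rule class, the two-entry routing table and the sample packets are constructed assumptions.

```python
# Added example (not VyOS code): first-match evaluation of a policy route ahead of
# the routing table. Rule model, routing table and packets are constructed.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    """One 'set policy route <name> rule <n>' entry, reduced to the fields used on this page."""
    number: int
    source: Optional[ipaddress.IPv4Network] = None  # match: source address
    protocol: Optional[str] = None                  # match: tcp/udp/icmp
    dports: Optional[str] = None                    # match: port list, e.g. "80,443" or "5060-5061,10000-20000"
    next_hop: Optional[str] = None                  # action: set next-hop (None = no set action)


def port_matches(spec: str, port: int) -> bool:
    """Parse a VyOS-style port list ('5060-5061,10000-20000') and test one port against it."""
    for item in spec.split(","):
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
            if lo <= port <= hi:
                return True
        elif int(item) == port:
            return True
    return False


def rule_matches(rule: Rule, packet: dict) -> bool:
    """Every configured match field must agree; fields left unset match anything."""
    if rule.source is not None and packet["src"] not in rule.source:
        return False
    if rule.protocol is not None and rule.protocol != packet["proto"]:
        return False
    if rule.dports is not None and not port_matches(rule.dports, packet["dport"]):
        return False
    return True


def lookup_rib(rib: List[Tuple[ipaddress.IPv4Network, str]], dst: ipaddress.IPv4Address) -> Optional[str]:
    """Longest-prefix match over the routing table."""
    best = None
    for prefix, nh in rib:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, nh)
    return best[1] if best else None


def route_packet(policy: List[Rule], rib, packet: dict) -> Tuple[Optional[str], str]:
    """PBR is consulted first, lowest rule number wins; a matching rule without a
    set action (like the page's 'rule 999') hands the packet back to the routing table."""
    for rule in sorted(policy, key=lambda r: r.number):
        if rule_matches(rule, packet):
            if rule.next_hop is not None:
                return rule.next_hop, f"rule {rule.number}"
            break
    return lookup_rib(rib, packet["dst"]), "rib"


def make_packet(src: str, dst: str, proto: str, dport: int) -> dict:
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "proto": proto, "dport": dport}


# Constructed policy: the page's scenario 3 (VoIP via ISP1, video via ISP2) plus a
# source-based rule for VLAN 20 and a catch-all rule with no set action.
POLICY = [
    Rule(10, protocol="udp", dports="5060-5061,10000-20000", next_hop="203.0.113.2"),
    Rule(20, protocol="tcp", dports="1935,8080", next_hop="198.51.100.2"),
    Rule(30, source=ipaddress.ip_network("192.168.20.0/24"), next_hop="198.51.100.2"),
    Rule(999),
]
# Constructed routing table: default via ISP1, an internal 10/8 route via a cloud gateway.
RIB = [
    (ipaddress.ip_network("0.0.0.0/0"), "203.0.113.2"),
    (ipaddress.ip_network("10.0.0.0/8"), "10.0.1.1"),
]

if __name__ == "__main__":
    samples = [
        make_packet("192.168.10.5", "8.8.8.8", "udp", 5060),   # VoIP -> rule 10
        make_packet("192.168.10.5", "8.8.8.8", "udp", 20001),  # outside the range -> RIB default
        make_packet("192.168.20.5", "10.5.5.5", "udp", 53),    # rule 30 overrides the 10/8 route
        make_packet("192.168.10.5", "10.5.5.5", "tcp", 443),   # rule 999 -> RIB -> 10.0.1.1
    ]
    for pkt in samples:
        nh, why = route_packet(POLICY, RIB, pkt)
        print(f"{pkt['src']} -> {pkt['dst']} {pkt['proto']}/{pkt['dport']}: next-hop {nh} ({why})")
```

The third sample packet is the one worth noticing: the routing table has a more specific route for 10.5.5.5, but the policy rule still wins, which is exactly why a PBR rule that is broader than intended silently bypasses the routing table.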
Typical scenarios
Scenario 1: Multi-homing (two ISPs)
VLAN 10 via ISP1, VLAN 20 via ISP2:
# WAN interfaces
set interfaces ethernet eth0 address 203.0.113.1/30
set interfaces ethernet eth0 description 'ISP1'
set interfaces ethernet eth2 address 198.51.100.1/30
set interfaces ethernet eth2 description 'ISP2'
# LAN VLANs
set interfaces ethernet eth1 vif 10 address 192.168.10.1/24
set interfaces ethernet eth1 vif 20 address 192.168.20.1/24
# Policy route for VLAN 10 → ISP1
set policy route ISP1-ROUTE rule 10 source address 192.168.10.0/24
set policy route ISP1-ROUTE rule 10 set next-hop 203.0.113.2
# Policy route for VLAN 20 → ISP2
set policy route ISP2-ROUTE rule 10 source address 192.168.20.0/24
set policy route ISP2-ROUTE rule 10 set next-hop 198.51.100.2
set interfaces ethernet eth1 vif 10 policy route ISP1-ROUTE
set interfaces ethernet eth1 vif 20 policy route ISP2-ROUTE
# Default route and NAT
set protocols static route 0.0.0.0/0 next-hop 203.0.113.2
set nat source rule 100 outbound-interface name eth0
set nat source rule 100 translation address masquerade
set nat source rule 200 outbound-interface name eth2
set nat source rule 200 translation address masquerade
commit
save
Scenario 2: Protocol-based routing
HTTP/HTTPS via ISP1, everything else via ISP2:
# HTTP/HTTPS via ISP1
set policy route WEB-TRAFFIC rule 10 protocol tcp
set policy route WEB-TRAFFIC rule 10 destination port 80,443
set policy route WEB-TRAFFIC rule 10 set next-hop 203.0.113.2
# Remaining traffic via ISP2
set policy route WEB-TRAFFIC rule 20 set next-hop 198.51.100.2
set interfaces ethernet eth1 policy route WEB-TRAFFIC
commit
Scenario 3: Application-based routing
VoIP via a dedicated ISP:
# VoIP via ISP1
set policy route APP-ROUTE rule 10 protocol udp
set policy route APP-ROUTE rule 10 destination port 5060-5061,10000-20000
set policy route APP-ROUTE rule 10 set next-hop 203.0.113.2
# Video via ISP2
set policy route APP-ROUTE rule 20 protocol tcp
set policy route APP-ROUTE rule 20 destination port 1935,8080
set policy route APP-ROUTE rule 20 set next-hop 198.51.100.2
# Default
set policy route APP-ROUTE rule 999 set next-hop 203.0.113.2
set interfaces ethernet eth1 policy route APP-ROUTE
commit
Advanced configurations
Multiple routing tables
# Policy route into table 100
set policy route ISP2-TABLE rule 10 source address 192.168.20.0/24
set policy route ISP2-TABLE rule 10 set table 100
# Static route in table 100
set protocols static table 100 route 0.0.0.0/0 next-hop 198.51.100.2
set interfaces ethernet eth1 vif 20 policy route ISP2-TABLE
commit
PBR with DSCP marking
Marking VoIP traffic:
# VoIP with DSCP marking
set policy route VOIP-ROUTE rule 10 protocol udp
set policy route VOIP-ROUTE rule 10 destination port 5060-5061,10000-20000
set policy route VOIP-ROUTE rule 10 set next-hop 203.0.113.2
set policy route VOIP-ROUTE rule 10 set dscp ef
set interfaces ethernet eth1 policy route VOIP-ROUTE
commit
Integration with cloud platforms
Yandex Cloud
Multi-homing with Yandex Cloud NAT Gateway:
# Primary via Yandex Cloud NAT Gateway
set interfaces ethernet eth0 address 10.0.1.10/24
set interfaces ethernet eth0 description 'Yandex Cloud NAT Gateway'
# Secondary via Elastic IP
set interfaces ethernet eth1 address 10.0.2.10/24
set interfaces ethernet eth1 description 'Elastic IP'
# LAN VLANs
set interfaces ethernet eth2 vif 10 address 192.168.10.1/24
set interfaces ethernet eth2 vif 20 address 192.168.20.1/24
# Production via NAT Gateway
set policy route YC-ROUTING rule 10 source address 192.168.10.0/24
set policy route YC-ROUTING rule 10 set next-hop 10.0.1.1
# Management via Elastic IP
set policy route YC-ROUTING rule 20 source address 192.168.20.0/24
set policy route YC-ROUTING rule 20 set next-hop 10.0.2.1
set interfaces ethernet eth2 vif 10 policy route YC-ROUTING
set interfaces ethernet eth2 vif 20 policy route YC-ROUTING
commit
PBR for Yandex Cloud services:
# Direct routing to Yandex Object Storage
set policy route YC-SERVICES rule 10 destination address 213.180.193.0/24
set policy route YC-SERVICES rule 10 set next-hop 10.0.1.1
# Yandex Monitoring
set policy route YC-SERVICES rule 20 destination address 100.64.0.0/10
set policy route YC-SERVICES rule 20 set next-hop 10.0.1.1
# Everything else via Elastic IP
set policy route YC-SERVICES rule 999 set next-hop 10.0.2.1
set interfaces ethernet eth2 policy route YC-SERVICES
commit
Split tunneling for Yandex Cloud VPN:
# Internal networks via VPN
set policy route YC-VPN rule 10 destination address 10.0.0.0/8
set policy route YC-VPN rule 10 set interface wg0
# Internet directly
set policy route YC-VPN rule 20 set next-hop 10.0.1.1
set interfaces ethernet eth2 policy route YC-VPN
commit
VK Cloud
Multi-homing in VK Cloud:
# Primary via VK Cloud NAT
set interfaces ethernet eth0 address 10.0.1.10/24
set interfaces ethernet eth0 description 'VK Cloud Primary'
# Backup via Floating IP
set interfaces ethernet eth1 address 10.0.2.10/24
set interfaces ethernet eth1 description 'VK Cloud Backup'
set interfaces ethernet eth2 address 192.168.1.1/24
# Critical via Primary
set policy route VK-CRITICAL rule 10 source address 192.168.1.0/25
set policy route VK-CRITICAL rule 10 set next-hop 10.0.1.1
# Non-critical via Backup
set policy route VK-CRITICAL rule 20 source address 192.168.1.128/25
set policy route VK-CRITICAL rule 20 set next-hop 10.0.2.1
set interfaces ethernet eth2 policy route VK-CRITICAL
commit
PBR for the VK Cloud metadata service:
# Metadata service routing
set policy route VK-META rule 10 destination address 169.254.169.254/32
set policy route VK-META rule 10 set next-hop 10.0.1.1
# Normal internet
set policy route VK-META rule 999 action permit
set interfaces ethernet eth2 policy route VK-META
commit
Monitoring and diagnostics
Checking policy routes
# List all policy routes
show policy route
# Route map details
show policy route POLICY-1
# Where policies are applied to interfaces
show interfaces
Testing PBR
# Traceroute with a source address
traceroute 8.8.8.8 source-address 192.168.10.10
# Ping with a source address
ping 8.8.8.8 source-address 192.168.10.10
Debugging
# Routing tables
show ip route
# Specific table
show ip route table 100
# Traffic capture
sudo tcpdump -i eth0 -n src 192.168.10.10
Troubleshooting
PBR does not work
Diagnosis:
# Check that the policy is applied
show interfaces ethernet eth1
# Check the policy
show policy route POLICY-1
# Traceroute
traceroute 8.8.8.8 source-address 192.168.10.10
Solution:
# Apply the policy
set interfaces ethernet eth1 policy route POLICY-1
commit
Asymmetric routing
Solution:
# Firewall rule for established connections
set firewall ipv4 forward filter rule 10 action accept
set firewall ipv4 forward filter rule 10 state established
set firewall ipv4 forward filter rule 10 state related
commit
Best practices
- Planning - document your policy routes
- Rule numbering - use increments of 10 (10, 20, 30…)
- Testing - test with traceroute/ping
- Failover - use the routing table as the fallback
- NAT - configure NAT for all outbound interfaces
- Performance - keep the number of rules to a minimum
- Descriptions - add descriptions to rules
- Backup - back up the configuration regularly
- Avoid loops - plan next-hops carefully
Additional resources
Access List Policy
Access lists filter traffic by IP address for use in routing protocols and other policies.
Basic access list
# Permit specific network
set policy access-list 10 rule 10 action permit
set policy access-list 10 rule 10 source address 192.168.1.0/24
# Deny specific host
set policy access-list 10 rule 20 action deny
set policy access-list 10 rule 20 source address 192.168.1.50/32
# Permit all other
set policy access-list 10 rule 999 action permit
set policy access-list 10 rule 999 source address any
commit
Applying to BGP
# An access list is attached to a BGP neighbor with distribute-list (filter-list takes an as-path-list, not an access list)
set protocols bgp neighbor 10.0.0.1 address-family ipv4-unicast distribute-list export 10
commit
Prefix List Policy
Prefix lists filter routes by IP prefix and can additionally match on prefix length.
Basic prefix list
# Permit prefixes of length /8 through /24 inside 10.0.0.0/8
set policy prefix-list LOCAL-NETS rule 10 action permit
set policy prefix-list LOCAL-NETS rule 10 prefix 10.0.0.0/8
set policy prefix-list LOCAL-NETS rule 10 le 24
# Deny default route
set policy prefix-list NO-DEFAULT rule 20 action deny
set policy prefix-list NO-DEFAULT rule 20 prefix 0.0.0.0/0
commit
Operators:
- le (less-equal) - maximum prefix length
- ge (greater-equal) - minimum prefix length
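The le/ge semantics are easy to get subtly wrong, so here is an added Python model (not VyOS or FRR code, and not part of the original page) of prefix-list evaluation: first matching rule decides, anything unmatched is denied. The LOCAL-NETS and NO-DEFAULT lists are taken from the page; NO_DEFAULT_FIXED and the sample routes are constructed.

```python
# Added example (not VyOS/FRR code): prefix-list matching with le/ge, evaluated
# first-match with the implicit deny at the end of the list.
import ipaddress
from typing import List, Optional, Tuple

PrefixRule = Tuple[int, str, str, Optional[int], Optional[int]]  # (rule, action, prefix, ge, le)


def rule_matches(route: str, prefix: str, ge: Optional[int] = None, le: Optional[int] = None) -> bool:
    """A route matches when it lies inside `prefix` and its length is within [ge, le].
    With neither operator the length must equal the prefix length exactly;
    `le` alone implies ge = prefix length; `ge` alone implies le = 32."""
    r = ipaddress.ip_network(route)
    p = ipaddress.ip_network(prefix)
    if not r.subnet_of(p):
        return False
    lo = ge if ge is not None else p.prefixlen
    hi = le if le is not None else (p.max_prefixlen if ge is not None else p.prefixlen)
    return lo <= r.prefixlen <= hi


def evaluate(prefix_list: List[PrefixRule], route: str) -> bool:
    """Lowest matching rule number decides; no match means deny."""
    for _, action, prefix, ge, le in sorted(prefix_list, key=lambda x: x[0]):
        if rule_matches(route, prefix, ge, le):
            return action == "permit"
    return False


# From the page: 'prefix 10.0.0.0/8 le 24' permits /8 .. /24 inside 10/8.
LOCAL_NETS: List[PrefixRule] = [(10, "permit", "10.0.0.0/8", None, 24)]
# From the page: a list with only a deny rule. Because of the implicit deny
# it rejects every prefix, not just the default route.
NO_DEFAULT: List[PrefixRule] = [(20, "deny", "0.0.0.0/0", None, None)]
# Constructed fix: an explicit permit-anything rule after the deny.
NO_DEFAULT_FIXED: List[PrefixRule] = NO_DEFAULT + [(999, "permit", "0.0.0.0/0", None, 32)]
# From the page's ISP example: 'prefix 0.0.0.0/0 le 32' matches any IPv4 prefix.
UPSTREAM: List[PrefixRule] = [(10, "permit", "0.0.0.0/0", None, 32)]

if __name__ == "__main__":
    lists = [("LOCAL-NETS", LOCAL_NETS), ("NO-DEFAULT", NO_DEFAULT),
             ("NO-DEFAULT (fixed)", NO_DEFAULT_FIXED), ("UPSTREAM", UPSTREAM)]
    for name, plist in lists:
        for route in ["10.1.2.0/24", "10.1.2.0/25", "10.0.0.0/8", "0.0.0.0/0", "203.0.113.0/24"]:
            print(f"{name:20} {route:16} {'permit' if evaluate(plist, route) else 'deny'}")
```

Two points the output makes visible: a /25 inside 10/8 is rejected by LOCAL-NETS because le 24 caps the length, and a prefix list consisting only of a deny rule rejects everything once the implicit deny is taken into account.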
Example: BGP filter
# Prefix list
set policy prefix-list CUSTOMER-IN rule 10 action permit
set policy prefix-list CUSTOMER-IN rule 10 prefix 203.0.113.0/24
# Apply to the BGP neighbor
set protocols bgp neighbor 203.0.113.1 address-family ipv4-unicast prefix-list import CUSTOMER-IN
commit
Route Map Policy
Route maps are a powerful tool for modifying route attributes (metric, preference, community, etc.).
Basic route map
# Match and set
set policy route-map RM-IN rule 10 action permit
set policy route-map RM-IN rule 10 match ip address prefix-list LOCAL-NETS
set policy route-map RM-IN rule 10 set local-preference 200
# Deny the rest
set policy route-map RM-IN rule 999 action deny
commit
Changing BGP attributes
# Route map to change the MED
set policy route-map SET-MED rule 10 action permit
set policy route-map SET-MED rule 10 match ip address prefix-list CUSTOMER-NETS
set policy route-map SET-MED rule 10 set metric 100
# AS-PATH prepend
set policy route-map PREPEND rule 10 action permit
set policy route-map PREPEND rule 10 set as-path prepend '65000 65000'
# Apply to BGP
set protocols bgp neighbor 10.0.0.1 address-family ipv4-unicast route-map import SET-MED
set protocols bgp neighbor 10.0.0.2 address-family ipv4-unicast route-map export PREPEND
commit
Match Conditions
A route map supports multiple match conditions:
# Match prefix list
set policy route-map RM rule 10 match ip address prefix-list MY-LIST
# Match AS-PATH
set policy route-map RM rule 20 match as-path AS-PATH-LIST
# Match community
set policy route-map RM rule 30 match community COMM-LIST
# Match metric
set policy route-map RM rule 40 match metric 100
# Match interface
set policy route-map RM rule 50 match interface eth0
commit
Set Actions
# Set local preference
set policy route-map RM rule 10 set local-preference 200
# Set metric (MED)
set policy route-map RM rule 10 set metric 50
# Set next-hop
set policy route-map RM rule 10 set ip-next-hop 10.0.0.1
# Set community
set policy route-map RM rule 10 set community '65000:100'
# Set AS-PATH prepend
set policy route-map RM rule 10 set as-path prepend '65000'
# Set weight
set policy route-map RM rule 10 set weight 100
commit
AS Path Policy
AS path lists filter BGP routes based on the AS_PATH attribute.
AS Path Access List
# Match specific AS
set policy as-path-list FROM-AS65001 rule 10 action permit
set policy as-path-list FROM-AS65001 rule 10 regex '_65001_'
# Match transit via an AS
set policy as-path-list VIA-AS65002 rule 10 action permit
set policy as-path-list VIA-AS65002 rule 10 regex '_65002_'
# Match origin AS
set policy as-path-list ORIGIN-AS65003 rule 10 action permit
set policy as-path-list ORIGIN-AS65003 rule 10 regex '_65003$'
commit
Regex Patterns
Regex examples:
- ^65000_ - starts with AS 65000
- _65000$ - ends with AS 65000 (origin AS)
- _65000_ - contains AS 65000 (transit)
- ^65000$ - only AS 65000 (direct peer)
- ^$ - empty AS-PATH (locally originated networks)
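Why the underscore matters, as an added Python example (not FRR or VyOS code, and not part of the original page): in BGP as-path regexes the underscore is not a literal character but a boundary marker, so `_65000_` matches the AS 65000 and not AS 650001 or 165000. The boundary translation below is this example's own approximation of that rule; the sample routes are constructed, and the two lists reproduce the page's FROM-AS65001 and ORIGIN-AS65003 entries.

```python
# Added example (not FRR/VyOS code): the '_' boundary in BGP as-path regexes and a
# first-match as-path-list evaluation over constructed routes.
import re
from typing import List, Tuple

# In FRR-style as-path regexes '_' stands for "start or end of the path, a space,
# or a set/confed delimiter". This is the example's own approximation of that.
AS_BOUNDARY = r"(?:^|$|[ ,{}()])"


def compile_as_path_regex(pattern: str) -> "re.Pattern":
    return re.compile(pattern.replace("_", AS_BOUNDARY))


def as_path_matches(pattern: str, as_path: str) -> bool:
    """as_path is the space-separated AS_PATH as displayed by 'show ip bgp'."""
    return compile_as_path_regex(pattern).search(as_path) is not None


def filter_routes(as_path_list: List[Tuple[int, str, str]], routes) -> List[str]:
    """as_path_list entries are (rule, action, regex). First match wins; implicit deny."""
    accepted = []
    for prefix, as_path in routes:
        verdict = False
        for _, action, regex in sorted(as_path_list, key=lambda x: x[0]):
            if as_path_matches(regex, as_path):
                verdict = action == "permit"
                break
        if verdict:
            accepted.append(prefix)
    return accepted


# Constructed sample routes: (prefix, AS_PATH). Note the look-alike AS 650010.
ROUTES = [
    ("203.0.113.0/24", "65001"),
    ("198.51.100.0/24", "65002 65001"),
    ("192.0.2.0/24", "65002 65003"),
    ("10.10.0.0/16", "650010 65003"),
    ("172.16.0.0/12", ""),
]
# The page's as-path lists.
FROM_AS65001 = [(10, "permit", "_65001_")]
ORIGIN_AS65003 = [(10, "permit", "_65003$")]

if __name__ == "__main__":
    for pattern, path in [("^65000_", "65000 65001"), ("^65000_", "650001"),
                          ("_65000_", "65001 650001"), ("_65000_", "165000"), ("^$", "")]:
        print(f"{pattern:10} vs {path!r:18} -> {as_path_matches(pattern, path)}")
    print("FROM-AS65001 permits:", filter_routes(FROM_AS65001, ROUTES))
    print("ORIGIN-AS65003 permits:", filter_routes(ORIGIN_AS65003, ROUTES))
```

The look-alike AS 650010 in the sample routes is the case to watch: with a plain substring match it would pass a filter written for AS 65001, with the boundary semantics it does not.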
Usage
# Route map with an AS-PATH filter
set policy route-map FILTER-AS rule 10 action deny
set policy route-map FILTER-AS rule 10 match as-path FROM-AS65001
set policy route-map FILTER-AS rule 999 action permit
# Apply to BGP
set protocols bgp neighbor 10.0.0.1 address-family ipv4-unicast route-map import FILTER-AS
commit
Community List Policy
BGP communities are used for tagging and filtering routes.
Standard Community List
# Match standard community
set policy community-list COMM-100 rule 10 action permit
set policy community-list COMM-100 rule 10 regex '65000:100'
commit
Expanded Community List
# Match expanded community (regex)
set policy community-list-expanded COMM-EXP rule 10 action permit
set policy community-list-expanded COMM-EXP rule 10 regex '65000:[0-9]+'
commit
Well-Known Communities
# NO_EXPORT community
set policy route-map SET-NO-EXPORT rule 10 action permit
set policy route-map SET-NO-EXPORT rule 10 set community 'no-export'
# NO_ADVERTISE community
set policy route-map SET-NO-ADV rule 10 action permit
set policy route-map SET-NO-ADV rule 10 set community 'no-advertise'
commit
Using Communities
# Set community
set policy route-map TAG rule 10 action permit
set policy route-map TAG rule 10 match ip address prefix-list CUSTOMER-NETS
set policy route-map TAG rule 10 set community '65000:100'
# Apply to BGP export
set protocols bgp neighbor 10.0.0.1 address-family ipv4-unicast route-map export TAG
# Filter based on community
set policy route-map FILTER-COMM rule 10 action permit
set policy route-map FILTER-COMM rule 10 match community COMM-100
set protocols bgp neighbor 10.0.0.2 address-family ipv4-unicast route-map import FILTER-COMM
commit
Large Community List Policy
Large communities (RFC 8092) for extended tagging.
Large Community List
# Format: Global-Admin:Local-Data-Part-1:Local-Data-Part-2
set policy large-community-list LC-LIST rule 10 action permit
set policy large-community-list LC-LIST rule 10 regex '65000:100:1'
commit
Usage
# Set large community
set policy route-map SET-LC rule 10 action permit
set policy route-map SET-LC rule 10 set large-community '65000:100:1'
# Match large community
set policy route-map MATCH-LC rule 10 action permit
set policy route-map MATCH-LC rule 10 match large-community LC-LIST
commit
Extended Community List Policy
Extended communities for MPLS VPN and other advanced scenarios.
Extended Community List
# Route Target
set policy extcommunity-list RT-65000-100 rule 10 action permit
set policy extcommunity-list RT-65000-100 rule 10 regex 'RT:65000:100'
# Site of Origin
set policy extcommunity-list SOO-65000-1 rule 10 action permit
set policy extcommunity-list SOO-65000-1 rule 10 regex 'SoO:65000:1'
commit
Local Route Policy
Local route policy for filtering local route announcements.
Basic configuration
# Policy for local routes
set policy local-route rule 10 action permit
set policy local-route rule 10 source 10.0.0.0/8
set policy local-route rule 999 action deny
commit
Comprehensive example: ISP with BGP
# === PREFIX LISTS ===
# Customer prefixes
set policy prefix-list CUSTOMER rule 10 action permit
set policy prefix-list CUSTOMER rule 10 prefix 203.0.113.0/24
# Upstream transit
set policy prefix-list UPSTREAM rule 10 action permit
set policy prefix-list UPSTREAM rule 10 prefix 0.0.0.0/0
set policy prefix-list UPSTREAM rule 10 le 32
# === AS-PATH LISTS ===
# Filter customer AS
set policy as-path-list FROM-CUSTOMER rule 10 action permit
set policy as-path-list FROM-CUSTOMER rule 10 regex '^65001_'
# === COMMUNITY LISTS ===
# Tag customer routes
set policy community-list CUST-TAG rule 10 action permit
set policy community-list CUST-TAG rule 10 regex '65000:100'
# === ROUTE MAPS ===
# Customer import
set policy route-map CUST-IN rule 10 action permit
set policy route-map CUST-IN rule 10 match ip address prefix-list CUSTOMER
set policy route-map CUST-IN rule 10 match as-path FROM-CUSTOMER
set policy route-map CUST-IN rule 10 set local-preference 200
set policy route-map CUST-IN rule 10 set community '65000:100'
# Customer export
set policy route-map CUST-OUT rule 10 action permit
set policy route-map CUST-OUT rule 10 match community CUST-TAG
set policy route-map CUST-OUT rule 10 set as-path prepend '65000'
# Upstream import
set policy route-map UP-IN rule 10 action permit
set policy route-map UP-IN rule 10 match ip address prefix-list UPSTREAM
set policy route-map UP-IN rule 10 set local-preference 100
# Upstream export - customer prefixes only
set policy route-map UP-OUT rule 10 action permit
set policy route-map UP-OUT rule 10 match ip address prefix-list CUSTOMER
set policy route-map UP-OUT rule 999 action deny
# === BGP ===
set protocols bgp system-as 65000
# Customer
set protocols bgp neighbor 203.0.113.1 remote-as 65001
set protocols bgp neighbor 203.0.113.1 address-family ipv4-unicast route-map import CUST-IN
set protocols bgp neighbor 203.0.113.1 address-family ipv4-unicast route-map export CUST-OUT
# Upstream
set protocols bgp neighbor 198.51.100.1 remote-as 174
set protocols bgp neighbor 198.51.100.1 address-family ipv4-unicast route-map import UP-IN
set protocols bgp neighbor 198.51.100.1 address-family ipv4-unicast route-map export UP-OUT
commit
save
Next steps
- QoS - integration with QoS
- Load Balancing - combining with WAN load balancing
- VRF - isolating routing tables
- Firewall - protecting PBR traffic
- BGP - advanced BGP policies