Enterprise Campus Solution

Policy-Based Routing Guide

Steer selected traffic with explicit policy while preserving normal routing behavior.

Back to Enterprise Campus Solutions

Overview

Policy-Based Routing (PBR) lets the network steer selected traffic according to policy rather than destination routing alone. It is useful for campus security, WAN edge selection, service insertion, migration, and special application paths.

PBR should be narrow and intentional. The default routing table should still carry normal traffic, while policy rules handle traffic that truly needs a different path.

When To Use PBR

ScenarioPBR Use
Firewall or inspection insertionSend selected VLANs or applications through security services.
WAN edge selectionSteer traffic from a branch, building, or application toward a chosen uplink.
MigrationRedirect legacy services while new routing is introduced.
Guest or IoT segmentationSend edge segments through controlled service paths.
TroubleshootingTemporarily steer a narrow class of traffic for validation.

Policy Components

ComponentPurposeDesign Note
Match criteriaDefines which traffic is selected.Keep selectors specific and documented.
Next hopDefines where selected traffic goes.Use reachable and monitored next hops.
FallbackDefines behavior when policy path fails.Avoid silent blackholing.
Application pointInterface or routing boundary where policy is applied.Apply close to the source when practical.

Traffic Flow

Packet enters xSONiC switch
        |
        v
Does it match PBR policy?
        | yes
        v
Forward to configured next hop
        |
        v
If no match or fallback applies, use normal routing table

Design Warnings

RiskMitigation
Policy sprawlKeep PBR limited to documented use cases.
Hidden asymmetric routingValidate return path and firewall state.
Next-hop failureDefine fallback and monitoring behavior.
Operational confusionLabel policies by business purpose, not only ACL number.
Overlapping match rulesOrder and test policy behavior carefully.

Deployment Checklist

  1. Document the business reason for each policy.
  2. Define exact source, destination, protocol, or segment matches.
  3. Confirm the intended next hop and return path.
  4. Decide fallback behavior for next-hop failure.
  5. Apply policy at a controlled boundary and test with representative traffic.
  6. Monitor counters to confirm policy hit rate and path behavior.

xSONiC Platform Fit

XS-AA access and aggregation switches fit PBR use cases at campus routing boundaries. They can steer guest, IoT, branch, or selected application traffic toward firewall, WAN, inspection, or migration paths while preserving normal routing for the rest of the network.

Engineering Position

PBR is a precision tool, not a substitute for a clean routing design. It should be used when a narrow traffic class needs a different path for a stated business reason: inspection, migration, WAN selection, or service insertion. If every new requirement becomes another broad policy rule, the network becomes harder to reason about and harder to recover during incidents.

Every PBR rule should have an owner, a match definition, a next-hop decision, a fallback behavior, and an expiry or review date. The operator should also be able to prove that return traffic follows a valid path, especially when firewalls, NAT, or stateful inspection are involved.

Failure Modes To Test

Failure ModeWhy It MattersTest Evidence
Next-hop lossSelected traffic may blackhole if fallback is not defined.Failed next-hop replay and route-table output.
Overlapping matchA broad rule may catch traffic intended for another path.Ordered rule list and per-rule hit counters.
Asymmetric returnStateful services can drop return traffic.Forward and return packet capture.
Policy driftRules may survive after the migration or exception is gone.Owner, ticket, review date, and config diff.

Engineering Validation Checkpoint

Policy-based routing must prove both intended forwarding and safe fallback. Validate 5 flows, 3 rules, 2 groups, and 1 failed next hop. Record route lookup, policy hit counters, ACL interaction, and rollback behavior.

CheckEvidence to collectReject condition
Policy matchFlow tuple, rule hit counters, next hop, and route table output.Traffic matches the wrong policy or bypasses a required security path.
Failure handlingNext-hop failure, fallback route, packet loss, and recovery timing.Traffic blackholes or loops when a policy path fails.
Change controlConfig diff, staged rollout, rollback, and telemetry export.Operators cannot prove the policy change caused or did not cause an incident.

Engineering FAQ

When should PBR be avoided?

Avoid PBR when ordinary routing, VRF separation, or firewall policy can solve the problem with clearer behavior. PBR is appropriate for narrow exceptions, but it becomes a risk when it hides broad design debt or sends operators to multiple places to understand one packet path.

What should be documented for every rule?

Document the source, destination, protocol or application, intended next hop, fallback behavior, rule owner, business reason, and review date. Also capture rule hit counters during the pilot so the team can see whether the policy is actually matching the expected traffic.

Australian-Made Deployment Scope

Australian-made Policy-Based Routing Guide solutions for global deployment.

xSONiC delivers Australian-made open networking and data center infrastructure solutions using qualified global components, with Australian architecture review, integration planning, validation, documentation, and commercial accountability.

Australian-made deployment scope

Architecture review, solution configuration, validation planning, documentation, and commercial accountability are handled in Australia.

Qualified global components

Switching, optics, storage, server, and packet visibility components are selected against port speed, OS, telemetry, power, and deployment requirements.

Procurement validation

The bill of materials is checked against RFP requirements, rollback path, optics compatibility, support model, and export screening before order release.

Global deployment support

xSONiC supports international buyers through Australian project ownership, acceptance evidence, documentation, and post-delivery escalation.

References Reviewed

Related Products

Products commonly paired with this solution.

Use these related platforms as a starting point for sizing, comparison, and follow-up discussion.

XS-AA-24X1-4X25-ACC front panel product image

XS-AA-24X1-4X25-ACC

Access & Aggregation

24x 1G RJ45 campus access switch with 4x 25G SFP28 for enterprise access and aggregation networks.

124Gbps class
Campus switching class
XS-AA-48X1-4X25-ACC front panel product image

XS-AA-48X1-4X25-ACC

Access & Aggregation

48x1G RJ45 access switch with 4x25G uplinks for campus edge, SMB, and enterprise access deployments.

210Gbps
510Mpps
XS-AA-48X1-6X25-ACC front panel product image

XS-AA-48X1-6X25-ACC

Access & Aggregation

48x 1G RJ45 campus access switch with 6x 25G SFP28 for enterprise access and aggregation networks.

198Gbps class
Campus switching class
XS-AA-24X10-6X100-AGG front panel product image

XS-AA-24X10-6X100-AGG

Access & Aggregation

24x10G aggregation switch with 6x100G uplinks for campus distribution, private cloud leaf, and enterprise core roles.

1.2Tbps
890Mpps
XS-AA-48X25-8X100-AGG front panel product image

XS-AA-48X25-8X100-AGG

Access & Aggregation

48x 25G SFP28 aggregation/core switch with 8x 100G QSFP28 for enterprise access and aggregation networks.

2Tbps class
Campus switching class
XS-AA-32X100-CORE front panel product image

XS-AA-32X100-CORE

Access & Aggregation

32x 100G QSFP28 aggregation/core switch with 2x 10G SFP+ auxiliary for enterprise access and aggregation networks.

3.2Tbps class
Campus switching class
Next Step

Move from Policy-Based Routing Guide into implementation.

Use the related products below to continue comparing platforms, or open a conversation if you need help mapping the solution to your environment.