IPv6 PBR provides a flexible mechanism to route packets and define policy for the traffic flows. It extends and complements the existing mechanisms provided by routing protocols. PBR also provides a basic packet-marking capability.
PBR performs the following tasks:
Classifies traffic based on extended access list criteria. Access lists then establish the match criteria.
Sets IPv6 precedence bits and enables the network to differentiate classes of service.
Routes packets to specific traffic-engineered paths. You can route the packets to allow a specific quality of service (QoS) through the network.
The Cisco 7600 Series Router implements this feature using the Earl7 forwarding engine's capability to classify traffic through an Access Control List (ACL) Ternary Content Addressable Memory (TCAM) lookup. The ACL TCAM lookup classifies traffic based on a combination of Layer 3 and Layer 4 traffic parameters. Once traffic is classified, the ACL TCAM drives results for matching flows. The Feature Manager (FM) component converts the route map policy configured on an interface into a series of values, masks and results (VMRs) and programs these in the ACL TCAM.
Policy Based Routing
All packets received on a PBR-enabled interface are passed through enhanced packet filters known as route maps. Route maps are composed of statements that are marked as permit or deny, and they are interpreted in these ways:
If a packet matches all match statements for a route map that is marked as permit, the router subjects the packet to PBR using the set statements.
If the packet matches any match statements for a route map that is marked as deny, the router does not subject the packet to PBR and forwards it normally.
If the statement is marked as permit and the packets do not match any route map statements, the router sends the packets back through the normal forwarding channels and performs destination-based routing.
The IPv6 PBR match criterion for a sequence is specified through a combination of IPv6 access-lists and packet length operations. Match statements are evaluated first by the criteria specified in the match ipv6 address command and then by criteria specified in the match length command. Therefore, if both an ACL and a length statement are used, a packet is first subjected to an ACL match. Only packets that pass the ACL match are subjected to the length match. Finally, only packets that pass both the ACL and the length statement are policy routed.
Packet Forwarding Using Set Statements
PBR for IPv6 packet forwarding is controlled using a number of set statements in the PBR route map. Listed below are the forwarding actions in order of decreasing priority, and the manner in which these options are reflected in the result from the VMRs programmed in the ACL TCAM. When more than one kind of packet forwarding action is specified in a sequence, the one with the highest priority is chosen.
Table 65-1 Packet Forwarding Set Statements
set vrf vrf name
Specifies the VPN Routing and Forwarding (VRF) instance to which the packet should be sent, based on packet attributes. By default the VRF that a packet is forwarded on is the same as the VRF that receives the packet.
set ipv6 next-hop next-hop ipv6 address
Specifies the next hop for the packet. The next hop must be present in the Routing Information Base (RIB); it must be directly connected, and it must be a global IPv6 address. If the next hop is invalid, the set statement is ignored.
set interface next-hop interface
Specifies the next hop interface for the packet. A packet is forwarded out of a specified interface. An entry for the packet destination address must exist in the IPv6 RIB, and the specified output interface must be in the path set. If the interface is invalid, the set statement is ignored.
set ipv6 default next-hop default next-hop ipv6 address
Specifies the connected next hop for the packet if the usual forwarding method fails to produce the default result. It must be a global IPv6 address. This set statement is used only when there is no explicit entry for the packet destination in the IPv6 RIB.
set ipv6 next-hop recursive ipv6-address
Specifies the IPv6 address of the recursive next-hop in a PBR route map. The recursive next-hop address is installed in the routing table and can be a subnet that is not directly connected. If the recursive next-hop address is not available, traffic is routed using a default route.
set default interface default next-hop interface
Specifies the default next-hop interface, from which the matching packets are forwarded if the usual forwarding method fails to produce a result. This set statement is used only when there is no explicit entry for the packet destination in the IPv6 RIB.
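The evaluation order described above (ACL match, then length match, then the highest-priority forwarding set statement) can be modeled in a few lines. This is an added example, not Cisco code: the Sequence class, the evaluate function, the prefixes and the interface name are all constructed for illustration, ACLs are reduced to permitted source/destination prefix pairs, and next-hop validity checks are not modeled.

```python
import ipaddress
from dataclasses import dataclass, field

# Forwarding set statements, highest priority first, in the order Table 65-1 lists them.
SET_PRIORITY = ["vrf", "ipv6 next-hop", "interface", "ipv6 default next-hop",
                "ipv6 next-hop recursive", "default interface"]

@dataclass
class Sequence:
    number: int
    action: str                                  # "permit" or "deny"
    acl: list = field(default_factory=list)      # (source prefix, destination prefix) pairs
    length: tuple = None                         # (min, max) from match length, if any
    sets: dict = field(default_factory=dict)     # set statement -> argument

    def matches(self, src, dst, size):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # match ipv6 address is evaluated first ...
        if self.acl and not any(src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d)
                                for s, d in self.acl):
            return False
        # ... and only packets that pass the ACL reach match length.
        return self.length is None or self.length[0] <= size <= self.length[1]

def evaluate(route_map, src, dst, size):
    """Return (decision, set statement, argument) for one packet."""
    for seq in sorted(route_map, key=lambda s: s.number):
        if not seq.matches(src, dst, size):
            continue
        if seq.action == "deny":
            return ("normal", None, None)        # deny: forwarded normally, no PBR
        for stmt in SET_PRIORITY:                # permit: highest-priority set wins
            if stmt in seq.sets:
                return ("policy-route", stmt, seq.sets[stmt])
        return ("normal", None, None)            # permit with no forwarding set statement
    return ("normal", None, None)                # nothing matched: destination-based routing

# Constructed route map (documentation prefixes, hypothetical interface name).
ROUTE_MAP = [
    Sequence(5, "deny", acl=[("2001:db8:10::/64", "2001:db8:10::/64")]),
    Sequence(10, "permit", acl=[("2001:db8:10::/64", "::/0")], length=(0, 200),
             sets={"default interface": "Serial1/0", "ipv6 next-hop": "2001:db8:ffff::1"}),
]
```

Sequence 10 carries two forwarding set statements; only set ipv6 next-hop takes effect because it ranks above set default interface.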
Restrictions for IPv6 PBR
The following restrictions apply to IPv6 PBR:
Match length is not supported in the hardware; PBR for such policies is applied in software.
Packet marking actions are not supported in the hardware, and packets requiring marking due to PBR are punted to the software.
Set interface is supported in the hardware only for serial interfaces. Other interfaces are supported in software.
Packets containing an IPv6 hop-by-hop header need to be examined by the router and are punted to the software. Such packets are subjected to PBR in the software.
PBR policies that use access lists matching on the IPv6 flow label, DSCP value, or extension headers (such as routing, mobility, and destination headers) cannot be fully classified in the hardware and are punted to the software after partial classification.
Traffic cannot be completely classified in hardware when access lists that match on non-compressible addresses are used. In such cases, PBR is applied in software.
On Tycho-based systems, fragmented packets that require matching on the Layer 4 protocol are punted to the software.
Currently, IPv6 PBR on SVI interfaces is applied in software, and the hardware provides only partial classification. Starting with Cisco IOS Release 15.2(4)S4, when you configure the global command platform ipv6 pbr svi hardware, IPv6 PBR on SVI is applied directly in the hardware TCAM. As a result, the IPv6 PBR policy under the SVI may affect Layer 2 IPv6 packets in the VLAN. To avoid this impact, apply a sequence at the top of the route map that denies policy routing for packets within the same subnets.
When applied in hardware, IPv6 PBR is also applied to packets destined to a router address.
A set next-hop action where the next-hop is at the other end of a tunnel is not supported in the hardware.
For set interface and set default interface, the interface should be a point-to-point one.
PBR is not applied to multicast traffic or to traffic destined to link-local addresses.
When there is no traffic flow, the TCAM entry does not change from punt to policy-route.
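Several of the restrictions above can be checked against a configuration before it is deployed, to see which route maps will be handled in software rather than in the ACL TCAM. The following is an added example, not a Cisco tool: the function name and the sample configuration are constructed, it assumes running-config style indentation, and it identifies serial interfaces by the name prefix "Serial".

```python
import re
from collections import defaultdict

# ACE keywords the restrictions list as not fully classifiable in hardware.
ACL_SOFT = re.compile(r"\b(flow-label|dscp|routing|mobility|dest-option)")

def software_path_reasons(config):
    """Map each route-map name to the restrictions that move it to software."""
    acls, maps, ctx = defaultdict(list), defaultdict(list), None
    for line in config.splitlines():
        if m := re.match(r"ipv6 access-list (\S+)", line):
            ctx = (acls, m.group(1))
        elif m := re.match(r"route-map (\S+) (permit|deny)", line):
            ctx = (maps, m.group(1))
            maps[m.group(1)]                      # keep route maps with no statements
        elif line.startswith(" ") and ctx:
            ctx[0][ctx[1]].append(line.strip())
        else:
            ctx = None
    findings = {}
    for name, stmts in maps.items():
        reasons = []
        for s in stmts:
            if s.startswith("match length"):
                reasons.append("match length: not supported in hardware")
            elif s.startswith("set ipv6 precedence"):
                reasons.append("packet marking: punted to software")
            elif (m := re.match(r"set interface (\S+)", s)) and not m.group(1).lower().startswith("serial"):
                reasons.append(f"set interface {m.group(1)}: hardware supports serial only")
            elif m := re.match(r"match ipv6 address (\S+)", s):
                for ace in acls.get(m.group(1), []):
                    k = ACL_SOFT.search(ace)
                    if ace.startswith(("permit", "deny")) and k:
                        reasons.append(f"ACL {m.group(1)} matches on {k.group(1)}")
        findings[name] = reasons
    return findings

# Constructed sample configuration; names and addresses are illustrative only.
SAMPLE = """\
ipv6 access-list PBR-SRC
 permit ipv6 2001:db8:10::/64 any dscp 46
route-map PBR-V6 permit 10
 match ipv6 address PBR-SRC
 match length 0 200
 set ipv6 precedence 5
 set interface GigabitEthernet1/1
route-map PBR-HW permit 10
 match ipv6 address PBR-PLAIN
 set ipv6 next-hop 2001:db8:ffff::1
ipv6 access-list PBR-PLAIN
 permit ipv6 2001:db8:20::/64 any
"""
```

For the sample, PBR-V6 is flagged four times and PBR-HW not at all. Restrictions that depend on traffic or topology (hop-by-hop headers, non-compressible addresses, tunnel next hops) cannot be detected from the configuration text and are not covered.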
Configuring IPv6 PBR
To configure IPv6 PBR, complete the following steps: