Cisco 7600 Series Router Software Configuration Guide, Cisco IOS Release 15S
Configuring IPv6 Policy Based Routing
Downloads: This chapterpdf (PDF - 137.0KB) The complete bookPDF (PDF - 14.63MB) | Feedback

Table of Contents

Configuring IPv6 Policy Based Routing

Understanding IPv6 Policy Based Routing

Policy Based Routing

Packet Matching

Packet Forwarding Using Set Statements

Restrictions for IPv6 PBR

Configuring IPv6 PBR

Verification

Troubleshooting Tips

Configuring IPv6 Policy Based Routing

This chapter describes how to configure the IPv6 policy-based routing (PBR) in Cisco IOS Software Release 15.2(1)S.


Note For complete syntax and usage information for the commands used in this chapter, see the Cisco 7600 Series Router Command Reference at this URL: http://www.cisco.com/en/US/products/ps6922/prod_command_reference_list.html


This chapter includes the following sections:

Understanding IPv6 Policy Based Routing

IPv6 PBR provides a flexible mechanism to route packets and define policy for the traffic flows. It extends and complements the existing mechanisms provided by routing protocols. PBR also provides a basic packet-marking capability.

PBR performs the following tasks:

  • Classifies traffic based on extended access list criteria. It provides access to lists and then establishes the match criteria.
  • Sets IPv6 precedence bits and enables the network to differentiate classes of service.
  • Routes packets to specific traffic-engineered paths. You can route the packets to allow a specific quality of service (QoS) through the network.

The Cisco 7600 Series Router implements this feature using the Earl7 forwarding engines capability to classify traffic through an Access Control List (ACL) Ternary Content Addressable Memory (TCAM) lookup. The ACL TCAM lookup classifies traffic based on the combination of a variety of Layer 3 and Layer 4 traffic parameters. Once classified, the ACL TCAM drives results for matching flows. The Feature Manager (FM) component converts the route map policy configured on an interface into a series of values, masks and results (VMRs) and programs these in the ACL TCAM.

Policy Based Routing

All packets received on a PBR-enabled interface are passed through enhanced packet filters known as route maps. Route maps are composed of statements that are marked as permit or deny , and they are interpreted in these ways:

  • If a packet matches all match statements for a route map that is marked as permit , the router subjects the packet to PBR using the set statements.
  • If the packet matches any match statements for a route map that is marked as deny , the router does not subject the packet to PBR and forwards it normally.
  • If the statement is marked as permit and the packets do not match any route map statements, the router sends the packets back through the normal forwarding channels and performs destination-based routing.

Packet Matching

The IPv6 PBR match criterion for a sequence is specified through a combination of IPv6 access-lists and packet length operations. Match statements are evaluated first by the criteria specified in the match ipv6 address command and then by criteria specified in the match length command. Therefore, if both an ACL and a length statement are used, a packet is first subjected to an ACL match. Only packets that pass the ACL match are subjected to the length match. Finally, only packets that pass both the ACL and the length statement are policy routed.

Packet Forwarding Using Set Statements

PBR for IPv6 packet forwarding is controlled using a number of set statements in the PBR route map. Listed below are the forwarding actions in order of decreasing priority, and the manner in which these options are reflected in the result from the VMRs programmed in the ACL TCAM. When more than one kind of packet forwarding action is specified in a sequence, the one with the highest priority is chosen.

Table 65-1 Packet Forwarding Set Statements

Set Statement
Notes

set vrf vrf name

Specifies the VPN Routing and Forwarding (VRF) instance to which the packet should be sent, based on packet attributes. By default the VRF that a packet is forwarded on is the same as the VRF that receives the packet.

set ipv6 next-hop next-hop ipv6 address

Specifies the next hop for the packet. The next hop must be present in the Routing Information Base (RIB); it must be directly connected, and it must be a global IPv6 address. If the next hop is invalid, the set statement is ignored.

set interface next-hop interface

Specifies the next hop interface for the packet. A packet is forwarded out of a specified interface. An entry for the packet destination address must exist in the IPv6 RIB, and the specified output interface must be in the path set. If the interface is invalid, the set statement is ignored.

set ipv6 default next-hop default next-hop ipv6 address

Specifies the connected next hop for the packet if the usual forwarding method fails to produce the default result. It must be a global IPv6 address. This set statement is used only when there is no explicit entry for the packet destination in the IPv6 RIB.

set ipv6 next-hop recursive ipv6-address

Specifies the IPv6 address of the recursive next-hop in a PBR route map. The recursive next-hop address is installed in the routing table and can be a subnet that is not directly connected. If the recursive next-hop address is not available, traffic is routed using a default route.

set default interface default next-hop interface

Specifies the default next-hop interface, from which the matching packets are forwarded if the usual forwarding method fails to produce a result. This set statement is used only when there is no explicit entry for the packet destination in the IPv6 RIB.

Restrictions for IPv6 PBR

Following restrictions apply to the IPv6 PBR:

  • Match length is not supported in the hardware, and the PBR is applied to the software.
  • Packet marking actions are not supported in the hardware, and packets requiring marking due to PBR are punted to the software.
  • Set interface is supported in the hardware only for the serial interface. Other interfaces are supported on the software.
  • Packets containing an IPv6 hop-by-hop header need to be examined by the router and are punted to the software. Such packets are subjected to PBR in the software.
  • PBR policies using access-lists matching on IPv6 flow label, DSCP value and extension headers such as, routing, mobility, destination headers cannot be fully classified in the hardware, and are punted to the software after partial classification.
  • It is not possible to completely classify traffic in hardware, when access-lists matching on non compressible addresses are used. In such cases, the PBR is applied to the software.
  • On Tycho based systems, fragment packets that require matching on layer 4 protocol are punted to the software .
  • Currently, IPv6 PBR on SVI interfaces is applied to the software, and hardware provides only partial classification. Starting with Cisco IOS Release 15.2(4)S4, when you configure the global CLI - platform ipv6 pbr svi hardware, IPv6 PBR on SVI feature is applied directly in the hardware TCAM. As a result, the IPv6 PBR policy under SVI may impact layer 2 IPv6 PAKS in the VLAN. To overcome this impact, you can apply a sequence at the top of the route-map to deny policy-routing for PAKS within the same subnets.
  • IPv6 PBR when applied to hardware will also be applied on packets destined to a router address.
  • A set next-hop action where the next-hop is at the other end of a tunnel is not supported in the hardware.
  • For set interface and set default interface, the interface should be a point-to-point one.
  • PBR is not applied to multicast traffic and the traffic destined to link local addresses.
  • When there is no traffic flow, the TCAM entry does not change from punt to policy-route.

Configuring IPv6 PBR

To configure IPv6 PBR, complete the following steps:

Command
Purpose

Step 1

Router# enable

Enables privileged EXEC mode.

Step 2

Router# configure terminal

Enters global configuration mode.

Step 3

Router(config)# route-map map-tag [ permit | deny ] [ sequence-number ]

Defines the conditions for redistributing routes from one routing protocol into another, or enables policy routing.

  • Use the route-map command to enter route-map configuration mode.

Step 4

Router(config-route-map)# match length minimum-length maximum-length

 

or

 

Router(config-route-map)# match ipv6 address { prefix-list prefix-list-name | access-list-name }

 

Specifies the match criteria.

  • Matches the Level 3 length of the packet.
  • Matches a specified IPv6 access list.

Note If you do not specify a match command, the route map applies to all packets.

Step 5

Router(config-route-map) # set ipv6 precedence precedence-value

 

or

 

Router(config-route-map) # set ipv6 next-hop global-ipv6-address

 

or

 

Router(config-route-map) # set interface type number

 

or

 

Router(config-route-map) # set ipv6 default next-hop global-ipv6-address

 

or

 

Router(config-route-map)# set ipv6 next-hop recursive global-ipv6-address

 

or

 

Router(config-route-map) # set default interface type number

 

or

 

Router(config-route-map) # set vrf vrf-name

 

Specifies the actions to take on the packets that match the criteria.

  • Sets a precedence value in the IPv6 header.
  • Sets the next hop to which to route the packet (the next hop must be adjacent).
  • Sets an output interface for the packet.
  • Sets the next hop to which to route the packet, if there is no explicit route for this destination.
  • Sets next hop to which to route the packet if the hop is to a router which is not adjacent.
  • Sets the output interface for the packet, if there is no explicit route for this destination.
  • Sets the VRF instance selection within a route map for a policy based routing VRF selection.

Step 6

Router(config-route-map)# exit

Returns the router to global configuration mode.

Step 7

Router(config) # interface type number

Specifies an interface type and number, and places the router in interface configuration mode.

Step 8

Router (config-if)# ipv6 policy route-map route-map-name

Identifies a route map for the IPv6 PBR on an interface.

Verification

The following commands help verifying the PBR configuration.

  • The show ipv6 policy command displays PBR configuration:
Router# show ipv6 policy
Interface Routemap
GigabitEthernet0/0/0 src-1

 

  • The show route-map command displays specific route-map information, such as a count of policy matches:
Router# show route-map
route-map bill, permit, sequence 10
Match clauses:
Set clauses:
Policy routing matches:0 packets, 0 bytes
 
  • The show tcam interface command displays the supported hardware and software:

    Hardware:
Router# show tcam interface gigabitEthernet 8/9 acl in ipv6 module 8
 
ICMP Neighbor Discovery Packet Types:
na - neighbor advertisement ra - router advertisement
ns - neighbor solicit rs - router solicit
r - redirect
 
IPV6 Address Types:
full - IPv6 Full eui - IPv6 EUI
eipv4 - IPv6 embeded IPv4
-------------------------------------------------------
policy-route ipv6 host 1000::2(full) host 4000::2(full)
permit ipv6 any(eipv4) any
permit ipv6 any(eui) any
permit ipv6 any(full) any

Software:

Router# show tcam interface gigabitEthernet 4/2 acl in ipv6 module 4
 
ICMP Neighbor Discovery Packet Types:
na - neighbor advertisement ra - router advertisement
ns - neighbor solicit rs - router solicit
r - redirect
 
IPV6 Address Types:
full - IPv6 Full eui - IPv6 EUI
eipv4 - IPv6 embeded IPv4
-------------------------------------------------------
permit ipv6 any(eui) 0:FE80::/10(eui)
permit ipv6 any(full) 0:FE80::/10(eui)
permit ipv6 any(eui) FF00::/8(full)
permit ipv6 any(full) FF00::/8(full)
permit ipv6 any(eui) FE80::/10(full)
permit ipv6 any(full) FE80::/10(full)
punt ipv6 any(eui) any
punt ipv6 any(full) any
permit ipv6 any(eipv4) any
permit ipv6 any(eui) any
permit ipv6 any(full) any
 
  • The show fm ipv6 pbr all command displays the IPv6 PBR VMRs for a specified interface:
Router# show fm ipv6 pbr all
-----------------------------------------------------------------------------
FM_FEATURE_IPv6_PBR i/f: Gi3/3 rmap: empty1
=============================================================================
----------------------------------------------------
Seq. No: 65536 Seq. Result : FM_RESULT_PERMIT
----------------------------------------------------
DPort - Destination Port SPort - Source Port Pro - Protocol
PT - Packet Type DPT - Dst. Packet Type SPT - Src. Packet Type
X - XTAG TOS - TOS Value Res - VMR Result
RFM - R-Recirc. Flag MRTNPC - M-Multicast Flag R - Reflexive flag
- F-Fragment flag - T-Tcp Control N - Non-cachable
- M-More Fragments - P-Mask Priority(H-High, L-Low)
Adj. - Adj. Index C - Capture Flag T - M(Mask)/V(Value)
FM - Flow Mask NULL - Null FM SAO - Source Only FM
DAO - Dest. Only FM SADA - Sour.& Dest. Only VSADA - Vlan SADA Only
ISADA - Intf. SADA FF - Full Flow VFF - Vlan Full Flow
IFF - Intf. FF F-VFF - Either FF or VFF IFF-FF - Either IFF or FF
A-VSD - Atleast VSADA A-FF - Atleast FF A-VFF - Atleast VFF
A-SON - Atleast SAO A-DON - Atleast DAO A-SD - Atleast SADA
SHORT - Shortest ISADA-L- ISADA Least FF-L - FF Least
IFF-L - IFF Least A-SFF - Any short than FF A-EFF - Any except FF
A-EVFF - Any except VFF SA-L - Source Least DA-L - Dest. Least
SADA-L - SADA Least FF-LESS- FF Less N-FF - Not FF
N-IFF - Not IFF A-LVFF - Any less than VFF FULL - Full Pkt Type
EUI - EUI 64 Pkt Type EMBD - Embedded Pkt Type ELNK - EUI Link Overlap
ESIT - EUI Site Overlap LINK - Link Pkt Type SITE - Site Pkt Type
ERR - Flowmask Error
+----+-+----------------------------------------+----------------------------------------+----+----+----+---+---+-+------+----+------+
|Indx|T| Dest IPv6 Addr | Source IPv6 Addr | DPT| SPT| PT |Pro|RFM|X|MRTNPC|Adj.| FM |
+----+-+----------------------------------------+----------------------------------------+----+----+----+---+---+-+------+----+------+
 
1 V FF00:: :: FULL EUI ---- 0 --- - ----L- ---- SHORT
M FF00:: :: EMBD EUI 0 0
TM_PERMIT_RESULT
 
2 V FF00:: :: FULL FULL ---- 0 --- - ----L- ---- SHORT
M FF00:: :: EMBD EMBD 0 0
TM_PERMIT_RESULT
 
3 V 0:FE80:: :: EUI EUI ---- 0 --- - ----L- ---- SHORT
M 0:FFC0:: :: EUI EUI 0 0
TM_PERMIT_RESULT
 
4 V FE80:: :: FULL EUI ---- 0 --- - ----L- ---- SHORT
M FFC0:: :: EMBD EUI 0 0
TM_PERMIT_RESULT
 
5 V 0:FE80:: :: EUI FULL ---- 0 --- - ----L- ---- SHORT
M 0:FFC0:: :: EUI EMBD 0 0
TM_PERMIT_RESULT
 
6 V FE80:: :: FULL FULL ---- 0 --- - ----L- ---- SHORT
M FFC0:: :: EMBD EMBD 0 0
TM_PERMIT_RESULT
 
7 V :: :: ---- ---- ---- 0 --- - ----L- ---- SHORT
M :: :: ---- ---- 0 0
TM_L3_DENY_RESULT
 
----------------------------------------------------
Seq. No: 10 Seq. Result : FM_RESULT_ADJREDIRECT
----------------------------------------------------
+----+-+----------------------------------------+----------------------------------------+----+----+----+---+---+-+------+----+------+
|Indx|T| Dest IPv6 Addr | Source IPv6 Addr | DPT| SPT| PT |Pro|RFM|X|MRTNPC|Adj.| FM |
+----+-+----------------------------------------+----------------------------------------+----+----+----+---+---+-+------+----+------+
 
1 V :: :: ---- EUI ---- 0 --- - ----L- 0 SHORT
M :: :: ---- EUI 0 0
TM_PERMIT_RESULT
 
2 V :: :: ---- FULL ---- 0 --- - ----L- 0 SHORT
M :: :: ---- EMBD 0 0
TM_PERMIT_RESULT
 
3 V :: :: ---- ---- ---- 0 --- - ----L- 0 SHORT
M :: :: ---- ---- 0 0
TM_L3_DENY_RESULT
 
----------------------------------------------------
Seq. No: 65537 Seq. Result : FM_RESULT_PERMIT
----------------------------------------------------
+----+-+----------------------------------------+----------------------------------------+----+----+----+---+---+-+------+----+------+
|Indx|T| Dest IPv6 Addr | Source IPv6 Addr | DPT| SPT| PT |Pro|RFM|X|MRTNPC|Adj.| FM |
+----+-+----------------------------------------+----------------------------------------+----+----+----+---+---+-+------+----+------+
 
1 V :: :: ---- EUI ---- 0 --- - ----L- ---- SHORT
M :: :: ---- EUI 0 0
TM_PERMIT_RESULT
 
2 V :: :: ---- FULL ---- 0 --- - ----L- ---- SHORT
M :: :: ---- EMBD 0 0
TM_PERMIT_RESULT
 
3 V :: :: ---- ---- ---- 0 --- - ----L- ---- SHORT
M :: :: ---- ---- 0 0
TM_L3_DENY_RESULT
 
 
Index : 0
Feature_id : 4C adj : 5733EB50 vlan : 1027 dmac : 0000.1742.3558
smac : 0018.7415.1980 encap : 1 mtu : 1518 TTL : 1
Rdt Indx : 0 recirc : 0 Non-Cachable : 0 Priority : 1
 
  • The show fm ipv6 pbr interface command displays the IPv6 PBR VMRs on a specified interface:
Router# show fm ipv6 pbr interface gigabitEthernet 3/3
-----------------------------------------------------------------------------
FM_FEATURE_IPv6_PBR i/f: Gi3/3 rmap: empty1
=============================================================================
----------------------------------------------------
Seq. No: 65536 Seq. Result : FM_RESULT_PERMIT
----------------------------------------------------
DPort - Destination Port SPort - Source Port Pro - Protocol
PT - Packet Type DPT - Dst. Packet Type SPT - Src. Packet Type
X - XTAG TOS - TOS Value Res - VMR Result
RFM - R-Recirc. Flag MRTNPC - M-Multicast Flag R - Reflexive flag
- F-Fragment flag - T-Tcp Control N - Non-cachable
- M-More Fragments - P-Mask Priority(H-High, L-Low)
Adj. - Adj. Index C - Capture Flag T - M(Mask)/V(Value)
FM - Flow Mask NULL - Null FM SAO - Source Only FM
DAO - Dest. Only FM SADA - Sour.& Dest. Only VSADA - Vlan SADA Only
ISADA - Intf. SADA FF - Full Flow VFF - Vlan Full Flow
IFF - Intf. FF F-VFF - Either FF or VFF IFF-FF - Either IFF or FF
A-VSD - Atleast VSADA A-FF - Atleast FF A-VFF - Atleast VFF
A-SON - Atleast SAO A-DON - Atleast DAO A-SD - Atleast SADA
SHORT - Shortest ISADA-L- ISADA Least FF-L - FF Least
IFF-L - IFF Least A-SFF - Any short than FF A-EFF - Any except FF
A-EVFF - Any except VFF SA-L - Source Least DA-L - Dest. Least
SADA-L - SADA Least FF-LESS- FF Less N-FF - Not FF
N-IFF - Not IFF A-LVFF - Any less than VFF FULL - Full Pkt Type
EUI - EUI 64 Pkt Type EMBD - Embedded Pkt Type ELNK - EUI Link Overlap
ESIT - EUI Site Overlap LINK - Link Pkt Type SITE - Site Pkt Type
ERR - Flowmask Error
+----+-+----------------------------------------+----------------------------------------+----+----+----+---+---+-+------+----+------+
|Indx|T| Dest IPv6 Addr | Source IPv6 Addr | DPT| SPT| PT |Pro|RFM|X|MRTNPC|Adj.| FM |
+----+-+----------------------------------------+----------------------------------------+----+----+----+---+---+-+------+----+------+
 
1 V FF00:: :: FULL EUI ---- 0 --- - ----L- ---- SHORT
M FF00:: :: EMBD EUI 0 0
TM_PERMIT_RESULT
 
2 V FF00:: :: FULL FULL ---- 0 --- - ----L- ---- SHORT
M FF00:: :: EMBD EMBD 0 0
TM_PERMIT_RESULT
 
3 V 0:FE80:: :: EUI EUI ---- 0 --- - ----L- ---- SHORT
M 0:FFC0:: :: EUI EUI 0 0
TM_PERMIT_RESULT
 
4 V FE80:: :: FULL EUI ---- 0 --- - ----L- ---- SHORT
M FFC0:: :: EMBD EUI 0 0
TM_PERMIT_RESULT
 
5 V 0:FE80:: :: EUI FULL ---- 0 --- - ----L- ---- SHORT
M 0:FFC0:: :: EUI EMBD 0 0
TM_PERMIT_RESULT
 
6 V FE80:: :: FULL FULL ---- 0 --- - ----L- ---- SHORT
M FFC0:: :: EMBD EMBD 0 0
TM_PERMIT_RESULT
 
7 V :: :: ---- ---- ---- 0 --- - ----L- ---- SHORT
M :: :: ---- ---- 0 0
TM_L3_DENY_RESULT
 
----------------------------------------------------
Seq. No: 10 Seq. Result : FM_RESULT_ADJREDIRECT
----------------------------------------------------
+----+-+----------------------------------------+----------------------------------------+----+----+----+---+---+-+------+----+------+
|Indx|T| Dest IPv6 Addr | Source IPv6 Addr | DPT| SPT| PT |Pro|RFM|X|MRTNPC|Adj.| FM |
+----+-+----------------------------------------+----------------------------------------+----+----+----+---+---+-+------+----+------+
 
1 V :: :: ---- EUI ---- 0 --- - ----L- 0 SHORT
M :: :: ---- EUI 0 0
TM_PERMIT_RESULT
 
2 V :: :: ---- FULL ---- 0 --- - ----L- 0 SHORT
M :: :: ---- EMBD 0 0
TM_PERMIT_RESULT
 
3 V :: :: ---- ---- ---- 0 --- - ----L- 0 SHORT
M :: :: ---- ---- 0 0
TM_L3_DENY_RESULT
 
----------------------------------------------------
Seq. No: 65537 Seq. Result : FM_RESULT_PERMIT
----------------------------------------------------
+----+-+----------------------------------------+----------------------------------------+----+----+----+---+---+-+------+----+------+
|Indx|T| Dest IPv6 Addr | Source IPv6 Addr | DPT| SPT| PT |Pro|RFM|X|MRTNPC|Adj.| FM |
+----+-+----------------------------------------+----------------------------------------+----+----+----+---+---+-+------+----+------+
 
1 V :: :: ---- EUI ---- 0 --- - ----L- ---- SHORT
M :: :: ---- EUI 0 0
TM_PERMIT_RESULT
 
2 V :: :: ---- FULL ---- 0 --- - ----L- ---- SHORT
M :: :: ---- EMBD 0 0
TM_PERMIT_RESULT
 
3 V :: :: ---- ---- ---- 0 --- - ----L- ---- SHORT
M :: :: ---- ---- 0 0
TM_L3_DENY_RESULT
 
 
Index : 0
Feature_id : 4C adj : 5733EB50 vlan : 1027 dmac : 0000.1742.3558
smac : 0018.7415.1980 encap : 1 mtu : 1518 TTL : 1
Rdt Indx : 0 recirc : 0 Non-Cachable : 0 Priority : 1
 

Troubleshooting Tips

Table 65-2 lists the troubleshooting issues while configuring IPv6 PBR:

Table 65-2 Troubleshooting IPv6 Issues

Problem
Solution

When you suspect an un-specified problem.

  • Use the debug fm ipv6 [all | events | pbr | vmrs] command

all - Displays all IPv6 debugging information.

events - Displays debugging information about FM IPv6 events.

pbr - Displays debugging information about FM IPv6 policy based routing.

vmrs - Displays debugging information about FM IPv6 VMRs.

  • Use the debug ipv6 policy command to display the IPv6 policy routing packet activity.