Cisco Nexus 7000 Series NX-OS Unicast Routing Configuration Guide, Release 6.x
Configuring Policy Based Routing

Table of Contents

Configuring Policy-Based Routing

Finding Feature Information

Information About Policy-Based Routing

Policy Route Maps

Set Criteria for Policy-Based Routing

Local Policy Routing

Licensing Requirements for Policy-Based Routing

Prerequisites for Policy-Based Routing

Guidelines and Limitations for Policy-Based Routing

Default Settings

Configuring Policy-Based Routing

Enabling the Policy-Based Routing Feature

Configuring a Route Policy

Configuring Local Policy Routing

Verifying the Policy-Based Routing Configuration

Configuration Examples for Policy-Based Routing

Configuration Example for Local Policy Routing

Related Topics

Additional References

Related Documents

Standards

Feature History for Policy-Based Routing

Finding Feature Information

Your software release might not support all the features documented in this module. For the latest caveats and feature information, see the Bug Search Tool at https://tool.cisco.com/bugsearch/ and the release notes for your software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the New and Changed Information section or the Feature History table below.

Information About Policy-Based Routing

Policy-based routing allows you to configure a defined policy for IPv4 and IPv6 traffic flows, lessening reliance on routes derived from routing protocols. All packets received on an interface with policy-based routing enabled are passed through enhanced packet filters or route maps. The route maps dictate the policy, determining where to forward packets.

Route maps are composed of match and set statements that you can mark as permit or deny. You can interpret the statements as follows:

  • If the packets match any route map statements, all the set statements are applied. One of these actions involves choosing the next hop.
  • If a statement is marked as deny, the packets that meet the match criteria are sent back through the normal forwarding channels and destination-based routing is performed.
  • If the statement is marked as permit and the packets do not match any route-map statements, the packets are sent back through the normal forwarding channels and destination-based routing is performed.

For more information, see the “Route Maps” section.

Policy-based routing includes the following features:

  • Source-based routing—Routes traffic that originates from different sets of users through different connections across the policy routers.
  • Quality of Service (QoS)—Differentiates traffic by setting the precedence or type of service (ToS) values in the IP packet headers at the periphery of the network and leveraging queuing mechanisms to prioritize traffic in the core or backbone of the network (see the Cisco Nexus 7000 Series NX-OS Quality of Service Configuration Guide).
  • Load sharing—Distributes traffic among multiple paths based on the traffic characteristics.

This section includes the following topics:

Policy Route Maps

Each entry in a route map contains a combination of match and set statements. The match statements define the criteria for whether appropriate packets meet the particular policy (that is, the conditions to be met). The set clauses explain how the packets should be routed once they have met the match criteria.

You can mark the route-map statements as permit or deny. If the statement is marked as a deny, the packets that meet the match criteria are sent back through the normal forwarding channels (destination-based routing is performed). If the statement is marked as permit and the packets meet the match criteria, all the set clauses are applied. If the statement is marked as permit and the packets do not meet the match criteria, those packets are also forwarded through the normal routing channel.


Note Policy routing is specified on the interface that receives the packets, not on the interface from which the packets are sent.


Set Criteria for Policy-Based Routing

The set criteria in a route map are evaluated in the order listed in the route map. Set criteria specific to route maps used for policy-based routing are as follows:

1. List of interfaces through which the packets can be routed—If more than one interface is specified, the first interface that is found to be up is used for forwarding the packets.

2. List of specified IP addresses—The IP address can specify the adjacent next-hop router in the path toward the destination to which the packets should be forwarded. The first IP address associated with a currently up connected interface is used to route the packets.


Note You can optionally configure the set criteria for next-hop addresses to load balance traffic across up to 16 IP addresses. In this case, Cisco NX-OS sends all traffic for each IP flow to a particular IP next-hop address.


3. List of default interfaces—If there is no explicit route available to the destination address of the packet being considered for policy routing, the route map routes it to the first up interface in the list of specified default interfaces.

4. List of default next-hop IP addresses—Route to the interface or the next-hop address specified by this set statement only if there is no explicit route for the destination address of the packet in the routing table.


Note You can optionally configure the set criteria for the default next-hop addresses to load balance traffic across a maximum of 16 IP addresses. In this case, Cisco NX-OS sends all traffic for each IP flow to a particular IP next-hop address.


If the packets do not meet any of the defined match criteria, those packets are routed through the normal destination-based routing process.
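
The decision sequence described in this section can be modeled in a few lines. The following is an added example, not Cisco code: a simplified Python model in which the names Statement, pbr_decide, and has_explicit_route are hypothetical, the ACL is replaced by a Python predicate, and the sample packets and routing table are constructed. It assumes that the default route does not count as an explicit route and that a matched permit statement with no usable set clause falls back to destination-based routing.

```python
# Simplified model of the PBR forwarding decision (added example, not Cisco code).
import ipaddress
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class Statement:                       # one route-map statement (hypothetical type)
    action: str                        # "permit" or "deny"
    match: Callable[[dict], bool]      # stands in for the ACL named by "match ip address"
    null0: bool = False                # set interface null0
    next_hops: list = field(default_factory=list)          # set ip next-hop
    default_next_hops: list = field(default_factory=list)  # set ip default next-hop

def has_explicit_route(dst, rib):
    # Assumption: only non-default prefixes count as an explicit route.
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in map(ipaddress.ip_network, rib) if net.prefixlen > 0)

def pbr_decide(pkt, route_map, rib, up_next_hops):
    """Return (path, next_hop) for a packet received on a PBR-enabled interface."""
    for st in route_map:
        if not st.match(pkt):
            continue                                   # try the next statement
        if st.action == "deny":
            return ("destination-routing", None)       # matched a deny statement
        if st.null0:
            return ("drop", "null0")                   # interface criteria come first
        for nh in st.next_hops:                        # first next hop that is up wins
            if nh in up_next_hops:
                return ("policy", nh)
        if not has_explicit_route(pkt["dst"], rib):    # default criteria apply only
            for nh in st.default_next_hops:            # when no explicit route exists
                if nh in up_next_hops:
                    return ("policy-default", nh)
        return ("destination-routing", None)           # assumption: no usable set clause
    return ("destination-routing", None)               # no statement matched

# Constructed sample mirroring this chapter's pbr-sample ACL and next hop.
def web_acl(p):
    return (p["src"], p["dst"], p["dport"]) == ("10.1.1.1", "192.168.2.1", 80)

ROUTE_MAP = [
    Statement("deny", lambda p: p["src"] == "10.1.1.99"),
    Statement("permit", web_acl, next_hops=["192.168.1.1", "192.168.1.2"]),
    Statement("permit", lambda p: p["src"].startswith("10.2."),
              default_next_hops=["192.0.2.2"]),
]
RIB = ["0.0.0.0/0", "192.168.2.0/24"]                  # constructed routing table

if __name__ == "__main__":
    web = {"src": "10.1.1.1", "dst": "192.168.2.1", "dport": 80}
    print(pbr_decide(web, ROUTE_MAP, RIB, {"192.168.1.1"}))   # policy via first hop
    print(pbr_decide(web, ROUTE_MAP, RIB, {"192.168.1.2"}))   # falls to second hop
```

Running a flow inventory through such a model shows which traffic leaves the destination-routed path, which is the set of flows to check against firewall and inspection placement.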

Local Policy Routing

Local policy routing allows you to apply a route map to local (device-generated) traffic. All packets originating on the device that are not normally policy routed are subject to local policy routing.

Licensing Requirements for Policy-Based Routing

The following table shows the licensing requirements for this feature:

 

Product: Cisco NX-OS

License Requirement: Policy-based routing requires an Enterprise Services license. For a complete explanation of the Cisco NX-OS licensing scheme and how to obtain and apply licenses, see the Cisco NX-OS Licensing Guide.

Prerequisites for Policy-Based Routing

Policy-based routing has the following prerequisites:

  • Install the correct license.
  • You must enable policy-based routing (see the “Enabling the Policy-Based Routing Feature” section).
  • Assign an IP address on the interface and bring the interface up before you apply a route map on the interface for policy-based routing.
  • If you configure VDCs, install the appropriate license and enter the desired VDC (see the Cisco Nexus 7000 Series NX-OS Virtual Device Context Configuration Guide for configuration information and the Cisco NX-OS Licensing Guide for licensing information).

Guidelines and Limitations for Policy-Based Routing

Policy-based routing has the following configuration guidelines and limitations:

  • A policy-based routing route map can have only one match or set statement per route-map statement.
  • A match command cannot refer to more than one ACL in a route map used for policy-based routing.
  • The same route map can be shared among different interfaces for policy-based routing as long as the interfaces belong to the same virtual routing and forwarding (VRF) instance.
  • Setting a tunnel interface or an IP address via a tunnel interface as a next hop in a policy-based routing policy is not supported. Applying policy-based routing or ip policy route-map on tunnel interfaces is also not supported.
  • Policy-based routing is not supported with inbound traffic on FEX ports.
  • Using a prefix-list as match criteria is not supported. Do not use a prefix-list in a policy-based routing route-map.
  • Beginning with Cisco NX-OS Release 6.1, policy-based routing and WCCPv2 are supported on the same interface if bank chaining is disabled.
  • Beginning with Cisco NX-OS Release 6.1(3), you can configure the device to support deny access control entries (ACEs) in a sequence for the following sequence-based features: VACLs, policy-based routing, and QoS. For more information, see the “Configuring VLAN ACLs” chapter in the Cisco Nexus 7000 Series NX-OS Security Configuration Guide . In previous releases, an ACL used in a policy-based routing route map cannot include a deny statement.
  • If you are familiar with the Cisco IOS CLI, be aware that the Cisco NX-OS commands for this feature might differ from the Cisco IOS commands that you would use.
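
Several of these limitations can be checked mechanically against a saved configuration. The following is an added example, not Cisco code: a Python audit in which the function name audit_pbr, the rule labels, and the sample configuration are hypothetical and constructed for illustration. It flags only route maps that are actually applied with ip policy, ipv6 policy, or local policy, and it checks three of the limitations above: a policy on a tunnel interface, a prefix-list match, and more than one ACL in a match command.

```python
import re

POLICY = re.compile(r"(ip|ipv6) (local )?policy route-map (\S+)$")

def audit_pbr(config):
    """Hypothetical helper: return (route_map, rule, detail) findings for maps used by PBR."""
    applied, matches = {}, {}          # name -> where applied / name -> match lines
    kind = name = None                 # current block: "if" (interface) or "rm"
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        pol = POLICY.match(line)
        if line.startswith("interface "):
            kind, name = "if", line.split(None, 1)[1]
        elif line.startswith("route-map "):
            parts = line.split()
            if parts[-1] == "pbr-statistics":      # statistics toggle, not a block
                kind = None
            else:
                kind, name = "rm", parts[1]
                matches.setdefault(name, [])
        elif pol and pol.group(2):                 # ip/ipv6 local policy (global)
            applied.setdefault(pol.group(3), []).append("local")
        elif pol and kind == "if":                 # ip/ipv6 policy on an interface
            applied.setdefault(pol.group(3), []).append(name)
        elif line.startswith("match ") and kind == "rm":
            matches[name].append(line)
    findings = []
    for rmap, places in applied.items():           # only maps actually used for PBR
        for place in places:
            if place.lower().startswith("tunnel"):
                findings.append((rmap, "tunnel-interface", place))
        for line in matches.get(rmap, []):
            tok = line.split()
            if "prefix-list" in tok:
                findings.append((rmap, "prefix-list", line))
            elif tok[1:3] in (["ip", "address"], ["ipv6", "address"]) and len(tok) > 4:
                findings.append((rmap, "multiple-acls", line))
    return findings

# Constructed sample configuration (not taken from a real device).
SAMPLE = """\
route-map GOOD permit 10
  match ip address ACL1
route-map BAD permit 10
  match ip address prefix-list PL1
route-map BAD permit 20
  match ip address ACL1 ACL2
route-map REDIST permit 10
  match ip address prefix-list PL2
interface ethernet 1/2
  ip policy route-map GOOD
interface tunnel 5
  ip policy route-map BAD
"""

if __name__ == "__main__":
    print(*audit_pbr(SAMPLE), sep="\n")
```

The route map REDIST is not reported because it is never applied as a policy; a prefix-list is only a problem in a route map used for policy-based routing.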

Default Settings

Table 1-1 lists the default settings for policy-based routing parameters.

 

Table 1-1 Default Policy-based Routing Parameters

Parameters              Default
Policy-based routing    Disabled

Configuring Policy-Based Routing

This section includes the following topics:


Note If you are familiar with the Cisco IOS CLI, be aware that the Cisco NX-OS commands for this feature might differ from the Cisco IOS commands that you would use.


Enabling the Policy-Based Routing Feature

You must enable the policy-based routing feature before you can configure a route policy.

BEFORE YOU BEGIN

Ensure that you are in the correct VDC (or use the switchto vdc command).

SUMMARY STEPS

1. configure terminal

2. feature pbr

3. (Optional) show feature

4. (Optional) copy running-config startup-config

DETAILED STEPS

 

Step 1
Command: configure terminal
Example:
  switch# configure terminal
  switch(config)#
Purpose: Enters global configuration mode.

Step 2
Command: feature pbr
Example:
  switch(config)# feature pbr
Purpose: Enables the policy-based routing feature.

Step 3
Command: show feature
Example:
  switch(config)# show feature
Purpose: (Optional) Displays enabled and disabled features.

Step 4
Command: copy running-config startup-config
Example:
  switch(config)# copy running-config startup-config
Purpose: (Optional) Saves this configuration change.

Use the no feature pbr command to disable the policy-based routing feature and remove all associated configuration.

 

Command: no feature pbr
Example:
  switch(config)# no feature pbr
Purpose: Disables policy-based routing and removes all associated configuration.

Configuring a Route Policy

You can use route maps in policy-based routing to assign routing policies to the inbound interface. See the “Configuring Route Maps” section.

SUMMARY STEPS

1. configure terminal

2. interface type slot/port

3. ip policy route-map map-name

or

ipv6 policy route-map map-name

4. (Optional) exit

5. (Optional) exit

6. (Optional) copy running-config startup-config

DETAILED STEPS

 

Step 1
Command: configure terminal
Example:
  switch# configure terminal
  switch(config)#
Purpose: Enters global configuration mode.

Step 2
Command: interface type slot/port
Example:
  switch(config)# interface ethernet 1/2
  switch(config-if)#
Purpose: Enters interface configuration mode.

Step 3
Command: ip policy route-map map-name
Example:
  switch(config-if)# ip policy route-map Testmap
Purpose: Assigns a route map for IPv4 policy-based routing to the interface.

Command: ipv6 policy route-map map-name
Example:
  switch(config-if)# ipv6 policy route-map TestIPv6map
Purpose: Assigns a route map for IPv6 policy-based routing to the interface.

Step 4
Command: exit
Example:
  switch(config-if)# exit
  switch(config)#
Purpose: (Optional) Exits interface configuration mode.

Step 5
Command: copy running-config startup-config
Example:
  switch(config)# copy running-config startup-config
Purpose: (Optional) Saves this configuration change.

 

This example shows how to add a route map to an interface:

switch# configure terminal
switch(config)# interface ethernet 1/2
switch(config-if)# ip policy route-map Testmap
switch(config-if)# exit
switch(config)# copy running-config startup-config

 

You can configure the following optional match parameters for route maps in route-map configuration mode:

 

Command: match ip address access-list-name name [ name... ]
Example:
  switch(config-route-map)# match ip address access-list-name ACL1
Purpose: Matches an IPv4 address against one or more IP access control lists (ACLs). This command is used for policy-based routing and is ignored by route filtering or redistribution.

Command: match ipv6 address access-list-name name [ name... ]
Example:
  switch(config-route-map)# match ipv6 address access-list-name ACLv6
Purpose: Matches an IPv6 address against one or more IPv6 ACLs. This command is used for policy-based routing and is ignored by route filtering or redistribution.

Command: match length min max
Example:
  switch(config-route-map)# match length 64 1500
Purpose: Matches against the length of the packet. This command is used for policy-based routing.

Command: match mac-list maclist [... maclist ]
Example:
  switch(config-route-map)# match mac-list MacList10
Purpose: Matches against a list of MAC addresses. This command is used for policy-based routing.

Command: match metric metric-value [ +- deviation-number ] [... metric-value [ +- deviation-number ]]
Example:
  switch(config-route-map)# match metric 10
Purpose: Matches against the routing protocol metric. This command is used for policy-based routing.

Command: match vlan vlan-range
Example:
  switch(config-route-map)# match vlan 64
Purpose: Matches against the VLAN ID of the packet. This command is used for policy-based routing.

You can configure the following optional set parameters for route maps in route-map configuration mode:

 

Command: set ip next-hop address1 [ address2... ] { load-share | peer-address }
Example:
  switch(config-route-map)# set ip next-hop 192.0.2.1
Purpose: Sets the IPv4 next-hop address for policy-based routing. This command uses the first valid next-hop address if multiple addresses are configured. Use the optional load-share keyword to load balance traffic across a maximum of 16 next-hop addresses.

Command: set ip default next-hop address1 [ address2... ] { load-share }
Example:
  switch(config-route-map)# set ip default next-hop 192.0.2.2
Purpose: Sets the IPv4 next-hop address for policy-based routing when there is no explicit route to a destination. This command uses the first valid next-hop address if multiple addresses are configured. Use the optional load-share keyword to load balance traffic across a maximum of 16 next-hop addresses.

Command: set ipv6 next-hop address1 [ address2... ] { load-share | peer-address }
Example:
  switch(config-route-map)# set ipv6 next-hop 2001:0DB8::1
Purpose: Sets the IPv6 next-hop address for policy-based routing. This command uses the first valid next-hop address if multiple addresses are configured. Use the optional load-share keyword to load balance traffic across a maximum of 16 next-hop addresses.

Command: set ipv6 default next-hop address1 [ address2... ]
Example:
  switch(config-route-map)# set ipv6 default next-hop 2001:0DB8::2
Purpose: Sets the IPv6 next-hop address for policy-based routing when there is no explicit route to a destination. This command uses the first valid next-hop address if multiple addresses are configured.

Command: set interface { null0 | tunnel-te }
Example:
  switch(config-route-map)# set interface null0
Purpose: Sets the interface used for routing. Use the null0 interface to drop packets. Use the tunnel-te interface to forward packets on the MPLS TE tunnel.

Command: set vrf vrf-name
Example:
  switch(config-route-map)# set vrf MainVRF
Purpose: Sets the VRF for next-hop resolution.

Cisco NX-OS routes the packet as soon as it finds a next hop and an interface.

Configuring Local Policy Routing

You can enable local policy routing for packets generated by the device and specify which route map the device should use.

SUMMARY STEPS

1. configure terminal

2. {ip | ipv6} local policy route-map map-name

3. (Optional) show {ip | ipv6} local policy

4. (Optional) copy running-config startup-config

DETAILED STEPS

 

Step 1
Command: configure terminal
Example:
  switch# configure terminal
  switch(config)#
Purpose: Enters global configuration mode.

Step 2
Command: {ip | ipv6} local policy route-map map-name
Example:
  switch(config)# ip local policy route-map pbr-src-90
Purpose: Configures IPv4 or IPv6 local policy route maps for packets generated by the device.

Step 3
Command: show {ip | ipv6} local policy
Example:
  switch(config)# show ip local policy
Purpose: (Optional) Displays the route map used for IPv4 or IPv6 local policy routing.

Step 4
Command: copy running-config startup-config
Example:
  switch# copy running-config startup-config
Purpose: (Optional) Saves this configuration change.

Verifying the Policy-Based Routing Configuration

To display policy-based routing configuration information, perform one of the following tasks:

 

Command: show [ip | ipv6] policy [name]
Purpose: Displays information about an IPv4 or IPv6 policy.

Command: show {ip | ipv6} local policy [ vrf name ]
Purpose: Displays the route map used for IPv4 or IPv6 local policy routing.

Command: show route-map [name] pbr-statistics
Purpose: Displays policy statistics.

Use the route-map map-name pbr-statistics command to enable policy statistics. Use the clear route-map map-name pbr-statistics command to clear these policy statistics.

Configuration Examples for Policy-Based Routing

This example shows how to configure a simple route policy on an interface:

feature pbr
ip access-list pbr-sample
  permit tcp host 10.1.1.1 host 192.168.2.1 eq 80
!
route-map pbr-sample
  match ip address pbr-sample
  set ip next-hop 192.168.1.1
!
route-map pbr-sample pbr-statistics

interface ethernet 1/2
  ip policy route-map pbr-sample
 

The following output verifies this configuration:

switch# show route-map pbr-sample

route-map pbr-sample, permit, sequence 10
  Match clauses:
    ip address (access-lists): pbr-sample
  Set clauses:
    ip next-hop 192.168.1.1

switch# show route-map pbr-sample pbr-statistics

route-map pbr-sample, permit, sequence 10
  Policy routing matches: 84 packets

Default routing: 233 packets

Configuration Example for Local Policy Routing

The following example sends packets with a destination IP address matching that allowed by extended access list 131 to the router at IP address 172.30.3.20:

ip local policy route-map xyz
!
route-map xyz
  match ip address 131
  set ip next-hop 172.30.3.20

Related Topics

The following topics can give more information on Policy Based Routing:

Additional References

For additional information related to implementing IP, see the following sections:

Related Documents

Related Topic: Policy-based routing CLI commands
Document Title: Cisco Nexus 7000 Series NX-OS Unicast Routing Command Reference

Related Topic: VDCs and VRFs
Document Title: Cisco Nexus 7000 Series NX-OS Virtual Device Context Configuration Guide

Standards

Standards
Title

No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.

Feature History for Policy-Based Routing

Table 1-2 lists the release history for this feature.

 

Table 1-2 Feature History for Policy-Based Routing

Feature Name: Local policy routing
Releases: 6.2(2)
Feature Information: Introduced this feature.

Feature Name: Policy-based routing
Releases: 6.1(3)
Feature Information: Added support for deny access control entries (ACEs) in a sequence for the following sequence-based features: VACLs, policy-based routing, and QoS.

Feature Name: Policy-based routing
Releases: 6.1(1)
Feature Information: Added support for policy-based routing and WCCPv2 on the same interface if bank chaining is disabled.

Feature Name: Interfaces
Releases: 5.2(1)
Feature Information: Added support for set interface route-map command.

Feature Name: IPv6 policies
Releases: 4.2(1)
Feature Information: Added support for IPv6 policies.

Feature Name: Policy-based routing
Releases: 4.0(1)
Feature Information: This feature was introduced.