Service Redirection in VXLAN Fabrics

Service Redirection in VXLAN EVPN Fabrics

Today, service appliances (also referred to as service nodes or service endpoints) such as firewalls and load balancers must be inserted into the data center to secure and optimize applications. This section describes the Layer 4 to Layer 7 service insertion and redirection features offered on VXLAN EVPN fabrics, which provide mechanisms to onboard these services and selectively redirect traffic to them.

Guidelines and Limitations for Policy-Based Redirect

The following guidelines and limitations apply to PBR over VXLAN.

  • The following platforms support PBR over VXLAN:

    • Cisco Nexus 9332C and 9364C switches

    • Cisco Nexus 9300-EX switches

    • Cisco Nexus 9300-FX/FX2/FX3 switches

    • Cisco Nexus 9300-GX switches

    • Cisco Nexus 9504 and 9508 switches with -EX/FX line cards

  • PBR over VXLAN doesn't support the following features: VTEP ECMP and the load-share keyword in the set {ip | ipv6} next-hop ip-address command.

  • When you configure bestpath as-path multipath-relax, BGP installs all the IPv4 multipaths as best paths in the URIB, using the lowest metric available among the paths.

  • When you configure bestpath as-path multipath-relax, BGP doesn't install all the IPv6 multipaths as best paths in the U6RIB; the individual metric remains available for each of those paths.

Enable the Policy-Based Redirect Feature

Before you begin

Enable the policy-based redirect feature before you can configure a route policy.

To configure basic PBR in cases where the advanced (and recommended) ePBR functions are not deployed, use the procedures in the following sections:

Procedure


Step 1

Use the configure terminal command to enter global configuration mode.

Example:

switch# configure terminal

Step 2

Use the [no] feature pbr command to enable the policy-based routing feature.

Example:

switch(config)# feature pbr

Step 3

(Optional) Use the show feature command to display enabled and disabled features.

Example:

switch(config)# show feature

Step 4

(Optional) Use the copy running-config startup-config command to save this configuration change.

Example:

switch(config)# copy running-config startup-config

Configuring a Route Policy

Before you begin

Configure the RACL TCAM region (using TCAM carving) before you apply the policy-based routing policy. For instructions, see the “Configuring ACL TCAM Region Sizes” section in the Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.2(x).

You can use route maps in policy-based routing to assign routing policies to the inbound interface. Cisco NX-OS routes the packets when it finds a next hop and an interface.


Note

The switch has a RACL TCAM region by default for IPv4 traffic.


Procedure


Step 1

Use the configure terminal command to enter global configuration mode.

Example:

switch# configure terminal

Step 2

Use the interface type slot/port command to enter interface configuration mode.

Example:

switch(config)# interface ethernet 1/2 

Step 3

Use the {ip | ipv6} policy route-map map-name command to assign a route map for IPv4 or IPv6 policy-based routing to the interface.

Example:

switch(config-if)# ip policy route-map Testmap

Step 4

Use the route-map map-name [permit | deny] [seq] command to create a route map or enter route-map configuration mode for an existing route map.

Example:

switch(config-if)# route-map Testmap

Step 5

Use the match {ip | ipv6} address access-list-name name [name...] command to match an IPv4 or IPv6 address against one or more IPv4 or IPv6 access control lists (ACLs).

Example:

switch(config-route-map)# match ip address access-list-name ACL1

Step 6

Use the set ip next-hop address1 command to set the IPv4 next-hop address for policy-based routing.

Example:

switch(config-route-map)# set ip next-hop 192.0.2.1

Step 7

Use the set ipv6 next-hop address1 command to set the IPv6 next-hop address for policy-based routing.

Example:

switch(config-route-map)# set ipv6 next-hop 2001:0DB8::1 

Step 8

Use the set interface null0 command to set the interface that is used for routing.

Example:

switch(config-route-map)# set interface null0

Step 9

Use the copy running-config startup-config command to save this configuration change.

Example:

switch(config-route-map)# copy running-config startup-config

Verifying the Policy-Based Redirect Configuration

This section describes how to verify the policy-based redirect configuration.

Use the following commands to collect policy statistics:

  • Use the route-map map-name pbr-statistics command to enable policy statistics.

  • Use the clear route-map map-name pbr-statistics command to clear these policy statistics.

To display the policy-based redirect configuration information, perform one of the following tasks:

Table 1. Policy-Based Redirect Verification Commands

  Command                                 Purpose
  show [ip | ipv6] policy [name]          Displays information about an IPv4 or IPv6 policy.
  show route-map [name] pbr-statistics    Displays policy statistics.

Configuration Example for Policy-Based Redirect

This section provides a configuration example for implementing Policy-Based Redirect (PBR) on tenant and service VTEPs.

Perform the following configuration on all tenant VTEPs, excluding the service VTEP.

feature pbr

ipv6 access-list IPV6_App_group_1
  10 permit ipv6 any 2001:10:1:1::0/64

ip access-list IPV4_App_group_1
  10 permit ip any 10.1.1.0/24

ipv6 access-list IPV6_App_group_2
  10 permit ipv6 any 2001:20:1:1::0/64

ip access-list IPV4_App_group_2
  10 permit ip any 20.1.1.0/24

! the next hop in each route map is the firewall's address
route-map IPV6_PBR_Appgroup1 permit 10
  match ipv6 address IPV6_App_group_2
  set ipv6 next-hop 2001:100:1:1::20

route-map IPV4_PBR_Appgroup1 permit 10
  match ip address IPV4_App_group_2
  set ip next-hop 10.100.1.20

route-map IPV6_PBR_Appgroup2 permit 10
  match ipv6 address IPV6_App_group_1
  set ipv6 next-hop 2001:100:1:1::20

route-map IPV4_PBR_Appgroup2 permit 10
  match ip address IPV4_App_group_1
  set ip next-hop 10.100.1.20

interface Vlan10
  ! tenant SVI appgroup 1
  vrf member appgroup
  ip address 10.1.1.1/24
  no ip redirects
  ipv6 address 2001:10:1:1::1/64
  no ipv6 redirects
  fabric forwarding mode anycast-gateway
  ip policy route-map IPV4_PBR_Appgroup1
  ipv6 policy route-map IPV6_PBR_Appgroup1

interface Vlan20
  ! tenant SVI appgroup 2
  vrf member appgroup
  ip address 20.1.1.1/24
  no ip redirects
  ipv6 address 2001:20:1:1::1/64
  no ipv6 redirects
  fabric forwarding mode anycast-gateway
  ip policy route-map IPV4_PBR_Appgroup2
  ipv6 policy route-map IPV6_PBR_Appgroup2

On the service VTEP, the PBR policy is applied on the tenant VRF SVI (the L3VNI SVI). This ensures that traffic is redirected to the firewall after decapsulation.

feature pbr

ipv6 access-list IPV6_App_group_1
  10 permit ipv6 any 2001:10:1:1::0/64

ip access-list IPV4_App_group_1
  10 permit ip any 10.1.1.0/24

ipv6 access-list IPV6_App_group_2
  10 permit ipv6 any 2001:20:1:1::0/64

ip access-list IPV4_App_group_2
  10 permit ip any 20.1.1.0/24

! the next hop in each route map is the firewall's address
route-map IPV6_PBR_Appgroup permit 10
  match ipv6 address IPV6_App_group_2
  set ipv6 next-hop 2001:100:1:1::20

route-map IPV6_PBR_Appgroup permit 20
  match ipv6 address IPV6_App_group_1
  set ipv6 next-hop 2001:100:1:1::20

route-map IPV4_PBR_Appgroup permit 10
  match ip address IPV4_App_group_2
  set ip next-hop 10.100.1.20

route-map IPV4_PBR_Appgroup permit 20
  match ip address IPV4_App_group_1
  set ip next-hop 10.100.1.20

interface Vlan1000
  ! L3VNI SVI for tenant VRF
  vrf member appgroup
  ip forward
  ipv6 forward
  ipv6 address use-link-local-only
  ip policy route-map IPV4_PBR_Appgroup
  ipv6 policy route-map IPV6_PBR_Appgroup
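A PBR policy fails silently when one of its references is broken: a route map that names an ACL which does not exist matches nothing, and an interface policy that names an undefined route map redirects nothing, so traffic bypasses the firewall without any error. The following Python script is an added example, not code from this Cisco guide, that parses NX-OS style PBR configuration text like the examples above and checks the consistency points that the guidelines and the route-policy procedure in this chapter depend on: every match statement references a defined ACL, every interface policy references a defined route map, every route-map entry sets a next hop, the route-map name contains no stray whitespace, and the load-share keyword (unsupported for PBR over VXLAN) is absent. The configuration text inside the script is constructed for this example, with four deliberate mistakes, and the parser only understands the command forms shown in this chapter (plus the prefix-list form of match, which it skips).

```python
"""Consistency checks for PBR-over-VXLAN configuration text (added example, not Cisco code).
Reports references that leave traffic unredirected: undefined ACLs, undefined route maps,
route-map names with whitespace, entries with no next hop, and the load-share keyword."""
import re
from dataclasses import dataclass, field


@dataclass
class RouteMapEntry:
    name: str
    seq: int
    acls: list = field(default_factory=list)       # ACL names from match statements
    next_hops: list = field(default_factory=list)  # addresses from set ... next-hop
    load_share: bool = False


ACL_RE = re.compile(r"^(?:ip|ipv6) access-list (\S+)$")
RM_RE = re.compile(r"^route-map (.+?) (?:permit|deny) (\d+)$")  # name may contain a stray space
INTF_RE = re.compile(r"^interface (\S+)$", re.IGNORECASE)
MATCH_RE = re.compile(r"^match (?:ip|ipv6) address (?:access-list-name )?(.+)$")
NEXTHOP_RE = re.compile(r"^set (?:ip|ipv6) next-hop (.+)$")
POLICY_RE = re.compile(r"^(?:ip|ipv6) policy route-map (\S+)$")


def parse_pbr_config(text):
    """Return (acl_names, route_maps, interface_policies) parsed from NX-OS style text."""
    acls, route_maps, policies = set(), {}, {}
    entry = intf = None  # current route-map entry and interface context
    for raw in text.splitlines():
        line = raw.split("!", 1)[0].strip()  # drop '!' comments and indentation
        if not line:
            continue
        if m := ACL_RE.match(line):
            acls.add(m.group(1)); entry = intf = None
        elif m := RM_RE.match(line):
            entry = RouteMapEntry(m.group(1), int(m.group(2))); intf = None
            route_maps.setdefault(entry.name, []).append(entry)
        elif m := INTF_RE.match(line):
            intf = m.group(1).lower(); entry = None
        elif entry is not None and (m := MATCH_RE.match(line)):
            names = m.group(1).split()
            if names[0] != "prefix-list":  # prefix-list matches are not ACL references
                entry.acls += names
        elif entry is not None and (m := NEXTHOP_RE.match(line)):
            tokens = m.group(1).split()
            entry.load_share = entry.load_share or "load-share" in tokens
            entry.next_hops += [t for t in tokens if re.fullmatch(r"[0-9A-Fa-f.:]+", t)]
        elif intf is not None and (m := POLICY_RE.match(line)):
            policies.setdefault(intf, []).append(m.group(1))
    return acls, route_maps, policies


def check_pbr_config(acls, route_maps, policies):
    """Return a list of findings; an empty list means every reference resolves."""
    findings = []
    for name, entries in route_maps.items():
        if re.search(r"\s", name):
            findings.append(f"route-map name {name!r} contains whitespace")
        for e in entries:
            for acl in e.acls:
                if acl not in acls:
                    findings.append(f"route-map {name} seq {e.seq}: ACL {acl} is not defined")
            if not e.next_hops:
                findings.append(f"route-map {name} seq {e.seq}: no next-hop is set")
            if e.load_share:
                findings.append(f"route-map {name} seq {e.seq}: load-share is not supported for PBR over VXLAN")
    for intf, names in policies.items():
        for rm in names:
            if rm not in route_maps:
                findings.append(f"interface {intf}: route-map {rm} is not defined")
    return findings


def lint(text):
    return check_pbr_config(*parse_pbr_config(text))


# Constructed sample with four deliberate mistakes; addresses follow the page's example.
SAMPLE_CONFIG = """\
ip access-list IPV4_App_group_1
  10 permit ip any 10.1.1.0/24
ip access-list IPV4_App_group_2
  10 permit ip any 20.1.1.0/24
route-map IPV4_PBR_Appgroup1 permit 10
  match ip address IPV4_App_group_2
  set ip next-hop 10.100.1.20
route-map IPV4_PBR_Appgroup2 permit 10
  match ip address IPV4_App_group1
  set ip next-hop 10.100.1.20
route-map IPV4_PBR_Appgroup3 permit 10
  match ip address IPV4_App_group_1
  set ip next-hop 10.100.1.20 10.100.1.21 load-share
route-map IPV4_ PBR_Appgroup4 permit 10
  match ip address IPV4_App_group_1
  set ip next-hop 10.100.1.20
interface Vlan10
  ip policy route-map IPV4_PBR_Appgroup1
interface Vlan30
  ip policy route-map IPV4_PBR_Appgroup9
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the script reports the mistyped ACL name in IPV4_PBR_Appgroup2, the load-share keyword in IPV4_PBR_Appgroup3, the space inside the name of IPV4_PBR_Appgroup4, and the undefined route map applied on Vlan30. Running it over the output of show running-config before a change window is a cheap way to confirm that the redirect to the firewall is actually wired up; the show route-map pbr-statistics counters from the verification section then confirm at runtime that matching traffic is being redirected.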