The Multi-VRF Selection Using Policy-Based Routing (PBR) feature allows a specified interface on a provider edge (PE) router to route packets to Virtual Private Networks (VPNs) based on packet length or match criteria defined in an IP access list.
You can enable VPN routing and forwarding (VRF) selection by policy routing packets through a route map, through the global routing table, or to a specified VRF.
You can enable policy-routing packets for VRF instances by using route map commands with set commands.
This feature and the Directing MPLS VPN Traffic Using a Source IP Address feature can be configured together on the same interface.
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
The Multi-VRF Selection Using Policy-Based Routing feature is an extension of the VRF Selection Based on Source IP Address feature. The PBR implementation of the VRF selection feature allows you to policy route VPN traffic based on match criteria. Match criteria are defined in an IP access list, based on packet length, or both. The following match criteria are supported in Cisco software:
Policy routing is defined in the route map. The route map is applied to the incoming interface with the ip policy route-map interface configuration command. An IP access list is applied to the route map with the match ip address route-map configuration command. Packet length match criteria are applied to the route map with the match length route-map configuration command. The set action is defined with the set vrf route-map configuration command. The match criteria are evaluated, and the appropriate VRF is selected by the set command. This combination allows you to define match criteria for incoming VPN traffic and policy route VPN packets out to the appropriate VRF.
To enable policy-routing packets for VRF instances, you can use route map commands with the following set commands. They are listed in the order in which the router uses them during the routing of packets.
When you configure PBR, you can use the following four set commands to change normal routing and forwarding behavior. Configuring any of these set commands, with the potential exception of the set ip next-hop command, overrides the routing behavior of packets entering the interface if the packets do not belong to a VRF. The packets are routed from the egress interface across the global routing table.
The Multi-VRF Selection Using Policy-Based Routing (PBR) feature supports inherit-VRF and inter-VRF. With inherit-VRF routing, packets arriving at a VRF interface are routed by the same outgoing VRF interface. With inter-VRF routing, packets arriving at a VRF interface are routed via any other outgoing VRF interface.
VRF-to-global routing causes packets that enter any VRF interface to be routed via the global routing table. When a packet arrives on a VRF interface, the destination lookup normally is done only in the corresponding VRF table. If a packet arrives on a global interface, the destination lookup is done in the global routing table.
The Multi-VRF Selection Using Policy-Based Routing (PBR) feature modifies the following set commands to support inherit-VRF, inter-VRF, and VRF-to-global routing. The commands are listed in the order in which the router uses them during the routing of packets.
Define the match criteria for multi-VRF selection using PBR so that you can selectively route the packets instead of using their default routing and forwarding.
The match criteria for multi-VRF selection using PBR are defined in an access list. Standard, named, and extended access lists are supported.
You can define the match criteria based on the packet length by configuring the match length route-map configuration command. This configuration option is defined entirely within a route map.
The following sections explain how to configure PBR route selection:
The tasks in the following sections assume that the VRF and associated IP address are already defined.
To configure Multi-VRF Selection using PBR with a named extended access list, complete the following steps.
Incoming packets are filtered through the match criteria that are defined in the route map. After a successful match occurs, the set vrf command configuration determines the VRF through which the outbound VPN packets will be policy routed.
You must define the VRF before you configure the route map; otherwise an error message appears on the console.
A receive entry must be added to the VRF selection table with the ip vrf receive command. If a match and set operation occurs in the route map but there is no receive entry in the local VRF table, the packet will be dropped if the packet destination is local.
The route map is attached to the incoming interface with the ip policy route-map interface configuration command.
The source IP address must be added to the VRF selection table. VRF selection is a one-way (unidirectional) feature. It is applied to the incoming interface. If a match and set operation occurs in the route map but there is no receive entry in the local VRF table, the packet is dropped if the packet destination is local.
To verify the configuration of the Multi-VRF Selection Using Policy-Based Routing (PBR) feature, perform the following steps. You can enter the commands in any order.
In the following example, three standard access lists are created to define match criteria for three different subnetworks. Any packets received on FastEthernet interface 0/1/0 will be policy routed through the PBR-VRF-Selection route map to the VRF that is matched in the same route-map sequence. If the source IP address of the packet is part of the 10.1.0.0/24 subnet, VRF1 will be used for routing and forwarding.
```
! Match criteria: one standard access list per source subnetwork
access-list 40 permit 10.1.0.0 0.0.255.255
access-list 50 permit 10.2.0.0 0.0.255.255
access-list 60 permit 10.3.0.0 0.0.255.255
!
route-map PBR-VRF-Selection permit 10
 match ip address 40
 set vrf VRF1
!
route-map PBR-VRF-Selection permit 20
 match ip address 50
 set vrf VRF2
!
route-map PBR-VRF-Selection permit 30
 match ip address 60
 set vrf VRF3
!
interface FastEthernet 0/1/0
 ! ip vrf forwarding removes an existing IP address, so it is entered first
 ip vrf forwarding VRF4
 ip address 192.168.1.6 255.255.255.252
 ip policy route-map PBR-VRF-Selection
 ip vrf receive VRF1
 ip vrf receive VRF2
 ip vrf receive VRF3
```
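An added example, not Cisco's code: a small Python audit of the two behaviors described above, namely which VRF the first matching route-map sequence selects for a given source address, and which `set vrf` targets have no `ip vrf receive` entry on the interface. The configuration text is constructed from the example above (shortened, with one receive entry removed); the parser is an assumption that handles only the commands shown and contiguous wildcard masks.

```python
import ipaddress
# Constructed config shaped like the page's example; VRF2's receive entry is omitted.
SAMPLE = """\
access-list 40 permit 10.1.0.0 0.0.255.255
access-list 50 permit 10.2.0.0 0.0.255.255
route-map PBR-VRF-Selection permit 10
 match ip address 40
 set vrf VRF1
route-map PBR-VRF-Selection permit 20
 match ip address 50
 set vrf VRF2
interface FastEthernet 0/1/0
 ip vrf forwarding VRF4
 ip policy route-map PBR-VRF-Selection
 ip vrf receive VRF1
"""
KEYS = {"match ip address": "acl", "set vrf": "vrf", "ip policy route-map": "map"}

def parse(text):
    acls, maps, ifaces, cur = {}, {}, {}, None
    for w in (line.split() for line in text.splitlines()):
        if w[:1] == ["access-list"] and w[2:3] == ["permit"]:
            # ip_network reads a mask that starts with 0 as a wildcard (host mask)
            acls.setdefault(w[1], []).append(ipaddress.ip_network(f"{w[3]}/{w[4]}"))
        elif w[:1] == ["route-map"]:
            cur = {"acl": None, "vrf": None}
            maps.setdefault(w[1], []).append((int(w[3]), cur))
        elif w[:1] == ["interface"]:
            cur = ifaces.setdefault(" ".join(w[1:]), {"map": None, "receive": set()})
        elif w[:3] == ["ip", "vrf", "receive"]:
            cur["receive"].add(w[3])
        elif " ".join(w[:-1]) in KEYS:
            cur[KEYS[" ".join(w[:-1])]] = w[-1]
    return acls, maps, ifaces

def select_vrf(cfg, iface, src):
    """VRF set by the first sequence whose ACL permits src; None if nothing matches."""
    acls, maps, ifaces = cfg
    for _, e in sorted(maps.get(ifaces[iface]["map"], []), key=lambda s: s[0]):
        if any(ipaddress.ip_address(src) in net for net in acls.get(e["acl"], [])):
            return e["vrf"]
    return None

def missing_receive(cfg):
    """(interface, vrf) pairs where set vrf has no ip vrf receive entry."""
    _, maps, ifaces = cfg
    return sorted((n, e["vrf"]) for n, i in ifaces.items() for _, e in
                  maps.get(i["map"], []) if e["vrf"] and e["vrf"] not in i["receive"])
```

A source address that matches no sequence returns `None`, meaning the packet is not policy routed by this route map.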
The following example shows a set ip vrf next-hop command that applies policy-based routing to the VRF interface named myvrf and specifies that the IP address of the next hop is 10.0.0.2:
```
Router(config)# route-map map1 permit
Router(config-route-map)# set vrf myvrf
Router(config-route-map)# set ip vrf myvrf next-hop 10.0.0.2
Router(config-route-map)# match ip address 101
Router(config-route-map)# end
```
The following example shows a set ip global command that specifies that the router should use the next hop address 10.0.0.1 in the global routing table:
```
Router(config-route-map)# set ip global next-hop 10.0.0.1
```
Related Topic | Document Title |
---|---|
MPLS commands: complete command syntax, command modes, command history, defaults, usage guidelines, and examples | Cisco IOS Multiprotocol Label Switching Command Reference |
IP access list commands | Cisco IOS Security Command Reference |
Standard | Title |
---|---|
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. | -- |
MIB | MIBs Link |
---|---|
No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature. | To locate and download MIBs for selected platforms, Cisco software releases, and feature sets, use Cisco MIB Locator found at the following URL: |
RFC | Title |
---|---|
No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature. | -- |
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Table 1. Feature Information for Multi-VRF Selection Using Policy-Based Routing

Feature Name | Releases | Feature Information |
---|---|---|
Multi-VRF Selection Using Policy-Based Routing (PBR) | 12.2(33)SRB1, 12.2(33)SXH1, 12.4(24)T | The Multi-VRF Selection Using Policy-Based Routing (PBR) feature allows a specified interface on a provider edge (PE) router to route packets to VPNs based on packet length or match criteria defined in an IP access list. This feature and the Directing MPLS VPN Traffic Using a Source IP Address feature can be configured together on the same interface. In 12.2(33)SRB1, this feature was introduced. In 12.2(33)SXH1, support was added. The following commands were modified: set ip global next-hop and set ip vrf next-hop. In 12.4(24)T, this feature was integrated. |
CE router--customer edge router. A router that is part of a customer network and that interfaces to a provider edge (PE) router.
Inherit-VRF routing--Packets arriving at a VRF interface are routed by the same outgoing VRF interface.
Inter-VRF routing--Packets arriving at a VRF interface are routed via any other outgoing VRF interface.
IP--Internet Protocol. Network layer protocol in the TCP/IP stack offering a connectionless internetwork service. IP provides features for addressing, type-of-service specification, fragmentation and reassembly, and security. Defined in RFC 791.
PBR--policy-based routing. PBR allows a user to manually configure how received packets should be routed.
PE router--provider edge router. A router that is part of a service provider's network and that is connected to a CE router. It exchanges routing information with CE devices by using static routing or a routing protocol such as BGP, RIPv1, or RIPv2.
VPN--Virtual Private Network. A collection of sites sharing a common routing table. A VPN provides a secure way for customers to share bandwidth over an ISP backbone network.
VRF--A VPN routing and forwarding instance. A VRF consists of an IP routing table, a derived forwarding table, a set of interfaces that use the forwarding table, and a set of rules and routing protocols that determine what goes into the forwarding table.
VRF-lite--A feature that enables a service provider to support two or more VPNs, where IP addresses can be overlapped among the VPNs.