Routing Configuration Guide for Cisco 8000 Series Routers, Cisco IOS XR Release


ePBR on BVI


Explains how enhanced policy-based routing on Bridge Virtual Interfaces applies ingress security policies and traffic steering to Layer 2 traffic before Layer 3 routing.


Enhanced Policy-Based Routing (ePBR) on Bridge Virtual Interface (BVI) is a routing feature that

  • applies ingress security policies and traffic steering to Layer 2 traffic entering a Provider Edge (PE) router through a BVI

  • processes packets before they are routed to a Layer 3 interface, and

  • provides granular control over traffic handling through dedicated redirect, drop, and transmit actions.

Table 1. Feature History Table

Feature Name: ePBR on BVI

Release Information: Release 26.1.1

Feature Description: Introduced in this release on: Fixed Systems (8200 [ASIC: P100], 8700 [ASIC: P100, K100]) (select variants only*); Centralized Systems (8400 [ASIC: K100]) (select variants only*); Modular Systems (8800 [LC ASIC: P100]) (select variants only*)

You can ensure secure and efficient traffic handling at the network ingress by applying ePBR policies directly to the BVI. This feature allows the Cisco IOS XR software to intercept and steer inbound Layer 2 traffic before it transitions to Layer 3 routing.

*This feature is supported on:

  • 8212-48FH-M

  • 8404-SYS-D

  • 8711-32FH-M

  • 8711-48Z-M

  • 8712-MOD-M

  • 88-LC1-36EH

  • 88-LC1-52Y8H-EM

  • 88-LC1-12TH24FH-E

The ePBR on BVI feature allows you to apply ingress security policies and traffic steering to Layer 2 traffic entering a PE router from a VPN through a BVI before it is routed to a Layer 3 interface.

By applying ePBR policies to a BVI, you can:

  • Redirect: Forward traffic to a specific next-hop, bypassing the standard routing table.

  • Drop: Discard malicious or unauthorized traffic at the ingress interface.

  • Transmit: Explicitly permit traffic to follow standard routing table lookups.

For more information on ePBR, see ePBR drop and transmit actions.


Limitations for ePBR on BVI


How ePBR on BVI works

In a PE environment, managing Layer 2 traffic from customer VPNs requires granular control before the traffic transitions to Layer 3 routing. Applying ePBR directly to the BVI allows the system to intercept and steer this traffic according to the configured policy.

Summary

Consider a topology where the PE router connects CE devices to the core network using a BVI as the Layer 3 gateway.

  • CE1 and CE2 : Customer edge devices.

    • CE1 : Source router in VPN1 with IP address 3.0.0.4.

    • CE2 : Source router in VPN2 with IP address 3.0.0.9.

  • PE1 : Provider edge router.

  • Core : Core router with IP address 5.0.0.2.

  • BVI20 : The routed interface with IP address 3.0.0.8 on PE1 that acts as the gateway for Bridge Group BG1 and Bridge Domain BD1.

  • BVI-INBOUND-PBR_POLICY : The service policy "BVI-INBOUND-PBR_POLICY" is configured on the BVI20 interface on PE1 to define specific actions, such as transmit, drop, and redirect, which manage inbound traffic from the CEs before it reaches the core router.

Workflow

Figure 1. Network topology for ePBR on BVI

These stages describe how Cisco IOS XR software manages inbound traffic steering and filtering on a BVI using ePBR:

  1. A CE device (CE1 or CE2) sends an inbound packet containing Ethernet, VLAN, and IP headers to the PE1 router through the Layer 2 bridge domain.
  2. The Cisco IOS XR software receives the packet and directs it to the BVI20 interface for Layer 3 processing.
  3. The Cisco IOS XR software evaluates the packet against the BVI-INBOUND-PBR_POLICY attached to the BVI.
  4. Based on the policy match, the Cisco IOS XR software performs one of the following actions:

    • If the packet matches the transmit class, the software transmits the packet normally using standard routing lookups.

    • If the packet matches the drop class, the software discards the packet at the ingress interface.

    • If the packet matches the redirect class, the software steers the packet to the core next-hop at IP 5.0.0.2.

  5. If the packet does not match any specific class, the Cisco IOS XR software applies the class-default action and forwards the traffic according to the standard routing table.

Result

The ePBR process results in the automated filtering and steering of inbound Layer 2 traffic, ensuring that packets are handled according to security and traffic engineering policies before they reach the network core.
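The stages above, modelled as an added Python example (not Cisco code): a match-all class-map matches only when every configured criterion holds, the policy-map is walked in class order, and unmatched packets fall to class-default. ipv4_CM3 carries the criteria from the configuration section; the criteria for ipv4_CM1 and ipv4_CM2 and the sample packets are assumed for the example, and TCP flags are compared as an exact byte (the tcp_flags_mask 255 shown in the verification output).

```python
import ipaddress

# Added model of the ePBR ingress decision on BVI20; not Cisco code.
class ClassMap:
    def __init__(self, name, **criteria):
        self.name = name
        self.criteria = criteria      # keys: src, dst (prefixes), proto, sport, dport, flags

    def matches(self, pkt):
        # "match-all": every configured criterion must hold; absent criteria are wildcards
        for key, want in self.criteria.items():
            have = pkt.get(key)
            if key in ("src", "dst"):
                if have is None or ipaddress.ip_address(have) not in ipaddress.ip_network(want):
                    return False
            elif have != want:
                return False
        return True

# Policy-map entries in configured order; first match wins, class-default catches the rest.
# ipv4_CM3 follows the page's class-map; CM1/CM2 criteria are assumed for this example.
POLICY = [
    (ClassMap("ipv4_CM1", dst="201.0.1.0/24"), ("redirect", "192.0.1.2")),
    (ClassMap("ipv4_CM2", proto=6, dport=23), ("drop", None)),
    (ClassMap("ipv4_CM3", src="192.1.1.0/24", dst="201.0.3.0/24", proto=6,
              sport=1024, dport=1024, flags=0x10), ("transmit", None)),
]
CLASS_DEFAULT = ("transmit", None)

def apply_policy(pkt, policy=POLICY):
    """Return (class name, action, action argument) applied to an inbound packet."""
    for cmap, (action, arg) in policy:
        if cmap.matches(pkt):
            return cmap.name, action, arg
    return ("class-default",) + CLASS_DEFAULT

# Constructed sample packets entering BVI20 from the bridge domain (hypothetical values).
SAMPLES = {
    "to_core_subnet": {"src": "192.1.1.5", "dst": "201.0.1.9", "proto": 6, "sport": 1024, "dport": 1024, "flags": 0x10},
    "telnet_attempt": {"src": "192.1.1.5", "dst": "201.0.3.7", "proto": 6, "sport": 40000, "dport": 23, "flags": 0x02},
    "ack_only_1024":  {"src": "192.1.1.5", "dst": "201.0.3.7", "proto": 6, "sport": 1024, "dport": 1024, "flags": 0x10},
    "psh_ack_1024":   {"src": "192.1.1.5", "dst": "201.0.3.7", "proto": 6, "sport": 1024, "dport": 1024, "flags": 0x18},
    "icmp_from_ce1":  {"src": "3.0.0.4", "dst": "5.0.0.2", "proto": 1},
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(f"{label:15} -> {apply_policy(pkt)}")
```

The psh_ack_1024 packet differs from ipv4_CM3 only in the flag byte, so match-all sends it to class-default rather than the transmit class.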


Configure ePBR on BVI

Perform the following steps to configure ePBR on BVI:

Procedure

1.

Configure the BVI interface on the local PE1 to establish the Layer 3 gateway for customer VPN traffic.

Example:

Router# configure
Router(config)# interface BVI20
Router(config-if)# ipv4 address 3.0.0.8 255.255.255.0
Router(config-if)# commit
2.

Configure the bridge domain and associate physical interfaces with the BVI to enable routing between the Layer 2 domain and the Layer 3 network.

Example:

Router# configure
Router(config)# l2vpn
Router(config-l2vpn)# bridge group bg1
Router(config-l2vpn-bg)# bridge-domain bd1
Router(config-l2vpn-bg-bd)# interface FourhundredGigE0/1/0/27
Router(config-l2vpn-bg-bd-ac)# interface FourhundredGigE0/0/0/8
Router(config-l2vpn-bg-bd-ac)# routed interface BVI20
Router(config-l2vpn-bg-bd-bvi)# commit
3.

Configure a point-to-point pseudowire connection with an xconnect group and neighbor specification on remote PE2 to establish a seamless Layer 2 VPN link between local PE1 and remote PE2.

Example:

Router# configure
Router(config)# l2vpn
Router(config-l2vpn)# xconnect group phy
Router(config-l2vpn-xc)# p2p p1
Router(config-l2vpn-xc-p2p)# interface FourhundredGigE0/0/0/7
Router(config-l2vpn-xc-p2p)# interface FourhundredGigE0/0/0/11.1
Router(config-l2vpn-xc-p2p)# commit
4.

Configure the traffic class or classmap for IPv4 and IPv6 to identify the traffic based on specific criteria.

Example:

The following is an example of classmap for IPv4:
Router(config)# class-map type traffic match-all ipv4_CM3
Router(config-cmap)# match destination-address ipv4 201.0.3.1 255.255.255.0
Router(config-cmap)# match source-address ipv4 192.1.1.0 255.255.255.0
Router(config-cmap)# match protocol tcp
Router(config-cmap)# match destination-port 1024
Router(config-cmap)# match source-port 1024
Router(config-cmap)# match tcp-flag 0x10
Router(config-cmap)# match access-group ipv4 ipv4_acl_3
Router(config-cmap)# match flow-tag 20
Router(config-cmap)# end-class-map

Example:

The following is an example of classmap for IPv6:
Router(config)# class-map type traffic match-all ipv6_CM1
Router(config-cmap)# match destination-address ipv6 2001:0:0:1::1/64
Router(config-cmap)# match source-address ipv6 1111::1:0/120
Router(config-cmap)# match protocol tcp
Router(config-cmap)# match destination-port 1024
Router(config-cmap)# match source-port 1024
Router(config-cmap)# match tcp-flag 0x10
Router(config-cmap)# match access-group ipv6 ipv6_acl
Router(config-cmap)# match flow-tag 10
Router(config-cmap)# end-class-map
5.

Create the ePBR policy-map for IPv4 and IPv6 to define the actions such as redirect, drop, or transmit for the classified traffic.

Example:

The following is an example of ePBR policy-map for IPv4:
Router(config)# policy-map type pbr BVI-INBOUND-PBR_POLICY
Router(config-pmap)# class type traffic ipv4_CM1
Router(config-pmap-c)# redirect ipv4 nexthop 192.0.1.2
Router(config-pmap-c)# exit
Router(config-pmap)# class type traffic ipv4_CM2
Router(config-pmap-c)# drop
Router(config-pmap-c)# exit
Router(config-pmap)# class type traffic ipv4_CM3
Router(config-pmap-c)# transmit
Router(config-pmap-c)# exit
Router(config-pmap)# class type traffic class-default
Router(config-pmap-c)# transmit
Router(config-pmap-c)# commit
Router(config-pmap)# end-policy-map

Example:

The following is an example of ePBR policy-map for IPv6:
Router(config)# policy-map type pbr BVI-INBOUND-PBR_POLICY
Router(config-pmap)# class type traffic ipv6_CM1
Router(config-pmap-c)# redirect ipv6 nexthop 2001:101::2
Router(config-pmap-c)# exit
Router(config-pmap)# class type traffic ipv6_CM2
Router(config-pmap-c)# drop
Router(config-pmap-c)# exit
Router(config-pmap)# class type traffic ipv6_CM3
Router(config-pmap-c)# transmit
Router(config-pmap-c)# exit
Router(config-pmap)# class type traffic class-default
Router(config-pmap-c)# transmit
Router(config-pmap-c)# commit
Router(config-pmap)# end-policy-map
6.

Attach the policy to the BVI interface to enforce traffic steering and security rules on inbound packets.

Example:

Router# configure
Router(config)# interface BVI20
Router(config-if)# service-policy type pbr input BVI-INBOUND-PBR_POLICY
Router(config-if)# commit
7.

Run these commands to verify the policies:

  1. Run the show interfaces BVI1 accounting command to verify interface statistics.

    Example:

    Router# show interface BVI1 accounting
    BVI1
      Protocol              Pkts In         Chars In     Pkts Out        Chars Out
      ARP                         0                0            2               84
      IPV6_ND                     0                0           35             3544
    
  2. Run the show controllers npu stats traps-all instance all location all command to verify the NPU drop counters.

    Example:

    Router# show controllers npu stats traps-all instance all location all
    Trap Type                                     NPU  Trap  Punt       Punt  Punt  Punt Configured Hardware   Policer Avg-Pkt Packets              Packets
                                                  ID   ID    Dest       VoQ   VLAN  TC   Rate(pps)  Rate(pps)  Level   Size    Accepted             Dropped
    ====================================================================================================================================================================
    L3_ACL_DROP(D)                                0    106  NPU_DROP    ---   ---   ---  ---------- ---------- ---     N/A     0                    0
    
  3. Run the show ofa objects ip4pbr location or show ofa objects ip6pbr location command to verify PBR programming.

    Example:

    The following example displays the show ofa objects ip4pbr location command output:

    Router# show ofa objects ip4pbr location
    ip4pbr element 0 (hdl:0x309826b098):
      base
      |-- dpd_slf -   pending(cr/up/dl):0/0/0, sibling:0x3094b99c78, child:0, num_parents:1, visits:0
       color_mask:0, last_bwalk_id:0 num_bwalks_started:0
      |-- flag - 4000
          |-- flag.is_fwalk_true - 0x1
      |-- keylen - 77
      |-- trans_id - 88551
      |-- create_trans_id - 88499
      |-- obj_handle - 0x309826b098
      |-- obj_rc - 0x0
      |-- reason - 0
      |-- table_operation - 6
      |-- total_obj_size - 600
      |-- idempotent - 0
      |-- inflight - 0
      |-- table_prop - jid=258 mtime=(UTC)2025.Oct.22 13:36:45.811468
      |--  (cont'd)  - replayed=0times
      `-- obj_rc - 0:Success
      ofa_npu_mask_t npu_mask => 1 
     @uint32_t npu_id => 0
     @ofa_policymap_name_t policymap_name => BVI-INBOUND-PBR_POLICY:0
      uint32_t pbr_acl_id => 1
     @uint32_t ace_seq_num => 0
     @uint32_t entry_index => 0
      dpa_ip_addr_t src_ip_addr => 192.1.1.0
      dpa_ip_mask_t src_ip_mask => 255.255.255.0
      dpa_ip_addr_t dest_ip_addr => 201.0.1.1
      dpa_ip_mask_t dest_ip_mask => 255.255.255.0
      uint8_t tcp_flags => 16
      uint8_t tcp_flags_mask => 255
      dpa_l4_port_t src_port => 1024
      dpa_l4_port_mask_t src_port_mask => 65535
      dpa_l4_port_t dest_port => 1024
      dpa_l4_port_mask_t dest_port_mask => 65535
      dpa_port_range_info src_port_range => (not set)
      dpa_port_range_info dest_port_range =>     0/0    
      uint8_t proto => 6
      uint8_t proto_mask => 255
      uint8_t flowtag => 10
      uint8_t flowtag_mask => 63
      uint8_t forward_class_id => (not set)
      uint8_t mark_dscp => (not set)
      uint8_t match_dscp => (not set)
      uint64_t transportnh_id => 1
      ofa_bool_t is_acl_delete => (not set)
      ofa_pbr_priority_t priority_str => 
      dpa_pbr_class_name_st class_name => (not set)
      uint64_t nhg_id_match => (not set)
      uint64_t gid_match => (not set)
      uint64_t redirect_nhg_id => (not set)
      uint64_t redirect_gid => (not set)
      uint64_t rule_id => (not set)
      ofa_bool_t last_entry => (not set)
      ofa_bool_t is_drop => (not set)
      ofa_bool_t is_transmit => (not set)
      dpa_npu_mask_t npu_bmap => 4
      dpa_transportnh_hdl_t transportnh_refhdl => (not set)
      transportnh_obj.refs_union => transportnh
      transportnh_obj.transportnh.refkey dpa_transportnh_id_t transportnh_id => (not set)
      transportnh_obj.transportnh.refhdl => 0x30983a0098

    The above sample displays only a part of the actual output; the actual output displays more details.
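To turn the show ofa objects ip4pbr output into an actual check, this added Python example (not Cisco code) parses the "type name => value" lines into a dictionary, translates the programmed entry back into class-map match notation, and lists every intended criterion that differs. The excerpt is constructed from the sample output above; the intended values are the ipv4_CM3 criteria from the configuration steps.

```python
import re

# Constructed excerpt of the "show ofa objects ip4pbr location" output shown above.
SAMPLE_OUTPUT = """\
ip4pbr element 0 (hdl:0x309826b098):
 @ofa_policymap_name_t policymap_name => BVI-INBOUND-PBR_POLICY:0
  dpa_ip_addr_t src_ip_addr => 192.1.1.0
  dpa_ip_mask_t src_ip_mask => 255.255.255.0
  dpa_ip_addr_t dest_ip_addr => 201.0.1.1
  dpa_ip_mask_t dest_ip_mask => 255.255.255.0
  uint8_t tcp_flags => 16
  dpa_l4_port_t src_port => 1024
  dpa_l4_port_t dest_port => 1024
  uint8_t proto => 6
  uint8_t flowtag => 10
  ofa_bool_t is_drop => (not set)
"""
FIELD_RE = re.compile(r"^\s*@?\S+\s+(\w+)\s+=>\s*(.*?)\s*$")

def parse_ofa_pbr(text):
    """Collect 'type name => value' lines into {name: value}; '(not set)' becomes None."""
    fields = {}
    for m in filter(None, map(FIELD_RE.match, text.splitlines())):
        name, value = m.groups()
        fields[name] = None if value == "(not set)" else value
    return fields

def programmed_match(fields):
    """Translate the programmed entry back into class-map 'match' notation."""
    return {
        "policy-map": fields.get("policymap_name", "").split(":")[0],
        "source-address": f"{fields.get('src_ip_addr')} {fields.get('src_ip_mask')}",
        "destination-address": f"{fields.get('dest_ip_addr')} {fields.get('dest_ip_mask')}",
        "protocol": {"6": "tcp", "17": "udp"}.get(fields.get("proto"), fields.get("proto")),
        "tcp-flag": hex(int(fields["tcp_flags"])) if fields.get("tcp_flags") else None,
        "source-port": fields.get("src_port"),
        "destination-port": fields.get("dest_port"),
        "flow-tag": fields.get("flowtag"),
    }

# What the operator intended: the ipv4_CM3 class-map from step 4 under the policy attached in step 6.
INTENDED_CM3 = {"policy-map": "BVI-INBOUND-PBR_POLICY", "source-address": "192.1.1.0 255.255.255.0",
                "destination-address": "201.0.3.1 255.255.255.0", "protocol": "tcp", "tcp-flag": "0x10",
                "source-port": "1024", "destination-port": "1024", "flow-tag": "20"}

def mismatches(fields, intended):
    """Names of intended criteria whose programmed value differs (empty list means verified)."""
    got = programmed_match(fields)
    return [k for k, v in intended.items() if got.get(k) != v]
```

Against the excerpt, the destination address and flow-tag differ from ipv4_CM3, which is expected because that entry belongs to another class of the same policy-map; a clean result for the entry you are checking is an empty list.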