-
null
- About Policy-Based Routing
- Licensing Requirements for Policy-Based Routing
- Prerequisites for Policy-Based Routing
- Guidelines and Limitations
- Default Settings
- Configuring Policy-Based Routing
- Verifying the Policy-Based Routing Configuration
- Configuration Examples for Policy-Based Routing
- Related Documents
Configuring Policy-Based Routing
This chapter describes how to configure policy-based routing on the Cisco NX-OS device.
This chapter includes the following sections:
- About Policy-Based Routing
- Licensing Requirements for Policy-Based Routing
- Prerequisites for Policy-Based Routing
- Guidelines and Limitations
- Default Settings
- Configuring Policy-Based Routing
- Verifying the Policy-Based Routing Configuration
- Configuration Examples for Policy-Based Routing
- Related Documents
About Policy-Based Routing
With policy-based routing, you can configure a defined policy for IPv4 and IPv6 traffic flows that lessens the reliance on routes derived from routing protocols. All packets received on an interface with policy-based routing enabled are passed through enhanced packet filters or route maps. The route maps dictate the policy that determines where to forward packets.
Policy-based routing includes the following features:
- Source-based routing—Routes traffic that originates from different sets of users through different connections across the policy routers.
- Quality of Service (QoS)—Differentiates traffic by setting the precedence or type of service (ToS) values in the IP packet headers at the periphery of the network and leveraging queuing mechanisms to prioritize traffic in the core or backbone of the network (see the Cisco Nexus 9000 Series NX-OS Quality of Service Configuration Guide).
- Load sharing—Distributes traffic among multiple paths based on the traffic characteristics.
Policy Route Maps
Each entry in a route map contains a combination of match and set statements. The match statements define the criteria for whether appropriate packets meet the particular policy (that is, the conditions to be met). The set clauses explain how the packets should be routed once they have met the match criteria.
You can mark the route-map statements as permit or deny. You can interpret the statements as follows:
- If the statement is marked as permit and the packets meet the match criteria, the set clause is applied. One of these actions involves choosing the next hop.
- If a statement is marked as deny, the packets that meet the match criteria are sent back through the normal forwarding channels, and destination-based routing is performed.
- If the statement is marked as permit and the packets do not match any route-map statements, the packets are sent back through the normal forwarding channels, and destination-based routing is performed.
Note
Policy-based routing is specified on the interface that receives the packets, not on the interface from which the packets are sent.
Set Criteria for Policy-Based Routing
The Cisco Nexus 9000 Series switches support the following set commands for route maps used in policy-based routing:
These set commands are mutually exclusive within the route-map sequence.
In the first command, the IP address specifies the adjacent next-hop router in the path toward the destination to which the packets should be forwarded. The first IP address associated with a currently up connected interface is used to route the packets.
Note You can optionally configure this command for next-hop addresses to load balance traffic for up to 32 IP addresses. In this case, Cisco NX-OS sends all traffic for each IP flow to a particular IP next-hop address.
If the packets do not meet any of the defined match criteria, those packets are routed through the normal destination-based routing process.
Route-Map Processing Logic
When a packet is received on an interface that is configured with a route map, the forwarding logic processes each route-map statement according to the sequence number.
If the route-map statement encountered is a route-map...permit statement, the packet is matched against the criteria in the match command. This command may refer to an ACL that has one or more access control entries (ACEs). If the packet matches the permit ACEs in the ACL, the policy-based routing logic executes the action specified by the set command on the packet.
If the route-map statement encountered is a route-map... deny statement, the packet is matched against the criteria in the match command. This command may refer to an ACL that has one or more ACEs. If the packet matches the permit ACEs in the ACL, policy-based routing processing terminates, and the packet is routed using the default IP routing table.
Note The set command has no effect inside a route-map... deny statement.
- If the route-map configuration does not contain a match statement, the policy-based routing logic executes the action specified by the set command on the packet. All packets are routed using policy-based routing.
- If the route-map configuration references a match statement but the match statement references a non-existing ACL or an existing ACL without any access control entries (ACEs), the packet is routed using the default routing table.
- If the next-hop specified in the set {ip | ipv6} next-hop command is down, is not reachable, or is removed, the packet is routed using the default routing table.
Policy-Based Routing Filtering Options
You can identify traffic by using additional options. The following list includes most but not all additional filtering options.
Policy-based routing ACLs support the following additional filtering options:
- Layer 3 source and/or destination address
- TCP and UDP ports
- Precedence level*
- Differentiated Services Code Point (DSCP) value*
- TCP packets with the ACK, FIN, PSH, RST, SYN, or URG bit set*
- Established TCP connections*
- Packet length*
*Cisco Nexus 9508 switches with N9K-X9636C-R, N9K-X9636C-RX, and N9K-X9636Q-R line cards do not support these filtering options.
Licensing Requirements for Policy-Based Routing
The following table shows the licensing requirements for this feature:
Prerequisites for Policy-Based Routing
Guidelines and Limitations
Policy-based routing has the following configuration guidelines and limitations:
- A policy-based routing route map can have only one match statement per route-map statement.
- A policy-based routing route map can have only one set statement per route-map statement, unless you are using IP SLA policy-based routing. For information on IP SLA policy-based routing, see the Cisco Nexus 9000 Series NX-OS IP SLAs Configuration Guide.
Note Cisco Nexus 9508 switches with N9K-X9636C-R, N9K-X9636C-RX, and N9K-X9636Q-R line cards do not support IP SLA.
- A match command cannot refer to more than one ACL in a route map used for policy-based routing.
- The same route map can be shared among different interfaces for policy-based routing as long as the interfaces belong to the same virtual routing and forwarding (VRF) instance.
- Using a prefix list as a match criteria is not supported. Do not use a prefix list in a policy-based routing route map.
- Policy-based routing supports only unicast traffic. Multicast traffic is not supported.
- Policy-based routing is not supported with inbound traffic on FEX ports.
- Policy-based routing is not supported on FEX ports for Cisco Nexus 9300-EX Series switches.
- Only Cisco Nexus 9508 switches with N9K-X9636C-R, N9K-X9636C-RX, and N9K-X9636Q-R line cards support policy-based routing with Layer 3 port-channel subinterfaces.
- An ACL used in a policy-based routing route map cannot include deny access control entries (ACEs).
- Policy-based routing is supported only in the default system routing mode.
- The Cisco Nexus 9000 Series switches do not support the set vrf and set default next-hop commands.
- Policy-based routing traffic cannot be balanced if the next hop is recursive over ECMP paths. Instead, use the set {ip | ipv6} next-hop ip-address load-share command to specify the adjacent next hops.
- When you configure multiple features on an interface (such as PBR and ingress ACL), the ACLs for those features are merged for TCAM optimization. As a result, statistics are not supported.
- For PBR with VXLAN, the load-share keyword is not required.
Note Cisco Nexus 9508 switches with N9K-X9636C-R, N9K-X9636C-RX, and N9K-X9636Q-R line cards do not support policy-based routing with VXLAN.
- The Cisco Nexus 9000 Series switches support policy-based ACLs (PBACLs), also referred to as object-group ACLs. For more information, see the Cisco Nexus 9000 Series NX-OS Security Configuration Guide.
Note Cisco Nexus 9508 switches with N9K-X9636C-R, N9K-X9636C-RX, and N9K-X9636Q-R line cards do not support PBACLs.
- Cisco Nexus 9200 and 9300-EX Series switches support IPv4 and IPv6 policy-based routing. Cisco Nexus 9500 Series switches with the X9732C-EX line card support only IPv4 policy-based routing.
- Cisco Nexus 9500 Series switches with the X97xx-EX line cards support IPv4 (and not IPv6) policy-based routing.
- Cisco Nexus 9508 switches with N9K-X9636C-R, N9K-X9636C-RX, and N9K-X9636Q-R line cards support IPv4 and IPv6 policy-based routing. For these line cards, PBR policy has a higher priority over attached and local routes. Explicit white listing might be required if protocol neighbors are directly attached.
- The following guidelines and limitations apply to PBR over VXLAN EVPN:
– PBR over VXLAN EVPN is supported only for Cisco Nexus 9300-EX and 9300-FX platform switches.
– PBR over VXLAN EVPN does not support the following features: IP SLAs, VTEP ECMP, and the load-share keyword in the set {ip | ipv6} next-hop ip-address command.
Default Settings
Table 16-1 lists the default settings for policy-based routing.
|
|
|
|---|---|
Configuring Policy-Based Routing
This section includes the following topics:
Enabling the Policy-Based Routing Feature
You must enable the policy-based routing feature before you can configure a route policy.
SUMMARY STEPS
DETAILED STEPS
Configuring a Route Policy
You can use route maps in policy-based routing to assign routing policies to the inbound interface. Cisco NX-OS routes the packets as soon as it finds a next hop and an interface.
BEFORE YOU BEGIN
For switches other than the Cisco Nexus 9508 with N9K-X9636C-R, N9K-X9636C-RX, and N9K-X9636Q-R line cards, you must configure the IPv6 RACL TCAM region (using TCAM carving) before you apply the policy-based routing policy for IPv6 traffic. For instructions, see the “Configuring ACL TCAM Region Sizes” section in the Cisco Nexus 9000 Series NX-OS Security Configuration Guide.
Note The switch has an IPv4 RACL TCAM region by default for IPv4 traffic.
SUMMARY STEPS
3. {ip | ipv6} policy route-map map-name
4. route-map map-name [permit | deny] [seq]
5. match {ip | ipv6} address access-list-name name [name...]
6. (Optional) set ip next-hop address1 [address2...] [load-share] [ drop-on-fail ]
7. (Optional) set ipv6 next-hop address1 [address2...] [load-share] [ drop-on-fail ]
DETAILED STEPS
Verifying the Policy-Based Routing Configuration
To display the policy-based routing configuration information, perform one of the following tasks:
|
|
|
|---|---|
| Note Cisco Nexus 9508 switches with N9K-X9636C-R, N9K-X9636C-RX, and N9K-X9636Q-R line cards do not support PBR statistics. |
Use the route-map map-name pbr-statistics command to enable policy statistics. Use the clear route-map map-name pbr-statistics command to clear these policy statistics.
Configuration Examples for Policy-Based Routing
This example shows how to configure a simple route policy on an interface:
permit tcp host 10.1.1.1 host 192.168.2.1 eq 80
route-map pbr-sample pbr-statistics
ip policy route-map pbr-sample
The following output verifies this configuration:
switch# show route-map pbr-sample
route-map pbr-sample, permit, sequence 10
ip address (access-lists): pbr-sample
switch# show route-map pbr-sample pbr-statistics
route-map pbr-sample, permit, sequence 10
Policy routing matches: 84 packets
Related Documents
|
|
|
|---|---|
Feedback