-
null
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This chapter describes the tasks for configuring policy-based routing (PBR) on Catalyst 4500 series switches and includes these major sections:
A switch running the LAN Base license level supports PBR for IPv4 and IPv6.
Note For complete syntax and usage information for the switch commands used in this chapter, see the
Cisco IOS Command Reference Guides for the Catalyst 4500 Series Switch.
If a command is not in the Cisco Catalyst 4500 Series Switch Command Reference , you can locate it in the Cisco IOS Master Command List, All Releases.
Note To identify the hardware platform or software image information associated with a feature, use the Feature Navigator on Cisco.com, or refer to the software release notes for a specific release.
PBR gives you a flexible method of routing packets by allowing you to define policies for traffic flows, lessening reliance on routes derived from routing protocols. PBR gives you more control over routing by extending and complementing the existing mechanisms provided by routing protocols. PBR allows you to specify paths for certain traffic, such as priority traffic over a high-cost link.
You can set up PBR as a way to route packets based on configured policies. For example, you can implement routing policies to allow or deny paths based on the identity of a particular end system, or an application protocol. Enable PBR to provide the following advantages:
Some applications or traffic can benefit from source-specific routing; for example, you can transfer stock records to a corporate office on a higher-bandwidth, higher-cost link for a short time while sending routine application data, such as e-mail, over a lower-bandwidth, lower-cost link
Policies can be based on IP address, port numbers, or protocols. For a simple policy, use any one of these descriptors; for a complicated policy, all of them.
All packets received on an interface with PBR enabled (except those sent directly to the switch IP) are handled by enhanced packet filters known as route maps. The route maps dictate the policy that determines where the packets are forwarded.
Route maps contain statements that can be marked as permit or deny. They are interpreted in the following ways:
You can implement PBR by applying a route map on an incoming interface. A given interface can have only one route-map configured. A route map is configured at the global configuration parser mode. You can then apply this route map on one or more interfaces (in the interface configuration parser sub-mode).
Each route map statement contains match and set commands. The match command denotes the match criteria to be applied on the packet data. The set command denotes the PBR action to be taken on the packet.
The following example shows a single route map called rm-test and six route map statements:
The numbers 21, 22,... 26 are the sequence numbers of the route-map statements.
When a packet is received on an interface configured with a route map, the forwarding logic processes each route map statement according to the sequence number.
If the route map statement encountered is a route-map... permit statement:
If the route map statement encountered is a route-map... deny statement:
Note The set command has no effect inside a route-map... deny statement.
A route map statement can have multiple set commands that are applied in the following priority:
set ip next-hop verify-availability
If both the set ip next-hop and set ip next-hop recursive commands are present in the same route-map statement, the next-hop set command is applied.
If the set ip next-hop command is not available then the set ip next-hop recursive command is applied.
If the set ip recursive-next-hop and the set interface command are not present, then the packet is routed using the default routing table; it is not dropped. If the packet is required to be dropped, use the set next-hop recursive command followed by a set interface null0 configuration command.
If multiple equal-cost routes to the subnet have been configured by the set ip next-hop recursive command, load balancing will occur only if all the adjacencies to the routes are resolved. If any of the adjacencies have not been resolved, then load balancing will not happen and only one of the routes whose adjacency is resolved will be used. If none of the adjacencies are resolved, then packets will be processed in software, resulting in at least one of the adjacencies to be resolved and programmed in hardware. PBR relies on routing protocols or other means to resolve all adjacencies and make load balancing happen.
Access Control Lists (ACLs) define the allowed match criteria for packets. Each ACL is applied to incoming packets in a certain order, stopping only when the packet characteristics match the ACL being applied. Unlike policy maps, route maps do not support the "match any" match semantics.
IPv6 packets are matched via a match ipv6 address statement in the associated PBR route-map. IPv6 PBR requires IPv6 ACL, although the statement may specify either an IPv6 ACL or an IPv6 Prefixlist,
Consider a route map called rm-test defined as follows:
– Matches ACL 101 in sequence #21.
– PBR is switched through next-hop 21.1.1.1.
Note ACL 101 is also matched in sequence #23, but the processing doesn't reach that point
– In sequence #21, the ACL 101 action denies this packet (because all ACLs have an implicit deny). Processing advances to sequence #22.
– In sequence #22, ACL 102 matches TCP port 102, but the ACL action is deny. Processing advances to sequence #23.
– In sequence #23, ACL 2102 matches TCP port 102, and the ACL action is permit.
– Packet is switched to output interface VLAN 23.
– Processing moves from sequence #21 to #24, because all ACLs in these sequence numbers have a deny action for port 105.
– In sequence #25, ACL 105 has a permit action for TCP port 105.
– The route-map deny command takes effect, and the packet is routed using the default IP routing table.
The Catalyst 4500 series switch supports matching route map actions with a packet by installing entries in the TCAM that match the set of packets described by the ACLs in the match criteria of the route map. These TCAM entries point at adjacencies that either perform the necessary output actions or forward the packet to software if either hardware does not support the action or its resources are exhausted.
If the route map specifies a set interface … action, packets that match the match statement are routed in the software. Some packets may be dropped. Similarly, if the route-map specifies a set default interface… action and there is no matching IP route for the packet, the packet is routed in the software.
Note The scale of hardware-based PBR is determined by the TCAM size and the time required for the CPU to flatten the ACL before programming into the hardware. The time take to flatten the ACL increases when a PBR policy requires a considerable number of route-maps. For example, a PBR policy of 1,200 route-maps (each containing ACLs with permit ACEs only) may require 6-7 minutes of flatten time before programming into hardware. This process may repeat if an adjacency change requires PBR reprogramming.
Beginning in Cisco IOS XE Release 3.8.0E and Cisco IOS Release 15.2(4)E, you can configure Policy-Based Routing (PBR) to use object tracking, to verify the most viable next-hop IP address to which to forward packets, using an Internet Control Message Protocol (ICMP) ping as the verification method. PBR used with object tracking is most suitable for devices that have multiple Ethernet connections as the next hop. Normally, Ethernet interfaces connect to digital subscriber line (DSL) modems or cable modems, and do not detect a failure upstream in the ISP broadband network. The Ethernet interface remains up, and any form of static routing points to that interface. Using PBR with object tracking allows you to back-up two Ethernet interfaces, determine the interface that is available by sending ICMP pings to verify if the IP address can be reached, and then route traffic to that interface.
To verify the next-hop IP address for the device, PBR informs the object tracking process that it is interested in tracking a certain object. The tracking process, in turn, informs PBR when the state of the object changes.
The set next-hop verify-availability command is not supported with the following:
Virtual routing and forwarding (VRF) allows multiple routing instances in Cisco software. Beginning in Cisco IOS Release XE 3.7 0E and IOS 15.2(3)E, the Policy-Based Routing (PBR) feature is VRF-aware and works on multiple routing instances, beyond the default or global routing table.
Incoming packets are filtered through the match criteria that are defined in the route map. After a successful match occurs, the set command configuration determines the VRF through which outbound packets are policy routed.
The Policy-Based Routing feature supports inherit-VRF, inter-VRF, and VRF-to-global routing.
With inherit-VRF, packets arriving at a virtual routing and forwarding (VRF) interface are routed, by looking-up the same VRF’s routing table.
With inter-VRF routing, packets arriving at a VRF interface are routed, by looking-up a different VRF’s routing table, as specified by the set command.
With VRF-to-global routing, packets arriving at a VRF interface are routed via the global routing table.
With global-to-VRF routing, packets arriving at the global interface (an interface that is not part of a VRF) are routed via a VRF routing table.
– on interfaces that belong to different VRFs
– on one VRF interface and another global interface (an interface that is not part of a VRF).
To configure PBR, perform the tasks described in the following sections. The task in the first section is required; the tasks in the remaining sections are optional. For configuration examples, see the “Policy-Based Routing Configuration Examples” section.
To enable PBR, you must create a route map that specifies the match criteria and the resulting action if all of the match clauses are met. Then you must apply that route-map on a particular interface. All packets arriving on the specified interface matching the match clauses are subject to PBR.
To enable IPv4 PBR on an interface, perform this task:
|
|
|
---|---|---|
Switch(config)# route-map map-tag [ permit | deny ] [ sequence-number ] |
Defines a route map to control where packets are sent. This command puts the switch into route-map configuration mode. |
|
Switch(config-route-map)# match ip address { access-list-number | name } [...access-list-number | name ] |
Specifies the match criteria. The match criteria take the form of one or more Standard or Extended IP access-lists. The access-lists can specify the source and destination IP addresses, protocol types, and port numbers. |
|
Switch(config-route-map)# set ip next-hop ip-address [... ip-address ] |
Specifies the next-hop IP address to which matching packets are sent. The next-hop IP address specified here must belong to a subnet that is directly connected to this switch. If more than one next-hop IP address is specified, the first usable next-hop is chosen for routing matching packets. If the next-hop is (or becomes) unavailable for some reason, the next one in the list is chosen. |
|
Switch(config-route-map)# set ip next-hop verify-availability [ next-hop-address-sequence track object ] |
(Optional) Configures the route map to verify the reachability of the tracked object. Note This option is not supported for IPv6 traffic. For information about defining new tracked object, see Verifying Next-Hop IP using Object Tracking |
|
Switch(config-route-map)# set ip next-hop recursive ip-address |
Specifies a recursive next-hop IP address. Note The recursive next-hop can be a subnet that is not directly connected. The set ip next-hop recursive command does not ensure that packets are routed through the recursive-next-hop if there is an intermediate node with a shorter route to the destination such that the route does not pass through the recursive-next-hop. |
|
Switch(config-route-map)# set interface interface-type interface-number |
Specifies the output interface from which the packet will be sent. This action specifies that the packet is forwarded out of the local interface. The interface must be a Layer 3 interface (not a switchport). Packets are forwarded on the specified interface only if one of the following conditions is met:
If the destination IP address on the packet does not meet either of these conditions, the packet is dropped. This action forces matching packets to be switched in software.k |
|
Switch(config-route-map)# set ip default next-hop ip-address [... ip-address ] |
Sets next hop to which to route the packet if there is no explicit route for the destination IP address in the packet. Before forwarding the packet to the next hop, the switch looks up the packet’s destination address in the unicast routing table. If a match is found, the packet is forwarded by way of the routing table. If no match is found, the packet is forwarded to the specified next hop. |
|
Switch(config-route-map)# set default interface interface-type interface-number [... type...number ] |
Specifies the output interface from which the packet will be sent if there is no explicit route for this destination. Before forwarding the packet to the next hop, the switch looks up the packet’s destination address in the unicast routing table. If a match is found, the packet is forwarded by using the routing table. If no match is found, the packet is forwarded to the specified output interface. Packets are forwarded on the specified interface only if one of the following conditions is met:
If the destination IP address on the packet does not meet either of these conditions, the packet is dropped. This action forces matching packets to be switched in software. |
|
Switch(config-route-map)# interface interface-type interface-number |
Specifies the interface. This command puts the switch into interface configuration mode. |
|
Identifies the route map to use for PBR. One interface can only have one route map tag, but you can have multiple route map entries with different sequence numbers. These entries are evaluated in sequence number order until the first match. If no match exists, packets are routed as usual. |
Use the set commands with each other. These commands are evaluated in the order shown in Step 3 in the previous task table. A usable next hop implies an interface. Once the local switch finds a next hop and a usable interface, it routes the packet.
Refer to the section Policy-Based Routing Configuration Examples for examples of IPv4 PBR.
Use the show route-map map-tag command to display the existing route map.
Note Packet and byte counters in the output of the show route-map map-tag command are not updated.
Note With IOS XE 3.6.0E and IOS 15.2(2)E, IPv6 PBR is not supported on Supervisor Engine 8-E.
To enable PBR, you must create a route map that specifies the match criteria and the resulting action if all of the match clauses are met. Then you must apply that route-map on a particular interface. All packets arriving on the specified interface matching the match clauses are subject to PBR.
To enable IPv6 PBR on an interface, perform this task:
Note The recursive option is supported for IPv4, but not for IPv6. An interface can have either an ipv4 route map or an ipv6 route map. An interface can be bound to only one route map.
Use the set commands with each other. These commands are evaluated in the order shown in Step 3 in the previous task table. A usable next hop implies an interface. Once the local switch finds a next hop and a usable interface, it routes the packet.
Refer to the following document for IPv6 PBR configuration examples.
http://www.cisco.com/c/en/us/support/docs/ip/ip-version-6-ipv6/112218-policy-based-routing-ipv6-configex.html
Note Packet and byte counters in the output of the show route-map map-tag command are updated only for software switched packets. Counters for hardware switched packets are not updated.
Packets that are generated by the switch are not normally policy-routed. To enable local PBR for such packets, indicate which route map the switch should use by entering this command:
|
|
---|---|
|
|
---|---|
All packets originating on the switch are then subject to local PBR.
Use the show ip local policy command to display the route map used for local PBR, if one exists.
To enable PBR for multiple routing instances, configure your device in the following way:
To verify the PBR configuration for VRF instances, enter the following steps in any order:
|
|
|
---|---|---|
Switch# show ip access list [access-list-number |access-list-name] |
Displays the subnet ranges defined as match criteria in the standard access lists. |
|
The following example shows you how to configure PBR for VRF instances:
To verify the next-hop IP address using PBR with Object Tracking, perform the following steps:
Note The set ip next-hop verify-availability command is not supported on VRF instances, on a virtual switching system (VSS), and with IPv6 traffic.
The following example shows you how to verify the next-hop IP address in a route map:
The following PBR commands in config-route-map mode are in the CLI but not supported in Cisco IOS for the Catalyst 4500 series switches. If you attempt to use these commands, an error message displays:
The following sections provide PBR configuration examples:
For information on how to configure policy-based routing, see the section “Policy-Based Routing Configuration Tasks” in this chapter.
The following example provides two sources with equal access to two different service providers. Packets arriving on interface fastethernet 3/1 from the source 10.1.1.1 are sent to the switch at 6.6.6.6 if the switch has no explicit route for the destination of the packet. Packets arriving from the source 2.2.2.2 are sent to the switch at 7.7.7.7 if the switch has no explicit route for the destination of the packet. All other packets for which the switch has no explicit route to the destination are discarded.
Note If the packets you want to drop do not match either of the first two route-map clauses, then change |
set default interface null0 to set interface null0.
The following example illustrates how to route traffic from different sources to different places (next hops). Packets arriving from source 10.1.1.1 are sent to the next hop at 3.3.3.3; packets arriving from source 2.2.2.2 are sent to the next hop at 3.3.3.5.
The following example illustrates how to stop processing a given route map sequence, and to jump to the next sequence. Packets arriving from source 10.1.1.1 skip sequence 10 and jump to sequence 20. All other packets from subnet 10.1.1.0 follow the set statement in sequence 10.
The following show command illustrates that route map pbrv6-test has only one permit sequence.
In the example policy, IPv6 packets with an address matching the criteria defined by the access control list v6_acl are forwarded to the next hop 2006::2. If next-hop 2006::2 is unreachable, the matching packets are forwarded to 2005::2. If both next-hops are unreachable, the packets are forwarded using the routing table lookup. For packets that do not match the filter criteria, a standard routing table lookup is performed for packet forwarding.