- Preface
- Product Overview
- Command-Line Interfaces
- Configuring the Switch for the First Time
- Administering the Switch
- Configuring Virtual Switching Systems
- Configuring the Cisco IOS In-Service Software Upgrade Process
- Configuring the Cisco IOS XE In Service Software Upgrade Process
- Configuring Interfaces
- Checking Port Status and Connectivity
- Configuring Supervisor Engine Redundancy Using RPR and SSO on Supervisor Engine 6-E and Supervisor Engine 6L-E
- Configuring Supervisor Engine Redundancy Using RPR and SSO on Supervisor Engine 7-E, Supervisor Engine 7L-E, and Supervisor Engine 8-E
- Configuring Cisco NSF with SSO Supervisor Engine Redundancy
- Environmental Monitoring and Power Management
- Configuring Power over Ethernet
- Configuring the Catalyst 4500 Series Switch with Cisco Network Assistant
- Configuring VLANs, VTP, and VMPS
- Configuring IP Unnumbered Interface
- Configuring Layer 2 Ethernet Interfaces
- Configuring EVC-Lite
- Configuring Cisco IOS Auto Smartport Macros
- Configuring SmartPort Macros
- Configuring STP and MST
- Configuring Flex Links and MAC Address-Table Move Update
- Configuring Resilient Ethernet Protocol
- Configuring Optional STP Features
- Configuring EtherChannel and Link State Tracking
- Configuring IGMP Snooping and Filtering, and MVR
- Configuring IPv6 Multicast Listener Discovery Snooping
- Configuring 802.1Q Tunneling, VLAN Mapping, and Layer 2 Protocol Tunneling
- Configuring Cisco Discovery Protocol
- Configuring LLDP, LLDP-MED, and Location Service
- Configuring UDLD
- Configuring Unidirectional Ethernet
- Configuring Layer 3 Interfaces
- Configuring Cisco Express Forwarding
- Configuring Unicast Reverse Path Forwarding
- Configuring IP Multicast
- Configuring ANCP Client
- Configuring Bidirectional Forwarding Detection
- Configuring Policy-Based Routing
- Configuring VRF-lite
- Configuring Quality of Service
- Configuring Voice Interfaces
- Configuring Private VLANs
- Configuring MACsec Encryption
- Configuring 802.1X Port-Based Authentication
- Configuring the PPPoE Intermediate Agent
- Configuring Web-Based Authentication
- Configuring Wired Guest Access
- Configuring Port Security
- Configuring Auto Security
- Configuring Control Plane Policing and Layer 2 Control Packet QoS
- Configuring Dynamic ARP Inspection
- Configuring DHCP Snooping, IP Source Guard, and IPSG for Static Hosts
- Configuring DHCP Snooping, IP Source Guard, and IPSG for Static Hosts
- Configuring Network Security with ACLs
- Support for IPv6
- Port Unicast and Multicast Flood Blocking
- Configuring Storm Control
- Configuring SPAN and RSPAN
- Configuring Wireshark
- Configuring Enhanced Object Tracking
- Configuring System Message Logging
- Onboard Failure Logging (OBFL)
- Configuring SNMP
- Configuring NetFlow-lite
- Configuring Flexible NetFlow
- Configuring Ethernet OAM and CFM
- Configuring Y.1731 (AIS and RDI)
- Configuring Call Home
- Configuring Cisco IOS IP SLA Operations
- Configuring RMON
- Performing Diagnostics
- Configuring WCCP Version 2 Services
- Configuring MIB Support
- ROM Monitor
- Acronyms and Abbreviations
Catalyst 4500 Series Switch Software Configuration Guide, IOS XE 3.7.xE and IOS 15.2(3)Ex
Bias-Free Language
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
- Updated:
- April 15, 2020
Chapter: Configuring Policy-Based Routing
Configuring Policy-Based Routing
This chapter describes the tasks for configuring policy-based routing (PBR) on a Catalyst 4500 series switch and includes these major sections:
- Policy-Based Routing
- Policy-Based Routing Configuration Tasks
- Policy-Based Routing Configuration Examples
Note
For complete syntax and usage information for the switch commands used in this chapter, see the Cisco Catalyst 4500 Series Switch Command Reference and related publications at this location:
http://www.cisco.com/en/US/products/hw/switches/ps4324/index.html
If a command is not in the Catalyst 4500 Series Switch Command Reference, you can locate it in the Cisco IOS library. See related publications at this location:
http://www.cisco.com/en/US/products/ps6350/index.html
Note To identify the hardware platform or software image information associated with a feature, use the Feature Navigator on Cisco.com to search for information about the feature or refer to the software release notes for a specific release.
Policy-Based Routing
Policy-Based Routing (PBR) gives you a flexible method of routing packets by allowing you to define policies for traffic flows, lessening reliance on routes derived from routing protocols. PBR gives you more control over routing by extending and complementing the existing mechanisms provided by routing protocols. PBR allows you to specify paths for certain traffic, such as priority traffic over a high-cost link.
You can set up PBR as a way to route packets based on configured policies. For example, you can implement routing policies to allow or deny paths based on the identity of a particular end system, or an application protocol. Enable PBR to provide the following advantages:
- Equal access
- Protocol-sensitive routing
- Source-sensitive routing
- Routing based on interactive versus batch traffic
- Routing based on dedicated links
Some applications or traffic can benefit from source-specific routing; for example, you can transfer stock records to a corporate office on a higher-bandwidth, higher-cost link for a short time while sending routine application data, such as e-mail, over a lower-bandwidth, lower-cost link
Policies can be based on IP address, port numbers, or protocols. For a simple policy, use any one of these descriptors; for a complicated policy, all of them.
Route-Maps
All packets received on an interface with PBR enabled (except those sent directly to the switch IP) are handled by enhanced packet filters known as route maps. The route maps dictate the policy that determines where the packets are forwarded.
Route maps contain statements that can be marked as permit or deny. They are interpreted in the following ways:
- If a statement is marked as deny, the packets meeting the match criteria are sent back using the normal forwarding channels and destination-based routing is performed.
- If the statement is marked as permit and a packet matches the access-lists, then the first valid set clause is applied to that packet.
You can implement PBR by applying a route-map on an incoming interface. A given interface can have only one route-map configured. A route-map is configured at the global configuration parser mode. You can then apply this route-map on one or more interfaces (in the interface configuration parser sub-mode).
Each route-map statement contains match and set commands. The match command denotes the match criteria to be applied on the packet data. The set command denotes the PBR action to be taken on the packet.
The following example shows a single route-map called rm-test and six route-map statements:
The numbers 21, 22,... 26 are the sequence numbers of the route-map statements.
PBR Route-Map Processing Logic
When a packet is received on an interface configured with a route-map, the forwarding logic processes each route-map statement according to the sequence number.
If the route-map statement encountered is a route-map... permit statement:
- The packet is matched against the criteria in the match command. This command may refer to an ACL that may itself have one or more permit and/or deny expressions. The packet is matched against the expressions in the ACL, and a permit/deny decision is reached.
- If the decision reached is permit, then the PBR logic executes the action specified by the set command on the packet.
- If the decision reached is deny, then the PBR action (specified in the set command) is not applied. Instead the processing logic moves forward to look at the next route-map statement in the sequence (the statement with the next higher sequence number). If no next statement exists, PBR processing terminates, and the packet is routed using the default IP routing table.
If the route-map statement encountered is a route-map... deny statement:
- The packet is matched against the criteria given in the match command. This command may refer to an ACL that may itself have one or more permit and/or deny expressions. The packet is matched against the expressions in the ACL, and a permit/deny decision is reached.
- If the criteria decision is permit, then the PBR processing terminates, and the packet is routed using the default IP routing table.
- If the criteria decision is deny, then the PBR processing logic moves forward to look at the next route-map statement in the sequence (the statement with the next higher sequence number). If no next statement exists, PBR processing terminates, and the packet is routed using the default IP routing table.
Note The set command has no effect inside a route-map... deny statement.
A route-map statement can have multiple set commands, which are applied in the following priority:
If both the set ip next-hop and set ip next-hop recursive commands are present in the same route-map statement, the next-hop set command is applied.
If the set ip next-hop command is not available then the set ip next-hop recursive command is applied.
If the set ip recursive-next-hop and the set interface command are not present, then the packet is routed using the default routing table; it is not dropped. If the packet is required to be dropped, use the set next-hop recursive command followed by a set interface null0 configuration command.
Load Balancing with Recursive Next-Hop
If multiple equal-cost routes to the subnet have been configured by the set ip next-hop recursive command, load balancing will occur only if all the adjacencies to the routes are resolved. If any of the adjacencies have not been resolved, then load balancing will not happen and only one of the routes whose adjacency is resolved will be used. If none of the adjacencies are resolved, then packets will be processed in software, resulting in at least one of the adjacencies to be resolved and programmed in hardware. PBR relies on routing protocols or other means to resolve all adjacencies and make load balancing happen.
Packet Matching Criteria
Access Control Lists (ACLs) define the allowed match criteria for packets. Each ACL is applied to incoming packets in a certain order, stopping only when the packet characteristics match the ACL being applied. Unlike policy maps, route maps do not support the "match any" match semantics.
IPv6 packets are matched via a match ipv6 address statement in the associated PBR route-map. IPv6 PBR requires IPv6 ACL, although the statement may specify either an IPv6 ACL or an IPv6 Prefixlist,
PBR Route-Map Processing Logic Example
Consider a route-map called rm-test defined as follows:
– Matches ACL 101 in sequence #21.
– PBR is switched through next-hop 21.1.1.1.
Note ACL 101 is also matched in sequence #23, but the processing doesn't reach that point
– In sequence #21, the ACL 101 action denies this packet (because all ACLs have an implicit deny). Processing advances to sequence #22.
– In sequence #22, ACL 102 matches TCP port 102, but the ACL action is deny. Processing advances to sequence #23.
– In sequence #23, ACL 2102 matches TCP port 102, and the ACL action is permit.
– Packet is switched to output interface VLAN 23.
– Processing moves from sequence #21 to #24, because all ACLs in these sequence numbers have a deny action for port 105.
– In sequence #25, ACL 105 has a permit action for TCP port 105.
– The route-map deny takes effect, and the packet is routed using the default IP routing table.
The Catalyst 4500 series switch supports matching route-map actions with a packet by installing entries in the TCAM that match the set of packets described by the ACLs in the match criteria of the route map. These TCAM entries point at adjacencies that either perform the necessary output actions or forward the packet to software if either hardware does not support the action or its resources are exhausted.
If the route-map specifies a set interface … action, packets that match the match statement are routed in the software. Some packets may be dropped. Similarly, if the route-map specifies a set default interface… action and there is no matching IP route for the packet, the packet is routed in the software.
Note The scale of hardware-based PBR is determined by the TCAM size and the time required for the CPU to flatten the ACL before programming into the hardware. The time take to flatten the ACL increases when a PBR policy requires a considerable number of route-maps. For example, a PBR policy of 1,200 route-maps (each containing ACLs with permit ACEs only) may require 6-7 minutes of flatten time before programming into hardware. This process may repeat if an adjacency change requires PBR reprogramming.
IPv4 and IPv6 Policy-Based Routing for VRF Instances
Virtual routing and forwarding (VRF) allows multiple routing instances in Cisco software. Beginning in Cisco IOS Release XE 3.7 0E and IOS 15.2(3)E, the Policy-Based Routing (PBR) feature is VRF-aware and works on multiple routing instances, beyond the default or global routing table.
Incoming packets are filtered through the match criteria that are defined in the route map. After a successful match occurs, the set command configuration determines the VRF through which outbound packets are policy routed.
Inherit-VRF, Inter-VRF, Global-to-VRF, and VRF-to-Global Routing
The Policy-Based Routing feature supports inherit-VRF, inter-VRF, and VRF-to-global routing.
With inherit-VRF, packets arriving at a virtual routing and forwarding (VRF) interface are routed, by looking-up the same VRF’s routing table.
With inter-VRF routing, packets arriving at a VRF interface are routed, by looking-up a different VRF’s routing table, as specified by the set command.
With VRF-to-global routing, packets arriving at a VRF interface are routed via the global routing table.
With global-to-VRF routing, packets arriving at the global interface (an interface that is not part of a VRF) are routed via a VRF routing table.
Restrictions for VRF-Aware Policy-Based Routing
– on interfaces that belong to different VRFs
– on one VRF interface and another global interface (an interface that is not part of a VRF).
- The set vrf and set ip global next-hop commands can be configured with the set default interface, set interface, set ip default next-hop, and set ip next-hop commands. But the set vrf and set ip global next-hop commands take precedence over the set default interface, set interface, set ip default next-hop, and set ip next-hop commands. No error message is displayed if you attempt to configure the set vrf command with any of these three set commands.
- When you use the set vrf command you specify the VRF table to be looked-up; this overrides the default or global routing table. If a route is not specified in the VRF routing table, then packets are dropped (even if a route exists in the global routing table).
- The set global and set vrf commands cannot be simultaneously applied to a route map.
- The set ip next hop recursive command is not supported when used within a VRF instance.
Policy-Based Routing Configuration Tasks
To configure PBR, perform the tasks described in the following sections. The task in the first section is required; the tasks in the remaining sections are optional. For configuration examples, see the “Policy-Based Routing Configuration Examples” section.
- Enabling IPv4 PBR (Required)
- Enabling IPv6 PBR (Required)
- Enabling Local IPv4 and Local IPv6 PBR (Optional)
- Unsupported Commands (Optional)
- Configuring IPv4 and IPv6 PBR for VRF Instances (Optional)
- Unsupported Commands
Enabling IPv4 PBR
To enable PBR, you must create a route map that specifies the match criteria and the resulting action if all of the match clauses are met. Then you must apply that route-map on a particular interface. All packets arriving on the specified interface matching the match clauses are subject to PBR.
To enable IPv4 PBR on an interface, perform this task:
Use the set commands with each other. These commands are evaluated in the order shown in Step 3 in the previous task table. A usable next hop implies an interface. Once the local switch finds a next hop and a usable interface, it routes the packet.
Refer to the section Policy-Based Routing Configuration Examples for examples of IPv4 PBR.
Use the show route-map map-tag command to display the existing route map.
Note Packet and byte counters in the output of the show route-map map-tag command are not updated.
Enabling IPv6 PBR
Note With IOS XE 3.6.0E and IOS 15.2(2)E, IPv6 PBR is not supported on Supervisor Engine 8-E.
To enable PBR, you must create a route map that specifies the match criteria and the resulting action if all of the match clauses are met. Then you must apply that route-map on a particular interface. All packets arriving on the specified interface matching the match clauses are subject to PBR.
For IPv6 PBR to work on the Catalyst 4900M, Catalyst 4948E and Catalyst 4948E-F Series Switches, IPv4 and IPv6 routing must be enabled the device.
To enable IPv6 PBR on an interface, perform this task:
Note The recursive option is supported for IPv4, but not for IPv6. An interface can have either an ipv4 route map or an ipv6 route map. An interface can be bound to only one route map.
Use the set commands with each other. These commands are evaluated in the order shown in Step 3 in the previous task table. A usable next hop implies an interface. Once the local switch finds a next hop and a usable interface, it routes the packet.
Refer to the following document for IPv6 PBR configuration examples.
http://www.cisco.com/c/en/us/support/docs/ip/ip-version-6-ipv6/112218-policy-based-routing-ipv6-configex.html
Note Packet and byte counters in the output of the show route-map map-tag command are updated only for software switched packets. Counters for hardware switched packets are not updated.
Enabling Local IPv4 and Local IPv6 PBR
Packets that are generated by the switch are not normally policy-routed. To enable local PBR for such packets, indicate which route map the switch should use by entering this command:
IPv4
|
|
|
|---|---|
IPv6
|
|
|
|---|---|
All packets originating on the switch are then subject to local PBR.
Use the show ip local policy command to display the route map used for local PBR, if one exists.
Configuring IPv4 and IPv6 PBR for VRF Instances
To enable PBR for multiple routing instances, configure your device in the following way:
Verifying the PBR Configuration for VRF Instances
To verify the PBR configuration for VRF instances, enter the following steps in any order:
|
|
|
|
|---|---|---|
Switch# show ip access list [access-list-number |access-list-name] |
Displays the subnet ranges defined as match criteria in the standard access lists. |
|
The following example shows you how to configure PBR for VRF instances:
Unsupported Commands
The following PBR commands in config-route-map mode are in the CLI but not supported in Cisco IOS for the Catalyst 4500 series switches. If you attempt to use these commands, an error message displays:
- match-length
- set ip qos and set ipv6 qos
- set ip tos and set ipv6 tos
- set ip precedence and set ipv6 precedence
- set ip df and set ipv6 df
Note The recursive option is not supported on IPv6.
Policy-Based Routing Configuration Examples
The following sections provide PBR configuration examples:
For information on how to configure policy-based routing, see the section “Policy-Based Routing Configuration Tasks” in this chapter.
Equal Access
The following example provides two sources with equal access to two different service providers. Packets arriving on interface fastethernet 3/1 from the source 1.1.1.1 are sent to the switch at 6.6.6.6 if the switch has no explicit route for the destination of the packet. Packets arriving from the source 2.2.2.2 are sent to the switch at 7.7.7.7 if the switch has no explicit route for the destination of the packet. All other packets for which the switch has no explicit route to the destination are discarded.
Note If the packets you want to drop do not match either of the first two route-map clauses, then change |
set default interface null0 to set interface null0.
Differing Next Hops
The following example illustrates how to route traffic from different sources to different places (next hops). Packets arriving from source 1.1.1.1 are sent to the next hop at 3.3.3.3; packets arriving from source 2.2.2.2 are sent to the next hop at 3.3.3.5.
Deny ACE
The following example illustrates how to stop processing a given route map sequence, and to jump to the next sequence. Packets arriving from source 1.1.1.1 skip sequence 10 and jump to sequence 20. All other packets from subnet 1.1.1.0 follow the set statement in sequence 10.
Examples of the show Command
The following show command illustrates that route map pbrv6-test has only one permit sequence.
In the example policy, IPv6 packets with an address matching the criteria defined by the access control list v6_acl are forwarded to the next hop 2006::2. If next-hop 2006::2 is unreachable, the matching packets are forwarded to 2005::2. If both next-hops are unreachable, the packets are forwarded using the routing table lookup. For packets that do not match the filter criteria, a standard routing table lookup is performed for packet forwarding.
Feedback