Configuring Policy-Based Routing (PBR)
Prerequisites for PBR
For Cisco ME 3600X, the PBR feature is supported with the application SDM template. For Cisco ME 3800X, this feature is supported with the scaled license.
Note: The PBR feature does not work with the default template.
Restrictions for PBR
Note: PBR is not supported on a VRF interface.
- PBR is an ingress only feature.
- These IPv4 PBR commands are supported:
  – match ip address
  – set ip next-hop
- The command set ip default next-hop is not supported.
- The switch does not support route-map deny statements.
- Local PBR is not supported.
- IPv4 PBR recursive next-hop is not supported.
- IPv6 PBR is not supported in software.
- IPv6 PBR recursive next-hop is not supported.
Information About PBR
PBR Overview
Policy-based routing (PBR) provides a mechanism for expressing and implementing forwarding/routing of data packets based on the policies defined by the network administrators. It provides a more flexible mechanism for routing packets through routers, complementing the existing mechanism provided by routing protocols such as RIP, OSPF, or EIGRP. Instead of routing by the destination address, policy-based routing allows network administrators to determine and implement routing policies to allow or deny paths.
A policy contains one or more route maps. A policy can be applied to one or more input interfaces. A policy is identified by a unique tag. Each route-map entry is assigned a unique sequence number, so that classification is executed in rank order and stops at the first match across multiple route-map entries. A match is found when sections of a packet's Layer 3 and Layer 4 headers are equivalent to those specified in a route map's access control list, packet-length range entry, and/or IP source address entry. PBR policy application is bypassed if no match is found.
How to Configure PBR
Configuring PBR
To configure PBR on an interface, use the following commands beginning in global configuration mode:
Step 1
Command: Switch(config)# route-map map-tag [permit | deny] [sequence-number]
Purpose: Defines a route map to control where packets are output. This command puts the switch into route-map configuration mode.

Step 2
Command: Switch(config-route-map)# match ip address {access-list-number | name}
Purpose: Specifies the match criteria. Although there are many route-map matching options, here you can specify only length and/or ip address.
- ip address matches the source or destination IP address that is permitted by one or more standard or extended access lists.
If you do not specify a match command, the route map applies to all packets.

Step 3
Command: Switch(config-route-map)# set ip next-hop ip-address
Purpose: Specifies the action(s) to take on the packets that match the criteria. You can specify any or all of the following:
- next-hop: Sets the next hop to which to route the packet.

Step 4
Command: Switch(config-route-map)# interface interface-type interface-number
Purpose: Specifies the interface, and puts the switch into interface configuration mode.

Step 5
Command: Switch(config-if)# ip policy route-map map-tag
Purpose: Identifies the route map to use for PBR. One interface can have only one route-map tag, but you can have several route-map entries, each with its own sequence number. Entries are evaluated in order of their sequence numbers until the first match occurs. If no match occurs, packets are routed as usual.
The set commands can be used in conjunction with each other. They are evaluated in the order shown in Step 3 in the previous task table. A usable next hop implies an interface. Once the local switch finds a next hop and a usable interface, it routes the packet.
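Because the platform silently depends on the restrictions listed above (permit-only route maps, match ip address and set ip next-hop only, no log keyword on the ACLs, no PBR on VRF interfaces), a configuration audit is a useful check before a policy is pushed. The following Python script is an added example, not part of the Cisco guide: it walks a saved IOS configuration stanza by stanza and reports each clause that this page says is unsupported. The configuration text, interface name and VRF name in it are constructed for the example.

```python
# Constructed sample IOS configuration (not from the original page) that breaks
# several of the ME 3600X/3800X PBR restrictions listed above.
SAMPLE_CONFIG = """\
ip access-list extended pbr-acl1
 10 permit ip 20.1.0.0 0.0.255.255 30.0.0.0 0.0.0.255 log
route-map 111111 permit 10
 match ip address pbr-acl1
 set ip next-hop 11.1.1.2
route-map 111111 deny 20
 match ip address pbr-acl1
route-map 222221 permit 10
 match tag 100
 set ip default next-hop 11.1.1.3
interface Vlan10
 ip vrf forwarding CUST-A
 ip policy route-map 222221
"""


def audit_pbr_config(config: str) -> list[str]:
    """Return one finding per ACL entry, route-map clause or interface that uses a PBR option the restrictions above list as unsupported."""
    findings: list[str] = []
    kind = name = None               # top-level stanza currently being read
    vrf_ifaces, pbr_ifaces = set(), set()
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):  # an unindented line opens a new stanza
            parts = line.split()
            kind = name = None
            if parts[0] == "route-map" and len(parts) >= 3:
                kind, name = "route-map", parts[1]
                if parts[2] == "deny":
                    findings.append(f"route-map {name}: deny statements are not supported")
            elif parts[:2] == ["ip", "access-list"]:
                kind, name = "acl", parts[-1]
            elif parts[0] == "interface":
                kind, name = "interface", parts[-1]
            continue
        if kind == "acl" and line.split()[-1] == "log":
            findings.append(f"acl {name}: 'log' is not supported on ACLs used by PBR")
        elif kind == "route-map" and line.startswith("match ") and not line.startswith("match ip address "):
            findings.append(f"route-map {name}: unsupported match clause '{line}'")
        elif kind == "route-map" and line.startswith("set ") and not line.startswith("set ip next-hop "):
            findings.append(f"route-map {name}: unsupported set clause '{line}'")
        elif kind == "interface" and line.startswith(("ip vrf forwarding ", "ip policy route-map ")):
            (vrf_ifaces if line.startswith("ip vrf") else pbr_ifaces).add(name)
    # PBR and VRF membership on the same interface violate the restriction note above
    for iface in sorted(vrf_ifaces & pbr_ifaces):
        findings.append(f"interface {iface}: PBR is not supported on a VRF interface")
    return findings
```

Run it against the output of show running-config; an empty list means nothing in the configuration contradicts the restrictions listed on this page.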
Configuration Examples for PBR
Note: The examples shown below involve the use of the access-list command (ACL). The log keyword should not be used with this command in policy-based routing (PBR) because logging is not supported at the interrupt level for ACLs.
ACL configuration:
ip access-list ext pbr-acl1
 10 permit ip 20.1.0.0 0.0.255.255 30.0.0.0 0.0.0.255
ip access-list ext pbr-acl2
 20 permit ip 20.2.0.0 0.0.255.255 30.0.0.0 0.0.0.255
Route-map configuration:
route-map 111111 permit 10
 match ip address pbr-acl1
 set ip next-hop 11.1.1.2
route-map 222221 permit 20
 match ip address pbr-acl2
Interface configuration on a physical port:
 ip address 20.1.1.1 255.0.0.0
Interface configuration on a switchport SVI:
 ip address 10.1.1.1 255.255.255.0
Interface configuration on an EFP bridge-domain SVI:
 switchport trunk allowed vlan none
 service instance 10 ethernet
 ip address 10.1.1.1 255.255.255.0