- Preface
- Product Overview
- Command-Line Interfaces
- Configuring the Switch for the First Time
- Administering the Switch
- Configuring Virtual Switching Systems
- Programmability
- Configuring the Cisco IOS In-Service Software Upgrade Process
- Configuring the Cisco IOS XE In Service Software Upgrade Process
- Configuring Interfaces
- Checking Port Status and Connectivity
- Configuring Supervisor Engine Redundancy Using RPR and SSO on Supervisor Engine 6-E and Supervisor Engine 6L-E
- Configuring Supervisor Engine Redundancy Using RPR and SSO on Supervisor Engine 7-E, Supervisor Engine 7L-E, and Supervisor Engine 8-E
- Configuring Cisco NSF with SSO Supervisor Engine Redundancy
- Environmental Monitoring and Power Management
- Configuring Power over Ethernet
- Configuring Cisco Network Assistant
- Configuring VLANs, VTP, and VMPS
- Configuring IP Unnumbered Interface
- Configuring Layer 2 Ethernet Interfaces
- Configuring EVC-Lite
- Configuring SmartPort Macros
- Configuring Cisco IOS Auto Smartport Macros
- Configuring STP and MST
- Configuring Flex Links and MAC Address-Table Move Update
- Configuring Resilient Ethernet Protocol
- Configuring Optional STP Features
- Configuring EtherChannel and Link State Tracking
- Configuring IGMP Snooping and Filtering, and MVR
- Configuring IPv6 Multicast Listener Discovery Snooping
- Configuring 802.1Q Tunneling, VLAN Mapping, and Layer 2 Protocol Tunneling
- Configuring Cisco Discovery Protocol
- Configuring LLDP, LLDP-MED, and Location Service
- Configuring UDLD
- Configuring Unidirectional Ethernet
- Configuring Layer 3 Interfaces
- Configuring Cisco Express Forwarding
- Configuring Unicast Reverse Path Forwarding
- Configuring IP Multicast
- Configuring ANCP Client
- Configuring Bidirectional Forwarding Detection
- Configuring Campus Fabric
- Configuring Policy-Based Routing
- Configuring VRF-lite
- Configuring Quality of Service
- Configuring AVC with DNS-AS
- Configuring Voice Interfaces
- Configuring Private VLANs
- Configuring MACsec Encryption
- Configuring 802.1X Port-Based Authentication
- X.509v3 Certificates for SSH Authentication
- Configuring the PPPoE Intermediate Agent
- Configuring Web-Based Authentication
- Configuring Wired Guest Access
- Configuring Auto Identity
- Configuring Port Security
- Configuring Auto Security
- Configuring Control Plane Policing and Layer 2 Control Packet QoS
- Configuring Dynamic ARP Inspection
- Configuring the Cisco IOS DHCP Server
- Configuring DHCP Snooping, IP Source Guard, and IPSG for Static Hosts
- DHCPv6 Options Support
- Configuring Network Security with ACLs
- Support for IPv6
- Port Unicast and Multicast Flood Blocking
- Configuring Storm Control
- Configuring SPAN and RSPAN
- Configuring ERSPAN
- Configuring Wireshark
- Configuring Enhanced Object Tracking
- Configuring System Message Logging
- Onboard Failure Logging (OBFL)
- Configuring SNMP
- Configuring NetFlow-lite
- Configuring Flexible NetFlow
- Configuring Ethernet OAM and CFM
- Configuring Y.1731 (AIS and RDI)
- Configuring Call Home
- Configuring Cisco IOS IP SLA Operations
- Configuring RMON
- Performing Diagnostics
- Configuring WCCP Version 2 Services
- Configuring MIB Support
- Configuring Easy Virtual Networks
- ROM Monitor
- Acronyms and Abbreviations
- Index
Configuring Policy-Based Routing
This chapter describes the tasks for configuring policy-based routing (PBR) on a Catalyst 4500 series switch and includes these major sections:
- Policy-Based Routing
- Policy-Based Routing Configuration Tasks
- Policy-Based Routing Configuration Examples
Note For complete syntax and usage information for the switch commands used in this chapter, see the
Cisco IOS Command Reference Guides for the Catalyst 4500 Series Switch.
If a command is not in the Cisco Catalyst 4500 Series Switch Command Reference , you can locate it in the Cisco IOS Master Command List, All Releases.
Note To identify the hardware platform or software image information associated with a feature, use the Feature Navigator on Cisco.com to search for information about the feature or refer to the software release notes for a specific release.
Policy-Based Routing
Policy-Based Routing (PBR) gives you a flexible method of routing packets by allowing you to define policies for traffic flows, lessening reliance on routes derived from routing protocols. PBR gives you more control over routing by extending and complementing the existing mechanisms provided by routing protocols. PBR allows you to specify paths for certain traffic, such as priority traffic over a high-cost link.
You can set up PBR as a way to route packets based on configured policies. For example, you can implement routing policies to allow or deny paths based on the identity of a particular end system, or an application protocol. Enable PBR to provide the following advantages:
- Equal access
- Protocol-sensitive routing
- Source-sensitive routing
- Routing based on interactive versus batch traffic
- Routing based on dedicated links
Some applications or traffic can benefit from source-specific routing; for example, you can transfer stock records to a corporate office on a higher-bandwidth, higher-cost link for a short time while sending routine application data, such as e-mail, over a lower-bandwidth, lower-cost link
Policies can be based on IP address, port numbers, or protocols. For a simple policy, use any one of these descriptors; for a complicated policy, all of them.
Route Maps
Understanding Route Maps
All packets received on an interface with PBR enabled (except those sent directly to the switch IP) are handled by enhanced packet filters known as route maps. The route maps dictate the policy that determines where the packets are forwarded.
Route maps contain statements that can be marked as permit or deny. They are interpreted in the following ways:
- If a statement is marked as deny, the packets meeting the match criteria are sent back using the normal forwarding channels and destination-based routing is performed.
- If the statement is marked as permit and a packet matches the access-lists, then the first valid set clause is applied to that packet.
You can implement PBR by applying a route map on an incoming interface. A given interface can have only one route-map configured. A route map is configured at the global configuration parser mode. You can then apply this route map on one or more interfaces (in the interface configuration parser sub-mode).
Each route map statement contains match and set commands. The match command denotes the match criteria to be applied on the packet data. The set command denotes the PBR action to be taken on the packet.
The following example shows a single route map called rm-test and six route map statements:
The numbers 21, 22,... 26 are the sequence numbers of the route-map statements.
PBR Route-Map Processing Logic
When a packet is received on an interface configured with a route map, the forwarding logic processes each route map statement according to the sequence number.
If the route map statement encountered is a route-map... permit statement:
- The packet is matched against the criteria in the match command. This command may refer to an ACL that may itself have one or more permit and/or deny expressions. The packet is matched against the expressions in the ACL, and a permit/deny decision is reached.
- If the decision reached is permit, then the PBR logic executes the action specified by the set command on the packet.
- If the decision reached is deny, then the PBR action (specified in the set command) is not applied. Instead the processing logic moves forward to look at the next route-map statement in the sequence (the statement with the next higher sequence number). If no next statement exists, PBR processing terminates, and the packet is routed using the default IP routing table.
If the route map statement encountered is a route-map... deny statement:
- The packet is matched against the criteria given in the match command. This command may refer to an ACL that may itself have one or more permit and/or deny expressions. The packet is matched against the expressions in the ACL, and a permit/deny decision is reached.
- If the criteria decision is permit, then the PBR processing terminates, and the packet is routed using the default IP routing table.
- If the criteria decision is deny, then the PBR processing logic moves forward to look at the next route-map statement in the sequence (the statement with the next higher sequence number). If no next statement exists, PBR processing terminates, and the packet is routed using the default IP routing table.
Note The set command has no effect inside a route-map... deny statement.
A route map statement can have multiple set commands that are applied in the following priority:
set ip next-hop verify-availability
If both the set ip next-hop and set ip next-hop recursive commands are present in the same route-map statement, the next-hop set command is applied.
If the set ip next-hop command is not available then the set ip next-hop recursive command is applied.
If the set ip recursive-next-hop and the set interface command are not present, then the packet is routed using the default routing table; it is not dropped. If the packet is required to be dropped, use the set next-hop recursive command followed by a set interface null0 configuration command.
Load Balancing with Recursive Next Hop
If multiple equal-cost routes to the subnet have been configured by the set ip next-hop recursive command, load balancing will occur only if all the adjacencies to the routes are resolved. If any of the adjacencies have not been resolved, then load balancing will not happen and only one of the routes whose adjacency is resolved will be used. If none of the adjacencies are resolved, then packets will be processed in software, resulting in at least one of the adjacencies to be resolved and programmed in hardware. PBR relies on routing protocols or other means to resolve all adjacencies and make load balancing happen.
Packet Matching Criteria
Access Control Lists (ACLs) define the allowed match criteria for packets. Each ACL is applied to incoming packets in a certain order, stopping only when the packet characteristics match the ACL being applied. Unlike policy maps, route maps do not support the "match any" match semantics.
IPv6 packets are matched via a match ipv6 address statement in the associated PBR route-map. IPv6 PBR requires IPv6 ACL, although the statement may specify either an IPv6 ACL or an IPv6 Prefixlist,
PBR Route-Map Processing Logic Example
Consider a route map called rm-test defined as follows:
– Matches ACL 101 in sequence #21.
– PBR is switched through next-hop 21.1.1.1.
Note ACL 101 is also matched in sequence #23, but the processing doesn't reach that point
– In sequence #21, the ACL 101 action denies this packet (because all ACLs have an implicit deny). Processing advances to sequence #22.
– In sequence #22, ACL 102 matches TCP port 102, but the ACL action is deny. Processing advances to sequence #23.
– In sequence #23, ACL 2102 matches TCP port 102, and the ACL action is permit.
– Packet is switched to output interface VLAN 23.
– Processing moves from sequence #21 to #24, because all ACLs in these sequence numbers have a deny action for port 105.
– In sequence #25, ACL 105 has a permit action for TCP port 105.
– The route-map deny command takes effect, and the packet is routed using the default IP routing table.
The Catalyst 4500 series switch supports matching route map actions with a packet by installing entries in the TCAM that match the set of packets described by the ACLs in the match criteria of the route map. These TCAM entries point at adjacencies that either perform the necessary output actions or forward the packet to software if either hardware does not support the action or its resources are exhausted.
If the route map specifies a set interface … action, packets that match the match statement are routed in the software. Some packets may be dropped. Similarly, if the route-map specifies a set default interface… action and there is no matching IP route for the packet, the packet is routed in the software.
Note The scale of hardware-based PBR is determined by the TCAM size and the time required for the CPU to flatten the ACL before programming into the hardware. The time take to flatten the ACL increases when a PBR policy requires a considerable number of route-maps. For example, a PBR policy of 1,200 route-maps (each containing ACLs with permit ACEs only) may require 6-7 minutes of flatten time before programming into hardware. This process may repeat if an adjacency change requires PBR reprogramming.
Policy-Based Routing with Object Tracking
Beginning in Cisco IOS XE Release 3.8.0E and Cisco IOS Release 15.2(4)E, you can configure Policy-Based Routing (PBR) to use object tracking, to verify the most viable next-hop IP address to which to forward packets, using an Internet Control Message Protocol (ICMP) ping as the verification method. PBR used with object tracking is most suitable for devices that have multiple Ethernet connections as the next hop. Normally, Ethernet interfaces connect to digital subscriber line (DSL) modems or cable modems, and do not detect a failure upstream in the ISP broadband network. The Ethernet interface remains up, and any form of static routing points to that interface. Using PBR with object tracking allows you to back-up two Ethernet interfaces, determine the interface that is available by sending ICMP pings to verify if the IP address can be reached, and then route traffic to that interface.
To verify the next-hop IP address for the device, PBR informs the object tracking process that it is interested in tracking a certain object. The tracking process, in turn, informs PBR when the state of the object changes.
Restrictions for Policy-Based Routing with Object Tracking
The set next-hop verify-availability command is not supported with the following:
IPv4 and IPv6 Policy-Based Routing for VRF Instances
Virtual routing and forwarding (VRF) allows multiple routing instances in Cisco software. Beginning in Cisco IOS Release XE 3.7 0E and IOS 15.2(3)E, the Policy-Based Routing (PBR) feature is VRF-aware and works on multiple routing instances, beyond the default or global routing table.
Incoming packets are filtered through the match criteria that are defined in the route map. After a successful match occurs, the set command configuration determines the VRF through which outbound packets are policy routed.
Inherit-VRF, Inter-VRF, Global-to-VRF, and VRF-to-Global Routing
The Policy-Based Routing feature supports inherit-VRF, inter-VRF, and VRF-to-global routing.
With inherit-VRF, packets arriving at a virtual routing and forwarding (VRF) interface are routed, by looking-up the same VRF’s routing table.
With inter-VRF routing, packets arriving at a VRF interface are routed, by looking-up a different VRF’s routing table, as specified by the set command.
With VRF-to-global routing, packets arriving at a VRF interface are routed via the global routing table.
With global-to-VRF routing, packets arriving at the global interface (an interface that is not part of a VRF) are routed via a VRF routing table.
Restrictions for VRF-Aware Policy-Based Routing
– on interfaces that belong to different VRFs
– on one VRF interface and another global interface (an interface that is not part of a VRF).
- The set vrf and set ip global next-hop commands can be configured with the set default interface, set interface, set ip default next-hop, and set ip next-hop commands. But the set vrf and set ip global next-hop commands take precedence over the set default interface, set interface, set ip default next-hop, and set ip next-hop commands. No error message is displayed if you attempt to configure the set vrf command with any of these three set commands.
- The set global and set vrf commands cannot be simultaneously applied to a route map.
- When you use the set vrf command you specify the VRF table to be looked-up; this overrides the default or global routing table. If a route is not specified in the VRF routing table, then packets are dropped (even if a route exists in the global routing table).
- The set next-hop verify-availability and the set ip next hop recursive commands are not supported within VRF instances.
Policy-Based Routing Configuration Tasks
To configure PBR, perform the tasks described in the following sections. The task in the first section is required; the tasks in the remaining sections are optional. For configuration examples, see the “Policy-Based Routing Configuration Examples” section.
- Enabling IPv4 PBR (Required)
- Enabling IPv6 PBR (Required)
- Enabling Local IPv4 and Local IPv6 PBR (Optional)
- Verifying Next-Hop IP using Object Tracking (Optional)
- Unsupported Commands (Optional)
- Configuring IPv4 and IPv6 PBR for VRF Instances (Optional)
- Unsupported Commands
Enabling IPv4 PBR
To enable PBR, you must create a route map that specifies the match criteria and the resulting action if all of the match clauses are met. Then you must apply that route-map on a particular interface. All packets arriving on the specified interface matching the match clauses are subject to PBR.
To enable IPv4 PBR on an interface, perform this task:
|
|
|
---|---|---|
Switch(config)# route-map map-tag [ permit | deny ] [ sequence-number ] |
Defines a route map to control where packets are sent. This command puts the switch into route-map configuration mode. |
|
Switch(config-route-map)# match ip address { access-list-number | name } [...access-list-number | name ] |
Specifies the match criteria. The match criteria take the form of one or more Standard or Extended IP access-lists. The access-lists can specify the source and destination IP addresses, protocol types, and port numbers. |
|
Switch(config-route-map)# set ip next-hop ip-address [... ip-address ] |
Specifies the next-hop IP address to which matching packets are sent. The next-hop IP address specified here must belong to a subnet that is directly connected to this switch. If more than one next-hop IP address is specified, the first usable next-hop is chosen for routing matching packets. If the next-hop is (or becomes) unavailable for some reason, the next one in the list is chosen. |
|
Switch(config-route-map)# set ip next-hop verify-availability [ next-hop-address-sequence track object ] |
(Optional) Configures the route map to verify the reachability of the tracked object. Note This option is not supported for IPv6 traffic. For information about defining new tracked object, see Verifying Next-Hop IP using Object Tracking |
|
Switch(config-route-map)# set ip next-hop recursive ip-address |
Specifies a recursive next-hop IP address. Note The recursive next-hop can be a subnet that is not directly connected. The set ip next-hop recursive command does not ensure that packets are routed through the recursive-next-hop if there is an intermediate node with a shorter route to the destination such that the route does not pass through the recursive-next-hop. |
|
Switch(config-route-map)# set interface interface-type interface-number |
Specifies the output interface from which the packet will be sent. This action specifies that the packet is forwarded out of the local interface. The interface must be a Layer 3 interface (not a switchport). Packets are forwarded on the specified interface only if one of the following conditions is met:
If the destination IP address on the packet does not meet either of these conditions, the packet is dropped. This action forces matching packets to be switched in software.k |
|
Switch(config-route-map)# set ip default next-hop ip-address [... ip-address ] |
Sets next hop to which to route the packet if there is no explicit route for the destination IP address in the packet. Before forwarding the packet to the next hop, the switch looks up the packet’s destination address in the unicast routing table. If a match is found, the packet is forwarded by way of the routing table. If no match is found, the packet is forwarded to the specified next hop. |
|
Switch(config-route-map)# set default interface interface-type interface-number [... type...number ] |
Specifies the output interface from which the packet will be sent if there is no explicit route for this destination. Before forwarding the packet to the next hop, the switch looks up the packet’s destination address in the unicast routing table. If a match is found, the packet is forwarded by using the routing table. If no match is found, the packet is forwarded to the specified output interface. Packets are forwarded on the specified interface only if one of the following conditions is met:
If the destination IP address on the packet does not meet either of these conditions, the packet is dropped. This action forces matching packets to be switched in software. |
|
Switch(config-route-map)# interface interface-type interface-number |
Specifies the interface. This command puts the switch into interface configuration mode. |
|
Identifies the route map to use for PBR. One interface can only have one route map tag, but you can have multiple route map entries with different sequence numbers. These entries are evaluated in sequence number order until the first match. If no match exists, packets are routed as usual. |
Use the set commands with each other. These commands are evaluated in the order shown in Step 3 in the previous task table. A usable next hop implies an interface. Once the local switch finds a next hop and a usable interface, it routes the packet.
Refer to the section Policy-Based Routing Configuration Examples for examples of IPv4 PBR.
Use the show route-map map-tag command to display the existing route map.
Note Packet and byte counters in the output of the show route-map map-tag command are not updated.
Enabling IPv6 PBR
Note With IOS XE 3.6.0E and IOS 15.2(2)E, IPv6 PBR is not supported on Supervisor Engine 8-E.
To enable PBR, you must create a route map that specifies the match criteria and the resulting action if all of the match clauses are met. Then you must apply that route-map on a particular interface. All packets arriving on the specified interface matching the match clauses are subject to PBR.
For IPv6 PBR to work on the Catalyst 4900M, Catalyst 4948E and Catalyst 4948E-F Series Switches, IPv4 and IPv6 routing must be enabled the device.
To enable IPv6 PBR on an interface, perform this task:
Note The recursive option is supported for IPv4, but not for IPv6. An interface can have either an ipv4 route map or an ipv6 route map. An interface can be bound to only one route map.
Use the set commands with each other. These commands are evaluated in the order shown in Step 3 in the previous task table. A usable next hop implies an interface. Once the local switch finds a next hop and a usable interface, it routes the packet.
Refer to the following document for IPv6 PBR configuration examples.
http://www.cisco.com/c/en/us/support/docs/ip/ip-version-6-ipv6/112218-policy-based-routing-ipv6-configex.html
Note Packet and byte counters in the output of the show route-map map-tag command are updated only for software switched packets. Counters for hardware switched packets are not updated.
Enabling Local IPv4 and Local IPv6 PBR
Packets that are generated by the switch are not normally policy-routed. To enable local PBR for such packets, indicate which route map the switch should use by entering this command:
IPv4
|
|
---|---|
IPv6
|
|
---|---|
All packets originating on the switch are then subject to local PBR.
Use the show ip local policy command to display the route map used for local PBR, if one exists.
Configuring IPv4 and IPv6 PBR for VRF Instances
To enable PBR for multiple routing instances, configure your device in the following way:
Verifying the PBR Configuration for VRF Instances
To verify the PBR configuration for VRF instances, enter the following steps in any order:
|
|
|
---|---|---|
Switch# show ip access list [access-list-number |access-list-name] |
Displays the subnet ranges defined as match criteria in the standard access lists. |
|
The following example shows you how to configure PBR for VRF instances:
Verifying Next-Hop IP using Object Tracking
To verify the next-hop IP address using PBR with Object Tracking, perform the following steps:
Note The set ip next-hop verify-availability command is not supported on VRF instances, on a virtual switching system (VSS), and with IPv6 traffic.
The following example shows you how to verify the next-hop IP address in a route map:
Unsupported Commands
The following PBR commands in config-route-map mode are in the CLI but not supported in Cisco IOS for the Catalyst 4500 series switches. If you attempt to use these commands, an error message displays:
Policy-Based Routing Configuration Examples
The following sections provide PBR configuration examples:
For information on how to configure policy-based routing, see the section “Policy-Based Routing Configuration Tasks” in this chapter.
Equal Access
The following example provides two sources with equal access to two different service providers. Packets arriving on interface fastethernet 3/1 from the source 10.1.1.1 are sent to the switch at 6.6.6.6 if the switch has no explicit route for the destination of the packet. Packets arriving from the source 2.2.2.2 are sent to the switch at 7.7.7.7 if the switch has no explicit route for the destination of the packet. All other packets for which the switch has no explicit route to the destination are discarded.
Note If the packets you want to drop do not match either of the first two route-map clauses, then change |
set default interface null0 to set interface null0.
Differing Next Hops
The following example illustrates how to route traffic from different sources to different places (next hops). Packets arriving from source 10.1.1.1 are sent to the next hop at 3.3.3.3; packets arriving from source 2.2.2.2 are sent to the next hop at 3.3.3.5.
Deny ACE
The following example illustrates how to stop processing a given route map sequence, and to jump to the next sequence. Packets arriving from source 10.1.1.1 skip sequence 10 and jump to sequence 20. All other packets from subnet 10.1.1.0 follow the set statement in sequence 10.
Examples of the show Command
The following show command illustrates that route map pbrv6-test has only one permit sequence.
In the example policy, IPv6 packets with an address matching the criteria defined by the access control list v6_acl are forwarded to the next hop 2006::2. If next-hop 2006::2 is unreachable, the matching packets are forwarded to 2005::2. If both next-hops are unreachable, the packets are forwarded using the routing table lookup. For packets that do not match the filter criteria, a standard routing table lookup is performed for packet forwarding.