Configuring Policy-Based Routing

This chapter describes how to configure policy based routing on the Cisco NX-OS device.

This chapter includes the following sections:

Information About Policy-Based Routing

Policy-based routing allows you to configure a defined policy for IPv4 traffic flows, lessening reliance on routes derived from routing protocols. All packets received on an interface with policy-based routing enabled are passed through enhanced packet filters or route maps . The route maps dictate the policy, determining where to forward packets.

Route maps are composed of match and set statements that you can mark as permit or deny. You can interpret the statements as follows:

  • If the packets match any route map statements, all the set statements are applied. One of these actions involves choosing the next-hop.

  • If the statement is marked as permit and the packets do not match any route-map statements, the packets are sent back through the normal forwarding channels and destination-based routing is performed.

For more information, see the Route Maps section.

Policy-based routing includes the following features:

  • Source-based routing—Routes traffic that originates from different sets of users through different connections across the policy routers.

  • Load sharing—Distributes traffic among multiple paths based on the traffic characteristics.

Policy Route Maps

Route-Maps are used to filter routes that are distributed across various routing protocols and between different entities in a given routing protocol. Each entry in a route map contains a combination of match and set statements. The match statements define the criteria for whether appropriate packets meet the particular policy (that is, the conditions to be met). The set clauses explain how the packets should be routed once they have met the match criteria.

You can mark the route-map statements as permit or deny. If the statement is marked as a deny, the packets that meet the match criteria are sent back through the normal forwarding channels (destination-based routing is performed). If the statement is marked as permit and the packets meet the match criteria, all the set clauses are applied. If the statement is marked as permit and the packets do not meet the match criteria, those packets are also forwarded through the normal routing channel.


Note

Policy routing is specified on the interface that receives the packets, not on the interface from which the packets are sent.

Set Criteria for Policy-Based Routing

The set criteria in a route map is evaluated in the order listed in the route map. Set criteria specific to route maps used for policy-based routing are as follows:

  1. List of specified IP addresses—The IP address can specify the adjacent next-hop router in the path toward the destination to which the packets should be forwarded. The first IP address associated with a currently up connected interface is used to route the packets.


    Note

    You can optionally configure the set criteria for next-hop addresses to load balance traffic across up to 16 IP addresses. In this case, Cisco NX-OS sends all traffic for each IP flow to a particular IP next-hop address.

  2. NULL interface—Traffic that matches the match statement is dropped if you use the set null interface.

    If the packets do not meet any of the defined match criteria, those packets are routed through the normal destination-based routing process

Prerequisites for Policy-Based Routing

Policy-based routing has the following prerequisites:

  • Install the correct license.

  • You must enable policy-based routing (see the Enabling the Policy-Based Routing Feature section).

  • Assign an IP address on the interface and bring the interface up before you apply a route map on the interface for policy-based routing.

Guidelines and Limitations for Policy-Based Routing

Policy-based routing has the following configuration guidelines and limitations:

  • A match command cannot refer to more than one ACL in a route map used for policy-based routing.

  • An ACL used in a policy-based routing route map cannot include a deny statement.

  • The same route map can be shared among different interfaces for policy-based routing as long as the interfaces belong to the same virtual routing and forwarding (VRF) instance.

Default Settings

Table below lists the default settings for policy-based routing parameters.

Table 1. Default Policy-based Routing Parameters

Parameters

Default

Policy-based routing

Disabled

Configuring Policy-Based Routing


Note

If you are familiar with the Cisco IOS CLI, be aware that the Cisco NX-OS commands for this feature might differ from the Cisco IOS commands that you would use.

Enabling the Policy-Based Routing Feature

You must enable the policy-based routing feature before you can configure a route policy.

SUMMARY STEPS

  1. configure terminal
  2. feature pbr
  3. (Optional) show feature
  4. (Optional) copy running-config startup-config

DETAILED STEPS

  Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters global configuration mode.

Step 2

feature pbr

Example:

switch(config)# feature pbr

Enables the policy-based routing feature.

Step 3

(Optional) show feature

Example:

switch(config)# show feature
 (Optional)

Displays enabled and disabled features.

Step 4

(Optional) copy running-config startup-config

Example:

switch(config)# copy running-config startup-config
(Optional)

Saves this configuration change.

Example

Use the no feature pbr command to disable the policy-based routing feature and remove all associated configuration.

Command

Purpose

no feature pbr

Example:

switch(config)# no feature pbr

Disables policy-based routing and removes all associated configuration.

Configuring a Route Policy

You can use route maps in policy-based routing to assign routing policies to the inbound interface. See the Configuring Route Maps section.

SUMMARY STEPS

  1. configure terminal
  2. interface type slot/port
  3. ip policy route-map map-name
  4. (Optional) exit
  5. (Optional) exit
  6. (Optional) copy running-config startup-config

DETAILED STEPS

  Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters global configuration mode.

Step 2

interface type slot/port

Example:

switch(config)# interface ethernet 1/2
switch(config-if)#

Enters interface configuration mode.

Step 3

ip policy route-map map-name

Example:

switch(config-if)# ip policy route-map Testmap

Assigns a route map for IPv4 policy-based routing to the interface.

Step 4

(Optional) exit

Example:

switch(config-route-map)# exit
 (Optional)

Exits route-map configuration mode.

Step 5

(Optional) exit

Example:

switch(config)# exit
 (Optional)

Exits global configuration mode.

Step 6

(Optional) copy running-config startup-config

Example:

switch(config)# copy running-config startup-config
(Optional)

Saves this configuration change.

Example

This example shows how to add a route map to an interface:

switch# configure terminal
switch(config)# interface ethernet 1/2
switch(config-if)# ip policy route-map Testmap
switch(config)# exit
switch(config)# copy running-config startup-config

You can configure the following optional match parameters for route maps in route-map configuration mode:

Command

Purpose

match ip address access-list-name name [ name... ]

Example:

switch(config-route-map)# match ip address access-list-name ACL1

Matches an IPv4 address against one or more IP access control lists (ACLs). This command is used for policy-based routing and is ignored by route filtering or redistribution.

You can configure the following optional set parameters for route maps in route-map configuration mode:

Command

Purpose

set ip next-hop address1 [address2... ] { load-share }

Example:

switch(config-route-map)# set ip next-hop 192.0.2.1

Sets the IPv4 next-hop address for policy-based routing. This command uses the first valid next-hop address if multiple addresses are configured.

Use the optional load-share keyword to load balance traffic across a maximum of 16 next-hop addresses.

set ip default next-hop address1 [ address2... ] { load-share }

Example:

switch(config-route-map)# set ip default next-hop 192.0.2.2

Sets the IPv4 next-hop address for policy-based routing when there is no explicit route to a destination. This command uses the first valid next-hop address if multiple addresses are configured.

Use the optional load-share keyword to load balance traffic across a maximum of 16 next-hop addresses.

Cisco NX-OS routes the packet as soon as it finds a next-hop and an interface.

Verifying the Policy-Based Routing Configuration

To display policy-based routing configuration information, perform one of the following tasks:

Command

Purpose
show ip policy [name]

Displays information about an IPv4 policy.
show route-map [name] pbr-statistics

Displays policy statistics.

Use the route-map map-name pbr-statistics to enable policy statistics. Use the clear route-map map-name pbr-statistics to clear these policy statistics.

Displaying Policy-Based Routing Statistics

Use the show route-map rmap-name pbr-statistics command to display the statistics for policy-based routing. The statistics are maintained for each route-map sequence. It shows the number of packets that are policy-routed based on the match condition in a given route-map sequence. All other packets that are routed using the default routing table (could be due to unreachable next-hops in the set command) are also displayed. The PBR statistics collection must be turned on before any statistics can be shown.

This example shows how to display PBR statistics:

switch(config)# show route-map pbr-sample pbr-statistics

Clearing Policy-Based Routing Statistics

Use the clear route-map rmap-name pbr-statistics command to clear the counters maintained for PBR statistics of a route-map.

This example shows how to clear PBR statistics:

switch(config)# clear route-map pbr-sample pbr-statistics

Configuration Examples for Policy Based-Routing

This example shows how to configure a simple route policy on an interface:

feature pbr
ip access-list pbr-sample
permit tcp host 10.1.1.1 host 192.168.2.1 eq 80
!
route-map pbr-sample
match ip address pbr-sample
set ip next-hop 192.168.1.1
!
route-map pbr-sample pbr-statistics
 
interface ethernet 1/2
ip policy route-map pbr-sample

The following output verifies this configuration:

n3000# show route-map pbr-sample
 
route-map pbr-sample, permit, sequence 10
Match clauses:
ip address (access-lists): pbr-sample
Set clauses:
ip next-hop 192.168.1.1
 
n3000# show route-map pbr-sample pbr-statistics
 
route-map pbr-sample, permit, sequence 10
Policy routing matches: 84 packets

Feature History for Policy-Based Routing

Table below lists the release history for this feature.

Table 2. Feature History for Policy-Based Routing

Feature Name

Releases

Feature Information

Policy-based routing

6.0(2)A7(1)

This feature was introduced.