- MPLS Virtual Private Networks
- Multiprotocol BGP MPLS VPN
- MPLS VPN Support for EIGRP Between PE and CE
- IPv6 VPN over MPLS
- Assigning an ID Number to an MPLS VPN
- Multi-VRF Selection Using Policy-Based Routing
- VRF Aware System Message Logging
- MPLS VPN Route Target Rewrite
- MPLS VPN Show Running VRF
- MPLS VPN VRF CLI for IPv4 and IPv6 VPNs
- MPLS VPN VRF Selection Using Policy-Based Routing
- MPLS VPN 6VPE Support Over IP Tunnels
- IPv6 VRF Aware System Message Logging
Contents
- Multi-VRF Selection Using Policy-Based Routing
- Finding Feature Information
- Prerequisites for Multi-VRF Selection Using Policy-Based Routing
- Restrictions for Multi-VRF Selection Using Policy-Based Routing
- Information About Multi-VRF Selection Using Policy-Based Routing
- Policy Routing of VPN Traffic Based on Match Criteria
- Policy-Based Routing set Commands
- Policy-routing Packets for VRF Instances
- Change of Normal Routing and Forwarding Behavior
- Support of Inherit-VRF Inter-VRF and VRF-to-Global Routing
- How to Configure Multi-VRF Selection Using Policy-Based Routing
- Defining the Match Criteria for Multi-VRF Selection Using Policy-Based Routing
- Configuring Multi-VRF Selection Using Policy-Based Routing with a Standard Access List
- Configuring Multi-VRF Selection Using Policy-Based Routing with a Named Extended Access List
- Configuring Multi-VRF Selection in a Route Map
- Configuring Multi-VRF Selection Using Policy-Based Routing and IP VRF Receive on the Interface
- Verifying the Configuration of Multi-VRF Selection Using Policy-Based Routing
- Configuration Examples for Multi-VRF Selection Using Policy-Based Routing
- Example: Defining the Match Criteria for Multi-VRF Selection Using Policy-Based Routing
- Example: Configuring Multi-VRF Selection in a Route Map
- Additional References
- Feature Information for Multi-VRF Selection Using Policy-Based Routing
- Glossary
Multi-VRF Selection Using Policy-Based Routing
The Multi-VRF Selection Using Policy-Based Routing (PBR) feature allows a specified interface on a provider edge (PE) device to route packets to Virtual Private Networks (VPNs) based on packet length or match criteria defined in an IP access list.
You can enable VPN routing and forwarding (VRF) selection by policy routing packets through a route map, through the global routing table, or to a specified VRF.
You can enable policy-routing packets for VRF instances by using route map commands with set commands.
On supported hardware, you can configure both the Multi-VRF Selection Using Policy-Based Routing feature and the MPLS VPN VRF Selection Based on a Source IP Address feature on the same interface.
- Finding Feature Information
- Prerequisites for Multi-VRF Selection Using Policy-Based Routing
- Restrictions for Multi-VRF Selection Using Policy-Based Routing
- Information About Multi-VRF Selection Using Policy-Based Routing
- How to Configure Multi-VRF Selection Using Policy-Based Routing
- Configuration Examples for Multi-VRF Selection Using Policy-Based Routing
- Additional References
- Feature Information for Multi-VRF Selection Using Policy-Based Routing
- Glossary
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for Multi-VRF Selection Using Policy-Based Routing
The device must support policy-based routing (PBR) in order for you to configure this feature. For platforms that do not support PBR, use the MPLS VPN VRF Selection Based on a Source IP Address feature.
A Virtual Private Network (VPN) virtual routing and forwarding (VRF) instance must be defined before you configure this feature. An error message is displayed on the console if no VRF exists.
Restrictions for Multi-VRF Selection Using Policy-Based Routing
All commands that aid in routing also support hardware switching, except for the set ip next-hop verify availability command because Cisco Discovery Protocol information is not available in the line cards.
Protocol Independent Multicast (PIM) and multicast packets do not support policy-based routing (PBR) and cannot be configured for a source IP address that is a match criterion for this feature.
The set vrf and set ip global next-hop commands can be configured with the set default interface, set interface , set ip default next-hop, and set ip next-hop commands. But the set vrf and set ip global next-hop commands take precedence over the set default interface, set interface , set ip default next-hop, and set ip next-hop commands. No error message is displayed if you attempt to configure the set vrf command with any of these three set commands.
The Multi-VRF Selection Using Policy-Based Routing feature cannot be configured with IP prefix lists.
The set global and set vrf commands cannot be simultaneously applied to a route map.
The Multi-VRF Selection Using Policy-Based Routing feature supports VRF-lite; that is, only IP routing protocols run on the device. Multiprotocol Label Switching (MPLS) and Virtual Private Networks (VPNs) cannot be configured. However, the set vrf command will work in MPLS VPN scenarios.
Information About Multi-VRF Selection Using Policy-Based Routing
Policy Routing of VPN Traffic Based on Match Criteria
The Multi-VRF Selection Using Policy-Based Routing feature is an extension of the MPLS VPN VRF Selection Based on a Source IP Address feature. The Multi-VRF Selection Using Policy-Based Routing feature allows you to policy route Virtual Private Network (VPN) traffic based on match criteria. Match criteria are defined in an IP access list and/or are based on packet length. The following match criteria are supported in Cisco software:
IP access lists—Define match criteria based on IP addresses, IP address ranges, and other IP packet access list filtering options. Named, numbered, standard, and extended access lists are supported. All IP access list configuration options in Cisco software can be used to define match criteria.
Packet lengths—Define match criteria based on the length of a packet, in bytes. The packet length filter is defined in a route map with the match length route-map configuration command.
Policy routing is defined in the route map. The route map is applied to the incoming interface with the ip policy route-map interface configuration command. An IP access list is applied to the route map with the match ip address route-map configuration command. Packet length match criteria are applied to the route map with the match length route-map configuration command. The set action is defined with the set vrf route-map configuration command. The match criteria are evaluated, and the appropriate VRF is selected by the set command. This combination allows you to define match criteria for incoming VPN traffic and policy route VPN packets out to the appropriate virtual routing and forwarding (VRF) instance.
Policy-Based Routing set Commands
- Policy-routing Packets for VRF Instances
- Change of Normal Routing and Forwarding Behavior
- Support of Inherit-VRF Inter-VRF and VRF-to-Global Routing
Policy-routing Packets for VRF Instances
To enable policy-routing packets for virtual routing and forwarding (VRF) instances, you can use route map commands with the following set commands. They are listed in the order in which the device uses them during the routing of packets.
set tos—Sets the Type of Service (TOS) bits in the header of an IP packet.
set df—Sets the Don’t Fragment (DF) bit in the header of an IP packet.
set vrf—Routes packets through the specified interface. The destination interface can belong only to a VRF instance.
set global—Routes packets through the global routing table. This command is useful for routing ingress packets belonging to a specific VRF through the global routing table.
set ip vrf next-hop—Indicates where to output IPv4 packets that pass a match criteria of a route map for policy routing when the IPv4 next hop must be under a specified VRF.
set ipv6 vrf next-hop—Indicates where to output IPv6 packets that pass a match criteria of a route map for policy routing when the IPv6 next hop must be under a specified VRF.
set ip global next-hop—Indicates where to forward IPv4 packets that pass a match criterion of a route map for policy routing and for which the Cisco software uses the global routing table. The global keyword explicitly defines that IPv4 next-hops are under the global routing table.
set ipv6 global next-hop—Indicates where to forward IPv6 packets that pass a match criterion of a route map for policy routing and for which the Cisco software uses the global routing table. The global keyword explicitly defines that IPv6 next-hops are under the global routing table.
set interface—When packets enter a VRF, routes the packets out of the egress interface under the same VRF according to the set interface policy, provided that the Layer 2 rewrite information is available.
set ip default vrf—Provides IPv4 inherit-VRF and inter-VRF routing. With inherit-VRF routing, IPv4 packets arriving at a VRF interface are routed by the same outgoing VRF interface. With inter-VRF routing, IPv4 packets arriving at a VRF interface are routed through any other outgoing VRF interface.
set ipv6 default vrf—Provides IPv6 inherit-VRF and inter-VRF routing. With inherit-VRF routing, IPv6 packets arriving at a VRF interface are routed by the same outgoing VRF interface. With inter-VRF routing, IPv6 packets arriving at a VRF interface are routed through any other outgoing VRF interface.
set ip default global—Provides IPv4 VRF to global routing.
set ipv6 default global—Provides IPv6 VRF to global routing.
set default interface—Indicates where to output packets that pass a match criterion of a route map for policy routing and have no explicit route to the destination. The interface can belong to any VRF.
set ip default next-hop—Indicates where to output IPv4 packets that pass a match criterion of a route map for policy routing and for which the Cisco software has no explicit route to a destination.
set ipv6 default next-hop—Indicates where to IPv6 output packets that pass a match criterion of a route map for policy routing and for which the Cisco software has no explicit route to a destination.
Change of Normal Routing and Forwarding Behavior
When you configure policy-based routing (PBR), you can use the following six set commands to change normal routing and forwarding behavior. Configuring any of these set commands, with the potential exception of the set ip next-hop command, overrides the routing behavior of packets entering the interface if the packets do not belong to a virtual routing and forwarding (VRF) instance. The packets are routed from the egress interface across the global routing table.
set default interface—Indicates where to output packets that pass a match criterion of a route map for policy routing and have no explicit route to the destination.
set interface—When packets enter a VRF interface, routes the packets out of the egress interface under the same VRF according to the set interface policy, provided that the Layer 2 rewrite information is available.
NoteThe interface must be a peer-to-peer (P2P) interface.
set ip default next-hop—Indicates where to output IPv4 packets that pass a match criterion of a route map for policy routing and for which the Cisco software has no explicit route to a destination.
set ipv6 default next-hop—Indicates where to output IPv6 packets that pass a match criterion of a route map for policy routing and for which the Cisco software has no explicit route to a destination.
set ip next-hop—Indicates where to output IPv4 packets that pass a match criterion of a route map for policy routing. If an IPv4 packet is received on a VRF interface and is transmitted from another interface within the same VPN, the VRF context of the incoming packet is inherited from the interface.
set ipv6 next-hop—Indicates where to output IPv6 packets that pass a match criterion of a route map for policy routing. If an IPv6 packet is received on a VRF interface and is transmitted from another interface within the same Virtual Private Network (VPN), the VRF context of the incoming packet is inherited from the interface.
Support of Inherit-VRF Inter-VRF and VRF-to-Global Routing
The Multi-VRF Selection Using Policy-Based Routing (PBR) feature supports inherit-VRF and inter-VRF. With inherit-VRF routing, packets arriving at a virtual routing and forwarding (VRF) interface are routed by the same outgoing VRF interface. With inter-VRF routing, packets arriving at a VRF interface are routed through any other outgoing VRF interface.
VRF-to-global routing causes packets that enter any VRF interface to be routed through the global routing table. When a packet arrives on a VRF interface, the destination lookup normally is done only in the corresponding VRF table. If a packet arrives on a global interface, the destination lookup is done in the global routing table.
The Multi-VRF Selection Using Policy-Based Routing feature modifies the following set commands to support inherit-VRF, inter-VRF, and VRF-to-global routing. The commands are listed in the order in which the device uses them during the routing of packets.
set global—Routes packets through the global routing table. This command is useful for routing ingress packets belonging to a specific VRF through the global routing table.
set ip global next-hop—Indicates where to forward IPv4 packets that pass a match criterion of a route map for policy routing and for which the Cisco software uses the global routing table.
set ipv6 global next-hop—Indicates where to forward IPv6 packets that pass a match criterion of a route map for policy routing and for which the Cisco software uses the global routing table.
set ip vrf next-hop—Causes the device to look up the IPv4 next hop in the VRF table. If an IPv4 packet arrives on an interface that belongs to a VRF and the packet needs to be routed through a different VRF, you can use the set ip vrf next-hop command.
set ipv6 vrf next-hop—Causes the device to look up the IPv6 next hop in the VRF table. If an IPv6 packet arrives on an interface that belongs to a VRF and the packet needs to be routed through a different VRF, you can use the set ipv6 vrf next-hop command.
set ip default vrf—Provides IPv4 inherit-VRF and inter-VRF routing. With IPv4 inherit-VRF routing, IPv4 packets arriving at a VRF interface are routed by the same outgoing VRF interface. With inter-VRF routing, IPv4 packets arriving at a VRF interface are routed through any other outgoing VRF interface.
set ipv6 default vrf—Provides IPv6 inherit-VRF and inter-VRF routing. With IPv6 inherit-VRF routing, IPv6 packets arriving at a VRF interface are routed by the same outgoing VRF interface. With inter-VRF routing, IPv6 packets arriving at a VRF interface are routed through any other outgoing VRF interface.
set interface—When packets enter a VRF, routes the packets out of the egress interface under the same VRF, according to the set interface policy, provided that the Layer 2 rewrite information is available.
set default interface—Indicates where to output packets that pass a match criterion of a route map for policy routing and have no explicit route to the destination. The interface can belong to any VRF.
set ip next-hop—Routes IPv4 packets through the global routing table in an IPv4-to-IPv4 routing and forwarding environment.
set ipv6 next-hop—Routes IPv6 packets through the global routing table in an IPv6-to-IPv6 routing and forwarding environment.
set vrf—Selects the appropriate VRF after a successful match occurs in the route map. VRS-aware PSV allows only inter-VRF (or VRF-to-VRF) switching.
How to Configure Multi-VRF Selection Using Policy-Based Routing
- Defining the Match Criteria for Multi-VRF Selection Using Policy-Based Routing
- Configuring Multi-VRF Selection in a Route Map
- Configuring Multi-VRF Selection Using Policy-Based Routing and IP VRF Receive on the Interface
- Verifying the Configuration of Multi-VRF Selection Using Policy-Based Routing
Defining the Match Criteria for Multi-VRF Selection Using Policy-Based Routing
Define the match criteria for the Multi-VRF Selection using Policy-Based Routing (PBR) feature so that you can selectively route the packets instead of using their default routing and forwarding.
The match criteria for the Multi-VRF Selection using Policy-Based Routing are defined in an access list. Standard, named, and extended access lists are supported.
You can define the match criteria based on the packet length by configuring the match length route-map configuration command. This configuration option is defined entirely within a route map.
The following sections explain how to configure PBR route selection:
- Configuring Multi-VRF Selection Using Policy-Based Routing with a Standard Access List
- Configuring Multi-VRF Selection Using Policy-Based Routing with a Named Extended Access List
Configuring Multi-VRF Selection Using Policy-Based Routing with a Standard Access List
The tasks in the following sections assume that the virtual routing and forwarding (VRF) instance and associated IP address are already defined.
1.
enable
2.
configure terminal
3.
access-list
access-list-number {deny |
permit} [source
source-wildcard] [log]
DETAILED STEPS
Configuring Multi-VRF Selection Using Policy-Based Routing with a Named Extended Access List
To configure Multi-VRF Selection using Policy-Based Routing (PBR) with a named extended access list, complete the following steps.
The tasks in the following sections assume that the virtual routing and forwarding (VRF) instance and associated IP address are already defined.
1.
enable
2.
configure terminal
3.
ip access-list {standard |
extended} [access-list-name |
access-list-number]
4.
[sequence-number] {permit |
deny}
protocol
source
source-wildcard
destination
destination-wildcard [option
option-value] [precedence
precedence] [tostos] [ttl
operator-vaue] [log] [time-range
time-range-name] [fragments]
DETAILED STEPS
Configuring Multi-VRF Selection in a Route Map
Incoming packets are filtered through the match criteria that are defined in the route map. After a successful match occurs, the set command configuration determines the VRF through which the outbound Virtual Private Network (VPN) packets will be policy routed.
You must define the virtual routing and forwarding (VRF) instance before you configure the route map; otherwise an error message appears on the console.
A receive entry must be added to the VRF selection table with the ip vrf receive command. If a match and set operation occurs in the route map but there is no receive entry in the local VRF table, the packet will be dropped if the packet destination is local.
- set ip vrf vrf-name next-hop global-ipv4-address [...global-ipv4-address]
- set ipv6 vrf vrf-name next-hop global-ipv6-address [...global-ipv6-address]
- set ip next-hop recursive vrf global-ipv4-address [...global-ipv4-address]
- set ip global next-hop global-ipv4-address [...global-ipv4-address]
- set ipv6 global next-hop global-ipv6-address [...global-ipv6-address]
1.
enable
2.
configure terminal
3.
route-map
map-tag [permit |
deny] [sequence-number]
4.
Do one of the following :
6.
end
DETAILED STEPS
Configuring Multi-VRF Selection Using Policy-Based Routing and IP VRF Receive on the Interface
The route map is attached to the incoming interface with the ip policy route-map interface configuration command.
The source IP address must be added to the virtual routing and forwarding (VRF) selection table. VRF selection is a one-way (unidirectional) feature. It is applied to the incoming interface. If a match and set operation occurs in the route map but there is no receive entry in the local VRF table, the packet is dropped if the packet destination is local.
1.
enable
2.
configure terminal
3.
interface
type
number [name-tag]
4.
ip policy route-map
map-tag
5.
ip vrf receive
vrf-name
6.
end
DETAILED STEPS
Verifying the Configuration of Multi-VRF Selection Using Policy-Based Routing
To verify the configuration of the Multi-VRF Selection Using Policy-Based Routing (PBR) feature, perform the following steps. You can enter the commands in any order.
1.
show ip access-list [access-list-number |
access-list-name]
2.
show route-map [map-name]
3.
show ip policy
DETAILED STEPS
Configuration Examples for Multi-VRF Selection Using Policy-Based Routing
- Example: Defining the Match Criteria for Multi-VRF Selection Using Policy-Based Routing
- Example: Configuring Multi-VRF Selection in a Route Map
Example: Defining the Match Criteria for Multi-VRF Selection Using Policy-Based Routing
In the following example, three standard access lists are created to define match criteria for three different subnetworks. Any packets received on FastEthernet interface 0/1/0 will be policy routed through the PBR-VRF-Selection route map to the virtual routing and forwarding (VRF) that is matched in the same route-map sequence. If the source IP address of the packet is part of the 10.1.0.0/24 subnet, VRF1 will be used for routing and forwarding.
access-list 40 permit source 10.1.0.0 0.0.255.255 access-list 50 permit source 10.2.0.0 0.0.255.255 access-list 60 permit source 10.3.0.0 0.0.255.255 route-map PBR-VRF-Selection permit 10 match ip address 40 set vrf VRF1 ! route-map PBR-VRF-Selection permit 20 match ip address 50 set vrf VRF2 ! route-map PBR-VRF-Selection permit 30 match ip address 60 set vrf VRF3 ! interface FastEthernet 0/1/0 ip address 192.168.1.6 255.255.255.252 ip vrf forwarding VRF4 ip policy route-map PBR-VRF-Selection ip vrf receive VRF1 ip vrf receive VRF2 ip vrf receive VRF3
Example: Configuring Multi-VRF Selection in a Route Map
The following example shows a set ip vrf next-hop command that applies policy-based routing to the virtual routing and forwarding (VRF) interface named myvrf and specifies that the IP address of the next hop is 10.0.0.2:
Device(config)# route-map map1 permit Device(config)# set vrf myvrf Device(config-route-map)# set ip vrf myvrf next-hop 10.0.0.2 Device(config-route-map)# match ip address 101 Device(config-route-map)# end
The following example shows a set ip global command that specifies that the device should use the next hop address 10.0.0.1 in the global routing table:
Device(config-route-map)# set ip global next-hop 10.0.0.1
Additional References
Related Documents
Related Topic |
Document Title |
---|---|
Cisco IOS commands |
|
MPLS and MPLS applications commands |
|
IP access list commands |
Cisco IOS Security Command Reference |
Technical Assistance
Description |
Link |
---|---|
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
Feature Information for Multi-VRF Selection Using Policy-Based Routing
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Feature Name |
Releases |
Feature Information |
---|---|---|
Multi-VRF Selection Using Policy-Based Routing (PBR) |
12.2(33)SRB1 12.2(33)SXH1 12.4(24)T Cisco IOS XE Release 2.2 |
The Multi-VRF Selection Using Policy-Based Routing (PBR) feature allows a specified interface on a provider edge (PE) router to route packets to Virtual Private Networks (VPNs) based on packet length or match criteria defined in an IP access list. This feature and the MPLS VPN VRF Selection Based on Source IP Address feature can be configured together on the same interface In Cisco IOS Release 12.2(33)SRB1, this feature was introduced. In Cisco IOS Release 12.2(33)SXH1, support was added. In Cisco IOS Release 12.4(24)T, this feature was integrated. In Cisco IOS XE Release 2.2, this feature was implemented on the Cisco ASR 1000 Series Aggregation Services Routers. The following commands were modified: set ip global next-hop and set ip vrf next-hop. |
IPv6 VRF-Aware PBR Next-hop Enhancement |
15.2(2)S Cisco IOS XE Release 3.6S |
In Cisco IOS Release 15.2(2)S, this feature was introduced. In Cisco IOS XE Release 3.6S, this feature was implemented on the Cisco ASR 1000 Series Aggregation Services Routers. The following commands were introduced: set ipv6 default next-hop, set ipv6 next-hop (PBR) |
Glossary
CE device—customer edge device. A device that is part of a customer network and that interfaces to a provider edge (PE) device.
Inherit-VRF routing—Packets arriving at a VRF interface are routed by the same outgoing VRF interface.
Inter-VRF routing—Packets arriving at a VRF interface are routed via any other outgoing VRF interface.
IP—Internet Protocol. Network layer protocol in the TCP/IP stack offering a connectionless internetwork service. IP provides features for addressing, type-of-service specification, fragmentation and reassembly, and security. Defined in RFC 791.
PBR—policy-based routing. PBR allows a user to manually configure how received packets should be routed.
PE device—provider edge device. A device that is part of a service provider’s network and that is connected to a CE device. It exchanges routing information with CE devices by using static routing or a routing protocol such as BGP, RIPv1, or RIPv2.
VPN—Virtual Private Network. A collection of sites sharing a common routing table. A VPN provides a secure way for customers to share bandwidth over an ISP backbone network.
VRF—A VPN routing and forwarding instance. A VRF consists of an IP routing table, a derived forwarding table, a set of interfaces that use the forwarding table, and a set of rules and routing protocols that determine what goes into the forwarding table.
VRF-lite—A feature that enables a service provider to support two or more VPNs, where IP addresses can be overlapped among the VPNs.