PBR is a powerful tool that allows you to configure a defined policy for IP traffic flows, reducing reliance on routes derived from routing protocols. With PBR, all packets received on an interface are passed through enhanced packet filters or route maps, which dictate the policy that determines where to forward packets.
In this article, we will delve into the world of Policy-Based Routing (PBR) on Cisco Nexus switches.
Policy-Based Routing (PBR) Overview
PBR is a feature that overrides the router’s typical longest prefix match (LPM) destination-based forwarding logic. PBR intercepts the packet on the incoming interface before the router performs the FIB table lookup, and then chooses how to forward the packet using route-map criteria.
PBR allows for conditional forwarding and a more flexible mechanism for routing packets than destination-based routing. You might enable PBR if you want certain packets to be routed in some way other than the LPM shortest path.
PBR Operation and FSM
In the figure below, we have three routers, A, B, and C, that are connected to the local router on Eth1/10, Eth1/11, and Eth1/12, respectively. The packet enters the local router, where the PBR policy is deployed, on Eth1/1.
[Figure: PBR route-map diagram. An IP packet enters via Eth1/1 and is evaluated by the PBR policy; match X, Y or Z selects next hop A, B or C, and the packet leaves through Eth1/10, Eth1/11 or Eth1/12 towards router A, B or C.]
If the packet matches condition X in the route map, the next hop is router A; if it matches condition Y, the next hop is router B; and if it matches condition Z, the next hop is router C.
If the packet matches none of these conditions (X, Y, or Z), the IP routing table (FIB) is consulted and the packet is forwarded normally using the destination-based LPM lookup.
The figure below shows the PBR operation’s finite state machine (FSM). It shows when the PBR-based routing happens and when the destination-based routing (LPM) happens.
[Figure: PBR FSM flowchart. It begins with an IP packet and checks whether PBR is enabled, then walks through the route-map clauses (match 1st, 2nd, ..., last clause) with their permit/deny actions, ending in either PBR-based routing or destination-based (normal) routing.]
PBR Applications and Use Cases
Possible applications for policy-based routing:
- Protocol-sensitive routing.
- Source-sensitive routing.
- Distributing traffic among multiple paths based on traffic characteristics.
- Routing based on dedicated links.
Policy-Based Routing Configuration in NX-OS
NX-OS PBR configuration uses a route-map with match and set statements that are then attached to the inbound L3 interface.
The PBR configuration steps:
- Step 1. Enable the PBR feature.
- Step 2. Define a route-map.
- Step 3. Identify the conditional match criteria.
- Step 4. Specify one or more next-hops for packets that match the criteria.
- Step 5. Apply the route-map to the inbound interface.
- Step 6. (optional) Enable PBR statistics.
Useful show commands:
- To display policy statistics:
show route-map <name> pbr-statistics
- To show all PBR policies applied on the switch:
show ip policy
- To display the route policy manager information:
show run rpm
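The six configuration steps and the show commands above, worked through as an added example (this is not configuration from the original article or from Cisco's documentation). The hostnames, ACL and route-map names, the interface, and the documentation-range addresses are assumptions chosen for illustration:

```cisco
! Step 1: enable the PBR feature (all names and addresses below are assumed)
feature pbr

! Step 3 (prepared first): the match criteria. Only permit ACEs are allowed
! in a PBR ACL; a deny ACE is rejected. Packets that match no ACE simply fall
! through to normal LPM forwarding, so the policy can never black-hole traffic.
ip access-list PBR-FROM-GUEST
  10 permit ip 10.1.1.0/24 any

! Steps 2-4: the route-map with its match and set statements. Listing two
! next-hops gives failover: PBR uses the first next-hop that exists in the
! routing table and falls back to the second if the first is absent.
route-map PBR-STEER permit 10
  match ip address PBR-FROM-GUEST
  set ip next-hop 192.0.2.10 192.0.2.20

! Step 6 (optional): per-sequence match counters, useful for auditing that the
! policy is steering what you expect and nothing else
route-map PBR-STEER pbr-statistics

! Step 5: apply the policy inbound on the L3 interface where the packets arrive
interface Ethernet1/1
  ip policy route-map PBR-STEER

! Verification
! show ip policy                            -> interfaces with a PBR policy attached
! show route-map PBR-STEER pbr-statistics   -> match counters per route-map sequence
! show ip route 192.0.2.10                  -> confirm the next-hop is actually in the RIB
```

With this policy, a packet from 10.1.1.0/24 arriving on Ethernet1/1 is sent to 192.0.2.10 if that next-hop is present in the routing table, to 192.0.2.20 if only the second is present, and by the normal LPM lookup if neither exists. Lines beginning with ! are ignored when the configuration is pasted.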
PBR Guidelines and Limitations
- Before forwarding the packet, PBR verifies the existence of the next-hop IP address.
- Additional next-hop addresses can be configured for failover scenarios or load sharing.
- If none of the specified next-hop addresses exists in the routing table, the packets are not conditionally forwarded; they are forwarded using normal LPM forwarding instead.
- Using a prefix list as a match criterion is not supported.
- PBR supports only unicast traffic. Multicast traffic is not supported.
- Policy-based routing is not supported with inbound traffic on FEX ports.
- An ACL used in a PBR route map cannot include a deny ACE (access control entry).
- In some Nexus models, to apply PBR to locally generated traffic, use the command ip local policy route-map <route-map-name>.
PBR Configuration LAB Demo
References: Cisco Nexus 9000 Series NX-OS Unicast Routing Configuration Guide