Creating a PBR policy

PBR enables you to manipulate a packet's path based on attributes of the packet. Traffic with the same destination can be routed over different paths, so that different types of traffic, such as VoIP or traffic with special security requirements, can be better managed.

NOTE:

Policy Based Routing (PBR) is available on switches running v2 or higher modules.

The supported actions for PBR are:

  • Setting the next hop for routing the packet ([ipv4 | ipv6] next-hop [ip-addr]).

  • Setting the next hop for routing the packet if there is no explicit route for this destination ([ipv4 | ipv6] ip default-next-hop [ip-addr]).

  • Setting the outbound tunnel interface for the packet (interface tunnel [tunnel-ID]). See the IPv6 Configuration Guide for your switch.

  • Setting interface null, which specifies that the packets are dropped if no other actions have occurred.

Operating notes for PBR

  • Multiple actions can be configured for a class, up to 8 actions per class.

  • If you configure an action of interface null, no more actions for that class may be configured.

  • Only one of the 8 possible actions can be active at one time.

  • The precedence of actions is indicated by the order in which they are added to the policy.

  • Actions can only be added to a class, and they are added to the end of the action list for the class.

  • To remove actions from a class, the entire class must be removed from the policy.

  • When an action becomes inactive, for example, if the configured address becomes unreachable (for next-hop and default-next-hop) or the interface goes down (for a tunnel), the policy is configured with the next action for that class, if possible. If that action is not active, the next action is tried, and so on, until an interface null or the end of the list of configured actions is encountered. If the end of the list is reached, the policy action for that class behaves as if no PBR policy is applied.

  • The maximum combined number of unique IP next-hops and default-next-hops supported is 16.

TCP and UDP traffic routing

The following example shows TCP and UDP traffic routed on different network paths. First, the traffic classes are created, then the PBR policy is created, and lastly the PBR policy is applied to an interface.

switch(config)# class ipv4 TCP
switch(config-class)# match tcp 10.0.8.1/24 15.29.16.104/24 eq 80
switch(config-class)# match tcp 10.0.8.1/24 15.29.16.104/24 eq 22
switch(config-class)# match tcp 10.0.8.1/24 15.29.16.104/24 eq 23
switch(config-class)# exit
switch(config)# class ipv4 UDP
switch(config-class)# match udp 10.0.8.1/24 15.29.16.104/24 eq 80
switch(config-class)# match udp 10.0.8.1/24 15.29.16.104/24 eq 22
switch(config-class)# match udp 10.0.8.1/24 15.29.16.104/24 eq 23
switch(config-class)# exit
switch(config)# class ipv6 TCP
switch(config-class)# match tcp 2001::1/64 3001::1/64 eq 80
switch(config-class)# match tcp 2001::1/64 3001::1/64 eq 22
switch(config-class)# match tcp 2001::1/64 3001::1/64 eq 23
switch(config-class)# exit
switch(config)# class ipv6 UDP
switch(config-class)# match udp 2001::1/64 3001::1/64 eq 80
switch(config-class)# match udp 2001::1/64 3001::1/64 eq 22
switch(config-class)# match udp 2001::1/64 3001::1/64 eq 23
switch(config-class)# exit
switch(config)# policy pbr TCP_UDP
switch(policy-pbr)# class ipv4 TCP
switch(policy-pbr-class)# action ip next-hop 20.0.0.1
switch(policy-pbr-class)# action interface null
switch(policy-pbr-class)# exit
switch(policy-pbr)# class ipv4 UDP
switch(policy-pbr-class)# action ip default-next-hop 30.0.0.1
switch(policy-pbr-class)# action interface tunnel 3
switch(policy-pbr-class)# exit
switch(policy-pbr)# class ipv6 TCP
switch(policy-pbr-class)# action ip next-hop 20.0.0.1
switch(policy-pbr-class)# exit
switch(policy-pbr)# class ipv6 UDP
switch(policy-pbr-class)# action ip next-hop 30.0.0.1
switch(policy-pbr-class)# exit
switch(policy-pbr)# exit
switch(config)# vlan 10
switch(vlan-10)# service-policy TCP_UDP in
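The operating notes above state rules that are easy to get wrong when a policy is written by hand: at most 8 actions per class, nothing after interface null, at most 16 unique next-hops, and fallback through the action list in configured order when a next-hop becomes unreachable or a tunnel goes down. The following Python script is an added example, not part of this guide or the switch software: it parses the policy pbr section of the transcript above, checks it against those limits, and walks a class's action list the way the notes describe. The parser, the data classes and the assumption that the 16-hop limit is counted across all policies on the switch are this example's own.

```python
"""Added example: model of the PBR operating notes (not switch code).
Parses the 'policy pbr' section of a CLI transcript, validates it against
the stated limits, and resolves which action is active for a class."""
from dataclasses import dataclass, field

MAX_ACTIONS_PER_CLASS = 8    # operating notes: up to 8 actions per class
MAX_UNIQUE_NEXT_HOPS = 16    # operating notes: combined next-hop/default-next-hop limit


@dataclass
class Action:
    kind: str          # "next-hop", "default-next-hop", "tunnel" or "null"
    target: str = ""   # IP address, tunnel ID, or "" for interface null


@dataclass
class PbrPolicy:
    name: str
    classes: dict = field(default_factory=dict)  # "ipv4 TCP" -> [Action, ...]


def parse_action(words):
    """Turn the words after 'action' into an Action."""
    if words[0] == "interface":
        return Action("null") if words[1] == "null" else Action("tunnel", words[2])
    return Action(words[1], words[2])   # "ip next-hop X" / "ip default-next-hop X"


def parse_pbr_transcript(text):
    """Extract policy/class/action structure from 'switch(...)# cmd' lines.
    Class match statements and the service-policy binding are not modelled."""
    policies, policy, cls = {}, None, None
    for raw in text.splitlines():
        if "# " not in raw:
            continue
        parts = raw.split("# ", 1)[1].split()
        if not parts:
            continue
        if parts[:2] == ["policy", "pbr"]:
            policy = PbrPolicy(parts[2])
            policies[policy.name] = policy
        elif parts[0] == "class" and policy is not None:
            cls = f"{parts[1]} {parts[2]}"
            policy.classes.setdefault(cls, [])
        elif parts[0] == "action" and cls is not None:
            # actions are only ever appended to the end of the list (operating notes)
            policy.classes[cls].append(parse_action(parts[1:]))
        elif parts[0] == "exit":
            if cls is not None:
                cls = None
            else:
                policy = None
    return policies


def validate(policies):
    """Return violations of the operating notes' limits (empty list = OK)."""
    problems, hops = [], set()   # hop limit assumed switch-wide, so count across policies
    for pol in policies.values():
        for cls, actions in pol.classes.items():
            if len(actions) > MAX_ACTIONS_PER_CLASS:
                problems.append(f"{pol.name}/{cls}: {len(actions)} actions, max {MAX_ACTIONS_PER_CLASS}")
            for i, act in enumerate(actions):
                if act.kind == "null" and i < len(actions) - 1:
                    problems.append(f"{pol.name}/{cls}: actions follow 'interface null'")
                    break
                if act.kind in ("next-hop", "default-next-hop"):
                    hops.add(act.target)
    if len(hops) > MAX_UNIQUE_NEXT_HOPS:
        problems.append(f"{len(hops)} unique next-hops, max {MAX_UNIQUE_NEXT_HOPS}")
    return problems


def active_action(actions, reachable_hops, tunnels_up):
    """Walk the list in configured order; return the first active action.
    A 'null' action means the packets are dropped; None means the end of the
    list was reached and the packet is routed as if no PBR policy applied."""
    for act in actions:
        if act.kind == "null":
            return act
        if act.kind in ("next-hop", "default-next-hop") and act.target in reachable_hops:
            return act
        if act.kind == "tunnel" and act.target in tunnels_up:
            return act
    return None


# The 'policy pbr' part of the page's example, used here as sample input.
PAGE_TRANSCRIPT = """\
switch(config)# policy pbr TCP_UDP
switch(policy-pbr)# class ipv4 TCP
switch(policy-pbr-class)# action ip next-hop 20.0.0.1
switch(policy-pbr-class)# action interface null
switch(policy-pbr-class)# exit
switch(policy-pbr)# class ipv4 UDP
switch(policy-pbr-class)# action ip default-next-hop 30.0.0.1
switch(policy-pbr-class)# action interface tunnel 3
switch(policy-pbr-class)# exit
switch(policy-pbr)# class ipv6 TCP
switch(policy-pbr-class)# action ip next-hop 20.0.0.1
switch(policy-pbr-class)# exit
switch(policy-pbr)# class ipv6 UDP
switch(policy-pbr-class)# action ip next-hop 30.0.0.1
switch(policy-pbr-class)# exit
switch(policy-pbr)# exit
"""

if __name__ == "__main__":
    policies = parse_pbr_transcript(PAGE_TRANSCRIPT)
    print("violations:", validate(policies) or "none")
    udp = policies["TCP_UDP"].classes["ipv4 UDP"]
    print("30.0.0.1 down, tunnel 3 up:", active_action(udp, set(), {"3"}))
    print("30.0.0.1 down, tunnel 3 down:", active_action(udp, set(), set()))
```

Running the script reports no violations for the page's policy; for the ipv4 UDP class it resolves to tunnel 3 when 30.0.0.1 is unreachable, and to None (normal routing) when the tunnel is down as well. The ipv4 TCP class differs because its list ends in interface null: when 20.0.0.1 is unreachable its traffic is dropped rather than falling back to the routing table, which is the behaviour to choose when the secured path must never be bypassed.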

To enable debug logging for PBR, enter the debug ip pbr command. A message is logged when a PBR policy is applied, when the action in a class becomes inactive, and when an action in a class becomes active. See the Management and Configuration Guide for your switch.
