Software path and system default route

By default, ArubaOS-CX sends packets whose destination network has no entry in the system route table with a reachable next-hop address to the system CPU for special handling, if any is specified (for example, sending an ICMP unreachable reply message).

A side effect is that this CPU routing has higher priority than an applied PBR next-hop action. Even when an applied policy has an entry that matches the traffic and specifies a reachable PBR next-hop action, the traffic is still routed to the system CPU (because the system route table has no reachable next-hop for it) and not through the desired PBR hardware path. Traffic routed to the system CPU is still routed properly by the PBR software path, but it is also rate limited by the control plane policing feature, and loss will occur.

CAUTION:

The workaround for this issue is to create a default next-hop route in the system with a reachable next-hop router/host. This results in a route hit, or a reachable next-hop being detected, for the traffic, so the traffic no longer needs to be routed to the CPU. The PBR hardware path next-hop action then occurs, as desired.
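The following added example (not ArubaOS-CX code or output) models the behavior described above as an offline audit: given a copy of the system route table and the destinations that PBR-matched traffic is sent to, it lists the destinations that would be punted to the CPU, before and after the default route is added. The `Route` type, the function names and the sample addresses are hypothetical, and the model assumes that any covering route with a reachable next-hop counts as a route hit.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str      # destination prefix in the system route table
    next_hop: str    # configured next-hop address
    reachable: bool  # whether that next-hop is currently reachable


def has_reachable_route(routes, dst):
    """True if some route covers dst and its next-hop is reachable (assumed model)."""
    addr = ipaddress.ip_address(dst)
    return any(r.reachable and addr in ipaddress.ip_network(r.prefix) for r in routes)


def pbr_path(routes, dst):
    """Path for traffic that matches a PBR entry whose own next-hop is reachable."""
    # No reachable system route: the packet goes to the CPU first, where the
    # PBR software path routes it under control plane policing.
    return "pbr-hardware" if has_reachable_route(routes, dst) else "cpu-software"


def punted_destinations(routes, destinations):
    """Destinations whose PBR-matched traffic would take the CPU path."""
    return [d for d in destinations if pbr_path(routes, d) == "cpu-software"]


# Constructed sample data (not taken from a real device).
ROUTES = [
    Route("10.1.0.0/16", "10.0.0.2", True),
    Route("172.16.0.0/12", "10.0.0.3", False),  # route exists, next-hop is down
]
DESTINATIONS = ["10.1.5.9", "172.16.4.4", "198.51.100.7"]
DEFAULT_ROUTE = Route("0.0.0.0/0", "10.0.0.1", True)  # the workaround

if __name__ == "__main__":
    print("before:", punted_destinations(ROUTES, DESTINATIONS))
    print("after: ", punted_destinations(ROUTES + [DEFAULT_ROUTE], DESTINATIONS))
```

A destination covered only by a route whose next-hop is unreachable is reported the same way as one with no route at all, since both lack a reachable next-hop in the system route table.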