Cisco 7600 Series Router Software Configuration Guide Cisco IOS Release 15S
Configuring IPv6 Policy Based Routing
Download this chapter
Configuring IPv6 Policy Based RoutingConfiguring IPv6 Policy Based Routing
Download the complete book
Full Book PDF of Cisco 7600 Series Router Cisco IOS Software Configuration GuideFull Book PDF of Cisco 7600 Series Router Cisco IOS Software Configuration Guide (PDF - 9 MB)
 Feedback

Table Of Contents

Configuring IPv6 Policy Based Routing

Understanding IPv6 Policy Based Routing

Policy Based Routing

Packet Matching

Packet Forwarding Using Set Statements

Restrictions for IPv6 PBR

Configuring IPv6 PBR

Verification

Troubleshooting Tips


Configuring IPv6 Policy Based Routing

This chapter describes how to configure the IPv6 policy-based routing (PBR) in Cisco IOS Software Release 15.2(1)S.

Note For complete syntax and usage information for the commands used in this chapter, see the Cisco 7600 Series Router Command Reference at this URL: http://www.cisco.com/en/US/products/ps6922/prod_command_reference_list.html

This chapter includes the following sections:

Understanding IPv6 Policy Based Routing

Configuring IPv6 PBR

Understanding IPv6 Policy Based Routing

IPv6 PBR provides a flexible mechanism to route packets and define policy for the traffic flows. It extends and complements the existing mechanisms provided by routing protocols. PBR also provides a basic packet-marking capability.

PBR performs the following tasks:

Classifies traffic based on extended access list criteria. It provides access to lists and then establishes the match criteria.

Sets IPv6 precedence bits and enables the network to differentiate classes of service.

Routes packets to specific traffic-engineered paths. You can route the packets to allow a specific quality of service (QoS) through the network.

The Cisco 7600 Series Router implements this feature using the Earl7 forwarding engines capability to classify traffic through an Access Control List (ACL) Ternary Content Addressable Memory (TCAM) lookup. The ACL TCAM lookup classifies traffic based on the combination of a variety of Layer 3 and Layer 4 traffic parameters. Once classified, the ACL TCAM drives results for matching flows. The Feature Manager (FM) component converts the route map policy configured on an interface into a series of values, masks and results (VMRs) and programs these in the ACL TCAM.

Policy Based Routing

All packets received on a PBR-enabled interface are passed through enhanced packet filters known as route maps. Route maps are composed of statements that are marked as permit or deny, and they are interpreted in these ways:

If a packet matches all match statements for a route map that is marked as permit, the router subjects the packet to PBR using the set statements.

If the packet matches any match statements for a route map that is marked as deny, the router does not subject the packet to PBR and forwards it normally.

If the statement is marked as permit and the packets do not match any route map statements, the router sends the packets back through the normal forwarding channels and performs destination-based routing.

Packet Matching

The IPv6 PBR match criterion for a sequence is specified through a combination of IPv6 access-lists and packet length operations. Match statements are evaluated first by the criteria specified in the match ipv6 address command and then by criteria specified in the match length command. Therefore, if both an ACL and a length statement are used, a packet is first subjected to an ACL match. Only packets that pass the ACL match are subjected to the length match. Finally, only packets that pass both the ACL and the length statement are policy routed.

Packet Forwarding Using Set Statements

PBR for IPv6 packet forwarding is controlled using a number of set statements in the PBR route map. Listed below are the forwarding actions in order of decreasing priority, and the manner in which these options are reflected in the result from the VMRs programmed in the ACL TCAM. When more than one kind of packet forwarding action is specified in a sequence, the one with the highest priority is chosen.

Table 65-1 Packet Forwarding Set Statements

Set Statement
Notes

set vrf vrf name

Specifies the VPN Routing and Forwarding (VRF) instance to which the packet should be sent, based on packet attributes. By default the VRF that a packet is forwarded on is the same as the VRF that receives the packet.

set ipv6 next-hop next-hop ipv6 address

Specifies the next hop for the packet. The next hop must be present in the Routing Information Base (RIB); it must be directly connected, and it must be a global IPv6 address. If the next hop is invalid, the set statement is ignored.

set interface next-hop interface

Specifies the next hop interface for the packet. A packet is forwarded out of a specified interface. An entry for the packet destination address must exist in the IPv6 RIB, and the specified output interface must be in the path set. If the interface is invalid, the set statement is ignored.

set ipv6 default next-hop default next-hop ipv6 address

Specifies the connected next hop for the packet if the usual forwarding method fails to produce the default result. It must be a global IPv6 address. This set statement is used only when there is no explicit entry for the packet destination in the IPv6 RIB.

set default interface default next-hop interface

Specifies the default next-hop interface, from which the matching packets are forwarded if the usual forwarding method fails to produce a result. This set statement is used only when there is no explicit entry for the packet destination in the IPv6 RIB.


Restrictions for IPv6 PBR

Following restrictions apply to the IPv6 PBR:

Match length is not supported in the hardware, and the PBR is applied to the software.

Packet marking actions are not supported in the hardware, and packets requiring marking due to PBR are punted to the software.

Set interface is supported in the hardware only for the serial interface. Other interfaces are supported on the software.

Packets containing an IPv6 hop-by-hop header need to be examined by the router and are punted to the software. Such packets are subjected to PBR in the software.

PBR policies using access-lists matching on IPv6 flow label, DSCP value and extension headers such as, routing, mobility, destination headers cannot be fully classified in the hardware, and are punted to the software after partial classification.

It is not possible to completely classify traffic in hardware, when access-lists matching on non compressible addresses are used. In such cases, the PBR is applied to the software.

On Tycho based systems, fragment packets that require matching on layer 4 protocol are punted to the software .

IPv6 PBR on SVI interfaces is applied to the software, and hardware provides only partial classification.

IPv6 PBR when applied to hardware will also be applied on packets destined to a router address.

A set next-hop action where the next-hop is at the other end of a tunnel is not supported in the hardware.

For set interface and set default interface, the interface should be a point-to-point one.

PBR is not applied to multicast traffic and the traffic destined to link local addresses.

When there is no traffic flow, the TCAM entry does not change from punt to policy-route.

Configuring IPv6 PBR

To configure IPv6 PBR, complete the following steps:

 
Command
Purpose

Step 1 

Router# enable

Enables privileged EXEC mode.

Step 2 

Router# configure terminal

Enters global configuration mode.

Step 3 

Router(config)# route-map map-tag [permit | deny] [sequence-number]

Defines the conditions for redistributing routes from one routing protocol into another, or enables policy routing.

Use the route-map command to enter route-map configuration mode.

Step 4 

Router(config-route-map)# match length minimum-length maximum-length

or

Router(config-route-map)# match ipv6 address {prefix-list prefix-list-name | access-list-name}

Specifies the match criteria.

Matches the Level 3 length of the packet.

Matches a specified IPv6 access list.

Note If you do not specify a match command, the route map applies to all packets.

Step 5 

Router(config-route-map)# set ipv6 precedence precedence-value

or

Router(config-route-map)# set ipv6 next-hop global-ipv6-address

or

Router(config-route-map)# set interface type number

or

Router(config-route-map)# set ipv6 default next-hop global-ipv6-address

or

Router(config-route-map)# set default interface type number

or

Router(config-route-map)# set vrf vrf-name

Specifies the actions to take on the packets that match the criteria.

Sets a precedence value in the IPv6 header.

Sets the next hop to which to route the packet (the next hop must be adjacent).

Sets an output interface for the packet.

Sets the next hop to which to route the packet, if there is no explicit route for this destination.

Sets the output interface for the packet, if there is no explicit route for this destination.

Sets the VRF instance selection within a route map for a policy based routing VRF selection.

Step 6 

Router(config-route-map)# exit

Returns the router to global configuration mode.

Step 7 

Router(config)# interface type number

Specifies an interface type and number, and places the router in interface configuration mode.

Step 8 

Router(config-if)# ipv6 policy route-map route-map-name

Identifies a route map for the IPv6 PBR on an interface.

Verification

The following commands help verifying the PBR configuration.

The show ipv6 policy command displays PBR configuration: 

Router# show ipv6 policy

Interface                 Routemap

GigabitEthernet0/0/0      src-1

The show route-map command displays specific route-map information, such as a count of policy matches: 

Router# show route-map

route-map bill, permit, sequence 10

  Match clauses:

  Set clauses:

  Policy routing matches:0 packets, 0 bytes

The show tcam interface command displays the supported hardware and software:

Hardware: 

Router# show tcam interface gigabitEthernet 8/9 acl in ipv6 module 8

ICMP Neighbor Discovery Packet Types: 

na - neighbor advertisement ra - router advertisement

ns - neighbor solicit rs - router solicit 

r - redirect 

IPV6 Address Types:

full - IPv6 Full eui - IPv6 EUI 

eipv4 - IPv6 embeded IPv4 

-------------------------------------------------------

policy-route ipv6 host 1000::2(full) host 4000::2(full)

permit ipv6 any(eipv4) any

permit ipv6 any(eui) any

permit ipv6 any(full) any

Software: 

Router# show tcam interface gigabitEthernet 4/2 acl in ipv6 module 4

ICMP Neighbor Discovery Packet Types: 

na - neighbor advertisement  ra - router advertisement

ns - neighbor solicit        rs - router solicit 

r  - redirect 

IPV6 Address Types:

full - IPv6 Full             eui - IPv6 EUI 

eipv4 - IPv6 embeded IPv4 

-------------------------------------------------------

   permit       ipv6 any(eui) 0:FE80::/10(eui)

   permit       ipv6 any(full) 0:FE80::/10(eui)

   permit       ipv6 any(eui) FF00::/8(full)

   permit       ipv6 any(full) FF00::/8(full)

   permit       ipv6 any(eui) FE80::/10(full)

   permit       ipv6 any(full) FE80::/10(full)

   punt         ipv6 any(eui) any

   punt         ipv6 any(full) any

   permit       ipv6 any(eipv4) any

   permit       ipv6 any(eui) any

   permit       ipv6 any(full) any

The show fm ipv6 pbr all command displays the IPv6 PBR VMRs for a specified interface: 

Router# show fm ipv6 pbr all

-----------------------------------------------------------------------------

FM_FEATURE_IPv6_PBR      i/f: Gi3/3      rmap: empty1

=============================================================================

----------------------------------------------------

    Seq. No: 65536       Seq. Result : FM_RESULT_PERMIT

----------------------------------------------------

DPort  - Destination Port  SPort  - Source Port       Pro    - Protocol

PT     - Packet Type       DPT    - Dst. Packet Type  SPT    - Src. Packet Type

X      - XTAG              TOS    - TOS Value         Res    - VMR Result

RFM    - R-Recirc. Flag    MRTNPC - M-Multicast Flag  R      - Reflexive flag

       - F-Fragment flag          - T-Tcp Control     N      - Non-cachable

       - M-More Fragments         - P-Mask Priority(H-High, L-Low)

Adj.   - Adj. Index        C      - Capture Flag      T      - M(Mask)/V(Value)

FM     - Flow Mask         NULL   - Null FM           SAO    - Source Only FM

DAO    - Dest. Only FM     SADA   - Sour.& Dest. Only VSADA  - Vlan SADA Only

ISADA  - Intf. SADA        FF     - Full Flow         VFF    - Vlan Full Flow

IFF    - Intf. FF          F-VFF  - Either FF or VFF  IFF-FF - Either IFF or FF

A-VSD  - Atleast VSADA     A-FF   - Atleast FF        A-VFF  - Atleast VFF

A-SON  - Atleast SAO       A-DON  - Atleast DAO       A-SD   - Atleast SADA

SHORT  - Shortest          ISADA-L- ISADA Least       FF-L   - FF Least

IFF-L  - IFF Least         A-SFF  - Any short than FF A-EFF  - Any except FF

A-EVFF - Any except VFF    SA-L   - Source Least      DA-L   - Dest. Least

SADA-L - SADA Least        FF-LESS- FF Less           N-FF   - Not FF

N-IFF  - Not IFF           A-LVFF - Any less than VFF FULL   - Full Pkt Type

EUI    - EUI 64 Pkt Type   EMBD   - Embedded Pkt Type ELNK   - EUI Link Overlap

ESIT   - EUI Site Overlap  LINK   - Link Pkt Type     SITE   - Site Pkt Type

ERR    - Flowmask Error

+----+-+----------------------------------------+----------------------------------------+
----+----+----+---+---+-+------+----+------+

|Indx|T|    Dest IPv6 Addr                      |     Source IPv6 Addr                   | 
DPT| SPT| PT |Pro|RFM|X|MRTNPC|Adj.|  FM  |

+----+-+----------------------------------------+----------------------------------------+
----+----+----+---+---+-+------+----+------+

 1    V                                   FF00::                                       :: 
FULL  EUI ----   0 --- - ----L- ---- SHORT

      M                                   FF00::                                       :: 
EMBD  EUI        0   0

      TM_PERMIT_RESULT

 2    V                                   FF00::                                       :: 
FULL FULL ----   0 --- - ----L- ---- SHORT

      M                                   FF00::                                       :: 
EMBD EMBD        0   0

      TM_PERMIT_RESULT

 3    V                                 0:FE80::                                       ::  
EUI  EUI ----   0 --- - ----L- ---- SHORT

      M                                 0:FFC0::                                       ::  
EUI  EUI        0   0

      TM_PERMIT_RESULT

 4    V                                   FE80::                                       :: 
FULL  EUI ----   0 --- - ----L- ---- SHORT

      M                                   FFC0::                                       :: 
EMBD  EUI        0   0

      TM_PERMIT_RESULT

 5    V                                 0:FE80::                                       ::  
EUI FULL ----   0 --- - ----L- ---- SHORT

      M                                 0:FFC0::                                       ::  
EUI EMBD        0   0

      TM_PERMIT_RESULT

 6    V                                   FE80::                                       :: 
FULL FULL ----   0 --- - ----L- ---- SHORT

      M                                   FFC0::                                       :: 
EMBD EMBD        0   0

      TM_PERMIT_RESULT

 7    V                                       ::                                       :: 
---- ---- ----   0 --- - ----L- ---- SHORT

      M                                       ::                                       :: 
---- ----        0   0

      TM_L3_DENY_RESULT

----------------------------------------------------

    Seq. No: 10          Seq. Result : FM_RESULT_ADJREDIRECT

----------------------------------------------------

+----+-+----------------------------------------+----------------------------------------+
----+----+----+---+---+-+------+----+------+

|Indx|T|    Dest IPv6 Addr                      |     Source IPv6 Addr                   | 
DPT| SPT| PT |Pro|RFM|X|MRTNPC|Adj.|  FM  |

+----+-+----------------------------------------+----------------------------------------+
----+----+----+---+---+-+------+----+------+

 1    V                                       ::                                       :: 
----  EUI ----   0 --- - ----L- 0 SHORT

      M                                       ::                                       :: 
----  EUI        0   0

      TM_PERMIT_RESULT

 2    V                                       ::                                       :: 
---- FULL ----   0 --- - ----L- 0 SHORT

      M                                       ::                                       :: 
---- EMBD        0   0

      TM_PERMIT_RESULT

 3    V                                       ::                                       :: 
---- ---- ----   0 --- - ----L- 0 SHORT

      M                                       ::                                       :: 
---- ----        0   0

      TM_L3_DENY_RESULT

----------------------------------------------------

    Seq. No: 65537       Seq. Result : FM_RESULT_PERMIT

----------------------------------------------------

+----+-+----------------------------------------+----------------------------------------+
----+----+----+---+---+-+------+----+------+

|Indx|T|    Dest IPv6 Addr                      |     Source IPv6 Addr                   | 
DPT| SPT| PT |Pro|RFM|X|MRTNPC|Adj.|  FM  |

+----+-+----------------------------------------+----------------------------------------+
----+----+----+---+---+-+------+----+------+

 1    V                                       ::                                       :: 
----  EUI ----   0 --- - ----L- ---- SHORT

      M                                       ::                                       :: 
----  EUI        0   0

      TM_PERMIT_RESULT

 2    V                                       ::                                       :: 
---- FULL ----   0 --- - ----L- ---- SHORT

      M                                       ::                                       :: 
---- EMBD        0   0

      TM_PERMIT_RESULT

 3    V                                       ::                                       :: 
---- ---- ----   0 --- - ----L- ---- SHORT

      M                                       ::                                       :: 
---- ----        0   0

      TM_L3_DENY_RESULT

Index : 0

        Feature_id : 4C adj : 5733EB50 vlan : 1027 dmac : 0000.1742.3558

        smac : 0018.7415.1980 encap : 1 mtu : 1518 TTL : 1

        Rdt Indx : 0 recirc : 0 Non-Cachable : 0 Priority : 1

The show fm ipv6 pbr interface command displays the IPv6 PBR VMRs on a specified interface: 

Router# show fm ipv6 pbr interface gigabitEthernet 3/3

-----------------------------------------------------------------------------

FM_FEATURE_IPv6_PBR      i/f: Gi3/3      rmap: empty1

=============================================================================

----------------------------------------------------

    Seq. No: 65536       Seq. Result : FM_RESULT_PERMIT

----------------------------------------------------

DPort  - Destination Port  SPort  - Source Port       Pro    - Protocol

PT     - Packet Type       DPT    - Dst. Packet Type  SPT    - Src. Packet Type

X      - XTAG              TOS    - TOS Value         Res    - VMR Result

RFM    - R-Recirc. Flag    MRTNPC - M-Multicast Flag  R      - Reflexive flag

       - F-Fragment flag          - T-Tcp Control     N      - Non-cachable

       - M-More Fragments         - P-Mask Priority(H-High, L-Low)

Adj.   - Adj. Index        C      - Capture Flag      T      - M(Mask)/V(Value)

FM     - Flow Mask         NULL   - Null FM           SAO    - Source Only FM

DAO    - Dest. Only FM     SADA   - Sour.& Dest. Only VSADA  - Vlan SADA Only

ISADA  - Intf. SADA        FF     - Full Flow         VFF    - Vlan Full Flow

IFF    - Intf. FF          F-VFF  - Either FF or VFF  IFF-FF - Either IFF or FF

A-VSD  - Atleast VSADA     A-FF   - Atleast FF        A-VFF  - Atleast VFF

A-SON  - Atleast SAO       A-DON  - Atleast DAO       A-SD   - Atleast SADA

SHORT  - Shortest          ISADA-L- ISADA Least       FF-L   - FF Least

IFF-L  - IFF Least         A-SFF  - Any short than FF A-EFF  - Any except FF

A-EVFF - Any except VFF    SA-L   - Source Least      DA-L   - Dest. Least

SADA-L - SADA Least        FF-LESS- FF Less           N-FF   - Not FF

N-IFF  - Not IFF           A-LVFF - Any less than VFF FULL   - Full Pkt Type

EUI    - EUI 64 Pkt Type   EMBD   - Embedded Pkt Type ELNK   - EUI Link Overlap

ESIT   - EUI Site Overlap  LINK   - Link Pkt Type     SITE   - Site Pkt Type

ERR    - Flowmask Error

+----+-+----------------------------------------+----------------------------------------+
----+----+----+---+---+-+------+----+------+

|Indx|T|    Dest IPv6 Addr                      |     Source IPv6 Addr                   | 
DPT| SPT| PT |Pro|RFM|X|MRTNPC|Adj.|  FM  |

+----+-+----------------------------------------+----------------------------------------+
----+----+----+---+---+-+------+----+------+

 1    V                                   FF00::                                       :: 
FULL  EUI ----   0 --- - ----L- ---- SHORT

      M                                   FF00::                                       :: 
EMBD  EUI        0   0

      TM_PERMIT_RESULT

 2    V                                   FF00::                                       :: 
FULL FULL ----   0 --- - ----L- ---- SHORT

      M                                   FF00::                                       :: 
EMBD EMBD        0   0

      TM_PERMIT_RESULT

 3    V                                 0:FE80::                                       ::  
EUI  EUI ----   0 --- - ----L- ---- SHORT

      M                                 0:FFC0::                                       ::  
EUI  EUI        0   0

      TM_PERMIT_RESULT

 4    V                                   FE80::                                       :: 
FULL  EUI ----   0 --- - ----L- ---- SHORT

      M                                   FFC0::                                       :: 
EMBD  EUI        0   0

      TM_PERMIT_RESULT

 5    V                                 0:FE80::                                       ::  
EUI FULL ----   0 --- - ----L- ---- SHORT

      M                                 0:FFC0::                                       ::  
EUI EMBD        0   0

      TM_PERMIT_RESULT

 6    V                                   FE80::                                       :: 
FULL FULL ----   0 --- - ----L- ---- SHORT

      M                                   FFC0::                                       :: 
EMBD EMBD        0   0

      TM_PERMIT_RESULT

 7    V                                       ::                                       :: 
---- ---- ----   0 --- - ----L- ---- SHORT

      M                                       ::                                       :: 
---- ----        0   0

      TM_L3_DENY_RESULT

----------------------------------------------------

    Seq. No: 10          Seq. Result : FM_RESULT_ADJREDIRECT

----------------------------------------------------

+----+-+----------------------------------------+----------------------------------------+
----+----+----+---+---+-+------+----+------+

|Indx|T|    Dest IPv6 Addr                      |     Source IPv6 Addr                   | 
DPT| SPT| PT |Pro|RFM|X|MRTNPC|Adj.|  FM  |

+----+-+----------------------------------------+----------------------------------------+
----+----+----+---+---+-+------+----+------+

 1    V                                       ::                                       :: 
----  EUI ----   0 --- - ----L- 0 SHORT

      M                                       ::                                       :: 
----  EUI        0   0

      TM_PERMIT_RESULT

 2    V                                       ::                                       :: 
---- FULL ----   0 --- - ----L- 0 SHORT

      M                                       ::                                       :: 
---- EMBD        0   0

      TM_PERMIT_RESULT

 3    V                                       ::                                       :: 
---- ---- ----   0 --- - ----L- 0 SHORT

      M                                       ::                                       :: 
---- ----        0   0

      TM_L3_DENY_RESULT

----------------------------------------------------

    Seq. No: 65537       Seq. Result : FM_RESULT_PERMIT

----------------------------------------------------

+----+-+----------------------------------------+----------------------------------------+
----+----+----+---+---+-+------+----+------+

|Indx|T|    Dest IPv6 Addr                      |     Source IPv6 Addr                   | 
DPT| SPT| PT |Pro|RFM|X|MRTNPC|Adj.|  FM  |

+----+-+----------------------------------------+----------------------------------------+
----+----+----+---+---+-+------+----+------+

 1    V                                       ::                                       :: 
----  EUI ----   0 --- - ----L- ---- SHORT

      M                                       ::                                       :: 
----  EUI        0   0

      TM_PERMIT_RESULT

 2    V                                       ::                                       :: 
---- FULL ----   0 --- - ----L- ---- SHORT

      M                                       ::                                       :: 
---- EMBD        0   0

      TM_PERMIT_RESULT

 3    V                                       ::                                       :: 
---- ---- ----   0 --- - ----L- ---- SHORT

      M                                       ::                                       :: 
---- ----        0   0

      TM_L3_DENY_RESULT

Index : 0

        Feature_id : 4C adj : 5733EB50 vlan : 1027 dmac : 0000.1742.3558

        smac : 0018.7415.1980 encap : 1 mtu : 1518 TTL : 1

        Rdt Indx : 0 recirc : 0 Non-Cachable : 0 Priority : 1

Troubleshooting Tips

Table 65-2 lists the troubleshooting issues while configuring IPv6 PBR:

Table 65-2 Troubleshooting IPv6

Problem
Solution

When you suspect an un-specified problem.

Use the debug fm ipv6 [all | events | pbr | vmrs] command

all - Displays all IPv6 debugging information.

events - Displays debugging information about FM IPv6 events.

pbr - Displays debugging information about FM IPv6 policy based routing.

vmrs - Displays debugging information about FM IPv6 VMRs.

Use the debug ipv6 policy command to display the IPv6 policy routing packet activity.


Issues