Overview & Thematic Scope
Policy-Based Routing (PBR) forwards matched packets according to a route-map instead of the routing table, with matches on ACLs (addresses, protocol, ports), packet length, or source/destination prefixes. How PBR is implemented, however, depends on the forwarding ASIC: TCAM width and allocation, next-hop resolution, fragment handling and the punt path all differ across ASIC families, and with them throughput, scale and the troubleshooting method. This FAQ covers pre-sales capacity planning and post-sales error resolution for enterprise and service-provider hardware that supports PBR.

Frequently Asked Questions
- Q1: Which hardware platforms support full-rate PBR forwarding without CPU punt?
- Line-rate PBR requires the forwarding ASIC to classify and redirect in hardware, normally by programming the policy into TCAM (Ternary Content-Addressable Memory). Cisco Catalyst 9500/9600 (UADP 2.0 and later), Juniper MX Series (Trio) and Arista 7280R (FlexRoute) forward PBR traffic entirely in hardware. Entry-level switches either do not support PBR at all (the Catalyst 2960-X, for example) or implement it in software, where matched packets are punted to the control-plane CPU and throughput collapses to whatever that CPU can forward, typically well under 1 Gbps. Juniper calls the equivalent feature filter-based forwarding (FBF); check the EX-series datasheet for per-model hardware support. Always confirm in the vendor's datasheet or configuration guide that PBR is listed as a hardware-forwarded feature for the exact model and software release, and note any SDM template or TCAM profile that must be selected before the policy can be programmed.
- Q2: What is the maximum number of PBR entries supported per ASIC?
- TCAM allocation determines PBR scale, and the figures are per platform, per software release and per TCAM profile. Published verified-scalability figures are of the order of a few thousand entries on Nexus 9300 (8,192 is the commonly quoted ceiling for the 9300-GX) and about 1,024 IPv4 PBR routes on the Arista 7050SX; both depend on how much TCAM other features (RACL, VACL, QoS) already consume, so confirm against the current verified scalability guide rather than the datasheet. Exceeding the region does not degrade gracefully: the policy attach or the hardware programming step fails, the log records a TCAM or ACL programming error, and the traffic silently takes the normal routing path, which is worse than a clean error. Monitor consumption with the platform's TCAM utilization command: `show platform tcam utilization` on older Catalyst, `show platform hardware fed [switch] active fwd-asic resource tcam utilization` on Catalyst 9000, `show hardware access-list tcam region` (carve) and `show system internal access-list resource utilization` (consumption) on NX-OS, and `show hardware capacity` on Arista EOS. For large deployments, carve a dedicated region with `hardware access-list tcam region <region> <size>` on Cisco NX-OS (not IOS-XE; the region PBR consumes is platform-specific, so check the PBR configuration guide), or select an `sdm prefer` template that favours ACL/PBR entries on Catalyst 9000. A re-carve takes effect only after a reload on most platforms, so plan it as a maintenance window.
- Q3: How do I resolve ‘PBR not supported on VLAN interface’ errors on modular chassis?
- On modular chassis the PBR lookup happens either on the ingress line card (distributed platforms such as Juniper MX with MPCs) or on the supervisor's forwarding engine (centralized platforms such as the Cisco Catalyst 4500 and 9400), so whether an SVI can carry a PBR policy depends on the supervisor and line-card generation and on the software release, not on a global override knob. Confirm in the release notes and the PBR section of the platform's configuration guide that SVI PBR is supported for every card in the chassis; older or oversubscribed cards are the usual culprit. Note that an `-RF` suffix on a Cisco part number denotes a refurbished unit, not a different ASIC, so `WS-X4748...` and `WS-X4748...-RF` cards have identical forwarding capabilities. Where SVI PBR is not supported, apply the route-map to the physical ingress interfaces that carry the VLAN instead (the policy must then be applied to every member port), or move the VLAN to a supported card. Check what the chassis reports with `show interfaces capabilities` and `show module` before opening a case.
- Q4: Which PBR next-hop options cause hardware recursion errors?
- Hardware PBR programs an adjacency for the next hop, so `set ip next-hop` expects an address that resolves directly to a connected adjacency. Next hops that need a further routing lookup (a remote router's loopback, an address reachable only through a GRE tunnel, any address outside a connected subnet) are not resolved by the classic `set ip next-hop` on many platforms: depending on the ASIC the set is ignored, the packet is punted, or the policy fails to program. Cisco IOS/IOS-XE offer `set ip next-hop recursive <ip>` so that CEF resolves the next hop through the RIB, and `set ip next-hop verify-availability <ip> <seq> track <n>` (with an IP SLA or object track) so that an entry is skipped when its next hop is down instead of black-holing traffic. How many levels of recursion a given ASIC resolves in hardware is platform-specific and is stated in the PBR configuration guide; verify it with `show ip cef <next-hop> detail` rather than assuming. `set ip default next-hop` applies only when the destination has no route more specific than the default, which is rarely what an operator expects, and is not implemented in hardware on every platform; check before using it.
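The following is an added example, not vendor code, that models the lookup the answer above describes: a PBR next hop is walked through a constructed routing table until it lands on a connected interface, with a cap on how many levels of recursion the "hardware" resolves (0 models the classic `set ip next-hop`, a larger value models `set ip next-hop recursive` on a platform that supports it), and a `verify-availability`-style selection that skips next hops whose track is down. All addresses, prefixes and interface names are hypothetical.

```python
"""Added example (not vendor code): resolve a PBR next hop against a constructed
routing table the way a forwarding plane has to, to show which next hops need
recursion and how verify-availability changes the outcome. All addresses and
interface names are hypothetical."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[ipaddress.IPv4Address]  # None means directly connected
    interface: Optional[str] = None


def route(prefix: str, next_hop: Optional[str] = None, interface: Optional[str] = None) -> Route:
    return Route(ipaddress.ip_network(prefix),
                 ipaddress.ip_address(next_hop) if next_hop else None,
                 interface)


# Constructed RIB. Only the two /24s are connected; everything else recurses.
RIB: List[Route] = [
    route("10.0.12.0/24", interface="Gi1"),
    route("10.0.13.0/24", interface="Gi2"),
    route("192.168.100.1/32", "10.0.12.2"),   # a remote router's loopback, one level deep
    route("172.16.0.0/16", "192.168.100.1"),  # reachable only through that loopback
    route("0.0.0.0/0", "10.0.13.2"),
]


def longest_match(rib: List[Route], addr: ipaddress.IPv4Address) -> Optional[Route]:
    best = None
    for r in rib:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def resolve_next_hop(rib: List[Route], nh: str, max_depth: int = 0) -> Tuple[ipaddress.IPv4Address, str, int]:
    """Walk the RIB until the next hop lands on a connected interface.

    max_depth=0 models the classic `set ip next-hop`, which only accepts a
    next hop that is itself on a connected subnet; a larger value models
    `set ip next-hop recursive` on a platform that resolves that many levels.
    Returns (adjacency address, egress interface, levels of recursion used).
    """
    addr = ipaddress.ip_address(nh)
    seen = set()
    depth = 0
    while True:
        r = longest_match(rib, addr)
        if r is None:
            raise LookupError(f"{nh}: no route to next hop")
        if r.next_hop is None:
            return addr, r.interface, depth
        if depth >= max_depth:
            raise RecursionError(f"{nh}: needs more than {max_depth} level(s) of recursion")
        if addr in seen:
            raise RecursionError(f"{nh}: recursion loop via {addr}")
        seen.add(addr)
        addr = r.next_hop
        depth += 1


def resolvable(rib: List[Route], nh: str, max_depth: int = 0) -> bool:
    """True when the hardware modelled by max_depth can program this next hop."""
    try:
        resolve_next_hop(rib, nh, max_depth)
        return True
    except (LookupError, RecursionError):
        return False


def pbr_select(rib: List[Route], entries: List[Tuple[str, bool]], max_depth: int = 0):
    """Pick the first usable next hop from an ordered list of (next_hop, track_up).

    track_up=False models `set ip next-hop verify-availability ... track N` with
    the track down: the entry is skipped instead of black-holing traffic.
    Returns the resolved adjacency, or None when no entry is usable, in which
    case the packet follows the normal routing table.
    """
    for nh, up in entries:
        if not up:
            continue
        if resolvable(rib, nh, max_depth):
            return resolve_next_hop(rib, nh, max_depth)
    return None


if __name__ == "__main__":
    for nh in ("10.0.12.2", "192.168.100.1", "172.16.5.5"):
        for depth in (0, 1, 2):
            try:
                print(nh, "max_depth", depth, "->", resolve_next_hop(RIB, nh, depth))
            except RecursionError as e:
                print(nh, "max_depth", depth, "->", e)
    print(pbr_select(RIB, [("10.0.12.2", False), ("10.0.13.2", True)]))
```

Running it shows the three cases the answer lists: a connected next hop resolves at depth 0 everywhere, the loopback needs one level and the host behind it two, so a platform modelled by `max_depth=0` rejects both, and a tracked-down primary falls through to the secondary instead of dropping.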
- Q5: Why does PBR fail for fragmented IP packets on my hardware?
- Only the first fragment of an IP datagram carries the L4 header; non-initial fragments contain just the IP header with a non-zero fragment offset. A PBR ACL that matches on TCP/UDP ports therefore cannot match the non-initial fragments, which follow the normal routing table while the first fragment is redirected; the result is a split flow, not merely a few lost packets. This is a property of the packets rather than of a particular ASIC (Broadcom Trident2 and Marvell Prestera behave like everything else here), and no mainstream forwarding ASIC reassembles datagrams in the data path. Classic IOS software ACLs are more lenient, treating a permit ACE that carries L4 fields as matching non-initial fragments on their L3 fields alone, but hardware platforms generally are not, so test the exact platform. The fix is to give the policy an explicit rule for non-initial fragments: on Cisco, an ACE with the `fragments` keyword (for example `permit ip host 10.1.1.10 10.9.9.0 0.0.0.255 fragments`) placed before the port-matching ACEs; in Junos firewall filters used for filter-based forwarding, a term with `from { is-fragment; }` (or `fragment-offset`) that sets the same routing instance. Be aware that such a rule matches the non-initial fragments of every L4 flow between those hosts, not just the intended ports. Where that is unacceptable, prevent fragmentation upstream (path MTU discovery, TCP MSS clamping for TCP) instead of relying on the ASIC; historically fragment-prone traffic includes NFS over UDP and large DNS/EDNS answers, whereas RTP packets are small and rarely fragmented.
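To make the failure mode concrete, here is an added example (not code from the page or from any vendor) that builds a fragmented UDP datagram with `struct`, parses each fragment the way a classifier sees it, and runs the fragments through a strict model of a TCAM-programmed ACL: first with a port-only policy, then with a `fragments` ACE in front of it. The policy, hosts and traffic are constructed; the ACL semantics are the strict hardware behaviour described above, not the lenient software-ACL case.

```python
"""Added example (not vendor code): build a fragmented UDP datagram and run it
through a model of how a TCAM-programmed PBR ACL sees each fragment, to show
why port-based matching misses non-initial fragments and what an explicit
`fragments` rule changes. Traffic, addresses and the policy are constructed."""
import ipaddress
import struct
from typing import Dict, List

IP_FLAG_MF = 0x2000
IP_OFFSET_MASK = 0x1FFF
PROTO_UDP = 17


def ipv4_packet(src: str, dst: str, proto: int, ident: int, offset_units: int, more: bool, payload: bytes) -> bytes:
    """Minimal IPv4 header (checksum left zero; nothing here verifies it) plus payload."""
    flags_frag = (IP_FLAG_MF if more else 0) | (offset_units & IP_OFFSET_MASK)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                         64, proto, 0, ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return header + payload


def udp_datagram(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def fragment(src: str, dst: str, proto: int, ident: int, l4: bytes, mtu: int = 1500) -> List[bytes]:
    """Split an L4 PDU into IP fragments; only the first carries the L4 header."""
    chunk = (mtu - 20) // 8 * 8
    out = []
    for off in range(0, len(l4), chunk):
        piece = l4[off:off + chunk]
        out.append(ipv4_packet(src, dst, proto, ident, off // 8, off + chunk < len(l4), piece))
    return out


def parse(pkt: bytes) -> Dict:
    """What a classifier can see: L4 ports exist only when the fragment offset is zero."""
    ihl = (pkt[0] & 0x0F) * 4
    _, _, _, ident, ff, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    offset = (ff & IP_OFFSET_MASK) * 8
    info = {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst), "proto": proto,
            "offset": offset, "more": bool(ff & IP_FLAG_MF), "dport": None}
    if offset == 0 and proto in (6, 17) and len(pkt) >= ihl + 4:
        info["dport"] = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    return info


def ace_matches(ace: Dict, p: Dict) -> bool:
    """Model of a hardware ACE (strict on ports):
    - `fragments: True` matches only non-initial fragments, on L3 fields alone;
    - an ACE with a port matches only packets that actually carry an L4 header;
    - an L3-only ACE matches every packet of the flow, fragments included."""
    if p["src"] not in ipaddress.ip_network(ace["src"]) or p["dst"] not in ipaddress.ip_network(ace["dst"]):
        return False
    if ace.get("fragments"):
        return p["offset"] > 0
    if ace.get("proto") is not None and p["proto"] != ace["proto"]:
        return False
    if ace.get("dport") is not None:
        return p["dport"] == ace["dport"]
    return True


def classify(policy: List[Dict], pkts: List[bytes]) -> List[str]:
    """'redirect' when any ACE matches (the route-map's set next-hop applies), else 'route'."""
    return ["redirect" if any(ace_matches(a, parse(pkt)) for a in policy) else "route" for pkt in pkts]


# Constructed policy: NFS (UDP 2049) from 10.1.1.10 to the 10.9.9.0/24 storage VLAN.
PORTS_ONLY = [{"src": "10.1.1.10/32", "dst": "10.9.9.0/24", "proto": PROTO_UDP, "dport": 2049}]
# Equivalent of `permit ip host 10.1.1.10 10.9.9.0 0.0.0.255 fragments` placed before the port ACE.
WITH_FRAGMENTS = [{"src": "10.1.1.10/32", "dst": "10.9.9.0/24", "fragments": True}] + PORTS_ONLY


def nfs_fragments() -> List[bytes]:
    """A 3000-byte NFS write split at a 1500-byte MTU: three fragments."""
    return fragment("10.1.1.10", "10.9.9.20", PROTO_UDP, 0x1234, udp_datagram(40000, 2049, b"A" * 3000))


def dns_fragments() -> List[bytes]:
    """A large DNS answer between the same hosts; its non-initial fragments are
    indistinguishable from NFS ones at L3, which is the side effect of `fragments`."""
    return fragment("10.1.1.10", "10.9.9.20", PROTO_UDP, 0x5678, udp_datagram(53, 40001, b"B" * 2000))


if __name__ == "__main__":
    print("ports only     :", classify(PORTS_ONLY, nfs_fragments()))
    print("with fragments :", classify(WITH_FRAGMENTS, nfs_fragments()))
    print("dns side effect:", classify(WITH_FRAGMENTS, dns_fragments()))
```

With the port-only policy the first fragment is redirected and the other two are routed (the split flow); with the `fragments` ACE all three go to the policy next hop, and so does the second fragment of the unrelated DNS answer, which is the trade-off the answer above warns about.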
- Q6: How do I troubleshoot PBR performance degradation beyond 40% link utilization?
- Hardware-forwarded PBR does not degrade with link utilization. If latency or loss climbs with offered load, part of the policy is being handled in software, or the policy failed to program and packets are taking an unexpected path. Confirm the punt first: on the ASR 1000 use `show platform hardware qfp active statistics drop` and `show platform hardware qfp active infrastructure punt statistics type per-cause`; on Nexus enable `route-map <name> pbr-statistics`, read `show route-map <name> pbr-statistics`, and compare with `show hardware access-list tcam region` to confirm the policy is actually in TCAM. Second, watch `show processes cpu sorted` while the symptom occurs; a forwarding or punt process at the top of the list settles the question. Third, look in the log for a programming failure (ACL compilation or TCAM-full messages from when the policy was attached) and check the vendor's field notices and release notes for the exact ASIC and software version. The durable fix is to reduce the policy to what the hardware can program (fewer ACEs, no port-range matches that expand into many TCAM entries) or to replace per-packet classification with VRF-lite or MPLS VPN, where the separation is carried by the routing table instead of by a lookup on every packet.
- Q7: Which transceiver or optics issues trigger PBR bypass?
- Optics do not change the PBR forwarding path; there is no documented 'safe mode' in which an ASIC disables hardware PBR because an SFP fails DOM diagnostics. What unsupported or marginal optics do cause is a link that fails to come up, flaps, or is errdisabled, and on such a link the PBR next hop becomes unreachable: with a plain `set ip next-hop` the matched traffic is then dropped or falls back to routing depending on the platform, and with `verify-availability` and tracking the entry is skipped by design. So when PBR 'stops working' on a port with third-party optics, check the link first (`show interfaces`, `show interfaces transceiver` on IOS/IOS-XE, `show controllers optics <port>` on IOS-XR) and then the next-hop track state. `service unsupported-transceiver` (Cisco IOS/IOS-XE) lets a port come up on optics that are not Cisco-coded but leaves the link outside the vendor's support scope, so keep it to lab units and use vendor-coded optics in production.
- Q8: How to verify PBR hardware ACL usage before deployment (pre-sales validation)?
- Pre-sales validation rests on three sources: the vendor's verified-scalability document for the target release, the platform's published TCAM/ACL resource model, and a lab test with a representative policy. Ask the vendor for: (1) the TCAM entry width and how IPv6 matches consume it (IPv6 ACEs typically occupy double-width entries, halving the effective PBR scale); (2) simultaneous PBR + QoS + RACL scale under the TCAM template you intend to run, since these features share regions; (3) sample output of the platform's TCAM utilization command with a policy of your size loaded. For independent validation, load the planned route-map and ACL on a loaner unit, drive it with a traffic generator (Spirent TestCenter or Ixia) at line rate with about 1,000 distinct PBR-matched flows, and watch CPU utilization and punt counters: a hardware-forwarded policy shows flat CPU while PPS scales to line rate, and the load at which CPU starts to climb is the point where the policy stopped fitting in hardware. Low-power options (
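The following added example serves both Q2 (TCAM scale) and Q8 (pre-sales validation). It is not vendor code: it estimates how many TCAM entries a PBR policy will consume and whether the result fits a region with operating headroom. Two modelling assumptions are marked in the code: IPv6 ACEs take double-width entries, and a port range is expanded into the minimal set of prefix-mask entries, which is what an ASIC without L4 range-operator registers has to do (ASICs that have such registers expand less, up to the register count). Region size and current usage are constructed inputs; in practice take them from the platform's TCAM utilization command.

```python
"""Added example (not vendor code): estimate the TCAM entries a PBR policy will
consume and whether it fits a region with headroom. Assumptions, both marked:
IPv6 ACEs take double-width entries, and a port range is expanded into
prefix-mask entries as on an ASIC without L4 range-operator registers."""
from typing import Dict, List, Tuple

PORT_BITS = 16


def port_range_prefixes(lo: int, hi: int, bits: int = PORT_BITS) -> List[Tuple[int, int]]:
    """Minimal set of (value, prefix_length) masks covering [lo, hi].

    A ternary match can only express an aligned power-of-two block per entry,
    so a range such as 1024-65535 needs six entries and 20-21 needs one.
    """
    if not 0 <= lo <= hi < (1 << bits):
        raise ValueError("bad port range")
    out = []
    while lo <= hi:
        size = 1
        # Grow the block while it stays aligned to its own size and inside the range.
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        out.append((lo, bits - (size.bit_length() - 1)))
        lo += size
    return out


def tcam_entries(aces: List[Dict], ipv6_width: int = 2) -> int:
    """Entries consumed by a list of ACEs.

    ACE keys: family (4 or 6), optional sport_range / dport_range as (lo, hi).
    Assumption: an IPv6 ACE costs `ipv6_width` slots, and ranges on both ports
    expand multiplicatively (one entry per source-prefix x destination-prefix pair).
    """
    total = 0
    for ace in aces:
        n = 1
        for key in ("sport_range", "dport_range"):
            if ace.get(key):
                n *= len(port_range_prefixes(*ace[key]))
        total += n * (ipv6_width if ace.get("family") == 6 else 1)
    return total


def plan_tcam(region_size: int, in_use: int, aces: List[Dict], max_util: float = 0.8) -> Dict:
    """Check a policy against a region.

    max_util is the operational ceiling to stay under so later policy changes
    and the entries the vendor reserves for its own use still fit.
    """
    needed = tcam_entries(aces)
    after = in_use + needed
    util = after / region_size
    return {
        "needed": needed,
        "after": after,
        "utilization": round(util, 3),
        "fits": after <= region_size,
        "within_headroom": util <= max_util,
    }


# Constructed policy: three plain IPv4 ACEs, one IPv4 ACE matching the
# ephemeral port range, and two IPv6 ACEs.
POLICY = [
    {"family": 4},
    {"family": 4},
    {"family": 4},
    {"family": 4, "dport_range": (1024, 65535)},
    {"family": 6},
    {"family": 6},
]

if __name__ == "__main__":
    print(port_range_prefixes(1024, 65535))
    print(tcam_entries(POLICY))
    print(plan_tcam(region_size=1024, in_use=900, aces=POLICY))
```

For the constructed policy the six-entry expansion of the ephemeral-port range and the double-width IPv6 entries turn six ACEs into thirteen TCAM entries, and against a 1,024-entry region that already holds 900 entries the policy fits but leaves the region above 80 percent, which is the case in which to carve a larger region before deployment rather than after the first programming failure.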
Post-Troubleshooting & Support Escalation
When hardware PBR issues persist after a software upgrade, collect the full `show tech-support` (plus any platform-specific `show tech-support` feature keywords the TAC engineer asks for), the TCAM utilization and region output, the route-map and ACL configuration, and the log from the time the policy was attached. Open the vendor TAC case with the exact ASIC family, line card, software release and a packet-path description (ingress interface, policy name, next hop, what the packet did instead). For critical deployments, maintain a PBR hardware compatibility matrix covering TCAM carving procedures, SVI versus port-level policy support, and next-hop recursion limits per platform series.