Hardware versus software path for default-nexthop action
When a policy containing an entry with PBR is applied to an interface and the active action for that entry action list is 'default-nexthop', packets that match the class criteria and have no explicit route table hit (that is, no destination address longest prefix match, a.k.a 'route-miss'), they are forwarded to the specified active PBR default-nexthop. This is true for packets that follow the hardware and software paths through the switch.
There is a difference between PBR hardware and software path behavior when a route table hit occurs for class-matched packets (when the policy entry is a PBR default-nexthop).
Hardware path match criteria for a PBR policy entry with default-nexthop is extended to include the route table miss along with the class qualifiers, resulting in a policy entry hit for that policy entry. Conversely when there is a route table hit, the result is a policy entry miss in hardware path. When a policy entry miss occurs, policy processing moves on to the next entry in the policy and takes whatever action is specified, if any exist. This can include a different PBR routing action including interface null or no PBR action at all, for example.
In software path, the class match criteria is the only criteria required to achieve a policy entry hit. When that occurs, policy processing will stop. When there is a class match and a route table hit (with PBR action default-nexthop), the packet is forwarded according to that route table entry, not the PBR default-nexthop entry, nor is it influenced by any subsequent policy entries.
This difference in behavior is due to a limitation in the software path matching and routing engine, relative to hardware.
Routing packet | System route miss | System route hit |
---|---|---|
Hardware | Take PBR default-nexthop route. | Policy entry miss, continue policy processing with next entry, if present. No further matches result in system default route being used, if present. |
Software | Take PBR default-nexthop route. | Policy entry hit is overridden by system route hit. System route entry used, policy processing stops. |