Rate this content:
0 of 5 - 0 votes
Thank you for rating this article.

What is Policy-based Routing?

With policy-based routing (which we will call PBR from here on out), you get the option to implement policies that selectively cause packets to take different paths. Additionally, PBR can mark packets so that certain types of traffic get prioritized. One example of PBR is, say that your OSPF routing protocol says that a packet with a destination of 10.1.1.1 should go out interface e0/0, you could create a policy so that packets destined to 10.1.1.1, instead, go out interface e1/0. Or, you could make this happen only when the source of that packet was 192.168.1.1.

How does policy based routing work?

If you look at the Cisco IOS Order of Operations, Policy routing always happens before regular routing. What policy routing does is to inspect the traffic on the interface where the policy is applied and then, based on the policy, make some decision. First, the traffic has to be identified "matched" according to the policy. Second, for each match, there is something "set". What is set could be that the traffic matches must exit out a different interface, or the traffic could be given a higher priority, or it could choose to just drop that traffic.

The "matching" of the traffic is usually done with an ACL (access-control list) that is referenced by a route-map. In the route-map, there is a "match" for the traffic defined in that ACL then a "set" for that traffic where the network administrator defines what he or she wants to happen to that traffic (prioritize it, route it differently, drop it, or other actions). Policies can be based on IP address, port numbers, protocols, or size of packets.

How to apply policy-based routing

Let's look at an example of how we could use PBR. Say that we wanted to find any traffic that is destined for IP device 10.1.1.1 and, instead of sending it wherever the routing protocol says it should go, we are going to send it out interface Fa3/0.

To do this, here are the steps we would take:

Step 1 - define an ACL

Keep in mind that whatever is permitted by this ACL is what will be matched. You don't want to permit everything. Usually, I take advantage of the implicit deny at the bottom of the ACL and just create an ACL that permits what I am going to take action on in the route-map.

So, just create a simple ACL:

Router(config)# access-list 101 permit ip any host 10.1.1.1

This ACL permits only traffic with a destination IP of 10.1.1.1 (the traffic we want to send elsewhere)

Step 2 - create a route-map

To create a route-map, go into route-map configuration mode, like this:

Router(config)# route-map reroute10traffic permit 10

Router(config-route-map)#

Next, set your match policy to match the traffic in ACL 101, like this:

Router(config-route-map)#match ip address 101

This will match all the traffic permitted through ACL 101.

Next, you need to set some action on that traffic. What do you want to happen to that traffic? Let's tell the router to send it out interface Fast Ethernet 3/0, like this:

Router(config-route-map)#set interface Fa3/0

Another option would be to set the next hop in the routing table.  This would have a similar effect, unless there are multiple paths.  Let's say our next hop interface address is 2.2.2.2, then instead of the command above, we would say:

Router(config-route-map)#set ip next-hop 2.2.2.2 

Step 3 - Apply the route-map to the interface

Next, you need to apply this policy/route-map to the interface where the traffic is coming in.

Router(config)# interface Fast Ethernet 3/0

Router(config-if)#ip policy route-map reroute10traffic

According to the official Cisco Policy Routing documentation, "One interface can have a only one route map policy applied.tag; but you can have several route map entries, each with its own sequence number. Entries are evaluated in order of their sequence numbers until the first match occurs. If no match occurs, packets are routed as usual."

Now exit and you are done!

You can view your access lists with a show access-list.  You can view your route-maps with show route-map.  You can view any policies with the show ip policy command.

Another thing you may want to try is the debug ip policy.  This debug will show whenever packets match or do not match the policy.

What do you need to know about match & set?

Route-map statements are made up of match and set commands. The set action only happens when the match command is fulfilled.

Route-map statements can have multiple lines of match and set statements. the "10" in the original route-map statement above is the line number of that route-map statement. The numbers of the route-map statements are very important as they determine the order that the statements are processed and they can also be used to insert and delete individual statements.

We hope this helps you to understand Policy Based Routing.

Comments powered by CComment

Did you learn something?
Did I save you time? 

Buy me a coffeeBuy me a coffee!