What is Policy-based Routing?
With policy-based routing (which we will call PBR from here on), you can implement policies that selectively cause packets to take different paths. PBR can also mark packets so that certain types of traffic get prioritized. For example, suppose your OSPF routing protocol says that a packet with a destination of 10.1.1.1 should go out interface e0/0. You could create a policy so that packets destined to 10.1.1.1 go out interface e1/0 instead. Or, you could make this happen only when the source of that packet is 192.168.1.1.
How does policy based routing work?
If you look at the
The "matching" of the traffic is usually done with an ACL (access-control list) that is referenced by a route-map. In the route-map, there is a "match" for the traffic defined in that ACL, followed by a "set" where the network administrator defines what he or she wants to happen to that traffic (prioritize it, route it differently, drop it, or other actions). Policies can be based on IP address, port numbers, protocols, or size of packets.
How to apply policy-based routing
Let's look at an example of how we could use PBR. Say that we wanted to find any traffic that is destined for IP device 10.1.1.1 and, instead of sending it wherever the routing protocol says it should go, we are going to send it out interface Fa3/0.
To do this, here are the steps we would take:
Step 1 - define an ACL
Keep in mind that whatever is permitted by this ACL is what will be matched. You don't want to permit everything. Usually, I take advantage of the implicit deny at the bottom of the ACL and just create an ACL that permits what I am going to take action on in the route-map.
So, just create a simple ACL:
Router(config)# access-list 101 permit ip any host 10.1.1.1
This ACL permits only traffic with a destination IP of 10.1.1.1 (the traffic we want to send elsewhere).
Step 2 - create a route-map
To create a route-map, go into route-map configuration mode, like this:
Router(config)# route-map reroute10traffic permit 10
Next, set your match policy to match the traffic in ACL 101, like this:
Router(config-route-map)#match ip address 101
This will match all the traffic permitted through ACL 101.
Next, you need to set some action on that traffic. What do you want to happen to that traffic? Let's tell the router to send it out interface Fast Ethernet 3/0, like this:
Router(config-route-map)#set interface Fa3/0
Another option would be to set the next hop in the routing table. This would have a similar effect, unless there are multiple paths. Let's say our next hop interface address is 18.104.22.168, then instead of the command above, we would say:
Router(config-route-map)#set ip next-hop 22.214.171.124
Step 3 - Apply the route-map to the interface
Next, you need to apply this policy/route-map to the interface where the traffic is coming in.
Router(config)# interface FastEthernet 3/0
Router(config-if)#ip policy route-map reroute10traffic
According to the official
Now exit and you are done!
You can view your access lists with the show access-list command, your route-maps with show route-map, and any applied policies with show ip policy.
Another thing you may want to try is the debug ip policy command. This debug shows whenever packets match or do not match the policy.
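Because a PBR policy overrides the routing table for whatever its ACL permits, it is worth checking a saved configuration for policies that match more than intended. The following Python script is an added example, not part of the original article or any Cisco tool: it resolves each interface's policy to its route-map, ACL and set action, and flags ACLs that permit everything or are missing. It assumes numbered access-list lines only; the sample config is constructed, and ACL 102, the route-map toobroad and the address 192.0.2.1 are hypothetical.

```python
import re

# Constructed running-config: ACL 101 and reroute10traffic follow the steps above;
# ACL 102, route-map "toobroad" and 192.0.2.1 are hypothetical, added to show findings.
SAMPLE_CONFIG = """\
access-list 101 permit ip any host 10.1.1.1
access-list 102 permit ip any any
route-map reroute10traffic permit 10
 match ip address 101
 set interface FastEthernet3/0
route-map toobroad permit 10
 match ip address 102
 set ip next-hop 192.0.2.1
route-map toobroad permit 20
 match ip address 103
 set ip next-hop 192.0.2.1
interface FastEthernet3/0
 ip policy route-map reroute10traffic
interface FastEthernet0/0
 ip policy route-map toobroad
"""

def audit_pbr(config):
    """Resolve interface -> route-map -> ACL -> set action; flag broad or missing ACLs."""
    acls, maps, policies, entry, iface = {}, {}, [], None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # a top-level command ends any sub-mode
            entry = iface = None
        if m := re.match(r"access-list (\d+) (.+)", line):
            acls.setdefault(m[1], []).append(m[2])
        elif m := re.match(r"route-map (\S+) (?:permit|deny) (\d+)", line):
            entry = maps.setdefault(m[1], {}).setdefault(int(m[2]), {"match": [], "set": []})
        elif m := re.match(r"interface (\S+)", line):
            iface = m[1]
        elif entry is not None and (m := re.match(r"match ip address (.+)", line)):
            entry["match"] += m[1].split()
        elif entry is not None and line.startswith("set "):
            entry["set"].append(line[4:])
        elif iface and (m := re.match(r"ip policy route-map (\S+)", line)):
            policies.append((iface, m[1]))
    findings = []
    for iface, name in policies:
        for seq in sorted(maps.get(name, {})):  # statements are evaluated in sequence order
            for acl in maps[name][seq]["match"]:
                broad = any(a.startswith("permit ip any any") for a in acls.get(acl, []))
                issue = "undefined ACL" if acl not in acls else "ACL matches all traffic" if broad else "ok"
                findings.append((iface, name, seq, acl, tuple(maps[name][seq]["set"]), issue))
    return findings
```

Calling audit_pbr(SAMPLE_CONFIG) returns one tuple per interface, route-map statement and ACL, with the last field holding the finding.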
What do you need to know about match & set?
Route-map statements are made up of match and set commands. The set action only happens when the match command is fulfilled.
Route-map statements can have multiple lines of match and set statements. The "10" in the original route-map statement above is the line number of that route-map statement. The numbers of the route-map statements are very important, as they determine the order in which the statements are processed, and they can also be used to insert and delete individual statements.
We hope this helps you to understand Policy Based Routing.