Contents

Introduction
Lab Basic Setting
Set Ip Next-hop
  Basic Setting
  Verify Availability
  IP SLA Tracking
Set Ip Next-hop Recursive
Set Ip Default Next-hop
Set Interface
Set Default Interface
PBR Configuration Order

Introduction

Policy Based Routing (PBR) seems to be a difficult topic. Actually, it is not! In simple words, PBR just changes the next-hop IP address to override the decision of the routing table and so control the traffic path. I assume you are already familiar with topics like Routing Decision and EIGRP.

Lab Basic Setting

In order to test PBR, we will use the following setup. Assume R1 is the WAN link router of a company; it connects to ISP1 (R2) and ISP2 (R3). All routers are running EIGRP.

[Figure: PBR lab topology]

R1 receives the route 10.10.10.10/32 from R2 and R3. That means both ISP1 and ISP2 can be used to reach 10.10.10.10 now.

R1#show ip eigrp topology all-links 
EIGRP-IPv4 Topology Table for AS(1)/ID(192.168.15.1)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status 

P 10.10.10.10/32, 1 successors, FD is 409600, serno 9
        via 192.168.12.2 (409600/128256), Ethernet1/0
        via 192.168.13.3 (2323456/409600), Serial2/0
P 192.168.34.0/24, 1 successors, FD is 2195456, serno 12
        via 192.168.13.3 (2195456/281600), Serial2/0
P 192.168.12.0/24, 1 successors, FD is 281600, serno 1
        via Connected, Ethernet1/0
P 192.168.13.0/24, 1 successors, FD is 2169856, serno 11
        via Connected, Serial2/0
P 192.168.15.0/24, 1 successors, FD is 281600, serno 13
        via Connected, Ethernet1/1
P 1.1.1.1/32, 1 successors, FD is 409600, serno 14
        via 192.168.15.5 (409600/128256), Ethernet1/1

R1 chooses 192.168.12.2 as the next hop, of course, since its metric is smaller.

R1#show ip route eigrp 
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 1 subnets
D        1.1.1.1 [90/409600] via 192.168.15.5, 00:16:08, Ethernet1/1
      10.0.0.0/32 is subnetted, 1 subnets
D        10.10.10.10 [90/409600] via 192.168.12.2, 00:03:38, Ethernet1/0
D 192.168.34.0/24 [90/2195456] via 192.168.13.3, 00:19:26, Serial2/0

Now we use a distribute list on R3 to stop it advertising 10.10.10.10/32 to R1, which forces all traffic to destination 10.10.10.10/32 to follow the R5 > R1 > R2 path.

R3(config)#ip prefix-list DENY_10 deny 10.10.10.10/32
R3(config)#ip prefix-list DENY_10 permit 0.0.0.0/0 le 32
R3(config)#router eigrp 1
R3(config-router)#distribute-list prefix DENY_10 out

So only the next hop 192.168.12.2 is available for reaching 10.10.10.10/32.

R1#show ip eigrp topology all-links 
EIGRP-IPv4 Topology Table for AS(1)/ID(192.168.15.1)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status 

P 10.10.10.10/32, 1 successors, FD is 409600, serno 9
        via 192.168.12.2 (409600/128256), Ethernet1/0
P 192.168.31.0/24, 1 successors, FD is 281600, serno 23
        via Connected, Ethernet1/7
P 192.168.12.0/24, 1 successors, FD is 281600, serno 1
        via Connected, Ethernet1/0
P 192.168.15.0/24, 1 successors, FD is 281600, serno 13
        via Connected, Ethernet1/1
P 1.1.1.1/32, 1 successors, FD is 409600, serno 14
        via 192.168.15.5 (409600/128256), Ethernet1/1

Finally, traceroute 10.10.10.10 from R5: packets travel along R5 > R1 > R2. If the above setting confuses you, please revisit EIGRP for a refresher.

Set Ip Next-hop

The first method of PBR is set ip next-hop. We can force the traffic from R5 with source address 1.1.1.1 and destination address 10.10.10.10 to go through R5 > R1 > R3 > R4, while other traffic still uses the original path R5 > R1 > R2. This is the so-called policy.

Basic Setting

The configuration of PBR is not a complicated task. First, use an extended access list to define the policy traffic on R1.

R1(config)#ip access-list extended PBR_TRAFFIC
R1(config-ext-nacl)#permit ip host 1.1.1.1 host 10.10.10.10

Then use a route map to set the next-hop IP.

R1(config)#route-map PBR
R1(config-route-map)#match ip address PBR_TRAFFIC
R1(config-route-map)#set ip next-hop 192.168.13.3

Finally, apply the route map to e1/1, the interface on which the policy traffic arrives.

R1(config)#int ethernet 1/1
R1(config-if)#ip policy route-map PBR

Now, traffic from 1.1.1.1 to 10.10.10.10 is going through R5 > R1 > R3 > R4.

R5#traceroute 10.10.10.10 source 1.1.1.1
Type escape sequence to abort.
Tracing the route to 10.10.10.10
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.15.1 48 msec 24 msec 20 msec
  2 192.168.13.3 40 msec 40 msec 32 msec
  3 192.168.34.4 52 msec 40 msec 40 msec

Other traffic still uses R5 > R1 > R2. (If no source is specified for the traceroute, the router uses the IP address of the outbound interface as the source address, that is 192.168.15.5 on e1/0.)

R5#traceroute 10.10.10.10               
Type escape sequence to abort.
Tracing the route to 10.10.10.10
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.15.1 12 msec 20 msec 20 msec
  2 192.168.12.2 28 msec 32 msec 32 msec

Be reminded that the next-hop IP address must lie in a directly connected network; otherwise the PBR will not be activated.

For example, shut down s2/0 on R3.

R3(config)#int serial 2/0
R3(config-if)#shutdown

The connected network 192.168.13.0/24 disappears from R1, so the set ip next-hop will not be activated.

R1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 1 subnets
D        1.1.1.1 [90/409600] via 192.168.15.5, 00:46:36, Ethernet1/1
      10.0.0.0/32 is subnetted, 1 subnets
D        10.10.10.10 [90/409600] via 192.168.12.2, 00:05:40, Ethernet1/0
      192.168.12.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.12.0/24 is directly connected, Ethernet1/0
L        192.168.12.1/32 is directly connected, Ethernet1/0
      192.168.15.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.15.0/24 is directly connected, Ethernet1/1
L        192.168.15.1/32 is directly connected, Ethernet1/1

Traffic will use the original path.

R5#traceroute 10.10.10.10 source 1.1.1.1
Type escape sequence to abort.
Tracing the route to 10.10.10.10
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.15.1 20 msec 20 msec 20 msec
  2 192.168.12.2 28 msec 28 msec 20 msec

Moreover, if two or more IP addresses are given in set ip next-hop, the router checks whether the first address lies in a connected network. The first address is used if it passes; otherwise the second address is checked, and so on.

Verify Availability

In some situations the interface is UP and the connected network exists, yet data cannot be transmitted for some reason. If we want to ensure the other side is UP and able to forward, we may use set ip next-hop verify-availability. When this command is applied, R1 monitors the CDP packets coming from R3; PBR will not be activated if CDP packets are not received.

route-map PBR permit 10
 match ip address PBR_TRAFFIC
 set ip next-hop 192.168.13.3
 set ip next-hop verify-availability

IP SLA Tracking

Assume there is a switch between R1 and R3; then even CDP cannot monitor the far side. If R3 is DOWN but PBR is still activated, packets will be lost. We can use IP SLA tracking for this situation.

Set up an SLA first. You may check this article for reference; the syntax varies somewhat between IOS versions.

R1(config)#ip sla 1
R1(config-ip-sla)#icmp-echo 192.168.13.3
R1(config-ip-sla-echo)#frequency 5
R1(config-ip-sla-echo)#timeout 5000
R1(config-ip-sla-echo)#threshold 100
R1(config-ip-sla-echo)#exit     
R1(config)#ip sla schedule 1 life forever start-time now

Then bind SLA 1 to track 1, and add the track to the route map.

R1(config)#track 1 ip sla 1 reachability
R1(config)#route-map PBR permit 10
R1(config-route-map)#match ip address PBR_TRAFFIC
R1(config-route-map)#set ip next-hop verify-availability 192.168.13.3 1 track 1

Use show route-map to verify. The tracking shows [up], meaning the status of SLA 1 is good, that is, 192.168.13.3 can be pinged.

R1#show route-map
route-map PBR, permit, sequence 10
  Match clauses:
    ip address (access-lists): PBR_TRAFFIC 
  Set clauses:
     ip next-hop verify-availability 192.168.13.3 1 track 1  [up]
  Policy routing matches: 129 packets, 7740 bytes

So, PBR is activated.

R5#traceroute 10.10.10.10 source 1.1.1.1
Type escape sequence to abort.
Tracing the route to 10.10.10.10
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.15.1 52 msec 40 msec 20 msec
  2 192.168.13.3 40 msec 20 msec 20 msec
  3 192.168.34.4 32 msec 32 msec 28 msec

If we shut down s2/0 on R3, the tracking goes down.

R1#show route-map
route-map PBR, permit, sequence 10
  Match clauses:
    ip address (access-lists): PBR_TRAFFIC 
  Set clauses:
     ip next-hop verify-availability 192.168.13.3 1 track 1  [down]
  Policy routing matches: 159 packets, 9540 bytes

PBR will not be activated.

R5#traceroute 10.10.10.10 source 1.1.1.1
Type escape sequence to abort.
Tracing the route to 10.10.10.10
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.15.1 20 msec 20 msec 12 msec
  2 192.168.12.2 20 msec 20 msec 20 msec

Set Ip Next-hop Recursive

As we said before, the address given to set ip next-hop must lie in a connected network for the PBR to be activated. If an address in a network that is not directly connected is to be used as the next hop, we can use set ip next-hop recursive. For example, set the next hop to 192.168.34.4.

R1(config)#route-map PBR
R1(config-route-map)#match ip address PBR_TRAFFIC
R1(config-route-map)#set ip next-hop recursive 192.168.34.4

Set Ip Default Next-hop

The third command of PBR is set ip default next-hop. The word "default" is really quite confusing. Actually, what it does is use the PBR as a backup path: the router only uses the PBR when the destination does not exist in the routing table.

R1(config)#route-map PBR
R1(config-route-map)#match ip address PBR_TRAFFIC
R1(config-route-map)#set ip default next-hop 192.168.13.3

10.10.10.10/32 exists in the routing table of R1.

R1#show ip route 10.10.10.10
Routing entry for 10.10.10.10/32
  Known via "eigrp 1", distance 90, metric 409600, type internal
  Redistributing via eigrp 1
  Last update from 192.168.12.2 on Ethernet1/0, 1d15h ago
  Routing Descriptor Blocks:
  * 192.168.12.2, from 192.168.12.2, 1d15h ago, via Ethernet1/0
      Route metric is 409600, traffic share count is 1
      Total delay is 6000 microseconds, minimum bandwidth is 10000 Kbit
      Reliability 255/255, minimum MTU 1500 bytes
      Loading 1/255, Hops 1

Even when traffic that matches the policy arrives, R1 uses the original path R5 > R1 > R2.

R5#traceroute 10.10.10.10 source 1.1.1.1
Type escape sequence to abort.
Tracing the route to 10.10.10.10
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.15.1 20 msec 20 msec 20 msec
  2 192.168.12.2 20 msec 20 msec 20 msec

Now shut down e1/0 on R2 to remove the route.

R2(config)#int ethernet 1/0
R2(config-if)#shutdown 

10.10.10.10/32 disappears from R1.

R1#show ip route 10.10.10.10
% Network not in table

PBR is activated.

R5#traceroute 10.10.10.10 source 1.1.1.1
Type escape sequence to abort.
Tracing the route to 10.10.10.10
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.15.1 20 msec 12 msec 8 msec
  2 192.168.13.3 64 msec 40 msec 28 msec
  3 192.168.34.4 72 msec 48 msec 52 msec

Set Interface

The fourth command, set interface, is simple. It points the next hop at an outbound interface (a point-to-point interface). For example, R1 uses interface serial 2/0 as the next hop instead of the IP address 192.168.13.3.

R1(config)#route-map PBR
R1(config-route-map)#match ip address PBR_TRAFFIC
R1(config-route-map)#set interface serial 2/0

Set Default Interface

The last command, set default interface, is similar to set ip default next-hop: the PBR is only activated when the destination is not found in the routing table.

R1(config)#route-map PBR
R1(config-route-map)#match ip address PBR_TRAFFIC
R1(config-route-map)#set default interface serial 2/0

PBR Configuration Order

If several of the above PBR commands are configured together in one route map, the router evaluates them in the following order.

  1. set ip next-hop
  2. set ip next-hop recursive
  3. set ip default next-hop
  4. set interface
  5. set default interface

For example, if set ip next-hop, set ip default next-hop and set interface all exist in the same route map, only set ip next-hop is processed.
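As an added illustration (not part of the original article), here is a small Python model of how the set clauses are evaluated: the priority order of this section, the connected-network check and first-usable-address rule from Set Ip Next-hop, the track state from IP SLA Tracking, and the "destination not in table" condition of the default variants. The prefixes are taken from the lab; the clause/candidate data format and the fall-through to the next clause when one has no usable candidate are assumptions of this model.

```python
import ipaddress

# Evaluation order of the PBR set clauses as listed in the article.
ORDER = ("ip next-hop", "ip next-hop recursive", "ip default next-hop",
         "interface", "default interface")

def _covered(addr, prefixes):  # is addr inside any connected network / RIB prefix?
    return any(ipaddress.ip_address(addr) in ipaddress.ip_network(p) for p in prefixes)

def pbr_next_hop(clauses, dst, connected, rib, up_ifaces, tracks):
    """Return the (clause, target) PBR picks for dst, or None to use the RIB.
    clauses: ip clauses -> [(addr, track_id or None), ...], interface clauses ->
    [ifname, ...]. Trying the next clause when one has no usable candidate is
    this model's assumption; the article only states the priority order."""
    dst_known = _covered(dst, rib)
    for clause in ORDER:
        if clause not in clauses or (dst_known and "default" in clause):
            continue                      # "default" variants act only for unknown dst
        for cand in clauses[clause]:
            if clause.startswith("ip"):
                cand, track = cand        # first usable address in the list wins
                where = rib if clause.endswith("recursive") else connected
                ok = _covered(cand, where) and tracks.get(track, True)
            else:                         # interface / default interface
                ok = cand in up_ifaces
            if ok:
                return clause, cand
    return None

# Constructed data modelled on the lab: R1's connected networks and EIGRP routes.
R1_CONN = ["192.168.12.0/24", "192.168.13.0/24", "192.168.15.0/24"]
R1_RIB = R1_CONN + ["10.10.10.10/32", "1.1.1.1/32", "192.168.34.0/24"]
DST = "10.10.10.10"

def lab_scenarios():  # replay the article's cases: scenario name -> PBR decision
    nh = {"ip next-hop": [("192.168.13.3", 1)]}   # verify-availability ... track 1
    dflt = {"ip default next-hop": [("192.168.13.3", None)]}
    both = {"ip next-hop": [("192.168.13.3", None)], "interface": ["Serial2/0"]}
    no_s20 = [n for n in R1_CONN if n != "192.168.13.0/24"]   # R3 s2/0 shut down
    no_dst = [p for p in R1_RIB if p != DST + "/32"]          # R2 e1/0 shut down
    return {
        "track_up": pbr_next_hop(nh, DST, R1_CONN, R1_RIB, set(), {1: True}),
        "track_down": pbr_next_hop(nh, DST, R1_CONN, R1_RIB, set(), {1: False}),
        "s2/0_down": pbr_next_hop(nh, DST, no_s20, R1_RIB, set(), {}),
        "recursive": pbr_next_hop({"ip next-hop recursive": [("192.168.34.4", None)]},
                                  DST, R1_CONN, R1_RIB, set(), {}),
        "default_known": pbr_next_hop(dflt, DST, R1_CONN, R1_RIB, set(), {}),
        "default_unknown": pbr_next_hop(dflt, DST, R1_CONN, no_dst, set(), {}),
        "order": pbr_next_hop(both, DST, R1_CONN, R1_RIB, {"Serial2/0"}, {}),
    }
```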