How to configure Policy Based Routing

Hi Rene,

How would the router treat the matching packets, if the specified next-hop in the PBR is unreachable? Will the packets be dropped or the routing table will be used?
Thanks,
Amit

Hello Amit

Using the set ip next-hop command causes the system to use policy routing first and then the routing table. So the answer to your question is yes, the routing table will be used.

Alternatively, if you use the command set ip default next-hop the order of operations is reversed. It will use the routing table first and then the policy route specified.

More info can be found in this Cisco documentation.

I hope this has been helpful!

Laz

1 Like

Hi,

I have a question that I have a good guess on but would like to confirm.

I see when you create your access list for the Policy Based Routing that you only add the one permit statement to the access-list. It's been knocked into my head that there is always an implicit deny statement at the end of all access-lists. So would not best practice be putting a statement at the end that says permit ip any any?

Now my guess is that since you are not applying this access list to, say, an interface or another entity of that form, it's not required. Indeed we are just using the access-list as a trigger for when an event happens (the flow of certain network traffic etc…)

So nothing is really being permitted or denied in the physical realm so it does not matter.

I just wanted to confirm my thinking is correct on this as I immediately started looking for the permit all other traffic but then logically saw that it was not really needed in this case.

Just trying to feel out my box and rules on this.

Thanks!

Hello Brian.

You are essentially correct. Access lists when used in conjunction with Policy Based Routing are used for matching specific criteria. If you add permit ip any any at the end, then you would essentially be saying “match everything”.

I hope this has been helpful!

Laz

3 Likes

Thanks for confirming and also thanks for that added bit at the end about it matching everything.

I was almost thinking that, just to conform with best practices, it would be good to add the permit everything, but did not think from that perspective that it would then include that as well. You might have saved me from a possible booboo!

1 Like

Hi Laz,

So how can we make the next hop reliable without using IP SLA?

And what will happen when we use three (3) next hops like …

set ip next-hop 11.10.10.1 15.10.10.1 20.10.10.1

Does it process the next hops one by one? Need more clarification. Thx

br//zaman

1 Like

Hello Zaman

First it is important to understand what happens when you configure the set ip next-hop command. This command first verifies the existence of the next hop specified. If the next hop exists in the routing table, then the command policy routes the packet to the next hop. If the next hop does not exist in the routing table, the command uses the normal routing table to forward the packet.

Note that the IP addresses used in the command must be those of adjacent routers.

Now it is possible to indicate multiple next hop IP addresses as in the example you specified. Each next hop IP address is examined in the order specified. If the next hop exists in the routing table, it uses that address as the next hop. If it does not, it goes to the next address indicated in the command and so on…

I hope this has been helpful!

Laz

2 Likes

Hi ReneMolenaar,

Here’s a random question Re: Policy Based routing.

Can you implement Policy Based Routing on a router without doing static routing and/or dynamic routing (RIP, OSPF and EIGRP)?

I have three routers: R1, R2 and R3. I would like to use Policy Based Routing to get packets to and from routers. Ideally, I would use static routes to get this done, but since I am new to Policy Based Routing I'd like to implement this method to see.

Please advise.

Regards,

Floyd

Hello Floyd

Policy based routing essentially provides a method of tweaking or affecting routing decisions based on additional parameters. One of the prerequisites is that a route must already exist in the routing table in order to affect it. If you don’t create any static routing entries and there is no dynamic routing configured, then there will only be directly connected routes installed in the routing table. You can apply policy based routing to affect those, but you will not be able to introduce new routes to remote destinations.

So if you want to manipulate routes by using policy based routing, a prerequisite is that the route you want to manipulate must exist in the routing table, either statically assigned or dynamically learned.

I hope this has been helpful!

Laz

Hi Laz,

Thanks for your answering and clearing this up for me. Yes, it makes perfect sense and provides clarity to my doubts in logic. I thought this was the case. However, a second opinion from the experts is always a great way of confirmation. I will go and have a play with this again and see if I can produce the right results in my lab. Very many thanks for the clarification.

Floyd

1 Like

Hi Laz,

In my lab environment, I am able to use policy-based routing to push routes from internal VLANs to one single IP gateway and it works like a charm. My issue now is: I am trying to implement a DMZ in my lab. From the diagram, you will see that all the default traffic is sent to the firewall from LAN to Internet (that is working fine as it's just a default route). Routes from the firewall to the internal LAN are flowing well via firewall routing (router on a stick method).

Therefore traffic is flowing from LAN to internet - OK
From Firewall to DMZ - OK

When I tried to do a tracert from DMZ to 8.8.4.4 on the DMZ host, the packet was dropped at the gateway. I suspect the reason for this is that the router does not know where to push the traffic as it sees two interfaces i.e. one going to the LAN and another to the FIREWALL.

Here is my question:

Can you use the policy based route to set the default next hop to go to the firewall and something like another next hop to be internal LAN?


Hi Floyd,

How did you configure the default route on your router? With PBR or just a regular static route? I'm guessing you did this with PBR? With a static route, routing is global (not per interface).

In this scenario, you don’t need PBR. A single static default route that points to the firewall is all you need on the router. Traffic can only go one way, to the firewall and that’s it. The other networks (DMZ and VLANs) are directly connected to your router.

When it receives a packet with an unknown destination, it’ll go to the firewall. When it receives a packet for the DMZ or any of the VLANs, it is directly connected and it can forward the packet.

On your firewall, you’ll need some routes so that it knows how to reach the subnets of your VLANs and the subnet of your DMZ.

You only need PBR if you want to “overrule” some of your routing. For example, let’s say your router is connected to a second firewall and the default route points to the first firewall. All unknown destination traffic is then sent to the first firewall. Let’s say you now want to send traffic from VLAN 4 through the second firewall, that’s when you need PBR, to change the next hop to the second firewall when the source traffic comes from the VLAN 4 subnet.

Hope this helps!

Rene

Rene,

It's been a while since I posted; I hope everything is going very well.

On PBR using match against an ACL (standard or extended) via route map is it possible to match against actual routing updates as opposed to the source address(es)?

I.e.: I want three subnets linked to OSPF (routing updates) to take a different route via a router receiving routes x 3 each from 2 x upstream routers and then about to pass those routes downstream over two equal cost paths, splitting to 2 x routers again.

So instead of splitting all routes equal cost over 2 paths as is the default, I PBR route 3 routes over 1 path and 3 via the other. If this could be done, how would it be done in OSPF? Many thanks, Will

Hello William,

I’m doing good, hope you are as well! Do you have a small picture that explains what you are looking for? That might make it a bit easier to understand your question.

With PBR, you can match on a lot of things…source and/or destination addresses is one option. You would only need to use PBR if you want to make an exception for certain traffic types…like sending VoIP traffic over link X instead of the default (link Y). If you just want to send your traffic in one particular direction, you can probably achieve it with regular routing.

Rene

Rene,

I have a question regarding PBR: can we apply multiple PBR policies on the same interface?

Hello Durga

Yes it is possible to configure multiple routing policies under a single route-map for a single interface. You just have to create multiple route map statements with statement numbers and match multiple access lists and set the next hop IP to a different value for each.

For example:

Create three access lists that match specific criteria:

access-list 188 permit ip host 172.25.5.1 any
access-list 188 deny ip any any

access-list 189 permit ip host 172.25.5.2 any
access-list 189 deny ip any any

access-list 190 permit ip host 172.25.5.3 any
access-list 190 deny ip any any

Then, create a route map (named TEST-RM for this example) with three statements, one for each case:

route-map TEST-RM permit 10
match ip address 188
set ip next-hop 172.30.100.33

route-map TEST-RM permit 20
match ip address 189
set ip next-hop 172.29.100.33

route-map TEST-RM permit 30
match ip address 190
set ip next-hop 172.28.100.1

Finally, enable the policies on the interface:

interface GigabitEthernet3/0/0
 ip policy route-map TEST-RM in

I hope this has been helpful!

Laz

1 Like
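To make the evaluation order described in the answers above concrete (the ACL's implicit deny, route-map sequences tried in order, several next hops examined in the order given, and the difference between set ip next-hop and set ip default next-hop), here is a small Python model. It is an added example, not code from the thread or from Cisco; the routing table, addresses and ACL contents are constructed sample values, and "adjacent" is modelled as "covered by a directly connected route".

```python
# Added example (not code from the thread): a Python model of the PBR
# evaluation order discussed above. All addresses, routes and ACLs are
# constructed sample values.
import ipaddress

# Constructed routing table: prefix -> next hop (None = directly connected)
RIB = {
    "0.0.0.0/0": "10.0.0.1",             # default route towards the firewall
    "172.25.5.0/24": None,               # LAN where the policy is applied
    "172.30.100.0/24": None,             # link to the adjacent router .33
    "192.168.50.0/24": "172.30.100.33",  # explicit route via that router
}

def rib_lookup(dst):
    """Longest-prefix match; returns (prefix, next_hop) or (None, None)."""
    addr = ipaddress.ip_address(dst)
    hits = [p for p in RIB if addr in ipaddress.ip_network(p)]
    if not hits:
        return None, None
    best = max(hits, key=lambda p: ipaddress.ip_network(p).prefixlen)
    return best, RIB[best]

def acl_permits(acl, src):
    """acl = [(action, source_prefix)]; falling off the end is the implicit deny."""
    for action, prefix in acl:
        if ipaddress.ip_address(src) in ipaddress.ip_network(prefix):
            return action == "permit"
    return False

def adjacent(nh):
    """A candidate next hop is usable only if it sits on a connected network."""
    prefix, via = rib_lookup(nh)
    return prefix not in (None, "0.0.0.0/0") and via is None

def policy_route(src, dst, route_map):
    """route_map = [(seq, acl, kind, [next_hops])], kind is "next-hop" or
    "default"; the first sequence whose ACL permits the source decides.
    Returns (next_hop, reason); next_hop None means directly connected."""
    prefix, rib_nh = rib_lookup(dst)
    for seq, acl, kind, hops in route_map:
        if not acl_permits(acl, src):
            continue                  # no match: try the next sequence number
        if kind == "default" and prefix not in (None, "0.0.0.0/0"):
            return rib_nh, f"seq {seq}: explicit route {prefix} wins"
        for nh in hops:               # candidates are examined in the order given
            if adjacent(nh):
                return nh, f"seq {seq}: policy routed via {nh}"
        break                         # matched, but no usable hop: normal routing
    return rib_nh, f"normal routing via {prefix}"
```

A source that no sequence permits, or a matched sequence whose next hops are all unreachable, falls through to the routing table, which is the behaviour the answers above describe.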

Hello team,

I have a question: what if I want to set as-path prepend to only one prefix (192.168.1.0/24) associated to a “prefix-list-XXX” that has two prefixes (192.168.1.0/24, 192.168.2.0/24), and the route-map has this “prefix-list-XXX”?

Everything is set up like this:

Router1#
router bgp 65000
neighbor y.y.y.y route-map "prefix-list-XXX" out

The prefix-list “prefix-list-XXX” has two prefixes
192.168.1.0/24
192.168.2.0/24

So, how can I announce 192.168.1.0/24 with prepend, and the other 192.168.2.0/24 without prepend, using the same route-map and prefix-list-XXX? If it's not possible, how can I accomplish this behavior?

Thanks in advance.

Hello Rene,

I have a question regarding PBR in your How To Master the CCNP Route book. On page 165, the topology you used is the same topology I will be referring to. I re-created that topology exactly in GNS3, and it worked as expected. I then re-created it a second time, but configured PBR on R4 and the goal was to force all traffic down to R3, and then from R3 up to R1 across the serial link.

After I finished creating this topology I did a trace route from R4 to a loopback address I added onto R1. The trace route did go to the configured next-hop router R3 like I wanted; however, the packet was sent back to R4, then to R2, and then R1. My first thought was that I needed to configure PBR on R3 as well, but without using the “local” keyword in the "ip policy route-map " command since the packet(s) are originating from R4 and not R3. This didn't change anything though, and the trace route behaved the same way by bouncing the packet back to R4, and then following the path to R2 and then R1.

So, the next thing I did was change the EIGRP metric on R3 to make the route from R3 to R1 more desirable. This did work, and the trace route was able to traverse from R4 to R3 and then to R1, like I wanted it to.

My question is, was this the ideal way (best practice) to achieve my goal of forcing the traffic against what the routing table would have done? Or, after configuring PBR on R4 and R3, should the trace route have still traversed across the path that I wanted (R4 to R3 to R1) without changing the bandwidth and delay for EIGRP on R3? Perhaps I didn’t configure it correctly on R3? Any input is greatly appreciated!

Policy Based Routing only works for the device it is configured on, right? So, if the source router (in a trace route) operates correctly by using PBR, how should I expect the next-hop router to treat the packets it receives?

Hello Brandon

I believe that you hit the nail right on the head when you said:

So any policy you set on R4 will be true for R4 and R4 alone. If you want to adjust the routing behaviour of other parts of the network, such as is the case in the above example, specifically how R3 routes the packet that comes to it, then you will have to either adjust the EIGRP metric as you did, or create a new route map on R3 that deals with that traffic and sends it via the desired path. What you actually end up doing is that which is the most scalable and appropriate for your network. If you want all traffic with a destination of 1.0.0.0/24 that reaches R3 to go via the serial link, then adjusting the EIGRP metric will do the trick. If you want to further segregate which traffic will be routed via the serial link and which will not, based on other parameters such as source IP, destination IP and others, then route maps are the way to go, as they are more detailed and can provide a higher granularity and control of the routing process.

Now without having the actual configs nor the lab in front of me, my question is why did the trace go to R3, return to R4 and then be sent via R2? Shouldn’t the route map have sent it back to R3 thus creating a routing loop? Again, I don’t have the route maps in front of me, so it’s just something you might take a look at.

I hope this has been helpful!

Laz

Hi Rene,

Is PBR source-based routing or destination-based, and how? Please explain.