How to configure Policy Based Routing

Hi Rene / Team,

I have a few questions on PBR:
1. How does the sequence number work here? Will it go from the lowest to the highest number?
2. If we are using PBR for some routes and not for all prefixes, then since PBR has an implicit deny at the end, will it impact the other traffic? I mean, will it drop that traffic or allow it? Will PBR work globally on the router?
3. Suppose I have multiple route-maps on my router in production. How do we know which PBR is active or working? There may be some old PBR which is not currently in production.
4. Last but not least, how can we quickly identify which PBR a specific route is using on the router?

Hello Sean

When applying an IP policy for PBR, it always acts upon incoming traffic. This is because the order of operations for routing in general is:

  1. Traffic enters an interface
  2. It is routed based on the routing table and/or based on PBR
  3. Traffic emerges from the exit interface.

This is the case in the example in the lesson. Only traffic that is incoming on the Gi0/1 is acted upon by the PBR.

Now for an SVI, the principle is the same. Only traffic that is incoming to that SVI will be acted upon with the PBR. There is no need to indicate incoming or outgoing traffic.

I hope this has been helpful!

Laz


Hello Haroon

Sequence numbers for PBR as well as for all route maps go from lowest to highest. You can find out more about route maps in general at the following lesson:

PBR will only act upon the prefixes that match the access list referenced. Any prefixes that don’t match will be routed normally using the routing table. Remember, PBR will only operate on the interface on which it has been applied.

PBR will only be activated on specific interfaces using the ip policy command. You may have many route maps configured on a router, but if they are not applied using this command, they are not active. You can know which ones are active based on these commands on the interfaces.

One way you can do this is to look at your access lists (or prefix lists, if that is what you are using for PBR) and see if the prefix you’re looking for is there. Then you can check to see what entities reference this access list. It may be a route map. If so, you can then check to see if that route map is applied as an IP policy on an interface.

I hope this has been helpful!

Laz
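One way to automate the check described above (which ACL entries name a prefix, which route-map clauses reference those ACLs, and whether each route-map is actually applied with ip policy route-map on an interface), as an added example that is not part of this thread. The config excerpt is constructed and loosely modeled on the route-maps posted later in the thread; ACL entries that would only match through `any` are deliberately not reported, since the lookup answers "which entries name this address", and an empty interface list means the route-map is defined but inactive.

```python
import ipaddress
import re

# Constructed running-config excerpt (not a real device); NET-CACHE is defined but never applied.
CONFIG = """\
interface Port-channel1.500
 ip policy route-map CACHE
ip access-list extended NO-USER-CACHE
 permit ip any 10.0.0.0 0.255.255.255
ip access-list extended USER-CACHE
 permit tcp 185.234.103.0 0.0.0.255 any eq www
ip access-list standard GAMES
 permit 20.40.0.0 0.7.255.255
route-map CACHE permit 11
 match ip address NO-USER-CACHE
route-map CACHE permit 12
 match ip address USER-CACHE
 set ip next-hop 192.168.7.1
route-map NET-CACHE permit 12
 match ip address GAMES
 set ip next-hop 192.168.7.1
"""
IP = r"\d{1,3}(?:\.\d{1,3}){3}"

def acl_networks(entry):
    """Networks an ACL line names explicitly: 'X wildcard' pairs and 'host X' ('any' is ignored on purpose)."""
    nets = [ipaddress.ip_network(f"{a}/{w}", strict=False) for a, w in re.findall(rf"({IP}) ({IP})", entry)]
    return nets + [ipaddress.ip_network(h + "/32") for h in re.findall(rf"host ({IP})", entry)]

def parse(cfg):
    """Return (ACL entries, route-map clauses, interfaces each route-map is applied on with 'ip policy')."""
    acls, rmaps, applied, kind, cur = {}, {}, {}, None, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := re.match(r"ip access-list \S+ (\S+)$", line):
            kind, cur = "acl", acls.setdefault(m.group(1), [])
        elif m := re.match(r"route-map (\S+) (?:permit|deny) (\d+)", line):
            kind, cur = "rmap", {"seq": int(m.group(2)), "acls": [], "next_hops": []}
            rmaps.setdefault(m.group(1), []).append(cur)
        elif m := re.match(r"interface (\S+)", line):
            kind, cur = "intf", m.group(1)
        elif not raw.startswith(" "):
            kind = None                                   # any other top-level line ends the block
        elif kind == "acl" and line.startswith("permit"):
            cur.append(line)
        elif kind == "rmap" and (m := re.match(r"match ip address (.+)", line)):
            cur["acls"] += m.group(1).split()
        elif kind == "rmap" and (m := re.match(r"set ip (?:default )?next-hop (.+)", line)):
            cur["next_hops"] += m.group(1).split()
        elif kind == "intf" and (m := re.match(r"ip policy route-map (\S+)", line)):
            applied.setdefault(m.group(1), []).append(cur)   # PBR is only active where this appears
    return acls, rmaps, applied

def pbr_for_address(cfg, ip):
    """Clauses whose ACL names ip -> (route-map, seq, next hops, interfaces it is applied on)."""
    acls, rmaps, applied = parse(cfg)
    addr = ipaddress.ip_address(ip)
    return [(name, c["seq"], c["next_hops"], applied.get(name, [])) for name, clauses in rmaps.items()
            for c in clauses if any(addr in n for a in c["acls"] for e in acls.get(a, []) for n in acl_networks(e))]
```

Running `pbr_for_address(CONFIG, "20.41.0.1")` reports NET-CACHE seq 12 with no interfaces, i.e. a leftover route-map that sets a next hop but is not doing anything.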

I have an issue: how can I set up policy-based routing with an ACL but still let DHCP work?

When I apply the policy on an interface, DHCP does not work and it doesn’t hand out IPs to users.

Hello Alberto

Hmm, I’m trying to think how policy-based routing can affect your DHCP server. Are you using a DHCP relay agent with the ip helper-address command? If the DHCP server is on the same network segment as the hosts, any policy-based routing configured would not affect DHCP address allocation. Can you give us some more information about your topology including the network segments that your hosts and your DHCP server are connected to? Hopefully, we’ll be able to help you out more with this additional information.

I hope this has been helpful!

Laz

Hello folks,

Can anyone explain in detail how set ip next-hop verify-availability works?
and
Can anyone explain in detail how set ip next-hop recursive works?

Which one requires the next hop to be directly connected?

Hello Mohammad

These are policy-based routing features that can be employed to enhance your PBR configuration.

First, we have the set ip next-hop verify-availability command. This is used to configure policy routing to verify the reachability of the next hop of a route map before the router performs policy routing to that specific next hop.

More about how this command can be used can be seen at this Cisco command reference:

The second command, set ip next-hop recursive, is a supplementary command to the set ip next-hop command itself. It is used to enable policy-based routing to subnets that are not directly connected to the local router. In order for this command to be used correctly, the next-hop IP address must already be assigned separately from the recursive next-hop IP address. You can find out more details about the recursive feature in PBR from the following Cisco documentation:

You can also find info about the command itself in the following command reference link:

The first command verifies next hop reachability using either CDP or object tracking. CDP requires directly connected devices, while object tracking can track non-directly-connected next hops using ICMP. The second command, by definition, deals with devices that are not directly connected.

I hope this has been helpful!

Laz

Hi Rene,

I need a link where I can download the updated Cisco IOS for GNS and EVE, please.

Hello Costa

Take a look at this post that talks about Cisco IOS images in GNS3 and other emulators.

I hope this has been helpful!

Laz

Hi Rene,

May I ask? What is the difference between set ip next-hop address x.x.x.x and set ip default next-hop address commands?

Thanks.

Regards
Leon

Hello Leon

Cisco states it this way:

The set ip default next-hop command verifies the existence of the destination IP address in the routing table, and…

  • if the destination IP address exists, the command does not policy route the packet, but forwards the packet based on the routing table.
  • if the destination IP address does not exist, the command policy routes the packet by sending it to the specified next hop.

The set ip next-hop command verifies the existence of the next hop specified, and…

  • if the next hop exists in the routing table, then the command policy routes the packet to the next hop.
  • if the next hop does not exist in the routing table, the command uses the normal routing table to forward the packet.

This comes from the following documentation on the subject which explains it in further detail and with examples:

I hope this has been helpful!

Laz

Hi,
What is the difference if I use
set ip next-hop 11.10.10.1 15.10.10.1 20.10.10.1

or if I use the verify-availability feature with 3 statements (1, 2, 3) as backup next hops if the first one is unreachable, of course with track and IP SLA???

Another Q
Does PBR support ECMP or load sharing? If yes please share example.

@ReneMolenaar @lagapidis

Hello Ali

The set ip next-hop 11.10.10.1 15.10.10.1 20.10.10.1 command verifies the existence of the next hop using the routing table. If the next hop IP address is in the routing table, it uses that address. If it is not, then it will attempt to use the next address in the list of the command that you provide. If none of them are in the routing table, then it simply uses the normal routing table to forward the packet.

The set ip next-hop verify-availability command also attempts to verify the existence of the next hop, but uses a different mechanism to do so. If no arguments are used in the command, then CDP is used to determine the availability of that next hop. However, if you use the track keyword, you can use ICMP echo requests or HTTP GET requests to verify if the next hop IP is reachable.

These two commands perform a similar function, but they do so in a different manner.

It depends upon the platform. For example, the NX-OS Release 9.2(3) supports this feature while the 3950 does not.

I hope this has been helpful!

Laz
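The behaviours described in the answers above (lowest sequence number first with first match winning, non-matching traffic falling through to the routing table, the multi-address form of set ip next-hop, set ip default next-hop only acting when no explicit route exists, and verify-availability with track objects deciding reachability instead of the routing table) can be put side by side in one small simulator. This is an added illustration, not code from the thread or from Cisco; the routing table, track states, prefixes and next hops are constructed, and a plain `match` on source prefixes stands in for `match ip address <acl>`.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed routing table and track states (assumed values, not taken from the thread).
ROUTES = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "192.168.7.0/24", "192.168.250.0/30", "0.0.0.0/0")]
TRACK_UP = {1: False, 2: True}   # 'track 1' (IP SLA probe) is down, 'track 2' is up

def has_route(ip, allow_default=True):
    """True if a routing-table entry covers ip; the 0.0.0.0/0 entry counts only when allow_default."""
    addr = ipaddress.ip_address(ip)
    return any(addr in r and (allow_default or r.prefixlen > 0) for r in ROUTES)

@dataclass
class Clause:
    seq: int                                       # route-map sequence number
    match: list                                    # source prefixes, standing in for 'match ip address <acl>'
    next_hops: list = field(default_factory=list)  # 'set ip next-hop A B C' candidates, in order
    default: bool = False                          # True models 'set ip default next-hop'
    verify: dict = field(default_factory=dict)     # next hop -> track object ('verify-availability ... track N')

def usable(clause, nh):
    if nh in clause.verify:                        # tracked next hop: the track state decides
        return TRACK_UP.get(clause.verify[nh], False)
    return has_route(nh, allow_default=False)      # untracked: needs an explicit route (a default route is not enough)

def policy_route(route_map, src, dst):
    """('policy', next_hop) or ('table', None) for a packet entering the interface the policy is applied to."""
    s = ipaddress.ip_address(src)
    for clause in sorted(route_map, key=lambda c: c.seq):          # lowest sequence number first
        if not any(s in ipaddress.ip_network(p) for p in clause.match):
            continue                                                # no match: try the next sequence
        if clause.default and has_route(dst, allow_default=False):
            return ("table", None)     # explicit route to dst exists: default next-hop is not used
        for nh in clause.next_hops:    # first usable candidate wins
            if usable(clause, nh):
                return ("policy", nh)
        return ("table", None)         # matched, but no usable next hop: normal routing
    return ("table", None)             # nothing matched: implicit fall-through to the routing table

# Constructed route-map; the list is deliberately out of order to show that sequence
# numbers, not listing order, decide evaluation (seq 15 is shadowed by seq 10).
PBR = [
    Clause(15, ["10.1.1.0/24"], next_hops=["192.168.250.1"]),
    Clause(10, ["10.1.1.0/24"], next_hops=["172.31.0.1", "192.168.7.1"]),   # 172.31.0.1 has no route
    Clause(20, ["10.1.2.0/24"], next_hops=["192.168.7.1"], default=True),
    Clause(30, ["10.1.3.0/24"], next_hops=["172.31.0.1", "192.168.250.1"],
           verify={"172.31.0.1": 1, "192.168.250.1": 2}),                   # failover by track state
]

if __name__ == "__main__":
    for src, dst in (("10.1.1.5", "8.8.8.8"), ("10.1.2.5", "10.9.9.9"), ("10.1.2.5", "8.8.8.8"),
                     ("10.1.3.5", "8.8.8.8"), ("192.168.99.1", "8.8.8.8")):
        print(src, "->", dst, policy_route(PBR, src, dst))
```

Flipping `TRACK_UP[1]` to True makes the seq 30 traffic move back to 172.31.0.1, which is the failover the IP SLA question above is asking about.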

I think there is a typo under the conclusion:

  • Use the ip policy local command globally for traffic that is originated by the router.

Shouldn’t it be ip local policy?


Hello Samir

Yes, you are correct. I’ll let Rene know to make the correction. Thanks for pointing that out!

Laz

Hello Dear,

Please, can PBR be configured on IOS XR? If yes, could you advise or share some resources? If no, is there any alternative solution in XR?

Regards.

Hello ahmedamrici

PBR is available in IOS XR. You can find out more about it at this Cisco documentation:

Alternatively, you can use what is known as ACL-based forwarding. More about that can be found here:

Let us know how you get along with these configuration examples.

I hope this has been helpful!

Laz


Hello, everyone!

How often is this Policy Based Routing used in the real world? Because I was told that PBR is typically considered a duct tape solution and a last resort deal :smiley:

Thank you in advance for your help.

Kind regards,
David

Hello David

You’re correct when you refer to PBR as a “duct tape” solution. It’s not typically the first tool network engineers reach for when specialized routing needs to be applied, as it can add complexity to a network configuration and make troubleshooting more difficult. It is also less flexible and not as adaptive to changing traffic patterns as the use of dynamic routing protocols is.

That being said, PBR is not uncommon in the real world. It is used in specific scenarios where traditional routing methods based on destination IP address are not sufficient. For instance, PBR can be used to control traffic flow based on other factors like source IP address, packet size, or protocol type. It’s also useful when you need to implement routing policies that can’t be achieved with standard routing protocols.

So while it’s true that PBR is generally a last resort, there are certainly situations where it’s the best tool for the job. It’s not something you’ll use every day, but it’s a good skill to have in your repertoire as a network engineer.

I hope this has been helpful!

Laz


Hello,
I have an ASR1001x acting as a PPPoE server. Now my limitation doesn’t work and I am connected to sub-interface .520. Could you kindly check why? This is my config:

Building configuration...

Current configuration : 18068 bytes
!
! Last configuration change at 01:17:14 UTC Sat Oct 14 2023 by admin
!
version 16.3
service timestamps debug datetime msec
service timestamps log datetime msec
service unsupported-transceiver
no platform punt-keepalive disable-kernel-core
platform hardware throughput level 20000000
!
hostname BNG1
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ssh local
aaa authentication ppp default local
aaa authentication ppp PPP local group radius
aaa authorization network PPP local group radius
aaa accounting send stop-record always
aaa accounting delay-start
aaa accounting update periodic 1
aaa accounting network PPP start-stop group radius
!
aaa attribute list GALAXY
 attribute type ip-unnumbered "loopback0" service ppp protocol lcp
 attribute type dns-servers "192.168.3.1" service ppp protocol lcp
 attribute type addr-pool "5-Business-Pool" service ppp protocol lcp
!
!
!
!
aaa server radius dynamic-author
 client 192.168.4.1
 server-key 12345
 auth-type any
!
aaa session-id common
!
transport-map type persistent ssh ssh
 time-out 30
 authentication-retries 4
 rsa keypair-name sshkeys
!
ip address-pool local
!
!
!
!
!
!
!
!
!
ip domain name galaxynet.iq
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
!
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group vpn
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 2
 no l2tp tunnel authentication
!
!
!
!
!
!
!
!
!
!
!
ivr prompt buffers 2
license udi pid ASR1001-X sn JAE20520BPF
license accept end user agreement
license boot level adventerprise
!
spanning-tree extend system-id
diagnostic bootup level minimal
!
!
username admin privilege 15 secret 5 $1$su2X$qe1hskZVzP/CZuFCew7ts1
!
redundancy
 mode none
!
!
!
!
!
!
!

class-map match-all GAMES
 match access-group name GAMES
!


policy-map 5-Business
 class GAMES
  police cir 6000000 bc 50000
   conform-action transmit
   exceed-action drop
 class class-default
  police cir 2000000
   conform-action transmit
   exceed-action drop



policy-map UPLOAD
 class class-default
  police rate 50000000 bps conform-action transmit  exceed-action drop
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
bba-group pppoe PPP
 virtual-template 1
 sessions per-mac limit 10
 sessions per-vlan limit 1000
 sessions per-mac throttle 3 20 30
 sessions auto cleanup
!
!
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
interface Port-channel1
 no ip address
!
interface Port-channel1.400
 description WAN
 encapsulation dot1Q 400
 ip address 192.168.250.2 255.255.255.252
 ip nat outside
!
interface Port-channel1.500
 description CACHE
 encapsulation dot1Q 500
 ip address 192.168.7.200 255.255.255.0
 ip nat inside
!
interface Port-channel1.520
 description TEST-PPP2
 encapsulation dot1Q 520
 ip nat inside
 pppoe enable group PPP
!
interface Port-channel1.600
 description TEST-PPP
 encapsulation dot1Q 600
 ip address 10.6.60.1 255.255.255.0
 ip nat inside
 pppoe enable group PPP
!
interface TenGigabitEthernet0/0/0
 mtu 9216
 no ip address
 channel-group 1 mode active
!
interface TenGigabitEthernet0/0/1
 no ip address
 channel-group 1 mode active
!
interface GigabitEthernet0/0/0
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/1
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/2
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/3
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/4
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/5
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 no ip address
 shutdown
 negotiation auto
!
interface Virtual-Template1
 ip unnumbered Loopback0
 ip nat inside
 ip tcp adjust-mss 1400
 no peer default ip address
 ppp mtu adaptive
 ppp authentication chap PPP
 ppp authorization PPP
 ppp accounting PPP
 ppp ipcp dns 192.168.3.1 8.8.8.8
 ppp ipcp address required
 ppp ipcp address unique
 ppp ipcp address accept
 ip virtual-reassembly
!
ip local pool 1-Economy-POOL 172.16.0.1 172.16.31.254
ip local pool 2-Standard-Pool 172.17.0.1 172.17.31.254
ip local pool 3-Active-Pool 172.18.0.1 172.18.31.254
ip local pool 4-Turbo-Pool 172.19.0.1 172.19.31.254
ip local pool 5-Business-Pool 172.20.0.1 172.20.31.254
ip local pool 6-Expired 10.200.0.1 10.200.254.254
ip nat settings mode cgn
no ip nat settings support mapping outside
ip nat translation timeout 180
ip nat translation tcp-timeout 180
ip nat translation udp-timeout 150
ip nat translation dns-timeout 30
ip nat translation max-entries 10000000
ip nat pool PUBLIC-NAT 185.242.134.32 185.242.134.47 prefix-length 28
ip nat inside source route-map PUBLIC pool PUBLIC-NAT overload
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 192.168.250.1
!


ip access-list standard GAMES
 permit 20.40.0.0 0.7.255.255
 permit 20.192.0.0 0.63.255.255
 permit 20.203.0.0 0.0.127.255
 permit 43.128.224.0 0.0.31.255
 permit 43.132.12.0 0.0.3.255
 permit 43.132.128.0 0.0.63.255
 permit 43.133.0.0 0.0.31.255
 permit 43.134.128.0 0.0.63.255
 permit 43.159.84.0 0.0.0.255
 permit 43.159.102.0 0.0.0.255
 permit 43.159.103.0 0.0.0.255
 permit 49.51.142.0 0.0.1.255
 permit 49.51.154.0 0.0.1.255
 permit 49.51.180.0 0.0.3.255
 permit 101.32.104.0 0.0.7.255
 permit 101.32.160.0 0.0.15.255
 permit 101.33.48.0 0.0.3.255
 permit 101.33.100.0 0.0.3.255
 permit 104.40.0.0 0.7.255.255
 permit 104.208.0.0 0.7.255.255
 permit 119.8.0.0 0.0.7.255
 permit 119.8.80.0 0.0.15.255
 permit 119.8.144.0 0.0.15.255
 permit 119.8.228.0 0.0.3.255
 permit 119.28.152.0 0.0.1.255
 permit 119.28.156.0 0.0.1.255
 permit 119.28.164.0 0.0.0.255
 permit 119.28.165.0 0.0.0.255
 permit 119.28.228.0 0.0.1.255
 permit 119.28.232.0 0.0.1.255
 permit 129.226.2.0 0.0.1.255
 permit 150.109.0.0 0.0.3.255
 permit 150.109.24.0 0.0.3.255
 permit 150.109.90.0 0.0.0.255
 permit 159.138.208.0 0.0.7.255
 permit 162.62.52.0 0.0.3.255
 permit 162.62.59.0 0.0.0.255
 permit 162.62.65.0 0.0.0.255
 permit 162.62.66.0 0.0.0.255
 permit 162.62.69.0 0.0.0.255
 permit 162.62.80.0 0.0.3.255
 permit 170.106.102.0 0.0.0.255
 permit 170.106.121.0 0.0.0.255
 permit 170.106.144.0 0.0.15.255
 permit 15.185.0.0 0.0.255.255
 permit 16.24.0.0 0.0.255.255
 
ip access-list extended DNS
 permit udp any any eq domain
 permit tcp any any eq domain
ip access-list extended ICMP
 permit icmp any any
ip access-list extended NET-CACHE
 permit tcp any eq www 185.230.105.0 0.0.0.255
ip access-list extended NO-NET-CACHE
 permit ip 10.0.0.0 0.255.255.255 any
 permit ip 172.16.0.0 0.15.255.255 any
 permit ip 192.168.0.0 0.0.255.255 any
 permit ip 185.151.107.240 0.0.0.7 any
 permit ip host 109.224.8.75 any
 permit ip host 192.168.4.1 any
ip access-list extended NO-USER-CACHE
 permit ip any 10.0.0.0 0.255.255.255
 permit ip any 172.16.0.0 0.15.255.255
 permit ip any 192.168.0.0 0.0.255.255
 permit ip any 185.151.107.240 0.0.0.7
 permit ip any host 109.224.8.75
 permit ip any host 192.168.4.1
ip access-list extended PUBLIC
 permit ip 172.16.0.0 0.0.31.255 any
 permit ip 172.17.0.0 0.0.31.255 any
 permit ip 172.18.0.0 0.0.31.255 any
 permit ip 172.19.0.0 0.0.31.255 any
 permit ip 172.20.0.0 0.0.31.255 any
ip access-list extended USER-CACHE
 permit udp any any range 54 442
 permit udp any any range 444 449
 permit udp any any range 501 3477
 permit udp any any range 3482 4499
 permit udp any any range 4501 8800
 permit udp any any range 8803 9999
 permit udp any any range 10005 19301
 permit udp any any range 19308 39999
 permit udp any any gt 40005
 permit udp any any gt 1024
 permit udp any any eq 80
 permit tcp 185.234.103.0 0.0.0.255 any eq www
!
!
!
route-map PUBLIC permit 10
 match ip address PUBLIC
!
route-map NET-CACHE permit 11
 match ip address NO-NET-CACHE
!
route-map NET-CACHE permit 12
 match ip address NET-CACHE
 set ip next-hop 192.168.7.1
!
route-map CACHE permit 11
 match ip address NO-USER-CACHE
!
route-map CACHE permit 12
 match ip address USER-CACHE
 set ip next-hop 192.168.7.1
!
!
!
radius-server attribute list GALAXY
!
radius-server attribute 31 mac format ietf
radius-server attribute 31 send nas-port-detail mac-only
radius-server timeout 10
radius-server vsa send cisco-nas-port
!
radius server NAS
 address ipv4 192.168.4.1 auth-port 1812 acct-port 1813
 key 12345
!
!
control-plane
!
 !
 !
 !
 !
!
!
!
!
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 privilege level 15
 transport input ssh
line vty 5 15
 privilege level 15
 transport input ssh
!
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
!
end