PBR – Policy-based Routing configuration example

Policy-Based Routing Configuration

Here we will show different examples on how to configure specific PBR types:

  • Enabling PBR on the Router
  • Fast-Switched PBR
  • Local PBR
  • CEF-Switched PBR

Enabling PBR

This command will define that the router will use PBR and that the PBR will use route-map named TEST.

R1(config)# route-map TEST permit 10

Defines a route map with name TEST. You don’t need to put sequence number 10 after permit. If you do not put it, router will generate it starting from 10 and give every next route map a sequence number increased by 10. It’s just saying in which order sequences with match criteria will be processed. Remember : One interface can have only one route map. In this case TEST. You can have multiple route map entries, each with its own sequence number. Entries are processed in order until the first match.

Next we define match criteria, it’s by IP address using standard or named ACL (The 10 is the number of standard access list and ACL_ROUTE name of named access list defined afterwards). It can be matched by packet length to:

R1(config-route-map)# match ip address 10
R1(config-route-map)# match ip address ACL_ROUTE
R1(config-route-map)# match length min max

Please remember: If you do not specify a match command, the route map applies to all packets.

The next thing to define is what will PBR do with the packets that match the criteria in access list.

Here is the list of actions you can invoke on matched traffic:

Sets precedence value in the IP header. You can specify either the precedence number or name.

  R1(config-route-map)# set ip precedence [number | name]

Sets the `Don’t Fragment’ (DF) bit in the ip header.

  R1(config-route-map)# set ip df

Sets the VPN Routing and Forwarding (VRF) instance.

  R1(config-route-map)# set ip vrf vrf_name

Sets next hop to which to route the packet.

  R1(config-route-map)# set ip next-hop ip-address [... ip-address]

Sets next hop to which to route the packet if the hop is to a router which is not adjacent.

  R1(config-route-map)# set ip next-hop recursive ip-address [... ip-address]

Sets output interface for the packet.

  R1(config-route-map)# set interface interface-type interface-number [... type number]

Sets next hop to which to route the packet if there is no explicit route for this destination.

  R1(config-route-map)# set ip default next-hop ip-address [... ip-address]

Sets output interface for the packet if there is no explicit route for this destination.

  R1(config-route-map)# set default interface interface-type interface-number [... type ...number]

 

Next we need to define the interface where will the PBR wait for packets to enter in the process of policy based routing. By attaching PBR for that route map on selected interface the router knows which packets arriving on what interface will be subject to PBR rule that we created above.

Enable PBR on interface:

R1(config)#interface Fa0/0
R1(config-if)# ip policy route-map TEST

 

Fast-Switched PBR

When you do the command above you will enable PBR but PBR will disable fast switching of all packets arriving on that interface. That would slow things down. If you want that the things work fast as before, you choice is to enable Fast-Switched PBR

Fast-switched PBR has some limitations so it cannot set these things:

  • set ip default next-hop
  • set default interface
  • set interface command is supported only over point-to-point links

Fast switching PBR will be applied only to PRB policies that are set prior to enabling it. It you define some other PBR policies later you will need to enable fast switching PBR again.

R1(config-if)# ip route-cache policy

There is another thing. Packets that are generated by the router itself are not subject to PBR policy. To change this setting and include those packets to PBR policing you will need to enable Local PBR using this command:

R1(config)# ip local policy route-map map-tag
R1(config)#show ip local policy

…will show you which route map is used for local PBR, if any.

 

CEF-Switched PBR

PBR is supported in the Cisco Express Forwarding – CEF. CEF-switched PBR is faster than fast-switched PBR. The ip route-cache policy is command used for fast-switched PBR and you don’t need it for CEF-switched PBR.

 

PBR CONFIG EXAMPLE:
PBR - Policy-based Routing

We want that for example packet that is sourced from host A to server is crossing router R2 on its way, and that packets from host B are going to the same server but across router R3. We are also defining precedence in the packet header with set ip precedence command.

One important thing to mention here is the usage of the match statement. If you use more than one match inside one map sequence number (10 in our example in tab 2) every match must be matched if set statements will be processed.

CONFIG

 R1(config)#access-list 1 permit 192.168.1.10 
 R1(config)#access-list 2 permit 192.168.1.20 
 ! 
 R1(config)#interface Fastethernet 0/0 
 R1(config-if)#ip policy route-map TEST 
 ! 
 R1(config)#route-map TEST permit 10 
 R1(config-route-map)#match ip address 1 
 R1(config-route-map)#set ip next-hop 10.10.10.2 
 ! 
 R1(config)#route-map TEST permit 20 
 R1(config-route-map)#match ip address 2 
 R1(config-route-map)#set ip next-hop 10.10.10.6


Multiple match

R1(config)#access-list 1 permit 192.168.1.10 
 ! 
 R1(config)#interface Fastethernet 0/0 
 R1(config-if)#ip policy route-map TEST 
 ! 
 R1(config)#route-map TEST permit 10 
 R1(config-route-map)#match ip address 1 
 R1(config-route-map)#match lenght 1000 1600
 R1(config-route-map)#set ip next-hop 10.10.10.2
 !

 

 

 

Leave a Reply