Policy Based Routing
Policy-Based Routing (PBR) is a feature available in modern routers that gives network administrators granular control over routing decisions within their network. Unlike traditional routing, which relies solely on the destination IP address to determine the path a packet takes, PBR makes routing decisions based on policies defined by the network administrator.
Policy-Based Routing operates on the principle of defining policies that match specific criteria within packets, such as source IP addresses, application types, or QoS markings. When a packet matches a defined policy, it is directed to follow a custom routing path, bypassing the regular routing table.
PBR can be employed in various scenarios, including:
Load balancing traffic across multiple ISP connections.
Implementing security measures by directing traffic through a firewall.
Redirecting traffic to optimize network performance.
PBR Configuration
To configure PBR, we first need to define the policies. Route maps are used to define the policy-based routing criteria. You can create a route-map with the route-map command followed by a name. Let’s call it “PBR-Map” in this example:
Router(config)# route-map PBR-Map permit 10
PBR-Map
: This is the name of the route-map. You can choose any name you prefer.
permit 10
: This is a sequence number that determines the order of evaluation. Lower sequence numbers are evaluated first.
Next, define the match criteria inside the route-map using the match command. These criteria define which traffic the policy applies to.
Note
Only the match ip address ACL_NAME command can be used for PBR in the route-map.
Router(config-route-map)# match ip address allowed_sources
ip address allowed_sources
: This specifies that the route-map should match packets that match an access control list (ACL) named “allowed_sources.”
The next step is defining an action. To specify the action to be taken when the criteria are met, use the set command within the route-map.
Note
Only the set ip next-hop A.B.C.D command can be used for PBR in the route-map.
Router(config-route-map)# set ip next-hop 192.168.1.1
ip next-hop 192.168.1.1
: This sets the next-hop IP address for the matched packets.
Note
If no VRF is specified, the next-hop is looked up in the default VRF. To change this behaviour, use the ip next-hop vrf command.
Finally, apply the route-map to the interface, subinterface, or VLAN where you want to implement PBR:
Router(config-if)# ip policy route-map PBR-Map
PBR-Map
: Specifies the name of the route-map that contains the policy criteria and actions to be applied to the traffic.
Note
Policies are applied to ingress traffic, so the route-map should be applied to the internal interface(s) where the traffic enters the router.
Note
Packets that are generated by the device are not policy-routed.
Example
In this example, we’ll configure PBR to route HTTP traffic through a specific gateway while all other traffic uses the regular routing table.
Assumptions:
The router has two interfaces: ge0 for the internal network and ge1 for the external network.
The gateway for HTTP traffic is 192.168.1.254, and all other traffic follows the default route (via 192.168.1.1).
We define an ACL that permits TCP traffic from any source (that is, any internal client) to destination port 80 (HTTP):
Router(config)# ip access-list http_traffic
Router(config-nacl)# permit tcp any any eq http
A route-map is created with sequence number 10. It matches traffic using ACL http_traffic and sets the next-hop IP address to 192.168.1.254:
Router(config)# route-map redirect_http permit 10
Router(config-route-map)# match ip address http_traffic
Router(config-route-map)# set ip next-hop 192.168.1.254
The route-map is applied to the internal interface (ge0), where the client traffic enters the router. HTTP traffic therefore follows the route-map and is forwarded to 192.168.1.254, while all other traffic uses the default route:
Router(config)# interface ge0
Router(config-if)# ip policy route-map redirect_http
Router(config)# ip route 0.0.0.0/0 192.168.1.1
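The following Python model reproduces the forwarding decision this example configures: the ACL http_traffic, the route-map redirect_http with sequence 10, the ip policy binding on ge0 and the default route. It is an added illustration of how the router evaluates PBR, not code from the product or its documentation; the data structures and function names are constructed for this example.

```python
import ipaddress

# Constructed model of the example configuration above.
ACLS = {  # ip access-list http_traffic: permit tcp any any eq http
    "http_traffic": [{"action": "permit", "proto": "tcp",
                      "src": "any", "dst": "any", "dport": 80}],
}
ROUTE_MAPS = {  # route-map redirect_http permit 10 / match ip address / set ip next-hop
    "redirect_http": [{"seq": 10, "action": "permit",
                       "match_acl": "http_traffic", "next_hop": "192.168.1.254"}],
}
INTERFACE_POLICY = {"ge0": "redirect_http"}      # interface ge0 / ip policy route-map
ROUTING_TABLE = [("0.0.0.0/0", "192.168.1.1")]   # ip route 0.0.0.0/0 192.168.1.1


def _addr_match(spec, addr):
    """ACL address field: the keyword 'any' or a CIDR prefix."""
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def acl_matches(acl_name, pkt):
    """First matching ACL entry decides; no match means implicit deny."""
    for ace in ACLS[acl_name]:
        if (ace["proto"] == pkt["proto"] and ace["dport"] == pkt["dport"]
                and _addr_match(ace["src"], pkt["src"])
                and _addr_match(ace["dst"], pkt["dst"])):
            return ace["action"] == "permit"
    return False


def routing_table_lookup(dst):
    """Regular destination-based forwarding: longest-prefix match."""
    best = None
    for prefix, next_hop in ROUTING_TABLE:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, next_hop)
    return best[1] if best else None


def forward(pkt, ingress):
    """Return the next hop for a packet arriving on `ingress` (None = generated locally)."""
    # PBR is evaluated only on ingress; locally generated packets are never policy-routed.
    rmap = INTERFACE_POLICY.get(ingress) if ingress is not None else None
    if rmap:
        for entry in sorted(ROUTE_MAPS[rmap], key=lambda e: e["seq"]):  # lowest seq first
            if entry["action"] == "permit" and acl_matches(entry["match_acl"], pkt):
                return entry["next_hop"]                      # set ip next-hop wins
    return routing_table_lookup(pkt["dst"])                   # fall back to routing table
```

Feeding the model an HTTP packet from ge0 yields 192.168.1.254, while the same packet arriving on ge1, an SSH packet from ge0, or HTTP traffic generated by the router itself all fall through to the default route via 192.168.1.1.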