How to use the Cisco IOS Policy-Based Routing Features
by David Davis, vExpert, VCP, CCIE 9369 - January 8, 2009

The use of a dynamic routing protocol on a company's WAN and LAN is standard
practice today. Whether you use OSPF or EIGRP to automatically determine the path that
your traffic takes, at some point, for some reason, you may want to direct that traffic for
yourself. In this article, we will learn what Policy-based routing is, how it can help you,
and what a basic configuration looks like.

What is Policy-based Routing?


With policy-based routing (which we will call PBR from here on out), you can
implement policies that selectively cause packets to take different paths. Additionally,
PBR can mark packets so that certain types of traffic get prioritized. For example, say
your OSPF routing protocol determines that a packet with a destination of 10.1.1.1
should go out interface e0/0. You could create a policy so that packets destined to
10.1.1.1 go out interface e1/0 instead. Or, you could make this happen ONLY when the
source of that packet is 192.168.1.1.

How does policy based routing work?


If you look at the Cisco IOS Order of Operations, policy routing always happens
BEFORE regular routing. Policy routing inspects the traffic on the interface where the
policy is applied and then, based on the policy, makes a decision. First, the traffic has
to be identified ("matched") according to the policy. Second, for each match, something
is "set". What is set could be that the matching traffic must exit out a different
interface, that the traffic is given a higher priority, or that the traffic is simply
dropped.

The "matching" of the traffic is usually done with an ACL (access-control list) that is
referenced by a route-map. In the route-map, there is a "match" for the traffic defined in
that ACL, then a "set" for that traffic, where the network administrator defines what he or
she wants to happen to it (prioritize it, route it differently, drop it, or other
actions). Policies can be based on IP address, port numbers, protocols, or size of packets.

How to apply policy-based routing


Let's look at an example of how we could use PBR. Say that we wanted to find any traffic
that is destined for IP device 10.1.1.1 and, instead of sending it wherever the routing
protocol says it should go, we are going to send it out interface Fa3/0.

To do this, here are the steps we would take:

Step 1 - define an ACL


Keep in mind that whatever is permitted by this ACL is what will be matched. You don't
want to permit everything. Usually, I take advantage of the implicit deny at the bottom of
the ACL and just create an ACL that permits what I am going to take action on in the
route-map.

So, just create a simple ACL:

Router(config)# access-list 101 permit ip any host 10.1.1.1

This ACL permits only traffic with a destination IP of 10.1.1.1 (the traffic we want to
send elsewhere).

Step 2 - create a route-map


To create a route-map, go into route-map configuration mode, like this:

Router(config)# route-map reroute10traffic permit 10

Router(config-route-map)#

Next, set your match policy to match the traffic in ACL 101, like this:

Router(config-route-map)# match ip address 101

This will match all the traffic permitted through ACL 101.

Next, you need to set some action on that traffic. What do you want to happen to that
traffic? Let's tell the router to send it out interface Fast Ethernet 3/0, like this:

Router(config-route-map)# set interface Fa3/0

Step 3 - Apply the route-map to the interface


Next, you need to apply this policy/route-map to the interface where the traffic is coming
in.

Router(config)# interface FastEthernet 3/0

Router(config-if)# ip policy route-map reroute10traffic

According to the official Cisco Policy Routing documentation, "One interface can have
only one route map tag; but you can have several route map entries, each
with its own sequence number. Entries are evaluated in order of their sequence numbers
until the first match occurs. If no match occurs, packets are routed as usual."

Now exit and you are done!

You can view your route-maps with show route-map.
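
When reviewing a router configuration, it helps to confirm offline which traffic a policy actually steers and which route-map entry does it. The Python sketch below is an added example, not part of the original article or of Cisco's tooling: it parses a constructed configuration fragment (the article's ACL 101 and entry 10, plus a hypothetical entry 20, ACL 102 and ingress interface FastEthernet0/0) and evaluates a packet in sequence-number order with first match winning. It assumes only `permit` entries and `any`/`host` ACL terms.

```python
import ipaddress

# Constructed sample: the article's ACL 101 and route-map entry 10, plus a
# hypothetical entry 20 / ACL 102 and a hypothetical ingress interface.
CONFIG = """\
access-list 101 permit ip any host 10.1.1.1
access-list 102 permit ip host 192.168.1.1 any
route-map reroute10traffic permit 20
 match ip address 102
 set interface Fa1/0
route-map reroute10traffic permit 10
 match ip address 101
 set interface Fa3/0
interface FastEthernet0/0
 ip policy route-map reroute10traffic
"""

def _net(tok):  # consume 'any' or 'host A.B.C.D' (only forms handled here)
    word = tok.pop(0)
    if word not in ("any", "host"):
        raise ValueError(f"unsupported ACL term: {word}")
    return ipaddress.ip_network("0.0.0.0/0" if word == "any" else tok.pop(0) + "/32")

def parse(config):
    acls, maps, policy, ctx = {}, {}, {}, None
    for t in (line.split() for line in config.splitlines() if line.strip()):
        if t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            rest = t[4:]
            acls.setdefault(t[1], []).append((_net(rest), _net(rest)))
        elif t[0] == "route-map":        # one entry per sequence number
            ctx = maps.setdefault(t[1], {}).setdefault(int(t[3]), {})
        elif t[0] == "interface":
            ctx = t[1]
        elif t[:3] == ["match", "ip", "address"]:
            ctx["acl"] = t[3]
        elif t[:2] == ["set", "interface"]:
            ctx["set"] = t[2]
        elif t[:3] == ["ip", "policy", "route-map"]:
            policy[ctx] = t[3]           # route-map bound to ingress interface
    return acls, maps, policy

def policy_route(cfg, in_if, src, dst):
    acls, maps, policy = cfg
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    entries = maps.get(policy.get(in_if), {})
    for seq in sorted(entries):          # lowest sequence number first
        for a_src, a_dst in acls.get(entries[seq].get("acl"), []):
            if s in a_src and d in a_dst:    # first match wins
                return f"seq {seq}: set interface {entries[seq].get('set')}"
    return "routed as usual"             # no policy or no match
```

Entry 20 appears first in the sample text but is evaluated second, which is why a packet from 192.168.1.1 to 10.1.1.1 is handled by entry 10.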

What do you need to know about match & set?


Route-map statements are made up of match and set commands. The set action only
happens when the match command is fulfilled.

Route-map statements can have multiple lines of match and set statements. The "10" in the
original route-map statement above is the sequence number (line number) of that route-map
statement. The numbers of the route-map statements are very important, as they determine
the order in which the statements are processed, and they can also be used to insert and
delete individual statements.

There are really a TON of things that you can MATCH and SET. For the full list, please
see the official Cisco Policy Routing documentation.
