Configure Policy Based Routing on Cisco Router

Policy Based Routing, or PBR, is a feature that lets a network administrator manipulate packet routing and forwarding according to a defined policy. In short, if a packet arriving on a router matches a characteristic defined in the policy, it is given a custom action instead of following the normal routing and forwarding logic. Such actions include routing to a different next-hop address, forwarding out a different interface, or setting special flags or precedence values. PBR is supported by most vendors, including Cisco. This post provides guidance on how to configure Policy Based Routing on a Cisco router.

How to Configure Policy Based Routing on Cisco Router

Policy Based Routing is very useful because it can manipulate the traffic flow based on source properties defined in an access-list.

This scenario shows how to use PBR to decide which ISP a network user should use, based on the user's IP address. There are two VLANs in the local network and two ISP routers acting as gateways to the internet, with the network topology as pictured below:

PC1 is a member of VLAN100 and PC2 is a member of VLAN200. The gateways for both VLAN100 and VLAN200 are configured on R1 interface f0/0, on subinterfaces f0/0.100 and f0/0.200 respectively. The IP address of the ISP-A router interface facing R1 is 172.16.1.1, and that of the ISP-B router interface facing R1 is 172.16.2.1.

The relevant R1 configuration snippet is shown below:

!
interface FastEthernet0/0
 no ip address
 speed auto
 duplex auto
!
interface FastEthernet0/0.100
 encapsulation dot1Q 100
 ip address 192.168.100.1 255.255.255.0
!
interface FastEthernet0/0.200
 encapsulation dot1Q 200
 ip address 192.168.200.1 255.255.255.0
!
interface FastEthernet0/1
 ip address 172.16.1.2 255.255.255.252
 speed auto
 duplex auto
!
interface FastEthernet0/2
 ip address 172.16.2.2 255.255.255.252
 speed auto
 duplex auto
!
!
ip route 0.0.0.0 0.0.0.0 172.16.1.1
!

The current configuration on R1 uses 172.16.1.1, that is ISP-A, as the default gateway to the internet. There is a requirement for users in VLAN100 to use ISP-B as their gateway, while users in the other VLAN should continue to use the existing default gateway.

PBR must be implemented on R1 to achieve this, and the configuration is as follows:

1. Creating access-list

An access-list (ACL) is created to identify the source IP addresses to which PBR will be applied. The ACL can be a standard, extended, or named access-list. Specify the particular IP address or subnet as the source address in the ACL. In this scenario, the subnet for VLAN100 is 192.168.100.0/24, therefore the access-list is created using “192.168.100.0 0.0.0.255” as the source and “any” as the destination.

R1(config)#access-list 100 permit ip 192.168.100.0 0.0.0.255 any

In the above example, an ACL with ID number 100 is created. Note that if PBR is intended only for a specific destination IP or subnet, that destination should also be specified in the ACL rather than “any”. It should also be noted that one ACL ID can contain more than one access-list entry.

2. Creating route-map

A route-map works with “if-then” logic. Simply put, if a packet matches an ACL, the router applies a custom action to that packet instead of the normal routing and forwarding logic. In this scenario, we want packets coming from the VLAN100 subnet and destined for the internet to be forwarded via ISP-B. The route-map configuration equivalent to that statement is as follows:

R1(config)#route-map Vlan100_to_ISP_B
R1(config-route-map)#match ip address 100
R1(config-route-map)#set ip next-hop 172.16.2.1

In the above example, a route-map with the tag Vlan100_to_ISP_B is created. The name can be anything, but it is best to keep it simple as it will be referenced in the next configuration step. Notice that the configuration refers to ACL ID 100, which was created in step 1. Also notice that the configuration sets the next-hop address to the ISP-B router interface. This way, the default route via 172.16.1.1 (ISP-A) will not be used for packets coming from the VLAN100 subnet.

The commonly used parameters for the “match” and “set” commands in a route-map can be found in the Cisco documentation, but of course there may be more parameters depending on the router model and IOS version.

3. Applying route-map to the interface

Now the final step is to apply the policy on the router interface where the packets enter the router. In this scenario, packets from the VLAN100 subnet enter R1 through subinterface f0/0.100, so PBR is applied there. The command to apply PBR is as follows:

R1(config)#int f0/0.100
R1(config-subif)#ip policy route-map Vlan100_to_ISP_B

Notice that the PBR configuration refers to the route-map tag Vlan100_to_ISP_B that we created in step 2.
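As an added example (it is not part of the original post and not a Cisco tool), the following Python models the decision R1 makes for a packet once steps 1 to 3 are in place: wildcard-mask matching of the ACL, the ACL's implicit deny, the route-map “set ip next-hop” action, the fact that the policy is only consulted on the interface it is applied to, and the fall-through to the default route when nothing matches. The addresses, ACL number, route-map name and interface names are taken from the post; the sample packets are constructed.

```python
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard masks: a 1 bit means 'do not care', so only the 0 bits are
    compared. 'any' is shorthand for 0.0.0.0 255.255.255.255 and always matches."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


# Step 1: 'access-list 100 permit ip 192.168.100.0 0.0.0.255 any'.
# Each entry is (action, src_base, src_wildcard, dst_base, dst_wildcard);
# the destination 'any' is expanded to 0.0.0.0 255.255.255.255 as IOS does.
ACL_100 = [("permit", "192.168.100.0", "0.0.0.255", "0.0.0.0", "255.255.255.255")]


def acl_permits(acl, src: str, dst: str) -> bool:
    """First matching entry wins; every IOS ACL ends with an implicit 'deny any'."""
    for action, sb, sw, db, dw in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action == "permit"
    return False


# Step 2: route-map Vlan100_to_ISP_B with one sequence: match ACL 100, set next hop to ISP-B.
ROUTE_MAPS = {"Vlan100_to_ISP_B": [{"match_acl": ACL_100, "set_next_hop": "172.16.2.1"}]}

# Step 3: 'ip policy route-map Vlan100_to_ISP_B' exists on f0/0.100 only; f0/0.200 has no policy.
IP_POLICY = {"FastEthernet0/0.100": "Vlan100_to_ISP_B"}

DEFAULT_NEXT_HOP = "172.16.1.1"  # ip route 0.0.0.0 0.0.0.0 172.16.1.1 (ISP-A)


def next_hop(ingress_if: str, src: str, dst: str) -> str:
    """PBR is evaluated only for packets entering the interface the policy is
    applied to. A packet matching a sequence takes that sequence's next hop;
    anything else falls through to the routing table, here the default route."""
    for seq in ROUTE_MAPS.get(IP_POLICY.get(ingress_if), []):
        if acl_permits(seq["match_acl"], src, dst):
            return seq["set_next_hop"]
    return DEFAULT_NEXT_HOP


if __name__ == "__main__":
    # Constructed sample packets: PC1 and PC2 tracing mustbegeek.com (65.254.248.86),
    # plus a packet arriving on f0/0.100 from an address outside VLAN100.
    for iface, src in [("FastEthernet0/0.100", "192.168.100.10"),
                       ("FastEthernet0/0.200", "192.168.200.10"),
                       ("FastEthernet0/0.100", "192.168.200.10")]:
        print(f"{iface} {src} -> next hop {next_hop(iface, src, '65.254.248.86')}")
```

The third sample shows why the source address is what the policy keys on: a packet entering f0/0.100 from outside 192.168.100.0/24 fails the ACL and keeps using ISP-A.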

Verifying the PBR implementation result

Before applying PBR, both PC1 (a member of VLAN100) and PC2 (a member of VLAN200) use the same gateway address to the internet, as can be seen from the second hop in the trace results below: for both PCs the second hop is 172.16.1.1. In other words, both VLANs are using ISP-A as the internet gateway.

Trace route from PC1

PC1> trace mustbegeek.com
mustbegeek.com resolved to 65.254.248.86
trace to mustbegeek.com, 8 hops max, press Ctrl+C to stop
 1 192.168.100.1 8.001 ms 7.999 ms 8.000 ms
 2 172.16.1.1 28.000 ms 32.002 ms 36.001 ms
 3 12.12.12.2 52.003 ms 57.004 ms 58.001 ms
 4 65.254.248.86 64.998 ms 65.002 ms 64.999 ms

Trace route from PC2

PC2> trace mustbegeek.com
mustbegeek.com resolved to 65.254.248.86
trace to mustbegeek.com, 8 hops max, press Ctrl+C to stop
 1 192.168.200.1 15.623 ms 15.627 ms 15.622 ms
 2 172.16.1.1 46.879 ms 46.879 ms 31.253 ms
 3 12.12.12.2 78.556 ms 78.114 ms 77.991 ms
 4 65.254.248.86 80.001 ms 79.996 ms 80.112 ms

After applying PBR, notice that the path from the second hop onward differs between PC1 and PC2, even though both are going to the same destination. PC1 (a member of VLAN100) now uses 172.16.2.1 (ISP-B) as its internet gateway, while PC2 still uses 172.16.1.1 (ISP-A). This is the result of the PBR configured earlier.

Trace route from PC1 after PBR applied

PC1> trace mustbegeek.com
mustbegeek.com resolved to 65.254.248.86
trace to mustbegeek.com, 8 hops max, press Ctrl+C to stop
 1 192.168.100.1 23.122 ms 16.155 ms 15.625 ms
 2 172.16.2.1 46.880 ms 31.249 ms 31.250 ms
 3 13.13.13.3 62.503 ms 63.125 ms 62.998 ms
 4 65.254.248.86 77.133 ms 77.554 ms 77.282 ms

Trace route from PC2 after PBR applied

PC2> trace mustbegeek.com
mustbegeek.com resolved to 65.254.248.86
trace to mustbegeek.com, 8 hops max, press Ctrl+C to stop
 1 192.168.200.1 15.625 ms 15.625 ms 15.626 ms
 2 172.16.1.1 58.119 ms 46.878 ms 27.999 ms
 3 12.12.12.2 62.690 ms 46.878 ms 27.999 ms
 4 65.254.248.86 60.250 ms 60.111 ms 61.396 ms

And that’s how you configure Policy Based Routing on a Cisco router.