
Configure Policy Based routing (PBR) [step by step]

Notes before starting the PBR lab:

  • Standard routing protocols make the forwarding decision on the destination address of the packet only; the source address, protocol and port play no part in it.
  • Policy-based routing overrides the routing table because the PBR check runs on packets as they arrive on the interface, before the destination-based lookup. A packet that matches a permit sequence of the route-map is sent to the configured next hop; everything else (no match, or a deny sequence) is forwarded normally from the routing table. Traffic generated by the router itself is not affected by an interface policy; that needs ip local policy route-map.

Steps:

1- Configure an access-list that selects the traffic: source IP, destination IP, or both, or a specific protocol such as UDP/TCP with an extended ACL.

2- Configure the route-map that will:

first match the ACL ==> then set the action (next hop, ...)

3- Apply the route-map on the incoming interface (the interface the selected traffic enters the router on).

Let’s jump in and start configuring PBR.

Topology (reconstructed from the configurations below; the original diagram is not reproduced here):

  • PC1 sits on 172.16.88.0/24 behind R1 Ethernet0/0 (172.16.88.1).
  • R1 Ethernet0/1 (10.10.1.1/30) connects to R2 Ethernet0/0 (10.10.1.2).
  • R1 Ethernet0/2 (10.10.2.1/30) connects to R3 Ethernet0/0 (10.10.2.2).
  • R2 Ethernet0/1 (172.16.90.20) and R3 Ethernet0/1 (172.16.90.30) share the 172.16.90.0/24 network, the destination we will steer traffic to.

So R1 has two paths to 172.16.90.0/24: through R2 or through R3.

Step 1: Connectivity and OSPF configuration:

Configure the IP addresses and OSPF (process 100, area 0) on all routers:

R1:

R1 has two equal-cost paths to 172.16.90.0/24. For this lab we raise the OSPF cost of Ethernet0/2 (towards R3) to 16600 so that OSPF prefers the path through R2; PBR will then be what sends the selected traffic to R3. The ip policy route-map GOTO-R3 line on Ethernet0/0 is the command added in Step 4; it appears here because this is R1's final configuration:


interface Ethernet0/0
 ip address 172.16.88.1 255.255.255.0
 ip policy route-map GOTO-R3
 half-duplex
!
interface Ethernet0/1
 ip address 10.10.1.1 255.255.255.252
 ip ospf 100 area 0
 half-duplex
!
interface Ethernet0/2
 ip address 10.10.2.1 255.255.255.252
 ip ospf cost 16600
 ip ospf 100 area 0
 half-duplex
!
router ospf 100
 log-adjacency-changes
 network 10.10.0.0 0.0.255.255 area 0
 network 172.16.88.0 0.0.0.255 area 0
!

R2:

interface Ethernet0/0
 ip address 10.10.1.2 255.255.255.252
 ip ospf 100 area 0
 half-duplex
!
interface Ethernet0/1
 ip address 172.16.90.20 255.255.255.0
 ip ospf 100 area 0
 half-duplex
!
interface Ethernet0/2
 no ip address
 shutdown
 half-duplex
!
router ospf 100
 log-adjacency-changes

R3:


interface Ethernet0/0
 ip address 10.10.2.2 255.255.255.252
 ip ospf 100 area 0
 half-duplex
!
interface Ethernet0/1
 ip address 172.16.90.30 255.255.255.0
 ip ospf 100 area 0
 half-duplex
!
router ospf 100
 log-adjacency-changes

Check the OSPF neighbours and the routing table on each router. R1 must reach 172.16.90.0/24 only through R2 (10.10.1.2); the cost on Ethernet0/2 keeps the path through R3 out of the routing table:

R1:


R1#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.10.2.2         1   FULL/DR         00:00:30    10.10.2.2       Ethernet0/2
10.10.1.2         1   FULL/DR         00:00:38    10.10.1.2       Ethernet0/1
R1#

R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 2 subnets
C       172.16.88.0 is directly connected, Ethernet0/0
O       172.16.90.0 [110/20] via 10.10.1.2, 01:08:02, Ethernet0/1
     10.0.0.0/30 is subnetted, 2 subnets
C       10.10.1.0 is directly connected, Ethernet0/1
C       10.10.2.0 is directly connected, Ethernet0/2
R1#

R2:

R2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 2 subnets
O       172.16.88.0 [110/20] via 10.10.1.1, 01:08:27, Ethernet0/0
C       172.16.90.0 is directly connected, Ethernet0/1
     10.0.0.0/30 is subnetted, 2 subnets
C       10.10.1.0 is directly connected, Ethernet0/0
O       10.10.2.0 [110/20] via 172.16.90.30, 01:08:27, Ethernet0/1
R2#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.10.2.2         1   FULL/BDR        00:00:39    172.16.90.30    Ethernet0/1
172.16.88.1       1   FULL/BDR        00:00:31    10.10.1.1       Ethernet0/0

R3:


R3#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 2 subnets
O       172.16.88.0 [110/20] via 10.10.2.1, 01:10:55, Ethernet0/0
C       172.16.90.0 is directly connected, Ethernet0/1
     10.0.0.0/30 is subnetted, 2 subnets
O       10.10.1.0 [110/20] via 172.16.90.20, 01:10:55, Ethernet0/1
                  [110/20] via 10.10.2.1, 01:10:55, Ethernet0/0
C       10.10.2.0 is directly connected, Ethernet0/0
R3# show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.10.1.2         1   FULL/DR         00:00:39    172.16.90.20    Ethernet0/1
172.16.88.1       1   FULL/BDR        00:00:32    10.10.2.1       Ethernet0/0
R3#
Step 2: Configure the ACL that the route-map will match:

In our case we match all UDP traffic, whatever its source and destination:

ip access-list extended Match-UDP
 permit udp any any

TCP, ICMP and everything else does not match this ACL, so it keeps following the routing table. A ping from PC1 (ICMP) will therefore still go through R2 even after the policy is applied; only UDP is redirected.

But you can be as specific as an extended ACL allows, for example by matching the source and the destination address:

this ACL matches only packets from host 1.1.1.1 to host 2.2.2.2

(config)# access-list 101 permit ip host 1.1.1.1 host 2.2.2.2

Keep in mind that inside a route-map a deny entry, or the ACL's implicit deny at the end, means "not matched" (normal routing), not "dropped".
Step 3: Configure the route-map that matches the access-list and sets the action:

We create a route-map on R1 with a single permit sequence (10): packets that match the ACL Match-UDP created above get their next hop set to 10.10.2.2, which is R3's address on the directly connected 10.10.2.0/30 link:

route-map GOTO-R3 permit 10
 match ip address Match-UDP
 set ip next-hop 10.10.2.2

The next hop given to set ip next-hop should be on a directly connected network, and the policy keeps sending matching traffic to it as long as that interface is up, even if R3 has lost its own path to the destination. In production, use set ip next-hop verify-availability (with object tracking) so that PBR falls back to normal routing when the next hop stops answering.
Step 4: Apply the route-map on the incoming interface, the one connected to PC1 (Ethernet0/0 on R1). The policy only evaluates packets entering this interface, not packets leaving it:

interface Ethernet0/0
 ip address 172.16.88.1 255.255.255.0
 ip policy route-map GOTO-R3
 half-duplex
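To make the order of operations in Steps 2 to 4 concrete, here is an added illustration (not configuration from the page, and not Cisco code): a small Python model of the decision R1 takes for each packet arriving on Ethernet0/0. The ACL, route-map and routing table are the ones from this lab; the PC1 address 172.16.88.10 and the sample packets are constructed. The model goes slightly beyond the lab in that it also evaluates route-map deny sequences and ACL deny entries, and it simplifies the router's behaviour when a next hop is not on a connected subnet (it simply falls back to normal routing; on a real router this depends on the platform and on verify-availability).

```python
"""Model of the forwarding decision R1 makes once `ip policy route-map GOTO-R3`
is applied to Ethernet0/0 (added illustration; packets are constructed, the
routes, ACL and route-map entries come from the lab)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPNet = ipaddress.IPv4Network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "udp", "tcp", "icmp", ...


@dataclass(frozen=True)
class AclEntry:
    action: str  # "permit" or "deny"
    proto: str   # "ip" matches every protocol, as in an extended ACL
    src: IPNet
    dst: IPNet


def ace(action: str, proto: str, src: str, dst: str) -> AclEntry:
    """Build one ACL entry; 'any' is shorthand for 0.0.0.0/0, a host is x.x.x.x/32."""
    def net(s: str) -> IPNet:
        return ipaddress.ip_network("0.0.0.0/0" if s == "any" else s)
    return AclEntry(action, proto, net(src), net(dst))


def acl_permits(acl: List[AclEntry], pkt: Packet) -> bool:
    """Extended-ACL evaluation: first matching entry wins, implicit deny at the end.
    As a route-map match clause, 'deny' or 'no match' only means 'this sequence
    does not apply'; it never discards the packet."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for e in acl:
        if e.proto in ("ip", pkt.proto) and s in e.src and d in e.dst:
            return e.action == "permit"
    return False


@dataclass(frozen=True)
class RouteMapSeq:
    action: str              # route-map <name> permit|deny <seq>
    acl: List[AclEntry]      # match ip address <acl>
    next_hop: Optional[str]  # set ip next-hop <addr> (None for a deny sequence)


# R1's routing table from `show ip route`: (prefix, next hop, interface).
# 'connected' marks a directly connected prefix.
R1_RIB = [
    ("172.16.88.0/24", "connected", "Ethernet0/0"),
    ("172.16.90.0/24", "10.10.1.2", "Ethernet0/1"),  # OSPF, via R2
    ("10.10.1.0/30", "connected", "Ethernet0/1"),
    ("10.10.2.0/30", "connected", "Ethernet0/2"),
]


def lpm(rib, dst: str) -> Optional[Tuple[str, str]]:
    """Longest-prefix match; returns (next_hop, interface) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nh, ifc in rib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, ifc)
    return None if best is None else (best[1], best[2])


def forward(pkt: Packet, route_map: List[RouteMapSeq], rib):
    """Policy routing runs before the routing-table lookup.
    Returns (how, next_hop, egress_interface), how in {'policy','routed','dropped'}."""
    for seq in route_map:
        if not acl_permits(seq.acl, pkt):
            continue  # this sequence does not match: try the next sequence number
        if seq.action == "permit" and seq.next_hop:
            egress = lpm(rib, seq.next_hop)
            if egress and egress[0] == "connected":
                # No route to pkt.dst is needed: the set clause decides.
                return ("policy", seq.next_hop, egress[1])
        # Deny sequence, or next hop not on a connected subnet (simplification).
        break
    dest = lpm(rib, pkt.dst)
    if dest is None:
        return ("dropped", None, None)  # no route and no default route
    nh = pkt.dst if dest[0] == "connected" else dest[0]
    return ("routed", nh, dest[1])


# The lab's ACL Match-UDP and route-map GOTO-R3:
MATCH_UDP = [ace("permit", "udp", "any", "any")]
GOTO_R3 = [RouteMapSeq("permit", MATCH_UDP, "10.10.2.2")]


def lab_decisions():
    """Constructed PC1 packets (172.16.88.10 is an assumed host address)."""
    udp = Packet("172.16.88.10", "172.16.90.30", "udp")
    tcp = Packet("172.16.88.10", "172.16.90.30", "tcp")
    return forward(udp, GOTO_R3, R1_RIB), forward(tcp, GOTO_R3, R1_RIB)


if __name__ == "__main__":
    for decision in lab_decisions():
        print(decision)
```

Running it shows the UDP packet leaving on Ethernet0/2 towards 10.10.2.2 (R3) while the TCP packet to the same destination follows the routing table to 10.10.1.2 (R2). The same function also shows that a policy-routed packet needs no route to its destination at all, and that a matching deny sequence sends the packet back to normal routing.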

Verifications:

  • show ip policy : lists each interface that has a route-map applied and the name of that route-map (Ethernet0/0 -> GOTO-R3 here).
  • show route-map GOTO-R3 : shows the match and set clauses and a "Policy routing matches" packet/byte counter, which must increase while PC1 sends UDP traffic.
  • traceroute from PC1 to 172.16.90.30 : a UDP-based traceroute (the default on IOS and Linux) should show 10.10.2.2 (R3) as the hop after R1, while an ICMP-based tracert (Windows) and ping still go through 10.10.1.2 (R2), because only UDP matches the ACL.
  • debug ip policy : logs, per packet, whether a route-map sequence matched and which next hop was used; use it on a quiet router or with a restrictive ACL, since it prints a line for every packet arriving on the policy-routed interface.
