Configure Policy Based routing (PBR) [step by step]

Notes before starting our lab on PBR:

  • Normal destination-based routing (static routes and routing protocols such as OSPF) chooses the next hop from the packet's destination address only, never from its source address, protocol or port.
  • Policy-Based Routing overrides that decision: a packet arriving on an interface with a policy applied is checked against the route-map before the routing table is consulted, so a matching packet is forwarded according to the route-map's set action regardless of what OSPF installed.

Steps:

1- Configure an access-list that matches the traffic to be policy-routed: source IP, destination IP, or both (with an extended ACL you can also match a specific protocol or port, e.g. UDP/TCP).

2- Configure a route-map that:

first matches the ACL ==> then sets the action (next hop, outgoing interface, ...)

3- Apply the route-map on the incoming interface, i.e. where the traffic enters the router.

Let’s jump in and start configuring PBR.

Topology: (diagram not included on this page; from the configurations below: PC1 sits on 172.16.88.0/24 behind R1 Ethernet0/0, R1 connects to R2 over 10.10.1.0/30 and to R3 over 10.10.2.0/30, and R2 and R3 share the 172.16.90.0/24 segment.)

Step 1: Connectivity and OSPF configuration:

Configure all the interfaces and OSPF on all routers.

For this lab we set the OSPF cost of R1's interface towards R3 (Ethernet0/2) to 16600, so that R1 prefers the path through R2 for the 172.16.90.0/24 network

(later in this lab we will use PBR to override that choice):

  • R1 configuration (this output already shows the ip policy route-map GOTO-R3 line on Ethernet0/0, which is what step 4 adds; apply it only once the route-map from step 3 exists):

interface Ethernet0/0
 ip address 172.16.88.1 255.255.255.0
 ip policy route-map GOTO-R3
 half-duplex
!
interface Ethernet0/1
 ip address 10.10.1.1 255.255.255.252
 ip ospf 100 area 0
 half-duplex
!
interface Ethernet0/2
 ip address 10.10.2.1 255.255.255.252
 ip ospf cost 16600
 ip ospf 100 area 0
 half-duplex
!
router ospf 100
 log-adjacency-changes
 network 10.10.0.0 0.0.255.255 area 0
 network 172.16.88.0 0.0.0.255 area 0
!

  • R2 configuration:

interface Ethernet0/0
 ip address 10.10.1.2 255.255.255.252
 ip ospf 100 area 0
 half-duplex
!
interface Ethernet0/1
 ip address 172.16.90.20 255.255.255.0
 ip ospf 100 area 0
 half-duplex
!
interface Ethernet0/2
 no ip address
 shutdown
 half-duplex
!
router ospf 100
 log-adjacency-changes

  • R3 configuration:

interface Ethernet0/0
 ip address 10.10.2.2 255.255.255.252
 ip ospf 100 area 0
 half-duplex
!
interface Ethernet0/1
 ip address 172.16.90.30 255.255.255.0
 ip ospf 100 area 0
 half-duplex
!
router ospf 100
 log-adjacency-changes

  • Check the OSPF neighbors and the routing table on each router:

R1 OSPF neighbors:

R1#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.10.2.2         1   FULL/DR         00:00:30    10.10.2.2       Ethernet0/2
10.10.1.2         1   FULL/DR         00:00:38    10.10.1.2       Ethernet0/1

R1 routing table (note that 172.16.90.0/24 is reached via R2, 10.10.1.2, exactly as the cost of 16600 on Ethernet0/2 intended):

R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 2 subnets
C       172.16.88.0 is directly connected, Ethernet0/0
O       172.16.90.0 [110/20] via 10.10.1.2, 01:08:02, Ethernet0/1
     10.0.0.0/30 is subnetted, 2 subnets
C       10.10.1.0 is directly connected, Ethernet0/1
C       10.10.2.0 is directly connected, Ethernet0/2

R2:

R2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 2 subnets
O       172.16.88.0 [110/20] via 10.10.1.1, 01:08:27, Ethernet0/0
C       172.16.90.0 is directly connected, Ethernet0/1
     10.0.0.0/30 is subnetted, 2 subnets
C       10.10.1.0 is directly connected, Ethernet0/0
O       10.10.2.0 [110/20] via 172.16.90.30, 01:08:27, Ethernet0/1

R2#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.10.2.2         1   FULL/BDR        00:00:39    172.16.90.30    Ethernet0/1
172.16.88.1       1   FULL/BDR        00:00:31    10.10.1.1       Ethernet0/0


R3:

R3#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 2 subnets
O       172.16.88.0 [110/20] via 10.10.2.1, 01:10:55, Ethernet0/0
C       172.16.90.0 is directly connected, Ethernet0/1
     10.0.0.0/30 is subnetted, 2 subnets
O       10.10.1.0 [110/20] via 172.16.90.20, 01:10:55, Ethernet0/1
                  [110/20] via 10.10.2.1, 01:10:55, Ethernet0/0
C       10.10.2.0 is directly connected, Ethernet0/0

R3#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.10.1.2         1   FULL/DR         00:00:39    172.16.90.20    Ethernet0/1
172.16.88.1       1   FULL/BDR        00:00:32    10.10.2.1       Ethernet0/0

Step 2: Configure the ACL that the route-map will match:

In this lab we match all UDP traffic:

ip access-list extended Match-UDP
 permit udp any any

The ACL can be as specific as you need. Keep in mind that a route-map only selects the traffic the ACL permits: a deny entry (and the implicit deny at the end of every ACL) simply means "not policy-routed", so that traffic is forwarded from the normal routing table, not dropped.

For example, this ACL matches only packets from source 1.1.1.1 to destination 2.2.2.2:

(config)# access-list 101 permit ip host 1.1.1.1 host 2.2.2.2

Step 3: Configure the route-map that matches the access-list and sets the action:

On R1 we create a route-map whose clause 10 matches the traffic permitted by the ACL Match-UDP created above.

It then sets the next hop to 10.10.2.2, which is R3's address on the 10.10.2.0/30 link:

route-map GOTO-R3 permit 10
 match ip address Match-UDP
 set ip next-hop 10.10.2.2

Two details worth remembering: the address given to set ip next-hop must be an adjacent router (on a directly connected subnet), and packets that do not match any permit clause of the route-map are not discarded but routed normally from the routing table.

 

Step 4: Apply the route-map on the incoming interface, the one connected to PC1:

interface Ethernet0/0
 ip address 172.16.88.1 255.255.255.0
 ip policy route-map GOTO-R3

PBR is evaluated only for packets that arrive on the interface where the policy is applied; traffic entering R1 on Ethernet0/1 or Ethernet0/2, and traffic generated by R1 itself, is unaffected.
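The same three steps again, as an added example that is not part of the original lab, with a more selective policy than "permit udp any any" and with the next hop protected by IP SLA tracking so that R3 is only used while it actually answers. It keeps the lab's addressing (user LAN 172.16.88.0/24 on R1 Ethernet0/0, R3 at 10.10.2.2 on Ethernet0/2, the 172.16.90.0/24 server segment); the ACL names, the excluded host 172.16.88.10, the management host 172.16.88.50, the UDP ports and the track/IP SLA numbers are illustrative assumptions.

```cisco
! Added example (not from the original lab). Assumed: lab addressing as above;
! ACL names, hosts, ports, track and IP SLA numbers are illustrative.
!
! Step 1: match only what should be steered. A route-map ACL selects traffic
! with its permit entries; a deny entry means "not matched", so the packet
! falls through to the next clause or, if none matches, to normal routing.
ip access-list extended PBR-LAN-TO-SERVERS
 remark DNS and syslog from the user LAN to the 172.16.90.0/24 segment
 deny   udp host 172.16.88.10 any
 permit udp 172.16.88.0 0.0.0.255 172.16.90.0 0.0.0.255 eq 53
 permit udp 172.16.88.0 0.0.0.255 172.16.90.0 0.0.0.255 eq 514
!
ip access-list extended PBR-MGMT-HOST
 permit ip host 172.16.88.50 host 172.16.90.30
!
! Probe R3's address every 5 seconds and expose the result as track 1.
ip sla 1
 icmp-echo 10.10.2.2 source-interface Ethernet0/2
 frequency 5
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
! Step 2: clauses are evaluated in sequence and the first matching permit
! clause wins. In clause 10 the next hop is only used while track 1 is up;
! when the probe fails the set is skipped and the packet is routed from the
! routing table (through R2 in this lab) instead of being black-holed.
route-map GOTO-R3 permit 10
 match ip address PBR-LAN-TO-SERVERS
 set ip next-hop verify-availability 10.10.2.2 10 track 1
!
route-map GOTO-R3 permit 20
 match ip address PBR-MGMT-HOST
 set ip next-hop 10.10.2.2
!
! No final clause without a match statement: everything else is routed
! normally by OSPF.
!
! Step 3: apply on the ingress interface. This never touches packets the
! router generates itself; for those use "ip local policy route-map".
interface Ethernet0/0
 ip policy route-map GOTO-R3
```

After applying it, show track 1 reports whether the next hop is considered reachable, and show route-map GOTO-R3 shows the per-clause "Policy routing matches" counters, which is the quickest way to see which clause a flow is hitting.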

Verifications:

  • show ip policy
  • show route-map
  • traceroute
  • debug ip policy

R1#show ip policy
Interface      Route map
Ethernet0/0    GOTO-R3

show route-map GOTO-R3 (output not included on this page) lists the match and set statements of each sequence together with a "Policy routing matches" counter, which should increase while UDP traffic from PC1 is flowing.

  • traceroute before applying PBR (output not included on this page): the path follows OSPF through R2 (10.10.1.2).

  • traceroute after applying PBR (output not included on this page): the same traceroute now goes through R3 (10.10.2.2).

Comparing the two shows that the PBR applied on the incoming interface overrides the OSPF decision, even though we manipulated the cost on Ethernet0/2 to prefer R2.

Two caveats when reproducing this: Match-UDP only steers UDP, so run the traceroute from a host whose traceroute sends UDP probes (the default on Linux); Windows tracert uses ICMP echo and will keep following the OSPF path. And debug ip policy prints a line per policy-routed packet ("policy match" or "policy rejected -- normal forwarding"), which is useful in a lab but should be used with care on a busy production router.
This concludes our lab.

Bilel Ameur

Enthusiastic Network Engineer specializing in Cisco ACI, passionate about solving challenges. A lifelong learner who loves gaining and sharing knowledge. Profile: https://www.linkedin.com/in/bilel-ameur-71116b2b5