It had been a hot minute since I last put together a blog, and I was thinking about what might be an interesting topic. Well, as is typical, I thought about what I’d recently run across, or worked on, in my “day job” as part of the engineering team that builds and supports the lab environments for all the Learning at Cisco training materials.
On this particular day, I was reviewing the current configurations of the core network routers (layer 3 switches, really) in our data centers. I’m fairly new to this part of the team, and I was interested to discover that we were leveraging Policy Based Routing to manipulate the forwarding behavior for different types of traffic. I’m sure many of you reading this blog are familiar with the fact that there are always several ways to accomplish a task in networking (life, really, but definitely in networking). As such, policy-based routing is a tool in the network engineer’s toolkit that can often be leveraged to handle “odd business requirements.”
And with that, I had a topic to use for this blog and an accompanying video to kick off a short video series called “Technically Speaking… with Hank Preston” on the Cisco U. by Learning and Certifications YouTube channel. Specifically, we are going to look at how to configure policy-based routing to influence forwarding behavior. The why I’ll leave for another post.
Also, for anyone studying for the CCNP Enterprise certification, policy-based routing is on the ENARSI – Implementing Cisco Enterprise Advanced Routing and Services blueprint – “1.6 Configure and verify policy-based routing.” 300-410 ENARSI is a concentration exam that earns you the Cisco Certified Specialist – Enterprise Advanced Infrastructure Implementation certification. So, it’s definitely a great topic for the Cisco Learning blog. Let’s dive right in!
Setting the Stage
Before we look at changing the typical routing and forwarding behavior, let’s start with the basic forwarding behavior. For this exploration, I put the below network together in a Cisco Modeling Labs simulation. (You can find the topology file here.)
This network has two small LANs separated by a basic, single area OSPF network in the middle. The costs in the OSPF network have been configured to make the best path from R1 to R5 through R3. We can see that in a couple ways.
First, let’s look at the interface costs on R1.
R1#show ip ospf interface brief Interface PID Area IP Address/Mask Cost State Nbrs F/C Gi0/1.200 1 0 192.168.200.1/24 1 DR 0/0 Gi0/1.100 1 0 192.168.100.1/24 1 DR 0/0 Gi0/4 1 0 10.14.14.1/24 110 DR 1/1 Gi0/3 1 0 10.13.13.1/24 1 DR 1/1 Gi0/2 1 0 10.12.12.1/24 100 DR 1/1
Notice the costs for interface G0/2 and G0/4 (towards R2 and R4) have a cost of 100 and 110 respectively, while the cost of G0/3 (towards R3) is only 1.
And now, we’ll verify the routing table entry for host H3 on R1.
R1#show ip route 172.16.10.11
Routing entry for 172.16.10.0/24
Known via "ospf 1", distance 110, metric 3, type intra area
Last update from 10.13.13.3 on GigabitEthernet0/3, 00:23:02 ago
Routing Descriptor Blocks:
* 10.13.13.3, from 5.5.5.5, 00:23:02 ago, via GigabitEthernet0/3
Route metric is 3, traffic share count is 1
The routing table lists the route as towards R3 out interface G0/3 — exactly as we’d expect.
The final check will be a trace route from host H1.
H1:~$ traceroute -n 172.16.10.11
traceroute to 172.16.10.11 (172.16.10.11), 30 hops max, 46 byte packets
1 192.168.100.1 5.534 ms 5.004 ms 3.038 ms
2 10.13.13.3 5.528 ms 5.531 ms 4.137 ms <- R3's G0/1 interface
3 10.35.35.5 5.533 ms 5.656 ms 6.339 ms
4 172.16.10.11 14.180 ms 9.787 ms 7.908 ms
And no big shocker here, the second hop in the trace is indeed R3.
Let’s shake things up a little bit.
Suppose there was some reason that you wanted to direct traffic received at router R1 from host H1 destined for H3 to pass through R2 . Maybe there was some traffic analysis that happened on that router. Or perhaps that link is more reliable, even if slower. There are any number of reasons this might come up in a network design. The key part is that you don’t want to change ALL forwarding behavior, just some of it. You have a “policy,” so to speak, that identifies some traffic you want to adjust. This is where policy based routing, often referred to as PBR, comes in.
Policy based routing can seem complicated. To be fair, if overused, it can make networks very complicated and hard to maintain. However, the technical basics of PBR are pretty straightforward.
First, you need a way to identify the traffic that you want to apply the policy to. Like many “matching” use cases in networking, this is often done with an access-list. So, here’s the access list that I’ll use to match the traffic I’m interested in.
ip access-list extended H1-to-H3 10 permit ip host 192.168.100.11 host 172.16.10.11
This single line extended ACL is all that is needed. I’m matching all IP traffic from H1 to H3, but I could be more specific, to a specific port as well. Maybe just web traffic (tcp/80 & tcp/443) as an example.
Next, a route-map is used to describe the policy that we want to configure. The “policy” is made up of “match” conditions to identify the traffic and “set” conditions to make the “policy based changes” to the traffic that was matched.
Here is the route-map for my policy example.
route-map POLICY-BASED-ROUTING permit 10 description Traffic from H1 -> H3 route through R2 match ip address H1-to-H3 set ip next-hop 10.12.12.2
I’ve used the access-list I created in my “match ip address” command. And, I’ve indicated that when traffic “matches” this policy, I want to “set” the next-hop to be 10.12.12.2.
And notice the first line in the configuration example. It ends with the number “10.” This number identifies the position in the route map that this particular policy entry holds. A route-map can be made up of many policy sets – each with a “match” and “set” statement. In this way, network engineers can have very granular control over how traffic is forwarded in the network. Pretty handy right!
Before I go much farther it is definitely important to note that route-maps are used for more than just policy based routing. The route-map construct is also used as part of quality of service (QoS) configurations, routing protocol filtering, and BGP path manipulations. So if you explore the configuration options available for match and set you will find several other options. Most of these are used for use cases other than policy based routing.
The last step to complete the configuration of my policy is to apply it to the router interface. Since this policy is about controlling traffic from the LAN connected to interface Gig0/1 on R1, that is where I will apply it.
interface Gig0/1.100 ip policy route-map POLICY-BASED-ROUTING
That’s it, we’ve configured policy based routing. Let’s test to see if it’s working.
Testing the Results
We’ll start by rerunning the same trace route command as before and comparing the results.
1:~$ traceroute -n 172.16.10.11
traceroute to 172.16.10.11 (172.16.10.11), 30 hops max, 46 byte packets
1 192.168.100.1 7.306 ms 3.017 ms 3.337 ms
2 10.12.12.2 3.844 ms 4.335 ms 3.688 ms <- R2's G0/1 interface
3 10.25.25.5 7.906 ms 5.125 ms 5.962 ms
4 172.16.10.11 8.951 ms 8.912 ms 7.348 ms
Look at that, traffic is indeed going through R2 now. But let’s verify that it is just for traffic to H3 by trace routing the traffic to H4.
H1:~$ traceroute -n 172.16.10.21
traceroute to 172.16.10.21 (172.16.10.21), 30 hops max, 46 byte packets
1 192.168.100.1 3.681 ms 3.153 ms 2.563 ms
2 10.13.13.3 3.613 ms 3.185 ms 3.747 ms <- R3's G0/1 interface
3 10.35.35.5 5.957 ms 7.555 ms 5.040 ms
4 172.16.10.21 14.915 ms 7.157 ms 7.853 ms
Yep, traffic from H1 to H4 is indeed still following the “standard path” through R3. But what about traffic from H2 -> H3? Will it be redirected through R2?
H2:~$ traceroute -n 172.16.10.11
traceroute to 172.16.10.11 (172.16.10.11), 30 hops max, 46 byte packets
1 192.168.200.1 7.284 ms 2.840 ms 3.173 ms
2 10.13.13.3 3.526 ms 4.514 ms 3.498 ms <- R3's G0/1 interface
3 10.35.35.5 6.375 ms 7.212 ms 4.900 ms
4 172.16.10.11 6.642 ms 6.270 ms 5.884 ms
Nope, only traffic from H1 -> H3 is being redirected.
If we look at the routing table on R1, we’ll see nothing has changed.
R1#show ip route 172.16.10.11
Routing entry for 172.16.10.0/24
Known via "ospf 1", distance 110, metric 3, type intra area
Last update from 10.13.13.3 on GigabitEthernet0/3, 00:23:02 ago
Routing Descriptor Blocks:
* 10.13.13.3, from 5.5.5.5, 00:23:02 ago, via GigabitEthernet0/3
Route metric is 3, traffic share count is 1
There are a few useful commands on the router to check the status of policy based routing.
First up, a basic “show” command worth noting.
R1#show route-map route-map POLICY-BASED-ROUTING, permit, sequence 10 Match clauses: ip address (access-lists): H1-to-H3 Set clauses: ip next-hop 10.12.12.2 Policy routing matches: 12 packets, 756 bytes
This command provides “policy match” statistics. We can see that when I ran this command there were 12 matches so far.
Another command that is useful is the “debug ip policy” command. It provides useful details about the processing of the policy as traffic flows through the router. But as with any “debug” command, be careful using it on a production device as it can put a heavy load on network devices if there is a lot of traffic flowing through.
I will turn on the debugging and then send a single ICMP (ping) packet from H1 -> H3.
R1#debug ip policy Policy routing debugging is on R1# *Apr 26 00:29:58.282: IP: s=192.168.100.11 (GigabitEthernet0/1.100), d=172.16.10.11, len 84, FIB policy match *Apr 26 00:29:58.282: IP: s=192.168.100.11 (GigabitEthernet0/1.100), d=172.16.10.11, len 84, PBR Counted *Apr 26 00:29:58.282: IP: s=192.168.100.11 (GigabitEthernet0/1.100), d=172.16.10.11, g=10.12.12.2, len 84, FIB policy routed
Compare the above output to the debug output when I ping H1 -> H4.
*Apr 26 00:31:00.294: IP: s=192.168.100.11 (GigabitEthernet0/1.100), d=172.16.10.21, len 84, FIB policy rejected(no match) - normal forwarding
In the first example, “FIB policy match” indicates that the PRB policy was triggered. And a following debug line shows that the traffic was “FIB policy routed.” That’s the PBR in action. Compare that to the output from the second ping that is “FIB policy rejected (no match) – normal forwarding.” That output is pretty descriptive.
Closing down
And with that, we’ve come to the end of this post. I hope this short look at policy based routing helped break it down and introduce you to a new technology tool that you can put into your toolkit. Maybe it’ll help you solve a business challenge someday. Or maybe it’ll help you in your preparation for the ENARSI exam or other studies. Either way, thanks for hanging out with me today.
Got a topic you’d like me to breakdown? Let me know in the comments.
Resources
- ENARSI Blueprint
- Cisco Modeling Labs topology file from this example
- Policy based routing configuration guide Cisco IOS XE 17.x
Join the Cisco Learning Network today for free.
Follow Cisco Learning & Certifications
Twitter | Facebook | LinkedIn | Instagram | YouTube
Use #CiscoCert to join the conversation.
Hey Hank, this is a great blog post. I just worked through a policy routing issue with a customer today and this would’ve been a good reference for the discussion! Looking forward to the next one.
Oh man, if only the blog had come out yesterday 🙂
Always great stuff from Hank . Thanks .
You are welcome! Thanks for stopping by and reading.
Excellent tecnic and lab.
Thanks! I love getting “technical”
Great learning from Hank, thank you!
Thank you Hank, bookmarked and information stored. Appreciated!!!
The bookmarks are great. A little secret… sometimes I write a blog post on a topic so I know where to find the info later when I needed it 😉
You are welcome! Thanks for stopping by.
I like this blog format, helps to understand things.
Excellent! I love breaking down complex topics and explaining them in (what I hope are) easy to understand bits.
Great stuff Hank – your content is always really easy to follow, thanks for including the examples and command outputs too! 🙂
Thanks Scott, I’m glad to hear it. I find breaking things down and showing all the steps along the way really help ME understand it better.
Great learning from Hank! Thank you very much.
Great teaching you as well! Stop back next month for more.
Thank you so much for sharing! You live and learn.
You are welcome! I live, learn and HAVE FUN!
Excellent blog about routing. Great information. Thank you
Thanks Cristian!
Great blog, have run into this a few times where we have to route based on soruce networks/addresses and this is a great tutorial on how to implement
Yep, source based routing decisions is one of the most common places I’ve seen this. It’s actually the use case that I ran into that inspired this post 🙂
Great blog, have run into this a few times where we have to route based on soruce networks/addresses and this is a great tutorial on how to implement
Excellent information, thanks for sharing Hank
You’re welcome Eduardo!
Really good explanation
Excellent! Glad you found it helpful.
Merci pour le partage je prépare ma Certification CCNA ,il y a certaines choses que j’aimerais savoir ?
Thanks for sharing..
You are welcome!
Great blog
Thanks!
thanks, this is a great blog post
You are welcome! Thanks for stopping by to read.
Great explanation of PBR and appreciate you posting the CML topology file. Will definitely come in handy for my studies.
Absolutely! I always like to share what I can to make it easier for folks to test and try on their own. Best of luck with the studies.
Love the concept of the Technically Speaking video series and am excited to see how it evolves.
Me too! Working on the topic plan for June.
Hank, you always have some of the best to share, and we really appreciate you so much.
Thanks Randy! I appreciate everyone stopping by to read and watch.
Great job, I really enjoy this format.
Excellent! Stay tuned for the next episode in June.
ery good material presented by de Hank. Thanks .
Thanks Fábio!
Very good post!!
Glad you enjoyed it!
exelent
Totally! Glad you liked it.
This is a great post, well done!
Thanks so much!
Thank you Hank, really very useful you explication 🙂
You are welcome Bett! Glad you found it easy to understand.
Hi Hank,
Thanks for the introduction to Policy Based Routing (PBR). Looking forward to practicing this technique in a CML2 model. I’ll be looking for part 2 of this blog post that will describe the “why” of PBR to better my understanding of its applicability.
CML is a great tool for practicing PBR. That’s what I used to put the demo together :-).
I’m not sure when I’ll be back to PBR in a topic… Technically Speaking will cover a variety of topics. But checkout the ENARSI resources on PBR for more great information.
Great content!
Thanks!
Good explanation, breaks PBR down well.
Great Blog. Thanks for sharing -look forward to the next blog so I can continue to learn something new!
Oh good debugging infos, thanks.
Nice place to start for PBR.
Does not leave a HSRP network, however. The new layout of Core/Distribution and Access tiers would be an easier place to start for current syllabus studiers!
Hi,
thank you for sharing this useful scenario. For troubleshooting like this it’s needed to have a good knowledge of CCIP or CCNP ENARSI ENterprise.
Great blog, explanations are simple and clear. Thank you
I think the video is blank. Thank you for the lecture.
Very clear explanation of what is a PBR and how it works. Nice reading
Hi Hank, thank you for your erffort!
Thank you so much for this!
Great Content
Great Post
Great post. Folks don’t forget about that return traffic. 😉
Hello Hank,
I found your blog post and video to be a great introduction to PBR as well as a great refresher for someone who hasn’t visited the topic in awhile.
I look forward to your future posts, and I made sure to subscribe to the Cisco U channel just in case I miss an email
Thanks for the content and information!
Thanks, You did a fantastic job simplifying a complex topic.
Good amount of depth. Looking forward to the follow-up blog on ideal scenarios for implementing PBR.
Great learning from Hank, thank you!
Great blog, explanations are simple and clear. Thank you!
Brilliant guide and walkthrough on PBR and OSPF. Always an interesting one and learning the usecases where PBR can be used and what kind of things you should use it for.
Very well laid-out and explained; this will be a great resource for future reference. Thanks, Hank!
Worth consideration are port security and link aggregation for redundancy on the route
Great blog post and video.
On this topic, what approach is best to try to estimate how much affect using policy-based routing is going to have on the CPU during traffic spikes?
Thanks for the informative blog!
Thanks for this concise description about PBR.
Nice work