Policy Based Routing Configuration
This chapter contains a sample Policy Based Routing (PBR) configuration.
Overview
Policy Based Routing (PBR) is an advanced packet forwarding feature which is different from conventional destination address based routing. Policy Based Routing (PBR) allows data packets forwarding based on policies defined by network administrators.
In conventional routing, when a packet is received on the router, destination address in the packet is looked upon in the routing table and if the routing entry is found, packet is routed based on routing entry. In policy based routing, routing decision could be made from source address, destination address, transport protocol id, source port, destination port, or a combination of these criteria.
PBR includes a mechanism for selectively applying policies based on an access list or other criteria. Actions taken might include (a) Forwarding a packet to a directly connected ip nexthop (b) Black hole/Drop. If traffic doesn't match the route-map's match criteria, then it will be routed as if no PBR policy exists. PBR config is interface oriented, hence when applied it affects only the traffic ingressing on that interface. It does not apply on traffic egressing on that interface or traffic ingressing on an interface without a pbr route-map.
Topology
IPv4 Configurations for PBR
R1
R1#configure terminal | Enter configure mode. |
R1(config)#feature pbr | Enable PBR support |
R1(config)#hardware-profile filter ingress- ipv4-ext enable | Enable Ingress IPv4 group extended for PBR support |
R1(config)#ip access-list 123 | Create ip access-list named 123 |
R1(config-ip-acl)#10 permit any 101.1.1.0/24 201.1.1.0/24 | Create an access rule to permit IP packets with source 101.1.1.0/24 and destination 201.1.1.0/24 |
R1(config-ip-acl)#commit | Commit the candidate configuration to the running configuration. |
R1(config-ip-acl)#exit | Exit access-list mode |
R1(config)#route-map 123 permit 10 | Configure route-map with name 123 and sequence number 10 |
R1(config-route-map)#match ip address 123 | Match ip address with ACL 123 |
R1(config-route-map)#set ip next-hop 13.1.1.2 | Set next-hop to forward the matching IP packets |
R1(config-route-map)#commit | Commit the candidate configuration to the running configuration. |
R1(config-route-map)#exit | Exit route-map mode |
R1(config)#interface lo | Enter interface mode. |
R1(config-if)#ip address 1.1.1.1/32 | Configure the IP address of the interface. |
R1(config-if)#exit | Exit interface mode. |
R1(config)#interface eth1 | Enter interface mode. |
R1(config-if)#ip address 2.1.1.1/24 | Configure the IP address of the interface. |
R1(config)#interface eth2 | Enter interface mode. |
R1(config-if)#ip address 6.1.1.1/24 | Configure the IP address of the interface. |
R1(config-if)#ip ospf cost 2 | Configuring ospf cost as 2 |
R1(config)#interface eth3 | Enter interface mode. |
R1(config-if)#ip address 13.1.1.1/24 | Configure the IP address of the interface. |
R1(config-if)#ip ospf cost 3 | Configuring ospf cost as 3 |
R1(config)#interface eth4 | Enter interface mode. |
R1(config-if)#ip address 101.1.1.2/24 | Configure the IP address of the interface. |
R1(config-if)#ip policy route-map 123 | Attach PBR on the ingress interface |
R1(config-if)#exit | Exit interface mode. |
R1(config)#router ospf 1 | Set the routing process ID . |
R1(config-router)# ospf router-id 1.1.1.1 | Configure OSPF router-id |
R1(config-router)#network 1.1.1.1/32 area 0.0.0.0 | Configure OSPF network in area 0 |
R1(config-router)# network 2.1.1.0/24 area 0.0.0.0 | Configure OSPF network in area 0 |
R1(config-router)#network 6.1.1.0/24 area 0.0.0.0 | Configure OSPF network in area 0 |
R1(config-router)#network 13.1.1.0/24 area 0.0.0.0 | Configure OSPF network in area 0 |
R1(config-router)#network 101.1.1.0/24 area 0.0.0.0 | Configure OSPF network in area 0 |
R1(config-router)#commit | Commit the candidate configuration to the running configuration. |
R1(config-router)#exit | Exit router mode. |
R2
R2#configure terminal | Enter configure mode. |
R2(config)#interface lo | Enter interface mode. |
R2(config-if)#ip address 2.2.2.2/32 | Configure the IP address of the interface. |
R2(config-if)#exit | Exit interface mode. |
R2(config)#interface eth1 | Enter interface mode. |
R2(config-if)#ip address 2.1.1.2/24 | Configure the IP address of the interface. |
R2(config-if)#exit | Exit interface mode. |
R2(config)#interface eth2 | Enter interface mode. |
R2(config-if)#ip address 10.1.1.1/24 | Configure the IP address of the interface. |
R2(config-if)#exit | Exit interface mode. |
R2(config)#router ospf 1 | Set the routing process ID . |
R2(config-router)# ospf router-id 2.2.2.2 | Configure OSPF router-id |
R2(config-router)#network 2.2.2.2/32 area 0.0.0.0 | Configure OSPF network in area 0 |
R2(config-router)# network 2.1.1.0/24 area 0.0.0.0 | Configure OSPF network in area 0 |
R2(config-router)#network 10.1.1.0/24 area 0.0.0.0 | Configure OSPF network in area 0 |
R2(config-router)#commit | Commit the candidate configuration to the running configuration. |
R2(config-router)#exit | Exit router mode. |
R3
R3#configure terminal | Enter configure mode. |
R3(config)#interface lo | Enter interface mode. |
R3(config-if)#ip address 3.3.3.3/32 | Configure the IP address of the interface. |
R3(config-if)#exit | Exit interface mode. |
R3(config)#interface eth1 | Enter interface mode. |
R3(config-if)#ip address 6.1.1.2/24 | Configure the IP address of the interface. |
R3(config-if)#exit | Exit interface mode. |
R3(config)#interface eth2 | Enter interface mode. |
R3(config-if)#ip address 12.1.1.1/24 | Configure the IP address of the interface. |
R3(config-if)#exit | Exit interface mode. |
R3(config)#router ospf 1 | Set the routing process ID . |
R3(config-router)# ospf router-id 3.3.3.3 | Configure OSPF router-id |
R3(config-router)#network 3.3.3.3/32 area 0.0.0.0 | Configure OSPF network in area 0 |
R3(config-router)# network 6.1.1.0/24 area 0.0.0.0 | Configure OSPF network in area 0 |
R3(config-router)#network 12.1.1.0/24 area 0.0.0.0 | Configure OSPF network in area 0 |
R3(config-router)#commit | Commit the candidate configuration to the running configuration. |
R3(config-router)#exit | Exit router mode. |
R4
R4#configure terminal | Enter configure mode. |
R4(config)#interface lo | Enter interface mode. |
R4(config-if)#ip address 4.4.4.4/32 | Configure the IP address of the interface. |
R4(config-if)#exit | Exit interface mode. |
R4(config)#interface eth1 | Enter interface mode. |
R4(config-if)#ip address 13.1.1.2/24 | Configure the IP address of the interface. |
R4(config-if)#exit | Exit interface mode. |
R4(config)#interface eth2 | Enter interface mode. |
R4(config-if)#ip address 15.1.1.1/24 | Configure the IP address of the interface. |
R4(config-if)#exit | Exit interface mode. |
R4(config)#router ospf 1 | Set the routing process ID . |
R4(config-router)# ospf router-id 4.4.4.4 | Configure OSPF router-id |
R4(config-router)#network 4.4.4.4/32 area 0.0.0.0 | Configure OSPF network in area 0 |
R4(config-router)# network 13.1.1.0/24 area 0.0.0.0 | Configure OSPF network in area 0 |
R4(config-router)#network 15.1.1.0/24 area 0.0.0.0 | Configure OSPF network in area 0 |
R4(config-router)#commit | Commit the candidate configuration to the running configuration. |
R4(config-router)#exit | Exit router mode. |
R5
R5#configure terminal | Enter configure mode. |
R5(config)#interface lo | Enter interface mode. |
R5(config-if)#ip address 5.5.5.5/32 | Configure the IP address of the interface. |
R5(config-if)#exit | Exit interface mode. |
R5(config)#interface eth1 | Enter interface mode. |
R5(config-if)#ip address 10.1.1.2/24 | Configure the IP address of the interface. |
R4(config-if)#exit | Exit interface mode. |
R5(config)#interface eth2 | Enter interface mode. |
R5(config-if)#ip address 12.1.1.1/24 | Configure the IP address of the interface. |
R5(config-if)#exit | Exit interface mode. |
R5(config)#interface eth3 | Enter interface mode. |
R5(config-if)#ip address 15.1.1.2/24 | Configure the IP address of the interface. |
R5(config-if)#exit | Exit interface mode. |
R5(config)#interface eth4 | Enter interface mode. |
R5(config-if)#ip address 202.1.1.2/24 | Configure the IP address of the interface. |
R5(config-if)#exit | Exit interface mode. |
R5(config)#router ospf 1 | Set the routing process ID . |
R5(config-router)# ospf router-id 5.5.5.5 | Configure OSPF router-id |
R5(config-router)#network 5.5.5.5/32 area 0.0.0.0 | Configure OSPF network in area 0 |
R5(config-router)# network 10.1.1.0/24 area 0.0.0.0 | Configure OSPF network in area 0 |
R5(config-router)# network 12.1.1.0/24 area 0.0.0.0 | Configure OSPF network in area 0 |
R5(config-router)#network 15.1.1.0/24 area 0.0.0.0 | Configure OSPF network in area 0 |
R5(config-router)#network 202.1.1.0/24 area 0.0.0.0 | Configure OSPF network in area 0 |
R5(config-router)#commit | Commit the candidate configuration to the running configuration. |
R5(config-router)#exit | Exit router mode. |
Validation
R1
R1#show run aclmgr
ip access-list 123
10 permit any 101.1.1.0/24 201.1.1.0/24
R1#show run interface eth4
!
interface eth4
ip address 101.1.1.2/24
ip policy route-map 123
!
R1#
R1#show route-map 123
route-map 123, permit, sequence 10
Match clauses:
ip address: 123
Set clauses:
ip next-hop 13.1.1.2
R1#
R1#show ip policy
Interface Route-map Status VRF-Name
eth4 123 Active default
R1#
R1#clear route-map 123 pbr-statistics
R1#show route-map 123 pbr-statistics
Route-map 123, family IP
IP PBR Count: 1
VRF-name: default
Sequence 10, permit
Policy routing matches: 38764427 packets
Current action in HW: Route
IPv6 Configurations for PBR
R1
R1#configure terminal | Enter configure mode. |
R1(config)#feature pbr | Enable PBR support |
R1(config)#hardware-profile filter ingress- ipv6 enable | Enable Ingress IPv6 group for PBR support |
R1(config)# ipv6 access-list 123 | Create ipv6 access-list named 123 |
R1(config-ipv6-acl)#10 permit any 101::/64 202::/64 | Create an access rule to permit IPv6 packets with source 101::/64 and destination 202::/64 |
R1(config-ipv6-acl)#commit | Commit the candidate configuration to the running configuration. |
R1(config-ipv6-acl)#exit | Exit access-list mode |
R1(config)#route-map 123 permit 10 | Configure route-map with name 123 and sequence number 10 |
R1(config-route-map)# match ipv6 address 123 | Match ip address with ACL 123 |
R1(config-route-map)#set ipv6 next-hop 6111::2 | Set next-hop to forward the matching IP packets |
R1(config-route-map)#commit | Commit the candidate configuration to the running configuration. |
R1(config-route-map)#exit | Exit route-map mode |
R1(config)#interface lo | Enter interface mode. |
R1(config-if)#ip address 1.1.1.1/32 | Configure the IPv6 address of the interface. |
R1(config-if)#exit | Exit interface mode. |
R1(config)#router ipv6 ospf 100 | Creating OSPFv3 routing instance |
R1(config-router)#exit | Exit router mode. |
R1(config)#interface eth1 | Enter interface mode. |
R1(config-if)#ipv6 address 2111::1/64 | Configure the IPv6 address of the interface. |
R1(config-if)#ipv6 router ospf area 0.0.0.0 tag 100 | Enable OSPFv3 routing on an interface, and assign the Area ID 0. |
R1(config-if)#exit | Exit interface mode. |
R1(config)#interface eth2 | Enter interface mode. |
R1(config-if)#ipv6 address 6111::1/64 | Configure the IPv6 address of the interface. |
R1(config-if)#ipv6 router ospf area 0.0.0.0 tag 100 | Enable OSPFv3 routing on an interface, and assign the Area ID 0. |
R1(config-if)# ipv6 ospf cost 2 | Configuring ospf cost as 2 |
R1(config-if)#exit | Exit interface mode. |
R1(config)#interface eth3 | Enter interface mode. |
R1(config-if)#ipv6 address 1311::1/64 | Configure the IPv6 address of the interface. |
R1(config-if)#ipv6 router ospf area 0.0.0.0 tag 100 | Enable OSPFv3 routing on an interface, and assign the Area ID 0. |
R1(config-if)# ipv6 ospf cost 3 | Configuring ospf cost as 3 |
R1(config-if)#exit | Exit interface mode. |
R1(config)#interface eth4 | Enter interface mode. |
R1(config-if)#ipv6 router ospf area 0.0.0.0 tag 100 | Enable OSPFv3 routing on an interface, and assign the Area ID 0. |
R1(config-if)#ipv6 address 101::2/64 | Configure the IPv6 address of the interface. |
R1(config-if)#ipv6 policy route-map 123 | Attach PBR on the ingress interface |
R1(config-if)#commit | Commit the candidate configuration to the running configuration. |
R1(config-if)#exit | Exit interface mode. |
R2
R2#configure terminal | Enter configure mode. |
R2(config)#interface lo | Enter interface mode. |
R2(config-if)#ip address 2.2.2.2/32 | Configure the IPv6 address of the interface. |
R2(config-if)#exit | Exit interface mode. |
R2(config)#router ipv6 ospf 100 | Creating OSPFv3 routing instance |
R2(config-router)#exit | Exit router mode. |
R2(config)#interface eth1 | Enter interface mode. |
R2(config-if)#ipv6 address 2111::2/64 | Configure the IPv6 address of the interface. |
R2(config-if)#ipv6 router ospf area 0.0.0.0 tag 100 | Enable OSPFv3 routing on an interface, and assign the Area ID 0. |
R2(config-if)#exit | Exit interface mode. |
R2(config)#interface eth2 | Enter interface mode. |
R2(config-if)#ipv6 address 1011::1/64 | Configure the IPv6 address of the interface. |
R2(config-if)#ipv6 router ospf area 0.0.0.0 tag 100 | Enable OSPFv3 routing on an interface, and assign the Area ID 0. |
R2(config-if)#commit | Commit the candidate configuration to the running configuration. |
R2(config-if)#exit | Exit interface mode. |
R3
R3#configure terminal | Enter configure mode. |
R3(config)#router ipv6 ospf 100 | Creating OSPFv3 routing instance |
R3(config-router)#exit | Exit router mode. |
R3(config)#interface lo | Enter interface mode. |
R3(config-if)#ip address 3.3.3.3/32 | Configure the IPv6 address of the interface. |
R3(config-if)#exit | Exit interface mode. |
R3(config)#interface eth1 | Enter interface mode. |
R3(config-if)#ipv6 address 6111::2/64 | Configure the IPv6 address of the interface. |
R3(config-if)#ipv6 router ospf area 0.0.0.0 tag 100 | Enable OSPFv3 routing on an interface, and assign the Area ID 0. |
R2(config-router)#exit | Exit router mode. |
R3(config)#interface eth2 | Enter interface mode. |
R3(config-if)#ipv6 address 1211::1/64 | Configure the IPv6 address of the interface. |
R3(config-if)#ipv6 router ospf area 0.0.0.0 tag 100 | Enable OSPFv3 routing on an interface, and assign the Area ID 0. |
R2(config-if)#commit | Commit the candidate configuration to the running configuration. |
R3(config-if)#exit | Exit interface mode. |
R4
R4#configure terminal | Enter configure mode. |
R4(config)#router ipv6 ospf 100 | Creating OSPFv3 routing instance |
R4(config-router)#exit | Exit router mode. |
R4(config)#interface lo | Enter interface mode. |
R4(config-if)#ip address 4.4.4.4/32 | Configure the IPv6 address of the interface. |
R4(config-if)#exit | Exit interface mode. |
R4(config)#interface eth1 | Enter interface mode. |
R4(config-if)#ipv6 address 1311::2/64 | Configure the IPv6 address of the interface. |
R4(config-if)#ipv6 router ospf area 0.0.0.0 tag 100 | Enable OSPFv3 routing on an interface, and assign the Area ID 0. |
R4(config-if)#exit | Exit interface mode. |
R4(config)#interface eth2 | Enter interface mode. |
R4(config-if)#ipv6 address 1511::1/64 | Configure the IPv6 address of the interface. |
R4(config-if)#ipv6 router ospf area 0.0.0.0 tag 100 | Enable OSPFv3 routing on an interface, and assign the Area ID 0. |
R4(config-if)#commit | Commit the candidate configuration to the running configuration. |
R4(config-if)#exit | Exit interface mode. |
R5
R5#configure terminal | Enter configure mode. |
R5(config)#router ipv6 ospf 100 | Creating OSPFv3 routing instance |
R5(config-router)#exit | Exit router mode. |
R5(config)#interface lo | Enter interface mode. |
R5(config-if)#ip address 5.5.5.5/32 | Configure the IPv6 address of the interface. |
R5(config-if)#exit | Exit interface mode. |
R5(config)#interface eth1 | Enter interface mode. |
R5(config-if)#ipv6 address 1011::2/64 | Configure the IPv6 address of the interface. |
R5(config-if)#ipv6 router ospf area 0.0.0.0 tag 100 | Enable OSPFv3 routing on an interface, and assign the Area ID 0. |
R5(config-if)#exit | Exit interface mode. |
R5(config)#interface eth2 | Enter interface mode. |
R5(config-if)#ipv6 address 1211::2/64 | Configure the IPv6 address of the interface. |
R5(config-if)#ipv6 router ospf area 0.0.0.0 tag 100 | Enable OSPFv3 routing on an interface, and assign the Area ID 0. |
R5(config-if)#exit | Exit interface mode. |
R5(config)#interface eth3 | Enter interface mode. |
R5(config-if)#ipv6 address 1511::2/64 | Configure the IPv6 address of the interface. |
R5(config-if)#ipv6 router ospf area 0.0.0.0 tag 100 | Enable OSPFv3 routing on an interface, and assign the Area ID 0. |
R5(config-if)#exit | Exit interface mode. |
R5(config)#interface eth4 | Enter interface mode. |
R5(config-if)#ipv6 address 202::2/64 | Configure the IPv6 address of the interface. |
R5(config-if)#ipv6 router ospf area 0.0.0.0 tag 100 | Enable OSPFv3 routing on an interface, and assign the Area ID 0. |
R5(config-if)#commit | Commit the candidate configuration to the running configuration. |
R5(config-if)#exit | Exit interface mode. |
Validation
R1
R1#show run aclmgr
ipv6 access-list 123
10 permit any 101::/64 202::/64
268435453 permit icmpv6 any any
R1#show run interface eth4
!
interface eth4
ip address 101.1.1.2/24
ipv6 address 101::2/64
ipv6 policy route-map 123
ipv6 router ospf area 0.0.0.0 tag 100
!
R1#show route-map 123
route-map 123, permit, sequence 10
Match clauses:
ipv6 address: 123
Set clauses:
ipv6 next-hop 6111::2
R1#show ipv6 policy
Interface Route-map Status VRF-Name
eth4 123 Active default
R1#
R1#clear route-map 123 pbr-statistics
R1#sho route-map 123 pbr-statistics
Route-map 123, family IPv6
IPv6 PBR Count: 1
VRF-name: default
Sequence 10, permit
Policy routing matches: 1077577 packets
Current action in HW: Route