What is Policy-based Routing?

With policy-based routing (which we will call PBR from here on out), you get the option to implement policies that selectively cause packets to take different paths. Additionally, PBR can mark packets so that certain types of traffic get prioritized. One example of PBR is, say that your OSPF routing protocol says that a packet with a destination of 10.1.1.1 should go out interface e0/0, you could create a policy so that packets destined to 10.1.1.1, instead, go out interface e1/0. Or, you could make this happen ONLY when the source of that packet was 192.168.1.1.

How does policy based routing work?

If you look at the Cisco IOS Order of Operations, Policy routing always happens BEFORE regular routing. What policy routing does is to inspect the traffic on the interface where the policy is applied and then, based on the policy, make some decision. First, the traffic has to be identified "matched" according to the policy. Second, for each match, there is something "set". What is set could be that the traffic matches must exit out a different interface, or the traffic could be given a higher priority, or it could choose to just drop that traffic. The "matching" of the traffic is usually done with an ACL (access-control list) that is referenced by a route-map. In the route-map, there is a "match" for the traffic defined in that ACL then a "set" for that traffic where the network administrator defines what he or she wants to happen to that traffic (prioritize it, route it differently, drop it, or other actions). Policies can be based on IP address, port numbers, protocols, or size of packets.

How to apply policy-based routing

Let's look at an example of how we could use PBR. Say that we wanted to find any traffic that is destined for IP device 10.1.1.1 and, instead of sending it wherever the routing protocol says it should go, we are going to send it out interface Fa3/0. To do this, here are the steps we would take:

Step 1 - define an ACL

Keep in mind that whatever is permitted by this ACL is what will be matched. You don't want to permit everything. Usually, I take advantage of the implicit deny at the bottom of the ACL and just create an ACL that permits what I am going to take action on in the route-map. So, just create a simple ACL: Router(config)# access-list 101 permit ip any host 10.1.1.1

This ACL permits only traffic with a destination IP of 10.1.1.1 (the traffic we want to send elsewhere)

Step 2 - create a route-map

To create a route-map, go into route-map configuration mode, like this: Router(config)# route-map reroute10traffic permit 10 Router(config-route-map)# Next, set your match policy to match the traffic in ACL 101, like this: Router(config-route-map)#match ip address 101 This will match all the traffic permitted through ACL 101. Next, you need to set some action on that traffic. What do you want to happen to that traffic? Let's tell the router to send it out interface Fast Ethernet 3/0, like this: Router(config-route-map)#set interface Fa3/0

Step 3 - Apply the route-map to the interface

Next, you need to apply this policy/route-map to the interface where the traffic is coming in. Router(config)# interface Fast Ethernet 3/0 Router(config-if)#ip policy route-map reroute10traffic According to the official Cisco Policy Routing documentation, "One interface can have a only one route map policy applied.tag; but you can have several route map entries, each with its own sequence number. Entries are evaluated in order of their sequence numbers until the first match occurs. If no match occurs, packets are routed as usual." Now exit and you are done! You can view your route-maps with show route-map.