PBR Overview
- Overrides the routing table
- Avoids destination-based routing
- Matches traffic based on defined criteria and alters the forwarding path
- Uses route-maps applied to an interface
- Can only affect inbound traffic
- PBR packets can be fast-switched or CEF-switched from IOS version 12.0
  - Previously only process-switched through the CPU
  - CEF-switched:
    - Enabled for PBR as soon as CEF is enabled globally on the node
    - No extra configuration needed
  - Fast-switched:
    - Needs to be enabled per interface
    - Command:
      - (config-if)#ip route-cache policy
PBR Configuration
- Configured via a route-map applied to the interface
  - Permit means policy route
  - Deny means use normal forwarding
- Route-map can match traffic based on:
  - IP address/protocol
    - Defined as either:
      - Standard ACL
      - Extended ACL
      - Prefix list
  - Packet length
- Route-map action is defined by the SET options, including:
  - Set the next-hop IP address
    - If the next-hop exists in the RIB, traffic is policy routed to the next-hop IP
    - If the next-hop doesn’t exist, standard routing is used
    - Extra options
      - Verify availability of the next-hop using CDP
      - Indicate that the next-hop is a recursive lookup
    - If multiple ‘set’ commands are present, they are evaluated in the route-map’s fixed order
      - Not in the order in which they were typed into the route-map
    - Command:
      - (config-route-map)#set ip next-hop [verify-availability | recursive] <ip addr>
  - Set the outgoing interface
    - Sends out the first interface in the list that is in the UP/UP state
    - Only recommended on point-to-point interfaces, not multi-access
    - Command:
      - (config-route-map)#set interface <IF>
  - Use the default next-hop IP address
    - Verifies the existence of the destination in the RIB first
      - If it exists in the RIB, the packet is not policy routed and is forwarded as normal
        - Counters for the policy are still incremented
      - The default route doesn’t count as a match
    - If no match in the RIB is found, the packet is policy routed to the set next-hop IP
    - Can optionally verify availability of the next-hop using CDP
    - Command:
      - (config-route-map)#set ip default next-hop [verify-availability] <ip addr>
  - Set the default interface
    - Same logic as default next-hop
    - Only recommended on point-to-point interfaces, not multi-access
    - Command:
      - (config-route-map)#set default interface <IF>
  - Set the Don’t Fragment bit
    - Only supported on IPv4
    - Command:
      - (config-route-map)#set ip df <0 | 1>
  - Set the IP Precedence
  - Set the ToS
Process
- Define the route-map:
  - (config)#route-map <name> [permit | deny] <##>
- Match the traffic:
  - (config-route-map)#match ip address <ACL> [prefix-list <prefix-list-name>]
  - (config-route-map)#match packet length <length>
- Define the policy action:
  - Next-Hop
    - (config-route-map)#set ip next-hop <ip address 1> [ip address ....]
    - (config-route-map)#set ip default next-hop <ip address>
  - Interface
    - (config-route-map)#set interface <IF 1> <IF ...>
    - (config-route-map)#set default interface <IF 1> [IF ...]
  - (config-route-map)#set ip df <0-1>
  - (config-route-map)#set ip precedence <0-7>
  - (config-route-map)#set ip tos <name | 0-15>
- Apply the route-map to an interface to match inbound traffic:
  - (config-if)#ip policy route-map <route-map name>
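The full procedure above, written out as an IOS configuration. This is an added example, not configuration from the original notes; the addresses, the ACL and route-map names and the interface are assumptions chosen for illustration. It steers web traffic arriving from a user subnet to an inspection appliance, falls back to normal forwarding if the appliance is not seen via CDP, and leaves all other traffic on its RIB path.

```cisco
! Added example (not from the original notes). Addresses, interface names,
! the ACL name and the route-map name are assumptions for illustration.
!
! Step 1 (match criteria): web traffic sourced from the user VLAN 10.10.0.0/24.
ip access-list extended USER-WEB
 permit tcp 10.10.0.0 0.0.0.255 any eq 80
 permit tcp 10.10.0.0 0.0.0.255 any eq 443
!
! Step 2 (route-map): sequence 10 is a permit, so matching packets are
! policy routed to the inspection appliance at 192.0.2.10. verify-availability
! uses CDP to confirm the next-hop is present; if it is not, the packet is
! forwarded normally instead of being sent into a dead next-hop.
route-map STEER-WEB permit 10
 match ip address USER-WEB
 set ip next-hop 192.0.2.10
 set ip next-hop verify-availability
!
! Sequence 20 is a deny: everything else uses normal forwarding.
! (Unmatched traffic is forwarded normally anyway; the explicit deny makes
! the intent visible in show route-map output.)
route-map STEER-WEB deny 20
!
! Step 3 (apply): PBR only acts on inbound packets, so the policy goes on the
! interface facing the user VLAN, not on the uplink.
interface GigabitEthernet0/1
 description User VLAN
 ip address 10.10.0.1 255.255.255.0
 ip policy route-map STEER-WEB
!
! Verification:
!   show ip policy             - confirms STEER-WEB is bound to Gi0/1
!   show route-map STEER-WEB   - hit counters per sequence
```

Because the policy is inbound only, traffic entering on other interfaces is unaffected; each interface whose traffic should be steered needs its own `ip policy route-map` statement.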
PBR Reliable Policy Routing
- Same principle and process as normal PBR
- Adds the functionality of IP SLA and tracking
  - Can be applied to the next-hop IP address
  - Can determine where to insert into the next-hop list
  - See IP SLA for more information
- Command:
  - (config-route-map)#set ip next-hop verify-availability <ip address> <next-hop list position> track <track #>
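The reliable PBR command above, as an added example that is not part of the original notes. It assumes the same user subnet and ACL as the basic case, two inspection appliances at 192.0.2.10 and 192.0.2.20, and ICMP-echo IP SLA probes to each; all addresses, names and the interface are assumptions chosen for illustration. The point it shows is the next-hop list position: the primary appliance sits at position 10 and is only used while its track is up, so a failed appliance is dropped from the list instead of blackholing the steered traffic.

```cisco
! Added example (not from the original notes). Addresses, names, probe
! timers and the interface are assumptions for illustration.
!
! IP SLA probes: ICMP echo to each inspection appliance every 10 seconds.
ip sla 1
 icmp-echo 192.0.2.10
 frequency 10
ip sla schedule 1 life forever start-time now
!
ip sla 2
 icmp-echo 192.0.2.20
 frequency 10
ip sla schedule 2 life forever start-time now
!
! Track objects follow the reachability state of each probe.
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
!
! Same match criteria as the basic PBR example.
ip access-list extended USER-WEB
 permit tcp 10.10.0.0 0.0.0.255 any eq 80
 permit tcp 10.10.0.0 0.0.0.255 any eq 443
!
! Next-hop list: position 10 is the primary appliance (used while track 1
! is up), position 20 is the secondary (used while track 2 is up). If both
! tracks are down, no next-hop is usable and the packet is forwarded normally.
route-map STEER-WEB permit 10
 match ip address USER-WEB
 set ip next-hop verify-availability 192.0.2.10 10 track 1
 set ip next-hop verify-availability 192.0.2.20 20 track 2
!
interface GigabitEthernet0/1
 description User VLAN
 ip address 10.10.0.1 255.255.255.0
 ip policy route-map STEER-WEB
!
! Verification:
!   show track 1                - current state of the primary's track
!   show ip sla statistics      - probe results
!   show route-map STEER-WEB    - hit counters
```

Note that the fallback when every tracked next-hop is down is normal RIB forwarding, not a drop: if the design requires that web traffic never bypass inspection, that fallback path needs to be handled separately (for example by the upstream policy), since PBR alone will not enforce it.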
PBR Local Policy Routing
- Same principle and process as normal PBR
- Applies only to locally originated traffic
- Policy is applied globally
- Setting the default next-hop is not supported
- Command:
  - (config)#ip local policy route-map <route-map-name>
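Local policy routing written out as an added example (not configuration from the original notes). It assumes a syslog collector at 198.51.100.5 reachable via an out-of-band management next-hop 192.168.100.254; the addresses and names are assumptions chosen for illustration. Router-originated syslog is steered onto the management path while the RIB still decides the path for everything else the router generates.

```cisco
! Added example (not from the original notes). Addresses and names are
! assumptions for illustration.
!
! Match only router-originated syslog (UDP 514) towards the collector.
ip access-list extended LOCAL-SYSLOG
 permit udp any host 198.51.100.5 eq 514
!
! Steer it to the out-of-band management next-hop. Only set ip next-hop is
! used here: set ip default next-hop is not supported for local policy.
route-map LOCAL-OOB permit 10
 match ip address LOCAL-SYSLOG
 set ip next-hop 192.168.100.254
!
! Local policy is applied globally, not to an interface, and only affects
! packets the router itself generates. Transit traffic is untouched.
ip local policy route-map LOCAL-OOB
!
! Verification:
!   show ip local policy        - confirms LOCAL-OOB is the local policy
!   show route-map LOCAL-OOB    - hit counters
```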
PBR Troubleshooting Commands
- #show ip policy – Displays which policies are applied to which interfaces
- #show route-map <name> – Displays the PBR map with hit counters
- #debug ip policy – Enables debugging of policy routing (resource heavy)