Policy Base Routing is a way to bypass the regular mechanism that a router has to route packets. Basically, when a router receives a packet at the incoming interface, it “deencapsulates” the Data Link Layer header and then processes the layer 3 information by looking the destination IP address of the packet in its routing table. The router uses the “CEF and Adjacent table” to process the route.
CEF Data Flow
Policy Base Routing (PBR) basically intercepts the packets after the “Data Link Layer 2 is “deencapsulated” and before CEF is performed. The way I see it is like a police officer standing at the incoming interface of the router; he makes sure to check if there is any kind of filter (policy) in the packet before it is relayed to the CEF engine to be processed. If the packet has some policy hard coded, it will bypass the regular IP routing process of the router. I will explain better with this example below:
In this lab PC-1 and PC-2 have access to the web server “VPC.” Let’s pretend that in normal conditions, these hosts take the “Preferred path” through R3-R2-R4. However, we are going to override that behavior by using “Policy Based Routing.”
I have configured the routers with EIGRP routing protocol:
Let’s ping and trace VPN web server from PC-1:
As you can see PC-1 can reach the VPN web server and the traceroute is showing the path it took (R3-R1-R4)
R3 –> 192.168.100.1
R1 –> 10.10.100.2
R4 –> 172.16.100.3
Let’s configure the PBR on R3 at the incoming interface (F2/0)
- Create an ACL to permit subnet 192.268.100.0 (PC-1) to reach subnet 192.168.200.0 (VPN)
- Define a “route-map” called “PBR” and refer it with the extended ALC 100 created:
- With route-map we are going to tell the router that any packet from subnet 192.168.100.0 arriving at the incoming interface fa2/0 send it through the “Back up” patch” 10.10.200.2
- In order to accomplish step a, we use “set next-hop” command under route-map PBR
- Remember the Route-map logic: If /then <—-> Match/Set
- Under the incoming interface fa2/0 on R3 we configure the command “ip policy route-map PBR“
Now let’s try one more time to ping and trace VPN from PC-1:
Now, the packets are taking the “Backup path” 10.10.200.2. Remember that this policy will be apply as soon as the packet hits R3 and will be override the normal routing logic behavior.
We can verify if the route-map is doing its job:
We can see the policy is matching some packets.
There are many situation in which we want to establish policy based routing, for instance, allowing a specific host to access a web server or to divert packets to a specific direction.