Policy-based routing (PBR) provides network administrators with agility and flexibility to better manage traffic. With carefully architected policies, you can optimize how segments of your network process data, as well as how bandwidth is managed for business-critical applications.
What we cover in this article:
• What policy-based routing is, beginning with a basic introduction to routing
• How policy-based routing works
• How you can use policy-based routing
• Some examples of policy-based routing
Build your networking knowledge and take our Understanding Networking Fundamental course today.
What is routing?
Routing is the process of discovering destination networks, advertising them, determining the best path for traffic, and maintaining that information.
Routing is not the process of moving data through a router. That’s referred to as switching within the router, which should not be confused with a switch.
In today’s definition, a switch is a hardware- or software-based device that forwards traffic. This is typically based on Layer 2 addressing — but could also be performed within a multi-layer framework.
Routing, on the other hand, typically occurs on Layer 3.
There are different routing protocols available, depending on the Layer 3 protocol. A protocol that has addressing at Layer 3 is called a routed protocol. It’s important to understand that the routing protocols do not pass user traffic, they pass information about destination networks.
Regardless of the type of protocol, they all do the same thing: advertise networks, build some type of local table, select the best path, try to contribute to the routing table — also known as the routing information base (RIB) — and then have to maintain that information to ensure it is still current.
You can implement policy within these protocols, but this is not policy-based routing (PBR). Policy within the dynamic protocols listed will filter or manipulate the way you use the information.
With static routing, whoever configured the static controls the routing protocol. That decides the path that’s taken to a given destination network or host. PBR is different in that it gives you more control — in addition to the destination — for the process of forwarding traffic.
What is PBR?
PBR is the process of using a route map to specify an attribute other than the destination and then define the path out of the router based on those conditions.
With PBR, a network administrator can select policies according to specific parameters, such as:
• The IP address of the source or the destination
• The port of the source or destination
• The kind of traffic
• Network protocols
• The sizes of data packets
• An access list
Once parameters like these are established, the data packets get routed accordingly. This empowers you to increase the agility of the network.
Because you can define your routing strategy using the attributes of applications, you can execute specific traffic-management policies that control how packets get forwarded.
In this way, you can optimize how bandwidth gets used by your most important applications.
How does PBR Work?
PBR is considered to be an exception to the routing information base (RIB) and is looked at before examining the RIB. This allows for more routing options.
For example, within the route map used for PBR, you can match on an access control list (ACL) that then matches on source, destination, protocol type, and/or port numbers.
You can also match on:
• Quality of service (QoS) marking, such as Internet Protocol (IP) precedence or differentiated services code point (DSCP)
• The size of the packets, effectively enabling you to send data where you want it to go based on how big or small its packets are
Once you have a positive match, you can then set the next hop device’s address and/or egress interface. You can also set QoS values at the same time, which enable you to ensure an application gets the resources it needs to function as well as you need it to.
The route map can have multiple statements, which are typically sequenced in increments of 10. This gives you the control to match on multiple sets of match conditions.
The route map can also have “deny” statements. (The default, if not specified, is “permit.”) These can also be used to act as a filter. When the route map matches on an ACL, if it matches a deny, it drops out of that statement of the route map and continues to the next statement in the map. The deny or drop is defined by the route map, not the ACL that is referenced by the route map.
If there are no positive matches within the route map or you hit a route map statement that has no permit statement, then it is designated as “policy rejected.” If you have a policy rejected condition, then the traffic is forwarded normally based on the RIB.
When you do a show ip route or show ipv6 route command, you will not see that PBR is in use. You can do a show ip policy or show ipv6 policy. This will show you that there is a policy defined for PBR, but not where it’s allied. To see it applied to an interface, use the show ip interface. Of course, if you have access rights, you could just look at the configuration.
How can you use PBR?
Normal routing is only concerned about destination-based forwarding, while PBR gives you more control.
You can use PBR to:
• Direct traffic downlinks that are reserved for specific types of traffic or levels of priority.
• Direct traffic based on the source, not the destination, to steer specific customer traffic down links that match their service level agreement.
• Direct traffic into specific, multi-protocol label switching traffic engineering (MPLS TE) tunnels, specifically when you use it in conjunction with MPLS TE.
• Choose how much bandwidth to provide specific applications.
• Create fallback links for your most important traffic, so if the primary link has an outage, you can maintain continuity.
• Choose which traffic gets deep packet inspection, such as for certain, business-critical apps.
• Stratify traffic, giving priority to some instead of others, particularly to satisfy the requirements of an SLA.
• Single out the traffic of certain applications for wide area network (WAN) optimization.
Examples of how to use PBR
Here are a few examples of what PBR configuration may look like in practice. Each example provides a general view of what PBR accomplishes in that specific context, but you can use these configurations to custom-design how your network handles traffic to benefit a variety of business processes.
For instance, using the first example configuration, which focuses on providing equal access, you can use it to ensure bandwidth usage is balanced between two business-critical applications by ensuring they have equal access to service providers.
You can use this configuration to provide equal access to two separate service providers. The packets that come through the interface called “boostedethernet 3/1” and originating from source 188.8.131.52 get sent to a router at 184.108.40.206 in the event this router doesn’t already have an explicit route that stipulates where the packet should go.
Packets that come from the other source, labeled 220.127.116.11, get sent to a different router, at 18.104.22.168, if, like in the first configuration, there’s no pre-determined destination for the packet. Other packets without a specific route get discarded.
Switch (config)# access-list 1 permit ip 22.214.171.124
Access-list 1 permit ip 126.96.36.199
interface boostedethernet 3/1
ip poicy route-map equal-access
route-map equal-access permit 10
match ip address 1
set ip default next-hop 188.8.131.52
route-map equal-access permit 20
match ip address 2
set ip default next-hop 184.108.40.206
route-map equal-access permit 30
set default interface null0
Define the next hop
In this example, you use PBR to define the next hop data packets take as they pass through different segments of your network. A “hop” refers to when a packet of data passes from one segment of your network to another, going from one router to another.
Using PBR to define what the next hop will be can accomplish a few different goals when it comes to the efficiency or safety of your network.
For example, if you have made sure that one router has, without a doubt, the configuration, safety precautions, and tools it needs to provide the most secure hop possible, you may want to send traffic to this router from another.
If, for instance, you’re sure its firmware has been updated, its firewall is enabled and uses the latest threat intel, and has a unique name and hard-to-guess password, routing data directly to it may be a good way to maintain the safety of your transmission—at least for that hop.
Here’s what a configuration to define the next hop could look like. In this example, traffic is going from source 220.127.116.11 to the next hop at 18.104.22.168, and packets coming from source 22.214.171.124 are hopping to 126.96.36.199.
access-list 1 permit ip 188.8.131.52
access list 2 permit ip 184.108.40.206
interface boostedethernet 3/1
ip policy route-map Massachusetts
route-map Massachusetts permit 10
match ip address 1
set ip next-hop 220.127.116.11
route-map Massachusetts permit 20
match ip address 2
set ip next-hop 18.104.22.168
Limitations of PBR
One issue with PBR is that it is like a static route in that it is locally significant. If you need to have policy applied on multiple routers in a path between devices, PBR would have to be configured hop by hop.
PBR is an interesting tool for controlling the traffic flow based on something other than normal, destination-based routing, but some find it cumbersome and difficult to scale.
Policy-based routing adds flexibility and control that other routing techniques do not, however. It gives you a level of control that a routing protocol by itself can’t accomplish. With flexibility, there is typically a cost, and in this case, it’s scalability and manageability.
It’s a great tool, but not one to be used for all cases. When you have a need to forward based on something other than destination, then PBR is your answer.
Popular Networking Courses
Exclusive - Build a foundation of networking knowledge in a real-world, multi-vendor environment.
Gain the foundational knowledge necessary to help support Cisco routers and prepares you for the CCNA-Implementing and Administering Cisco Solutions v1.0 and CCT Routing & Switching certification.
Exclusive - Exclusive - Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network.