1. configure basic PBR
2. local policy routing
3. set ip next-hop
4. set ip default next-hop
5. discard packet if not match any PBR rules
6. PBR and route-map deny statement

1. CML-P 2.0 Lab: routing-concepts.pbr.5rt.3node.2aa57fa8.yaml · master · CCIE Enterprise Infrastructure v1.0 / labs · GitLab
2. Topology diagram: topologies.vsdx · master · CCIE Enterprise Infrastructure v1.0 / My Documents · GitLab

Common Configuration Snippet

server-0

hostname server-0
ifconfig eth0 172.16.0.10 netmask 255.255.255.0 broadcast 172.16.0.255
route add default gw 172.16.0.2 eth0

server-1

hostname server-1
ifconfig eth0 172.16.1.11 netmask 255.255.255.0 broadcast 172.16.1.255
route add default gw 172.16.1.1 eth0

server-2

hostname server-2
ifconfig eth0 172.16.2.12 netmask 255.255.255.0 broadcast 172.16.2.255
route add default gw 172.16.2.1 eth0

R1

configure terminal
!
interface GigabitEthernet 0/0
 ip address 172.16.1.1 255.255.255.0
 no shutdown
interface GigabitEthernet 0/1
 ip address 172.16.2.1 255.255.255.0
 no shutdown
interface GigabitEthernet 0/2
 ip address 10.1.3.1 255.255.255.0
 no shutdown
interface GigabitEthernet 0/3
 ip address 10.1.4.1 255.255.255.0
 no shutdown
interface GigabitEthernet 0/4
 ip address 10.1.5.1 255.255.255.0
 no shutdown
!
router ospf 1
 network 172.16.1.1 0.0.0.0 area 0
 network 172.16.2.1 0.0.0.0 area 0
 network 10.1.3.1 0.0.0.0 area 0
 network 10.1.4.1 0.0.0.0 area 0
 network 10.1.5.1 0.0.0.0 area 0
exit
!
end

R2

configure terminal
!
interface GigabitEthernet 0/0
 ip address 172.16.0.2 255.255.255.0
 no shutdown
interface GigabitEthernet 0/2
 ip address 10.2.3.2 255.255.255.0
 no shutdown
interface GigabitEthernet 0/3
 ip address 10.2.4.2 255.255.255.0
 no shutdown
interface GigabitEthernet 0/4
 ip address 10.2.5.2 255.255.255.0
 no shutdown
!
router ospf 1
 network 172.16.0.2 0.0.0.0 area 0
 network 10.2.3.2 0.0.0.0 area 0
 network 10.2.4.2 0.0.0.0 area 0
 network 10.2.5.2 0.0.0.0 area 0
exit
!
end

R3

configure terminal
!
interface GigabitEthernet 0/0
 ip address 10.2.3.3 255.255.255.0
 no shutdown
interface GigabitEthernet 0/1
 ip address 10.1.3.3 255.255.255.0
 no shutdown
!
router ospf 1
 network 10.2.3.3 0.0.0.0 area 0
 network 10.1.3.3 0.0.0.0 area 0
exit
!
end

R4

configure terminal
!
interface GigabitEthernet 0/0
 ip address 10.2.4.4 255.255.255.0
 no shutdown
interface GigabitEthernet 0/1
 ip address 10.1.4.4 255.255.255.0
 no shutdown
!
router ospf 1
 network 10.2.4.4 0.0.0.0 area 0
 network 10.1.4.4 0.0.0.0 area 0
exit
!
end

R5

configure terminal
!
interface GigabitEthernet 0/0
 ip address 10.2.5.5 255.255.255.0
 no shutdown
interface GigabitEthernet 0/1
 ip address 10.1.5.5 255.255.255.0
 no shutdown
!
router ospf 1
 network 10.2.5.5 0.0.0.0 area 0
 network 10.1.5.5 0.0.0.0 area 0
exit
!
end

• R1

configure terminal
!
ip access-list extended ACL_PBR_172_16_1_0
 permit ip 172.16.1.0 0.0.0.255 any
!
ip access-list extended ACL_PBR_172_16_2_0
 permit ip 172.16.2.0 0.0.0.255 any
!
route-map RMAP_PBR_172_16_1_0 permit 10
 match ip address ACL_PBR_172_16_1_0
 set ip next-hop 10.1.4.4
!
route-map RMAP_PBR_172_16_2_0 permit 10
 match ip address ACL_PBR_172_16_2_0
 set ip next-hop 10.1.3.3
!
interface GigabitEthernet 0/0
 ip policy route-map RMAP_PBR_172_16_1_0
interface GigabitEthernet 0/1
 ip policy route-map RMAP_PBR_172_16_2_0
!
end

• R2

onfigure terminal
!
ip access-list extended ACL_PBR_172_16_1_0
 permit ip any 172.16.1.0 0.0.0.255
!
ip access-list extended ACL_PBR_172_16_2_0
 permit ip any 172.16.2.0 0.0.0.255
!
route-map RMAP_PBR_172_16_0_0 permit 10
 match ip address ACL_PBR_172_16_1_0
 set ip next-hop 10.2.4.4
route-map RMAP_PBR_172_16_0_0 permit 20
 match ip address ACL_PBR_172_16_2_0
 set ip next-hop 10.2.3.3
!
interface GigabitEthernet 0/0
 ip policy route-map RMAP_PBR_172_16_0_0
!
end

show access-lists
show route-map
show ip policy

• server-1, server-2

ping 172.16.0.10

• Wireshark Display Filter

icmp && ip.addr == 172.16.1.0/24
icmp && ip.addr == 172.16.2.0/24
icmp && ip.addr in { 172.16.1.0/24 172.16.2.0/24 }

Wireshark Packet Capture Result

1. routing-concepts.pbr.5rt.3node.2aa57fa8.c6c0065c.r1-ge0-2_r3-ge0-1.icmp.pcapng
2. routing-concepts.pbr.5rt.3node.2aa57fa8.c6c0065c.r1-ge0-3_r4-ge0-1.icmp.pcapng
3. routing-concepts.pbr.5rt.3node.2aa57fa8.c6c0065c.r1-ge0-4_r5-ge0-1.icmp.pcapng

R1 Console Log

R2 Console Log

server-1 Log

1. Cisco: QoS Basics
2. Cisco: Catalyst QoS
3. QoS - IP Precedence（IPプレシデンス）とは
4. QoS - DSCP（Differentiated Services Code Point）とは

• R1

configure terminal
!
access-list 101 permit ip 10.1.3.1 0.0.0.0 10.0.0.0 0.255.255.255
!
route-map RMAP_PBR_LOCAL permit 10
 match ip address 101
 set ip precedence critical
!
ip local policy route-map RMAP_PBR_LOCAL
!
end

show access-lists
show route-map
show ip policy
show ip local policy

• R1

ping 10.2.3.2 source 10.1.3.1
ping 10.2.3.2 source 10.1.5.1
ping 10.2.4.2
ping 10.2.4.2 source 10.1.3.1

For more detail Wireshark Filter Expression Cheat Sheet

• Wireshark Display Filter

icmp && ip.addr == 10.1.3.1

R1(config-route-map)#set ip precedence ?
  <0-7>           Precedence value
  critical        Set critical precedence (5)
  flash           Set flash precedence (3)
  flash-override  Set flash override precedence (4)
  immediate       Set immediate precedence (2)
  internet        Set internetwork control precedence (6)
  network         Set network control precedence (7)
  priority        Set priority precedence (1)
  routine         Set routine precedence (0)
  <cr>

Wireshark Packet Capture Result

R1 Console Log

1. CML-P 2.0 Lab: routing-concepts.pbr.2rt.2node.01f43d2f.yaml · master · CCIE Enterprise Infrastructure v1.0 / labs · GitLab
2. Topology diagram: topologies.vsdx · master · CCIE Enterprise Infrastructure v1.0 / My Documents · GitLab

Common Configuration Snippet

server-0

hostname server-0
ifconfig eth0 10.1.1.10 netmask 255.255.255.0 broadcast 10.1.1.255
route add default gw 10.1.1.1 eth0

server-1

hostname server-1
ifconfig eth0 10.2.2.11 netmask 255.255.255.0 broadcast 10.2.2.255
route add default gw 10.2.2.2 eth0

R1

configure terminal
!
interface GigabitEthernet 0/0
 ip address 10.1.1.1 255.255.255.0
 no shutdown
interface GigabitEthernet 0/1
 ip address 10.12.1.1 255.255.255.0
 no shutdown
interface GigabitEthernet 0/2
 ip address 10.12.2.1 255.255.255.0
 no shutdown
!
router ospf 1
 router-id 1.1.1.1
 network 10.1.1.1 0.0.0.0 area 0
 network 10.12.1.1 0.0.0.0 area 0
exit
!
end

R2

configure terminal
!
interface GigabitEthernet 0/0
 ip address 10.2.2.2 255.255.255.0
 no shutdown
interface GigabitEthernet 0/1
 ip address 10.12.1.2 255.255.255.0
 no shutdown
interface GigabitEthernet 0/2
 ip address 10.12.2.2 255.255.255.0
 no shutdown
!
router ospf 1
 router-id 2.2.2.2
 network 10.2.2.2 0.0.0.0 area 0
 network 10.12.1.2 0.0.0.0 area 0
exit
!
end

• Wireshark Display Filter

icmp or udp

• R1

show ip route
show ip route 10.2.2.11

• R2

show ip route
show ip route 10.1.1.10

• server-0

traceroute 10.2.2.11

1. Policy-Based Routing Using the set ip default next-hop and set ip next-hop Commands Configuration Example - Cisco
2. Policy Based Routing ネットワークチェンジニアとして

• R1

configure terminal
!
ip access-list extended ACL_PBR_10_1_1_0
 permit ip 10.1.1.0 0.0.0.255 any
!
route-map RMAP_PBR_10_1_1_0 permit 10
 match ip address ACL_PBR_10_1_1_0
 set ip next-hop 10.12.2.2
!
interface GigabitEthernet 0/0
 ip policy route-map RMAP_PBR_10_1_1_0
!
end

• R2

configure terminal
!
ip access-list extended ACL_PBR_10_2_2_0
 permit ip 10.2.2.0 0.0.0.255 any
!
route-map RMAP_PBR_10_2_2_0 permit 10
 match ip address ACL_PBR_10_2_2_0
 set ip next-hop 10.12.2.1
!
interface GigabitEthernet 0/0
 ip policy route-map RMAP_PBR_10_2_2_0
!
end

• R1

show access-lists
show route-map
show ip policy
show ip route
show ip route 10.2.2.11

• R2

show access-lists
show route-map
show ip policy
show ip route
show ip route 10.1.1.10

• Wireshark Display Filter

icmp or udp

• server-0

traceroute 10.2.2.11

First, check PBR configured route tranverse verified

Next, shutdown R1, R2 Gi0/2 interface, so next-hop not available, normal routing is enabled.

• R1, R2

configure terminal
!
interface GigabitEthernet 0/2
 shutdown
!
end

R1 Console Log

R2 Console Log

server-0 Console Log

Wireshark Packet Capture Result

1. Policy-Based Routing Using the set ip default next-hop and set ip next-hop Commands Configuration Example - Cisco
2. Policy Based Routing ネットワークチェンジニアとして

The config difference between 3ae8e581 and 78f31df0 is default keyword only.
But behavior is opposite.
set ip next-hop (3ae8e581) does PBR by default because connected route availabe for next-hop in operational state.
But set ip default next-hop (78f31df0) does normal forwarding by default because OSPF learned route installed in operational state.

• R1

configure terminal
!
ip access-list extended ACL_PBR_10_1_1_0
 permit ip 10.1.1.0 0.0.0.255 any
!
route-map RMAP_PBR_10_1_1_0 permit 10
 match ip address ACL_PBR_10_1_1_0
 set ip default next-hop 10.12.2.2
!
interface GigabitEthernet 0/0
 ip policy route-map RMAP_PBR_10_1_1_0
!
end

• R2

configure terminal
!
ip access-list extended ACL_PBR_10_2_2_0
 permit ip 10.2.2.0 0.0.0.255 any
!
route-map RMAP_PBR_10_2_2_0 permit 10
 match ip address ACL_PBR_10_2_2_0
 set ip default next-hop 10.12.2.1
!
interface GigabitEthernet 0/0
 ip policy route-map RMAP_PBR_10_2_2_0
!
end

• R1, R2

debug ip policy

• R1

show access-lists
show route-map
show ip policy
show ip route
show ip route 10.2.2.11

• R1

show access-lists
show route-map
show ip policy
show ip route
show ip route 10.1.1.10

• Wireshark Display Filter

icmp or udp

• server-0

traceroute 10.2.2.11

First, PBR rejected because explicit route exists, result in normal forwarding.

Next, shutdown R1, R2 Gi0/1 interface, so OSPF neighbor down destination route removed, PBR executed.

• R1, R2

configure terminal
!
interface GigabitEthernet 0/1
 shutdown
!
end

R1 Console Log

R2 Console Log

server-0 Console Log

Wireshark Packet Capture Result

verification done, disable debug.

• R1, R2

undebug all
no debug all

1. Base Topology: 2aa57fa8-99bb-4248-bbd4-49c9c805df46
2. CML-P 2.0 Lab: routing-concepts.pbr.5rt.3node.2aa57fa8.yaml · master · CCIE Enterprise Infrastructure v1.0 / labs · GitLab
3. Topology diagram: topologies.vsdx · master · CCIE Enterprise Infrastructure v1.0 / My Documents · GitLab

• R2

configure terminal
!
ip access-list extended ACL_PBR_172_16_0_0
 permit ip 172.16.0.0 0.0.0.255 172.16.1.0 0.0.0.255
!
route-map RMAP_PBR_172_16_0_0 permit 10
 match ip address ACL_PBR_172_16_0_0
 set ip next-hop 10.2.3.3
route-map RMAP_PBR_172_16_0_0 permit 20
 set interface Null 0
!
interface GigabitEthernet 0/0
 ip policy route-map RMAP_PBR_172_16_0_0
!
end

• R2

debug ip policy
show access-lists
show route-map
show ip policy
show ip route

• Wireshark Display Filter

(icmp or udp) and not dhcp

• server-0

ping 172.16.1.11
ping 172.16.2.12

verification done, disable debug.

• R1, R2

undebug all
! or
no debug all

R2 Console Log

server-0 Console Log

Wireshark Packet Capture Result

1. CML-P 2.0 Lab: routing-concepts.pbr.2rt.3node.07c97bb9.yaml · master · CCIE Enterprise Infrastructure v1.0 / labs · GitLab
2. Topology diagram: topologies.vsdx · master · CCIE Enterprise Infrastructure v1.0 / My Documents · GitLab
3. Base Topology:
   1. 01f43d2f-28e1-48a9-896b-0fac99da1fbd
   2. routing-concepts.pbr.2rt.2node.01f43d2f.yaml · master · CCIE Enterprise Infrastructure v1.0 / labs · GitLab

Common Configuration Snippet

server-0

hostname server-0
ifconfig eth0 10.1.1.10 netmask 255.255.255.0 broadcast 10.1.1.255
route add default gw 10.1.1.1 eth0

server-1

hostname server-1
ifconfig eth0 10.2.2.11 netmask 255.255.255.0 broadcast 10.2.2.255
route add default gw 10.2.2.2 eth0

server-2

hostname server-2
ifconfig eth0 10.2.2.12 netmask 255.255.255.0 broadcast 10.2.2.255
route add default gw 10.2.2.2 eth0

R1

configure terminal
!
interface GigabitEthernet 0/0
 ip address 10.1.1.1 255.255.255.0
 no shutdown
interface GigabitEthernet 0/1
 ip address 10.12.1.1 255.255.255.0
 no shutdown
interface GigabitEthernet 0/2
 ip address 10.12.2.1 255.255.255.0
 no shutdown
!
router ospf 1
 router-id 1.1.1.1
 network 10.1.1.1 0.0.0.0 area 0
 network 10.12.1.1 0.0.0.0 area 0
exit
!
end

R2

configure terminal
!
interface GigabitEthernet 0/0
 ip address 10.2.2.2 255.255.255.0
 no shutdown
interface GigabitEthernet 0/1
 ip address 10.12.1.2 255.255.255.0
 no shutdown
interface GigabitEthernet 0/2
 ip address 10.12.2.2 255.255.255.0
 no shutdown
!
router ospf 1
 router-id 2.2.2.2
 network 10.2.2.2 0.0.0.0 area 0
 network 10.12.1.2 0.0.0.0 area 0
exit
!
end

• R1

configure terminal
!
ip access-list extended ACL_PBR_10_1_1_0
 permit ip 10.1.1.0 0.0.0.255 host 10.2.2.11
!
route-map RMAP_PBR_10_1_1_0 deny 10
 match ip address ACL_PBR_10_1_1_0
route-map RMAP_PBR_10_1_1_0 permit 10
 set ip next-hop 10.12.2.2
!
interface GigabitEthernet 0/0
 ip policy route-map RMAP_PBR_10_1_1_0
!
end

• R2

configure terminal
!
ip access-list extended ACL_PBR_10_2_2_0
 permit ip host 10.2.2.11 10.1.1.0 0.0.0.255
!
route-map RMAP_PBR_10_2_2_0 deny 10
 match ip address ACL_PBR_10_2_2_0
route-map RMAP_PBR_10_2_2_0 permit 20
 set ip next-hop 10.12.2.1
!
interface GigabitEthernet 0/0
 ip policy route-map RMAP_PBR_10_2_2_0
!
end

• R1

debug ip policy
show access-lists
show route-map
show ip policy
show ip route
show ip route 10.2.2.11

• R2

debug ip policy
show access-lists
show route-map
show ip policy
show ip route
show ip route 10.1.1.10

• Wireshark Display Filter

icmp or udp

• server-0

ping 10.2.2.11
ping 10.2.2.12
traceroute 10.2.2.11
traceroute 10.2.2.12

verification done, disable debug.

• R1, R2

undebug all
! or
no debug all

R1 Console Log

R2 Console Log

server-0 Console Log

Wireshark Packet Capture Result

1. PBR（Policy-Based Routing）の設定
2. PBR（Policy-Based Routing）の設定例
3. Policy-Based Routing Using the set ip default next-hop and set ip next-hop Commands Configuration Example - Cisco
4. Policy Based Routing ネットワークチェンジニアとして
5. QoS - IP Precedence（IPプレシデンス）とは
6. QoS - DSCP（Differentiated Services Code Point）とは
7. Cisco: route-map
8. Networking with Linux
9. Wireshark Filter Expression Cheat Sheet
10. Cisco: QoS Basics
11. Cisco: Catalyst QoS