I STRONGLY RECOMMEND reading the official documents (cisco.com, a.k.a. CCO), the RFCs, and any other books and sites.
Also learn the foundations, build a lab yourself, and configure and verify every topic.
configure terminal
!
ip access-list extended ACL_PBR_172_16_1_0
 permit ip 172.16.1.0 0.0.0.255 any
!
ip access-list extended ACL_PBR_172_16_2_0
 permit ip 172.16.2.0 0.0.0.255 any
!
route-map RMAP_PBR_172_16_1_0 permit 10
 match ip address ACL_PBR_172_16_1_0
 set ip next-hop 10.1.4.4
!
route-map RMAP_PBR_172_16_2_0 permit 10
 match ip address ACL_PBR_172_16_2_0
 set ip next-hop 10.1.3.3
!
interface GigabitEthernet 0/0
 ip policy route-map RMAP_PBR_172_16_1_0
interface GigabitEthernet 0/1
 ip policy route-map RMAP_PBR_172_16_2_0
!
end

configure terminal
!
ip access-list extended ACL_PBR_172_16_1_0
 permit ip any 172.16.1.0 0.0.0.255
!
ip access-list extended ACL_PBR_172_16_2_0
 permit ip any 172.16.2.0 0.0.0.255
!
route-map RMAP_PBR_172_16_0_0 permit 10
 match ip address ACL_PBR_172_16_1_0
 set ip next-hop 10.2.4.4
route-map RMAP_PBR_172_16_0_0 permit 20
 match ip address ACL_PBR_172_16_2_0
 set ip next-hop 10.2.3.3
!
interface GigabitEthernet 0/0
 ip policy route-map RMAP_PBR_172_16_0_0
!
end

show access-lists
show route-map
show ip policy

server-1, server-2
ping 172.16.0.10
icmp && ip.addr == 172.16.1.0/24
icmp && ip.addr == 172.16.2.0/24
icmp && ip.addr in { 172.16.1.0/24 172.16.2.0/24 }
Wireshark Packet Capture Result
configure terminal
!
access-list 101 permit ip 10.1.3.1 0.0.0.0 10.0.0.0 0.255.255.255
!
route-map RMAP_PBR_LOCAL permit 10
 match ip address 101
 set ip precedence critical
!
ip local policy route-map RMAP_PBR_LOCAL
!
end

show access-lists
show route-map
show ip policy
show ip local policy

ping 10.2.3.2 source 10.1.3.1
ping 10.2.3.2 source 10.1.5.1
ping 10.2.4.2
ping 10.2.4.2 source 10.1.3.1

For more detail, see the Wireshark Filter Expression Cheat Sheet.
icmp && ip.addr == 10.1.3.1
R1(config-route-map)#set ip precedence ?
  <0-7>           Precedence value
  critical        Set critical precedence (5)
  flash           Set flash precedence (3)
  flash-override  Set flash override precedence (4)
  immediate       Set immediate precedence (2)
  internet        Set internetwork control precedence (6)
  network         Set network control precedence (7)
  priority        Set priority precedence (1)
  routine         Set routine precedence (0)
  <cr>
icmp or udp
show ip route
show ip route 10.2.2.11

show ip route
show ip route 10.1.1.10
traceroute 10.2.2.11
configure terminal
!
ip access-list extended ACL_PBR_10_1_1_0
 permit ip 10.1.1.0 0.0.0.255 any
!
route-map RMAP_PBR_10_1_1_0 permit 10
 match ip address ACL_PBR_10_1_1_0
 set ip next-hop 10.12.2.2
!
interface GigabitEthernet 0/0
 ip policy route-map RMAP_PBR_10_1_1_0
!
end

configure terminal
!
ip access-list extended ACL_PBR_10_2_2_0
 permit ip 10.2.2.0 0.0.0.255 any
!
route-map RMAP_PBR_10_2_2_0 permit 10
 match ip address ACL_PBR_10_2_2_0
 set ip next-hop 10.12.2.1
!
interface GigabitEthernet 0/0
 ip policy route-map RMAP_PBR_10_2_2_0
!
end

show access-lists
show route-map
show ip policy
show ip route
show ip route 10.2.2.11

show access-lists
show route-map
show ip policy
show ip route
show ip route 10.1.1.10
icmp or udp
traceroute 10.2.2.11
First, verify that traffic traverses the PBR-configured route.
Next, shut down the Gi0/2 interface on R1 and R2 so that the next hop is not available and normal routing takes over.
configure terminal
!
interface GigabitEthernet 0/2
 shutdown
!
end
The only config difference between 3ae8e581 and 78f31df0 is the default keyword.
But the behavior is opposite.
set ip next-hop (3ae8e581) does PBR by default because a connected route to the next hop is available in the operational state.
But set ip default next-hop (78f31df0) does normal forwarding by default because an OSPF-learned route is installed in the operational state.
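The contrast described above, modeled as a small Python sketch (an added example, not part of the original lab). The /24 masks, the 10.12.1.0/24 subnet on Gi0/1 and the OSPF next hop 10.12.1.2 are assumptions, since the page does not show the topology addressing.

```python
import ipaddress

def lookup(rib, dst, allow_default=True):
    """Longest-prefix match over {prefix: next_hop}; returns next_hop or None."""
    dst, best = ipaddress.ip_address(dst), None
    for prefix, nh in rib.items():
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0 and not allow_default:
            continue  # 0.0.0.0/0 does not count as an explicit route
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None

def forward(rib, dst, pbr_next_hop, default_keyword):
    """Decision for a packet that already matched the route-map's ACL."""
    normal = ("normal", lookup(rib, dst))
    if default_keyword:
        # set ip default next-hop: the routing table wins whenever it holds
        # an explicit (non-default) route to the destination.
        if lookup(rib, dst, allow_default=False) is None:
            return ("policy", pbr_next_hop)
        return normal
    # set ip next-hop: policy wins whenever the next hop is directly connected.
    if lookup(rib, pbr_next_hop) == "connected":
        return ("policy", pbr_next_hop)
    return normal

# Constructed R1 routing tables (assumed addressing, see lead-in).
ALL_UP = {"10.12.1.0/24": "connected",   # Gi0/1, OSPF neighbor link
          "10.12.2.0/24": "connected",   # Gi0/2, link to the PBR next hop
          "10.2.2.0/24": "10.12.1.2"}    # OSPF-learned route
GI0_2_DOWN = {p: nh for p, nh in ALL_UP.items() if p != "10.12.2.0/24"}
GI0_1_DOWN = {"10.12.2.0/24": "connected"}  # OSPF neighbor and its route gone

def lab_results(dst="10.2.2.11", nh="10.12.2.2"):
    return {
        "next-hop, all up": forward(ALL_UP, dst, nh, False),
        "next-hop, Gi0/2 down": forward(GI0_2_DOWN, dst, nh, False),
        "default next-hop, all up": forward(ALL_UP, dst, nh, True),
        "default next-hop, Gi0/1 down": forward(GI0_1_DOWN, dst, nh, True),
    }

if __name__ == "__main__":
    for case, decision in lab_results().items():
        print(f"{case:30} -> {decision}")
```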
configure terminal
!
ip access-list extended ACL_PBR_10_1_1_0
 permit ip 10.1.1.0 0.0.0.255 any
!
route-map RMAP_PBR_10_1_1_0 permit 10
 match ip address ACL_PBR_10_1_1_0
 set ip default next-hop 10.12.2.2
!
interface GigabitEthernet 0/0
 ip policy route-map RMAP_PBR_10_1_1_0
!
end

configure terminal
!
ip access-list extended ACL_PBR_10_2_2_0
 permit ip 10.2.2.0 0.0.0.255 any
!
route-map RMAP_PBR_10_2_2_0 permit 10
 match ip address ACL_PBR_10_2_2_0
 set ip default next-hop 10.12.2.1
!
interface GigabitEthernet 0/0
 ip policy route-map RMAP_PBR_10_2_2_0
!
end
debug ip policy
show access-lists
show route-map
show ip policy
show ip route
show ip route 10.2.2.11

show access-lists
show route-map
show ip policy
show ip route
show ip route 10.1.1.10
icmp or udp
traceroute 10.2.2.11
First, PBR is rejected because an explicit route exists, resulting in normal forwarding.
Next, shut down the Gi0/1 interface on R1 and R2 so that the OSPF neighbor goes down and the destination route is removed; PBR is then executed.
configure terminal
!
interface GigabitEthernet 0/1
 shutdown
!
end
Wireshark Packet Capture Result
Verification done; disable debug.
undebug all
no debug all

configure terminal
!
ip access-list extended ACL_PBR_172_16_0_0
 permit ip 172.16.0.0 0.0.0.255 172.16.1.0 0.0.0.255
!
route-map RMAP_PBR_172_16_0_0 permit 10
 match ip address ACL_PBR_172_16_0_0
 set ip next-hop 10.2.3.3
route-map RMAP_PBR_172_16_0_0 permit 20
 set interface Null 0
!
interface GigabitEthernet 0/0
 ip policy route-map RMAP_PBR_172_16_0_0
!
end

debug ip policy
show access-lists
show route-map
show ip policy
show ip route
(icmp or udp) and not dhcp
ping 172.16.1.11
ping 172.16.2.12
Verification done; disable debug.
undebug all
! or
no debug all

configure terminal
!
ip access-list extended ACL_PBR_10_1_1_0
 permit ip 10.1.1.0 0.0.0.255 host 10.2.2.11
!
route-map RMAP_PBR_10_1_1_0 deny 10
 match ip address ACL_PBR_10_1_1_0
route-map RMAP_PBR_10_1_1_0 permit 20
 set ip next-hop 10.12.2.2
!
interface GigabitEthernet 0/0
 ip policy route-map RMAP_PBR_10_1_1_0
!
end

configure terminal
!
ip access-list extended ACL_PBR_10_2_2_0
 permit ip host 10.2.2.11 10.1.1.0 0.0.0.255
!
route-map RMAP_PBR_10_2_2_0 deny 10
 match ip address ACL_PBR_10_2_2_0
route-map RMAP_PBR_10_2_2_0 permit 20
 set ip next-hop 10.12.2.1
!
interface GigabitEthernet 0/0
 ip policy route-map RMAP_PBR_10_2_2_0
!
end

debug ip policy
show access-lists
show route-map
show ip policy
show ip route
show ip route 10.2.2.11

debug ip policy
show access-lists
show route-map
show ip policy
show ip route
show ip route 10.1.1.10
icmp or udp
ping 10.2.2.11
ping 10.2.2.12
traceroute 10.2.2.11
traceroute 10.2.2.12
Verification done; disable debug.
undebug all
! or
no debug all