
Cisco: PBR: Policy Based Routing

The results in my learning topics may not be accurate because of my own misunderstanding!

I STRONGLY RECOMMEND reading the official documents (cisco.com, a.k.a. CCO), the RFCs, and any other books and sites.

Learn the foundations, build a lab yourself, configure it, and verify every topic.

TODO

  1. configure basic PBR
  2. local policy routing
  3. set ip next-hop
  4. set ip default next-hop
  5. discard packets that do not match any PBR rule
  6. PBR and route-map deny statement

Topology PBR lab 2aa57fa8-99bb-4248-bbd4-49c9c805df46

Base Configuration

Common Configuration Snippet

server-0

server-1

server-2

R1

R2

R3

R4

R5

Getting Started c6c0065c-770c-464c-b8ff-a56d9c832966

  • R1
configure terminal
!
ip access-list extended ACL_PBR_172_16_1_0
 permit ip 172.16.1.0 0.0.0.255 any
!
ip access-list extended ACL_PBR_172_16_2_0
 permit ip 172.16.2.0 0.0.0.255 any
!
route-map RMAP_PBR_172_16_1_0 permit 10
 match ip address ACL_PBR_172_16_1_0
 set ip next-hop 10.1.4.4
!
route-map RMAP_PBR_172_16_2_0 permit 10
 match ip address ACL_PBR_172_16_2_0
 set ip next-hop 10.1.3.3
!
interface GigabitEthernet 0/0
 ip policy route-map RMAP_PBR_172_16_1_0
interface GigabitEthernet 0/1
 ip policy route-map RMAP_PBR_172_16_2_0
!
end
  • R2
configure terminal
!
ip access-list extended ACL_PBR_172_16_1_0
 permit ip any 172.16.1.0 0.0.0.255
!
ip access-list extended ACL_PBR_172_16_2_0
 permit ip any 172.16.2.0 0.0.0.255
!
route-map RMAP_PBR_172_16_0_0 permit 10
 match ip address ACL_PBR_172_16_1_0
 set ip next-hop 10.2.4.4
route-map RMAP_PBR_172_16_0_0 permit 20
 match ip address ACL_PBR_172_16_2_0
 set ip next-hop 10.2.3.3
!
interface GigabitEthernet 0/0
 ip policy route-map RMAP_PBR_172_16_0_0
!
end

Verification

show access-lists
show route-map
show ip policy
  • server-1, server-2
ping 172.16.0.10
  • Wireshark Display Filter
icmp && ip.addr == 172.16.1.0/24
icmp && ip.addr == 172.16.2.0/24
icmp && ip.addr in { 172.16.1.0/24 172.16.2.0/24 }

Wireshark Packet Capture Result

R1 Console Log

R2 Console Log

server-1 Log

local policy routing 546ad2fd-8682-4132-aa03-d43ec8b5b68d

  • R1
configure terminal
!
access-list 101 permit ip 10.1.3.1 0.0.0.0 10.0.0.0 0.255.255.255
!
route-map RMAP_PBR_LOCAL permit 10
 match ip address 101
 set ip precedence critical
!
ip local policy route-map RMAP_PBR_LOCAL
!
end

Verification

show access-lists
show route-map
show ip policy
show ip local policy
  • R1
ping 10.2.3.2 source 10.1.3.1
ping 10.2.3.2 source 10.1.5.1
ping 10.2.4.2
ping 10.2.4.2 source 10.1.3.1

For more detail, see the Wireshark Filter Expression Cheat Sheet.

  • Wireshark Display Filter
icmp && ip.addr == 10.1.3.1
  • R1, keyword help for set ip precedence
R1(config-route-map)#set ip precedence ?
  <0-7>           Precedence value
  critical        Set critical precedence (5)
  flash           Set flash precedence (3)
  flash-override  Set flash override precedence (4)
  immediate       Set immediate precedence (2)
  internet        Set internetwork control precedence (6)
  network         Set network control precedence (7)
  priority        Set priority precedence (1)
  routine         Set routine precedence (0)
  <cr>

Wireshark Packet Capture Result

R1 Console Log

Topology PBR next-hop lab 01f43d2f-28e1-48a9-896b-0fac99da1fbd

Base Configuration

Common Configuration Snippet

server-0

server-1

R1

R2

  • Wireshark Display Filter
icmp or udp
  • R1
show ip route
show ip route 10.2.2.11
  • R2
show ip route
show ip route 10.1.1.10
  • server-0
traceroute 10.2.2.11

set ip next-hop 3ae8e581-ff36-4e23-9fd1-afbda31e0bdd

  • R1
configure terminal
!
ip access-list extended ACL_PBR_10_1_1_0
 permit ip 10.1.1.0 0.0.0.255 any
!
route-map RMAP_PBR_10_1_1_0 permit 10
 match ip address ACL_PBR_10_1_1_0
 set ip next-hop 10.12.2.2
!
interface GigabitEthernet 0/0
 ip policy route-map RMAP_PBR_10_1_1_0
!
end
  • R2
configure terminal
!
ip access-list extended ACL_PBR_10_2_2_0
 permit ip 10.2.2.0 0.0.0.255 any
!
route-map RMAP_PBR_10_2_2_0 permit 10
 match ip address ACL_PBR_10_2_2_0
 set ip next-hop 10.12.2.1
!
interface GigabitEthernet 0/0
 ip policy route-map RMAP_PBR_10_2_2_0
!
end

Verification

  • R1
show access-lists
show route-map
show ip policy
show ip route
show ip route 10.2.2.11
  • R2
show access-lists
show route-map
show ip policy
show ip route
show ip route 10.1.1.10
  • Wireshark Display Filter
icmp or udp
  • server-0
traceroute 10.2.2.11

First, verify that traffic traverses the path configured by PBR.

Next, shut down the Gi0/2 interface on R1 and R2 so the PBR next hop becomes unavailable; normal routing then takes over.

  • R1, R2
configure terminal
!
interface GigabitEthernet 0/2
 shutdown
!
end

R1 Console Log

R2 Console Log

server-0 Console Log

Wireshark Packet Capture Result

set ip default next-hop 78f31df0-bb9c-47fc-9c2f-ef845e199974

The only configuration difference between 3ae8e581 and 78f31df0 is the default keyword, but the behaviour is the opposite. set ip next-hop (3ae8e581) applies PBR by default because a connected route to the next hop is available in the operational state. set ip default next-hop (78f31df0) forwards normally by default because an OSPF-learned route to the destination is installed in the operational state.

  • R1
configure terminal
!
ip access-list extended ACL_PBR_10_1_1_0
 permit ip 10.1.1.0 0.0.0.255 any
!
route-map RMAP_PBR_10_1_1_0 permit 10
 match ip address ACL_PBR_10_1_1_0
 set ip default next-hop 10.12.2.2
!
interface GigabitEthernet 0/0
 ip policy route-map RMAP_PBR_10_1_1_0
!
end
  • R2
configure terminal
!
ip access-list extended ACL_PBR_10_2_2_0
 permit ip 10.2.2.0 0.0.0.255 any
!
route-map RMAP_PBR_10_2_2_0 permit 10
 match ip address ACL_PBR_10_2_2_0
 set ip default next-hop 10.12.2.1
!
interface GigabitEthernet 0/0
 ip policy route-map RMAP_PBR_10_2_2_0
!
end

Verification

  • R1, R2
debug ip policy
  • R1
show access-lists
show route-map
show ip policy
show ip route
show ip route 10.2.2.11
  • R2
show access-lists
show route-map
show ip policy
show ip route
show ip route 10.1.1.10
  • Wireshark Display Filter
icmp or udp
  • server-0
traceroute 10.2.2.11

First, PBR is not applied because an explicit route to the destination exists, resulting in normal forwarding.

Next, shut down the Gi0/1 interface on R1 and R2; the OSPF neighbor goes down, the destination route is removed, and PBR is applied.

  • R1, R2
configure terminal
!
interface GigabitEthernet 0/1
 shutdown
!
end

R1 Console Log

R2 Console Log

server-0 Console Log

Wireshark Packet Capture Result

Once verification is done, disable debugging.

  • R1, R2
undebug all
no debug all

Discard packets that do not match any PBR rule a478ff05-e9fe-4cb3-8eba-fbcd9426a88d

  1. Base Topology: 2aa57fa8-99bb-4248-bbd4-49c9c805df46

  • R2
configure terminal
!
ip access-list extended ACL_PBR_172_16_0_0
 permit ip 172.16.0.0 0.0.0.255 172.16.1.0 0.0.0.255
!
route-map RMAP_PBR_172_16_0_0 permit 10
 match ip address ACL_PBR_172_16_0_0
 set ip next-hop 10.2.3.3
route-map RMAP_PBR_172_16_0_0 permit 20
 set interface Null 0
!
interface GigabitEthernet 0/0
 ip policy route-map RMAP_PBR_172_16_0_0
!
end

Verification

Topology PBR and route-map deny statement 07c97bb9-d4a8-475d-936a-45fe4da19bad

Base Configuration

Common Configuration Snippet

server-0

server-1

server-2

R1

R2

PBR and route-map deny statement c552f8b1-c394-4e0a-89b5-5ff76710f9dc

  • R1
configure terminal
!
ip access-list extended ACL_PBR_10_1_1_0
 permit ip 10.1.1.0 0.0.0.255 host 10.2.2.11
!
route-map RMAP_PBR_10_1_1_0 deny 10
 match ip address ACL_PBR_10_1_1_0
! sequence 20, not 10: re-entering sequence 10 as permit would overwrite the deny above
route-map RMAP_PBR_10_1_1_0 permit 20
 set ip next-hop 10.12.2.2
!
interface GigabitEthernet 0/0
 ip policy route-map RMAP_PBR_10_1_1_0
!
end
  • R2
configure terminal
!
ip access-list extended ACL_PBR_10_2_2_0
 permit ip host 10.2.2.11 10.1.1.0 0.0.0.255
!
route-map RMAP_PBR_10_2_2_0 deny 10
 match ip address ACL_PBR_10_2_2_0
route-map RMAP_PBR_10_2_2_0 permit 20
 set ip next-hop 10.12.2.1
!
interface GigabitEthernet 0/0
 ip policy route-map RMAP_PBR_10_2_2_0
!
end
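The following Python model is an added example, not code from this wiki page or from Cisco. It reproduces the forwarding decisions the labs verify: the set ip next-hop versus set ip default next-hop contrast from 3ae8e581 and 78f31df0, the Null0 discard from a478ff05, the deny sequence from c552f8b1, and the precedence marking from the local policy lab (546ad2fd). It assumes the route-map semantics described on the page (first matching sequence decides; deny or no match means normal forwarding; next-hop is honoured only when reachable; default next-hop only when no explicit route exists). Addresses the page does not give, such as the 10.99.0.0/24 link standing in for R1's Gi0/1 OSPF path and the host addresses 172.16.1.10 and 172.16.2.10, are constructed.

```python
"""Toy model of Cisco IOS policy-based routing (PBR) decisions.

Added example, not code from the wiki page or from Cisco. It models what the
labs verify: route-map sequences are tried in order and the first match decides;
a deny sequence or no match means normal forwarding; 'set ip next-hop' is used
whenever the next hop is on a connected network; 'set ip default next-hop' is
used only when no explicit (non-default) route to the destination exists;
'set interface Null0' discards. Addresses and tables below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Keyword-to-value table from the 'set ip precedence ?' help output on the page.
PRECEDENCE = {"routine": 0, "priority": 1, "immediate": 2, "flash": 3,
              "flash-override": 4, "critical": 5, "internet": 6, "network": 7}

def precedence_to_tos(name: str) -> int:
    """IP precedence occupies the top three bits of the TOS byte."""
    return PRECEDENCE[name] << 5

@dataclass
class AclEntry:
    action: str   # "permit" or "deny"
    src: str      # CIDR; "any" is 0.0.0.0/0, "host X" is X/32
    dst: str

def acl_matches(entries, src, dst) -> bool:
    """Extended ACL: the first entry matching both src and dst decides; implicit deny."""
    for e in entries:
        if ip_address(src) in ip_network(e.src) and ip_address(dst) in ip_network(e.dst):
            return e.action == "permit"
    return False

@dataclass
class Seq:
    """One 'route-map NAME permit|deny N' block with its match and set clauses."""
    action: str
    match_acl: Optional[list] = None        # None: no match clause, matches everything
    next_hop: Optional[str] = None          # set ip next-hop
    default_next_hop: Optional[str] = None  # set ip default next-hop
    null_interface: bool = False            # set interface Null0
    precedence: Optional[str] = None        # set ip precedence <keyword>

@dataclass
class Router:
    connected: list   # directly connected networks (CIDR strings)
    routes: dict      # learned routes: CIDR -> next hop (these labs have no default route)

    def next_hop_reachable(self, nh: str) -> bool:
        return any(ip_address(nh) in ip_network(n) for n in self.connected)

    def explicit_route(self, dst: str) -> Optional[str]:
        """Longest-prefix match over connected ('connected') and learned routes."""
        best, best_len = None, -1
        for net, nh in [(n, "connected") for n in self.connected] + list(self.routes.items()):
            n = ip_network(net)
            if ip_address(dst) in n and n.prefixlen > best_len:
                best, best_len = nh, n.prefixlen
        return best

def pbr_decision(router: Router, route_map: list, src: str, dst: str):
    """Return (verdict, next_hop, precedence) for a packet on an 'ip policy' interface."""
    normal = lambda prec: ("normal", router.explicit_route(dst), prec)
    for seq in route_map:
        if seq.match_acl is not None and not acl_matches(seq.match_acl, src, dst):
            continue                             # no match: try the next sequence
        if seq.action == "deny":
            return normal(None)                  # deny matched: normal forwarding
        if seq.null_interface:
            return ("drop", None, None)          # set interface Null0
        if seq.next_hop and router.next_hop_reachable(seq.next_hop):
            return ("pbr", seq.next_hop, seq.precedence)
        if (seq.default_next_hop and router.explicit_route(dst) is None
                and router.next_hop_reachable(seq.default_next_hop)):
            return ("pbr", seq.default_next_hop, seq.precedence)
        return normal(seq.precedence)            # permit matched, no usable set: route normally
    return normal(None)                          # nothing matched

# Scenarios mirroring the lab sections. 10.99.0.0/24 and 10.99.0.2 are constructed
# stand-ins for R1's Gi0/1 OSPF path towards 10.2.2.0/24, which the page does not number.
ALT = "10.99.0.2"
R1_UP = Router(["10.1.1.0/24", "10.12.2.0/24", "10.99.0.0/24"], {"10.2.2.0/24": ALT})
ACL_10_1_1_0 = [AclEntry("permit", "10.1.1.0/24", "0.0.0.0/0")]

def next_hop_lab(router=R1_UP):             # section 3ae8e581
    rm = [Seq("permit", ACL_10_1_1_0, next_hop="10.12.2.2")]
    return pbr_decision(router, rm, "10.1.1.10", "10.2.2.11")

def default_next_hop_lab(router=R1_UP):     # section 78f31df0
    rm = [Seq("permit", ACL_10_1_1_0, default_next_hop="10.12.2.2")]
    return pbr_decision(router, rm, "10.1.1.10", "10.2.2.11")

def discard_lab(dst):                       # section a478ff05 (R2)
    r2 = Router(["172.16.0.0/24", "10.2.3.0/24", "10.2.4.0/24"], {})
    rm = [Seq("permit", [AclEntry("permit", "172.16.0.0/24", "172.16.1.0/24")], next_hop="10.2.3.3"),
          Seq("permit", None, null_interface=True)]
    return pbr_decision(r2, rm, "172.16.0.10", dst)

def deny_lab(dst):                          # section c552f8b1 (R1)
    rm = [Seq("deny", [AclEntry("permit", "10.1.1.0/24", "10.2.2.11/32")]),
          Seq("permit", None, next_hop="10.12.2.2")]
    return pbr_decision(R1_UP, rm, "10.1.1.10", dst)

def local_policy_lab(src):                  # section 546ad2fd, R1's own packets to 10.2.3.2
    r1 = Router(["10.1.3.0/24", "10.1.5.0/24"], {"10.2.3.0/24": "10.1.3.3"})
    rm = [Seq("permit", [AclEntry("permit", "10.1.3.1/32", "10.0.0.0/8")], precedence="critical")]
    return pbr_decision(r1, rm, src, "10.2.3.2")
```

Passing a Router without 10.12.2.0/24 to next_hop_lab models the Gi0/2 shutdown (the verdict flips to normal via the OSPF path), and passing one without the 10.2.2.0/24 route to default_next_hop_lab models the Gi0/1 shutdown (the verdict flips to pbr). deny_lab shows why the deny sequence needs a distinct permit sequence number: only traffic to 10.2.2.11 is excluded from PBR, while 10.2.2.12 is still policy-routed.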

Verification

  • R1
debug ip policy
show access-lists
show route-map
show ip policy
show ip route
show ip route 10.2.2.11
  • R2
debug ip policy
show access-lists
show route-map
show ip policy
show ip route
show ip route 10.1.1.10
  • Wireshark Display Filter
icmp or udp
  • server-0
ping 10.2.2.11
ping 10.2.2.12
traceroute 10.2.2.11
traceroute 10.2.2.12

Once verification is done, disable debugging.

  • R1, R2
undebug all
! or
no debug all

R1 Console Log

R2 Console Log

server-0 Console Log

Wireshark Packet Capture Result

References

tech/network/cisco/routing/pbr/pbr.txt · Last modified: 2020/08/06 22:39 by wnoguchi