Policy Based Routing

Scenario:

After getting rid of the ring that ruled them all things have changed in Middle Earth. The hobbits have become network engineers and are interconnecting every creature in their fantasy world. OSPF is the routing protocol of choice but the hobbits have some problems since all traffic is sent down the same path. Do you think you can help them out by teaching them Policy Based Routing?

Goal:

  • All IP addresses have been preconfigured for you.
  • OSPF has been preconfigured for you for full connectivity.
  • Do not make any changes to OSPF.
  • Make changes on router Bilbo so traffic from 1.1.1.0 towards router Meriadoc is sent down the serial link.
  • Make changes on router Bilbo so traffic from 192.168.12.1 towards 33.33.33.33 is sent down the serial link.
  • Make changes on router Bilbo so packets that are greater than 200 bytes are sent down the serial link.
  • Make changes on router Bilbo so traffic from 192.168.12.2 towards 3.3.3.3 is sent down the serial link.
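The four goals above are one PBR configuration on Bilbo. The config below is an added example written for this page, not the lab's own solution file. Interface and next-hop addresses are taken from the configs posted in the comments (Bilbo fa0/0 = 192.168.12.2 towards Frodo, Serial2/0 = 192.168.24.2 with Meriadoc at 192.168.24.4); Meriadoc's loopback 4.4.4.4 and the access-list and route-map names are assumptions. Note that 192.168.12.2 in the last goal is Bilbo's own address, so that task is about router-generated traffic and needs `ip local policy` rather than an interface policy.

```cisco
! Bilbo - policy based routing (added example, not the lab solution file)
! Assumed: Meriadoc loopback 4.4.4.4; ACL/route-map names are illustrative.
!
! Goal 1: 1.1.1.0/24 towards Meriadoc
ip access-list extended FRODO-TO-MERIADOC
 permit ip 1.1.1.0 0.0.0.255 host 4.4.4.4
!
! Goal 2: 192.168.12.1 towards 33.33.33.33
ip access-list extended FRODO-TO-33
 permit ip host 192.168.12.1 host 33.33.33.33
!
! Do not add "log" to these ACLs: the comments below report that the ACL
! then shows matches while the route-map counts 0 policy-routed packets.
!
route-map PBR permit 10
 match ip address FRODO-TO-MERIADOC
 set ip next-hop 192.168.24.4
!
route-map PBR permit 20
 match ip address FRODO-TO-33
 set ip next-hop 192.168.24.4
!
! Goal 3: packets larger than 200 bytes (match length min max, in bytes)
route-map PBR permit 30
 match length 201 2147483647
 set ip next-hop 192.168.24.4
!
! Packets that match no sequence fall through to normal OSPF forwarding,
! so no changes to OSPF are needed.
!
! Transit traffic from Frodo enters on fa0/0, so the policy goes there.
interface FastEthernet0/0
 ip policy route-map PBR
!
! Goal 4: 192.168.12.2 is Bilbo itself. "ip policy" on an interface never
! sees locally generated packets; they need "ip local policy".
ip access-list extended BILBO-TO-3
 permit ip host 192.168.12.2 host 3.3.3.3
!
route-map LOCAL-PBR permit 10
 match ip address BILBO-TO-3
 set ip next-hop 192.168.24.4
!
ip local policy route-map LOCAL-PBR
!
! Verification (exec mode):
!   show ip policy
!   show route-map PBR
!   show route-map LOCAL-PBR
!   debug ip policy
!   ping 3.3.3.3 source fastethernet0/0      (forces source 192.168.12.2)
! and on Frodo:
!   traceroute 33.33.33.33 source 1.1.1.1
```

Two pitfalls from the comment thread are worth checking with `show route-map` before debugging further: entering `set ip next-hop` a second time appends a second address to the list instead of replacing the first (remove the line with `no set ip next-hop` and re-enter it), and a `match ip address` clause that references an access-list which does not exist is reported to policy-route everything. `set interface Serial2/0` would work here because the link is point-to-point, but `set ip next-hop` keeps the route-map valid if the link is later migrated to Ethernet or multipoint Frame Relay.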

It took me 1000s of hours reading books and doing labs, making mistakes over and over again until I mastered all the routing protocols for CCNP.

Would you like to be a master of routing too? In a short time without having to read 900 page books or google the answers to your questions and browsing through forums?

I collected all my knowledge and created a single ebook for you that has everything you need to know to become a master of routing.

You will learn all the secrets about routing, policy based routing (PBR), route-maps and more.

Does this sound interesting to you? Take a look here and let me show you how to Master CCNP ROUTE

IOS:

c3640-jk9s-mz.124-16.bin

Topology:

(Topology diagram: Policy Based Routing)

Video Solution:

Configuration Files

You need to register to download the GNS3 topology file. (Registration is free!)

Once you are logged in you will find the configuration files right here.

Written by René Molenaar - CCIE #41726


About the Author: Rene Molenaar

René - CCIE #41726 is the creator of GNS3Vault.com where he shares CCNA, CCNP and CCIE R&S labs. He also blogs about networking on http://networklessons.com

24 Comments

  1. Hi,
    For:
    Make changes on router Bilbo so traffic from 192.168.12.2 towards 3.3.3.3 is sent down the serial link:

    Where can I apply the policy route-map on Bilbo so it takes effect?
    Thanks.

  2. In response to Rene and Alex.

    Packets generated by the router are not policy routed. If you want to policy route traffic generated by the router, you must enable it. To enable local PBR, use the following global configuration command.

    ‘ip local policy route-map’

    1. Thanks for sharing this, this is important to keep in mind in case you test things.

      There’s a big difference between traffic that flows "through" the router and traffic "generated" by the router itself and how the router deals with it. Traffic generated by the router is indeed not policy-routed so you need that command 🙂

      Same thing applies to access-lists btw, traffic generated by your own router will not hit your access-lists on your interfaces.

  3. I don’t know how you recommend going about mastering these labs, but I find them very useful to have the video running, and to pause before you give an answer to exhaust every way I think something could be done prior to following your lead. I found this lab excellent. I’ve been working through 5-6 labs/day along with other studies.

    1. I believe this is a good way to "master" the labs. If you just watch the video you might get a good understanding but it’s MUCH better when you try to wrap your head around it yourself. If you struggle on a topic and finally finish it you’ll learn a valuable lesson and it will be easier to remember.

      Watching the video and pausing it, doing the lab step-by-step is a good idea because it will prevent you from going down a rabbit hole that might not exist 🙂

      have fun!

  4. I cannot get past the first step. For some reason it keeps inserting 2 IP addresses for the next hop even though I only enter one IP:

    Bilbo#sho route-map
    route-map ONE, permit, sequence 10
    Match clauses:
    ip address (access-lists): 1
    Set clauses:
    ip next-hop 192.168.24.2 192.168.24.4
    Policy routing matches: 21 packets, 1260 bytes

    Bilbo#sho access-lists
    Standard IP access list 1
    10 permit 1.1.1.0, wildcard bits 0.0.0.255 (78 matches)

    as a result the policy tries to push traffic to .2 which then drops it. I cannot see when I am going wrong.

    *Mar 1 00:51:06.179: IP: s=1.1.1.1 (FastEthernet0/0), d=3.3.3.3, len 28, policy match
    *Mar 1 00:51:06.179: IP: route map ONE, item 10, permit
    *Mar 1 00:51:06.179: IP: s=1.1.1.1 (FastEthernet0/0), d=3.3.3.3 (Serial2/0), len 28, policy routed
    *Mar 1 00:51:06.183: IP: FastEthernet0/0 to Serial2/0 192.168.24.2
    Bilbo(config)#

    Bilbo#show run int fa0/0
    Building configuration…

    Current configuration : 122 bytes
    !
    interface FastEthernet0/0
    ip address 192.168.12.2 255.255.255.0
    ip policy route-map ONE
    duplex auto
    speed auto

    Bilbo#sho ver
    Cisco IOS Software, 3600 Software (C3640-JK9O3S-M), Version 12.4(16a), RELEASE SOFTWARE (fc2)

    1. I think if you use the "set" command for a route-map that it will only "add" something. Get rid of the entire set line and then enter the correct IP address.

  5. I am getting this error and i don’t see where i made the mistake

    Mar 1 00:03:08.795: IP: s=192.168.12.1 (FastEthernet0/0), d=3.3.3.3, len 100, FIB policy rejected(no match) – normal forwarding.

    I see that the source is wrong, but look at my configuration; I did the same as you did in the video.

    Can you please point out where I made the mistake? Here is my config:

    interface Loopback0
    ip address 2.2.2.2 255.255.255.0
    !
    interface FastEthernet0/0
    ip address 192.168.12.2 255.255.255.0
    ip policy route-map Name
    duplex auto
    speed auto
    !
    interface FastEthernet1/0
    ip address 192.168.23.2 255.255.255.0
    duplex auto
    speed auto
    !
    interface Serial2/0
    ip address 192.168.24.2 255.255.255.0
    serial restart-delay 0
    !
    interface Serial2/1
    no ip address
    shutdown
    serial restart-delay 0
    !
    interface Serial2/2
    no ip address
    shutdown
    serial restart-delay 0
    !
    interface Serial2/3
    no ip address
    shutdown
    serial restart-delay 0
    !
    router ospf 1
    log-adjacency-changes
    network 0.0.0.0 255.255.255.255 area 0
    !
    no ip http server
    no ip http secure-server
    !
    !
    !
    access-list 101 permit ip 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255
    !
    route-map Name permit 15
    match ip address 101
    set ip next-hop 192.168.24.4
    !
    !
    !
    control-plane

    1. Hi Risaaq

      Mar 1 00:03:08.795: IP: s=192.168.12.1 (FastEthernet0/0), d=3.3.3.3, len 100, FIB policy rejected(no match) – normal forwarding.

      access-list 101 permit ip 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255

      Correct your access-list:

      access-list 101 permit ip 192.168.12.0 0.0.0.255 3.3.3.0 0.0.0.255
      or
      access-list 101 permit ip host 192.168.12.1 3.3.3.0 0.0.0.255

    2. Your configuration is correct, no need to change anything.

      But when you ping from Frodo, ping like this:
      Frodo(config)#do ping 3.3.3.3 so l0
      because here you specify that your pings are sourced from l0, which is 1.1.1.1.
      In a normal ping
      the source will be int f0/0 of router Frodo.

      Anyway, you are correct, just specify the source.

  6. I'm noticing a number of these labs state they are preconfigured (IP addresses, routing protocols, interfaces etc.) and most of them are missing or have incorrect information in the startup config. Are you going to update these labs, or would I be better off configuring the entire lab myself?

  7. I love doing labs here!
    "After getting rid of the ring that ruled them all things have changed in Middle Earth. The hobbits have become network engineers"

    😀 HAHAH! That’s just awesome.

  8. I don’t understand what is wrong.

    Bilbo#sh ip access 100
    Extended IP access list 100
    10 permit ip 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255 log
    Bilbo#sh rou
    route-map questao1, permit, sequence 10
    Match clauses:
    ip address (access-lists): 100
    Set clauses:
    ip next-hop 192.168.24.4
    Policy routing matches: 0 packets, 0 bytes
    Bilbo#sh ip policy
    Interface Route map
    Fa0/0 questao1
    Bilbo#

    Everything seems OK with the configuration, but the route-map debug says:
    Bilbo#

    *Mar 1 00:27:21.627: IP: s=1.1.1.1 (FastEthernet0/0), d=3.3.3.3, len 100, FIB policy rejected(no match) – normal forwarding

    R1 never gets the right route.

    Is it a bug?

    1. In your route-map, after you put a match command you need a "set" command: "set ip next-hop 192.168.24.4"

      Then it will work correctly.

      Cheers

  9. I have the same problem: even though it matches my ACL, traffic is not routed through the defined next-hop.

    ip access-list extended Redirect
    permit ip host 1.1.1.1 host 33.33.33.33 log
    !
    route-map SetNextHop permit 10
    match ip address Redirect
    set ip next-hop 192.168.24.4

    interface FastEthernet0/0
    ip address 192.168.12.2 255.255.255.0
    ip policy route-map SetNextHop

    ########################################
    Frodo#traceroute 33.33.33.33 source 1.1.1.1

    Type escape sequence to abort.
    Tracing the route to 33.33.33.33

    1 192.168.12.2 20 msec 20 msec 20 msec
    2 192.168.23.3 44 msec 36 msec 44 msec
    3 192.168.35.5 40 msec * 80 msec
    ########################################

    *Mar 1 00:38:46.243: IP: s=1.1.1.1 (FastEthernet0/0), d=33.33.33.33, len 28, FIB policy rejected(no match) – normal forwarding
    Bilbo#
    *Mar 1 00:38:49.231: IP: s=1.1.1.1 (FastEthernet0/0), d=33.33.33.33, len 28, FIB policy rejected(no match) – normal forwarding

  10. Bizarre

    I see hits on ACL but not PBR

    Extended IP access list 102
    10 permit ip 1.1.1.0 0.0.0.255 any log (3 matches)

    route-map redirect, permit, sequence 10
    Match clauses:
    ip address (access-lists): 102
    Set clauses:
    ip next-hop 192.168.24.4
    Policy routing matches: 0 packets, 0 bytes

  11. roovind wrote:

      Bizarre

      I see hits on ACL but not PBR

      Extended IP access list 102
      10 permit ip 1.1.1.0 0.0.0.255 any log (3 matches)

    I think the issue is the [b]log[/b] option at the end of your access-list. It looks like this is writing the match to your sys log, as opposed to actually permitting the traffic for your route-map. Try it without the log option.

    This lab worked perfectly for me.

    1. Many thanks for leaving this comment, Josh.

      I have been working on this for a few hours. I first tried it with “log-input”, then “log”, neither would work. Cut & paste from Rene’s configs, worked fine. Could not understand. It works without the “log” option. No idea why.

  12. Hi Rene
    Can't we just use the set command with s2/0 instead of specifying the next hop as 192.168.24.4? I tried doing this and got the same results.
    Please suggest.

    1. Only if the interface is point to point. It works for PPP, MLPPP, FR P2P subinterface, and HDLC, but not for multipoint FR. I would recommend using next-hop IP in case your L2 network changes. For example, what if you had an Ethernet link instead in the future? This way the route-map stays the same and you just migrate link-level settings.

  13. I did the first step and noticed that PBR kicks in even though I didn't put in an access-list, which I accidentally forgot to insert.

    If there is no access-list to match, then the packets should take the path/route which is in the routing table.

    I even checked CEF and its default path is 192.168.23.0, but without me entering an access-list it is still going through 192.168.24.0.

    If I remove the route-map config from the interface, of course it will go through 192.168.23.0, but the point is that without a route-map matching an ACL it should take path 192.168.23.0.

    I showed this to a network specialist at my place of work and he agreed with me, but at the same time he said he has never tried or labbed PBR and forgotten to add an ACL.

    Below is all I entered:
    route-map NAME permit 10
    match ip address 100
    set ip next-hop 192.168.24.4

    int fa0/0
    ip policy route-map NAME

Comments are closed.