Policy Based Routing

Policy Based Routing (PBR)

Policy-based routing, generally referred to as “policy routing”, is the use of route maps to determine the path a packet will take to get to its final destination.

* I remember the PBR lab in the CCNP Route exam. The requirement was to redirect a user's machine via a slow WAN link. This involved setting their next hop IP to that of the 56k WAN link, as opposed to the 2Mbps Serial WAN link. Nice!

* For QoS purposes, traffic can be “marked” by policy routing in order to give different levels of service to various classes of traffic.

PBR Rules

  • Policy routing doesn’t affect the destination of the packet, but does affect the path that is taken to get there.
  • Policy routing can forward traffic based on the source IP address or the destination IP address (with the use of an extended ACL).
  • Policy routing can be configured globally or on a per-interface level.
  • If a packet doesn’t match any of the specific criteria in a route map, or does match a line that has an explicit deny statement, the data is sent to the routing process and will be processed normally.

Applying policy routing on an interface affects only packets arriving on that interface – in this case, Serial0.

R2(config)#int s0
R2(config-if)#ip policy route-map CHANGE_NEXT_HOP

Applying the policy globally applies the route map only to packets generated by the router itself, not to packets received on its interfaces.

R2(config)#ip local policy route-map CHANGE_NEXT_HOP

Verify either or both with show ip policy.

Chris Bryant Tip: If you don’t want to route packets that don’t match a route-map clause, the set command must be used to send those packets to the null0 interface. Naturally, this set command should be the final set command in the route map.

Route Map Configuration

1. Create an ACL to identify the traffic. (Standard or Extended where relevant)

R2(config)#access-list 32 permit host

2. Create Route Map with intuitive name.

R2(config)#route-map EXAMPLE permit 10
R2(config-route-map)#match ip address 29
R2(config-route-map)#set ip next-hop
R2(config-route-map)#route-map EXAMPLE deny 20
R2(config-route-map)#match ip address 30

3. Apply route map under interface or globally (Where applicable!)

R2(config)#int s0
R2(config-if)#ip policy route-map CHANGE_NEXT_HOP
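Putting the three steps together, here is a complete PBR configuration for R2 as an added example (it is not the configuration from the original notes). Everything specific is an assumption made for the example: the workstation 192.0.2.10, the slow WAN next hop 198.51.100.1, and Serial0 as the ingress interface.

```ios
! Added example: complete policy-based routing on R2.
! Constructed values: host 192.0.2.10, next hop 198.51.100.1, interface Serial0.
!
! 1. Identify the traffic. A standard ACL matches only the source address;
!    use an extended ACL when the policy must also depend on the destination.
access-list 32 permit host 192.0.2.10
!
! 2. Build the route map. Sequence 10 steers the matched host. The final
!    clause has no match statement, so it catches everything else and drops
!    it (the Null0 trick from the tip above). Leave sequence 99 out if
!    unmatched traffic should instead fall through to normal routing.
route-map CHANGE_NEXT_HOP permit 10
 match ip address 32
 set ip next-hop 198.51.100.1
route-map CHANGE_NEXT_HOP permit 99
 set interface Null0
!
! 3. Apply it. The interface form affects only packets arriving on Serial0;
!    the global (local policy) form affects only router-originated packets.
interface Serial0
 ip policy route-map CHANGE_NEXT_HOP
ip local policy route-map CHANGE_NEXT_HOP
!
! Verification: 'show ip policy' lists which route map is bound to which
! interface; 'show route-map CHANGE_NEXT_HOP' shows per-clause packet and
! byte counters, so a zero counter on sequence 10 means the host's traffic
! is not being policy-routed.
```

Because PBR overrides the routing table, a route map bound to an interface is something to include in any configuration audit: a forgotten `ip policy` statement can silently steer traffic around the path you expect, and `show ip policy` is the quickest way to find one.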

Redistribution: Route Tagging


“tag Tag value for destination routing protocol”

Tagging routes can help you prevent some big nasty routing loops, especially with 2-way redistribution. You can tag routes with a numeric value as they’re redistributed, and then prohibit routes with that same value from being “re-redistributed” back into the original routing protocol.

Example: Tagging routes with a value of 10 that are being redistributed from RIP into OSPF:

R1(config)#route-map RIP2OSPF permit 10
R1(config-route-map)#set tag 10

The redistribution config:

R1(config)#router ospf 1
R1(config-router)#redistribute rip route-map RIP2OSPF subnets
R1(config-router)#redistribute connected subnets

You won’t see tag values in the routing table, but you will see them in the extended show ip route command with the network number specified.

R3#show ip route
Routing entry for
Known via "ospf 1", distance 110, metric 20
Tag 10, type extern 2, forward metric 64
Last update from on Serial1, 00:00:43 ago
Routing Descriptor Blocks:
*, from, 00:00:43 ago, via Serial1
Route metric is 20, traffic share count is 1

The following config will prevent any routes with the tag 10 from being redistributed from OSPF back into RIP, while allowing any untagged routes to be redistributed and tagged with 20.

R1(config)#route-map OSPF2RIP deny 10
R1(config-route-map)#match tag 10
R1(config-route-map)#route-map OSPF2RIP perm 20
R1(config-route-map)#set tag 20

So we use ‘tagging’ to simply mark a route learned via redistribution and then ‘do something’ (Permit or Deny) to it using a route map.
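The two route maps above only make sense together, so here is the full two-way RIP/OSPF redistribution on R1 with tag-based loop prevention in both directions, as an added example rather than the notes' own configuration. The tag values 10 and 20 come from the notes; the RIP seed metric of 3 and the symmetric deny clause in RIP2OSPF are this example's additions.

```ios
! Added example: two-way redistribution on R1 with loop prevention by tag.
! Tags 10 and 20 are from the notes; the RIP seed metric (3) is assumed.
!
! RIP -> OSPF. Sequence 5 refuses anything already tagged 20 (it entered RIP
! from OSPF at some redistribution point); sequence 10 tags the rest as 10.
route-map RIP2OSPF deny 5
 match tag 20
route-map RIP2OSPF permit 10
 set tag 10
!
! OSPF -> RIP. Sequence 10 refuses anything tagged 10 (it came from RIP in
! the first place); sequence 20 tags everything else as 20.
route-map OSPF2RIP deny 10
 match tag 10
route-map OSPF2RIP permit 20
 set tag 20
!
router ospf 1
 redistribute rip route-map RIP2OSPF subnets
 redistribute connected subnets
!
router rip
 ! RIPv1 has no tag field; version 2 is required for the tag to survive.
 version 2
 redistribute ospf 1 route-map OSPF2RIP metric 3
!
! Verification: on a neighbour, 'show ip route <network>' shows the Tag
! line for the external route; on R1, 'show route-map' shows how many
! routes each deny clause has stopped.
```

The deny clauses are what actually prevent the loop; the set clauses only make the marks. Checking the hit counters on the deny sequences after a topology change is a cheap way to confirm that a redistribution loop is being caught rather than merely assumed absent.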

Redistribution: Route Maps


Using Route Maps To Change Route Values And Attributes

Distribute-lists are a powerful tool in our route redistribution toolbox – but sometimes we’ll want to do more than simply permit or deny routes to be advertised and redistributed. Sometimes we’ll want to set different metrics for different routes, and maybe even change an OSPF external route type or two – and we’ll do that with route maps.

Let’s take a look at the mechanics of route map operation:

  • Route maps are somewhat similar to access-lists.
  • They both come to a basic decision of “permit” or “deny”.
  • Route maps give us additional power over the data beyond just a simple “transmit” or “don’t transmit”.
  • With route maps, we can actually change route attributes.

Route Map Example

1. For source address only, change next hop IP address to

R2(config)#access-list 17 permit host
R2(config)#route-map ?
WORD Route map tag
R2(config)#route-map CHANGE_NEXT_HOP ?
<0-65535> Sequence to insert to/delete from existing route-map entry
deny Route map denies set operations
permit Route map permits set operations
R2(config)#route-map CHANGE_NEXT_HOP permit ?
<0-65535> Sequence to insert to/delete from existing route-map entry
R2(config)#route-map CHANGE_NEXT_HOP permit 10
R2(config-route-map)#match ip address 17
R2(config-route-map)#set ip next-hop

Key Points with Route Map

  1. The only factor that a standard ACL can match is the source IP address.
  2. Route map statements can be given a sequence number, and this is a great help when you want to go back to an existing route map and add statements. You do not have to assign a sequence number, and if you don’t, the first statement you enter will be numbered “10” and each statement after that will have a sequence number that increments by 10 from the previous statement.
  3. The <cr> indicates that this command could be entered just as it is, without a permit or deny statement. If you do not specify permit or deny, a route map statement will default to “permit”.

Example requirement for the use of ‘route maps’

  • — Double the default seed metric and set the route to OSPF external type 1.
  • – Keep the default seed metric, set the route to OSPF external type 1.
  • — Do not redistribute this route at all.
  • All future redistributed routes — allow redistribution with the default seed metric and OSPF route type.

1. Identify each network to be filtered using ACLs.

2. Create an overall route map with an intuitive name, such as RIP2OSPF. Using ‘match’ and ‘set’ statements, we work through the requirement a point at a time.

For our 1st requirement, here is what we would need to do:

access-list 2 permit

route-map RIP2OSPF permit 10

match ip address 2

set metric 40 (20 is the default for redistributed/external OSPF)

set metric-type type-1

Simple as that! 🙂

For our second requirement we will use the same route-map with a different sequence number:

route-map RIP2OSPF permit 20

Same as before, but based on the specific requirement.

Remember also a ‘catchall’ clause is required at the very end of your route map:

route-map RIP2OSPF permit 50 (Last sequence)

Route maps are mainly used in BGP, but can be used with IGPs in this manner.

‘show route-map’ is great for verifying your map:

R1#show route-map
route-map RIP2OSPF, permit, sequence 10
Match clauses:
ip address (access-lists): 2
Set clauses:
metric 40
metric-type type-1
Policy routing matches: 0 packets, 0 bytes
route-map RIP2OSPF, permit, sequence 20
Match clauses:
ip address (access-lists): 22
Set clauses:
metric-type type-1
Policy routing matches: 0 packets, 0 bytes
route-map RIP2OSPF, deny, sequence 30
Match clauses:
ip address (access-lists): 44
Set clauses:
Policy routing matches: 0 packets, 0 bytes
route-map RIP2OSPF, permit, sequence 40
Match clauses:
Set clauses:
Policy routing matches: 0 packets, 0 bytes

The next step is to now apply the route-map. 🙂

Example of applying route map for redistribution from RIP into OSPF:

R1(config)#router ospf 1

R1(config-router)#redis rip subnets route-map RIP2OSPF

Or ‘redis rip route-map RIP2OSPF subnets’ either way round will do the job. 🙂
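The four-point requirement above, written out end to end on R1, as an added example (not the notes' own configuration). The ACL numbers 2, 22 and 44 and sequence numbers 10 to 40 are taken from the `show route-map` output in the notes; the three networks 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are constructed samples standing in for the networks the notes leave unnamed.

```ios
! Added example: route map for the four redistribution requirements.
! ACL and sequence numbers follow the notes; the networks are constructed.
!
! 1. One standard ACL per network that needs special treatment.
access-list 2 permit 192.0.2.0 0.0.0.255
access-list 22 permit 198.51.100.0 0.0.0.255
access-list 44 permit 203.0.113.0 0.0.0.255
!
! 2. One clause per requirement, evaluated in sequence order, first match wins.
! Requirement 1: double the default seed metric (20 -> 40), external type 1.
route-map RIP2OSPF permit 10
 match ip address 2
 set metric 40
 set metric-type type-1
! Requirement 2: keep the default seed metric, external type 1.
route-map RIP2OSPF permit 20
 match ip address 22
 set metric-type type-1
! Requirement 3: do not redistribute this network at all.
route-map RIP2OSPF deny 30
 match ip address 44
! Requirement 4: everything else with the default seed metric and default
! type (E2). Without this catch-all the implicit deny at the end of the
! route map would stop every other route from being redistributed.
route-map RIP2OSPF permit 40
!
! 3. Apply it to the redistribution.
router ospf 1
 redistribute rip subnets route-map RIP2OSPF
!
! Verification: 'show route-map RIP2OSPF' on R1 lists the clauses; on another
! OSPF router 'show ip route 192.0.2.0' should report 'type extern 1' with a
! metric of 40 plus the path cost to R1, and 203.0.113.0 should be absent.
```

Note that an E1 route accumulates internal cost as it propagates, so the neighbour's metric will be 40 plus the path cost, while an E2 route keeps the seed metric unchanged everywhere in the domain.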

Redistribution: Using Distribute Lists to Control Redistribution


distribute-list = filter networks in routing updates (From IOS Help)

Once you perform route redistribution, you’ll often find that you need to fine-tune the process by allowing some routes to be redistributed while preventing redistribution of other routes. We can do that with distribute lists.

A distribute-list uses an ACL to define the routes to be redistributed – and explicitly or implicitly prohibited from redistribution.

Example for redistribution into OSPF to filter out networks and

R1(config)#access-list 17 deny
R1(config)#access-list 17 deny
R1(config)#access-list 17 permit any

We would assume the command is completed in OSPF as follows:

R1(config-router)#distribute-list 17 out serial0
% Interface not allowed with OUT for OSPF

But OSPF will not work in this manner: its routing updates are LSAs, whereas EIGRP and RIP updates aren’t, so OSPF can’t filter them outbound per interface.

We need to specify a source protocol as opposed to an interface.


R1(config-router)#distribute-list 17 out rip

This will filter routes going into OSPF, that match ACL 17 and originate from RIP.

NOTE: OSPF converges very quickly, so the effect of the filter should show up in the routing table almost immediately.

***show ip protocols will also show any applied distribute lists and their direction!***

RIP Example:

R1(config)#router rip
R1(config-router)#distribute-list 17 ?
in Filter incoming routing updates
out Filter outgoing routing updates
R1(config-router)#distribute-list 17 in ?
BRI ISDN Basic Rate Interface
Ethernet IEEE 802.3
Loopback Loopback interface
Null Null interface
Serial Serial
R1(config-router)#distribute-list 17 in ethernet0
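The OSPF and RIP cases side by side, as an added example that is not the notes' own configuration. ACL number 17 follows the notes; the two networks 192.0.2.0/24 and 198.51.100.0/24 are constructed samples in place of the unnamed networks above, and the interface name Ethernet0 is assumed.

```ios
! Added example: the same ACL used to filter redistribution into OSPF and
! to filter RIP updates on an interface. Networks are constructed samples.
!
access-list 17 deny   192.0.2.0 0.0.0.255
access-list 17 deny   198.51.100.0 0.0.0.255
access-list 17 permit any
!
router ospf 1
 redistribute rip subnets
 ! OSPF cannot apply an outbound filter to an interface (its updates are
 ! LSAs), so the 'out' keyword names the source protocol instead: routes
 ! learned from RIP are checked against ACL 17 before entering OSPF.
 distribute-list 17 out rip
!
router rip
 version 2
 ! RIP filters per interface. 'in' filters updates received on Ethernet0,
 ! 'out' would filter updates sent on it.
 distribute-list 17 in Ethernet0
!
! Verification: 'show ip protocols' lists each process's distribute lists
! and their direction; 'show ip route ospf' on an OSPF neighbour should no
! longer contain the two denied networks. During testing, 'clear ip route *'
! removes stale entries so the result reflects the filter, not old state.
```

The `permit any` at the end matters: an ACL with only deny statements would deny everything, and the redistribution would silently stop carrying any routes at all.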

Redistribution: Passive Interfaces

Not really specifically a redistribution concept, but categorised by Chris Bryant as redistribution so what the hell.

Passive Interfaces

Passive interfaces can be a big help in controlling routing updates and/or routing control traffic, depending on which protocol you’re dealing with:

RIP: Passive interfaces do not send routing updates, but will accept them. RIP adjacencies aren’t affected by passive interfaces since RIP doesn’t have adjacencies in the first place.

EIGRP: Hellos aren’t sent, so no adjacency can be formed via a passive interface. If an adjacency exists on an interface that is then made passive, the adjacency is dropped. The subnet on a passive interface can still be advertised.

EIGRP passive interfaces do not send Hellos, therefore the neighbour relationship on this specific interface is torn down.

EIGRP passive interfaces do not send Hellos, but the subnet running on that passive interface can still be advertised via the network command.

OSPF: Passive interfaces do not send OSPF Hellos, so again no adjacency can be formed, and existing adjacencies are lost on interfaces that are then configured as passive. Additionally, the subnet running on the passive interface will be advertised as a stub network.

Just as with EIGRP, the adjacency through the now passive interface is lost, but the subnet is still advertised via the network command.

You can set all interfaces on a router as passive for a given protocol with the passive-interface default command.

R3(config)#router ospf 1
R3(config-router)#passive-interface default

To set the interfaces back to their default, just use the no passive-interface default command.

R3(config-router)#no passive-interface default

Redistribution: ip default-gateway vs. ip default-network

ip default-gateway vs. ip default-network

The ip default-network command can be used to inject a default route into your routing process.

If the router has an interface directly connected to the network specified with this command, the router will generate a default route and send that route to its neighbor routers.

This command can be a little tricky to use, and it works differently with different protocols. It’s easy to get ip default-network and ip default-gateway mixed up.

They’re both used to generate a default route. The key difference is that ip default-gateway is used when IP routing is off, while ip default-network is used when IP routing is on.

Redistribution: Default-Information Originate (OSPF)

Default-Information Originate (Always?)

We know that default routes are generated in OSPF when stub and totally stubby areas are involved.

We also know that you can’t make Area 0 a stub area.

What we can do is run the OSPF command default-information originate with the always option to send a default route to all other OSPF routers — and that includes routers in Area 0.

The always option allows the router to propagate a default route without actually having one in its routing table.

Without that option, the router must have a default route in its table in order to advertise one. If there is no default route to advertise, neighbors will not receive a default route.
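The two forms of the command side by side, as an added example (not the notes' own configuration). The upstream next hop 203.0.113.1 is a constructed address; the two `router ospf 1` stanzas are alternatives, not meant to be applied together.

```ios
! Added example: conditional versus unconditional default origination on an
! OSPF ASBR. 203.0.113.1 is a constructed upstream next hop.
!
! Conditional form: a default is advertised only while 0.0.0.0/0 is present
! in this router's own routing table (here supplied by a static route). If
! the static route is removed, the advertised default is withdrawn too.
ip route 0.0.0.0 0.0.0.0 203.0.113.1
router ospf 1
 default-information originate
!
! Unconditional form (alternative): advertise a default regardless of the
! local table. If this router later loses its own upstream path, neighbours
! keep sending it their default-bound traffic, so 'always' trades a
! built-in sanity check for simplicity.
router ospf 1
 default-information originate always
!
! Verification on any OSPF router, Area 0 included: 'show ip route' shows
! an O*E2 0.0.0.0/0 entry, and 'show ip ospf database external' shows the
! type-5 LSA for 0.0.0.0 with this router as the advertising router.
```

The conditional form is the safer default for a border router with a single upstream, since the advertised default disappears when the real one does; `always` is appropriate where the router is the intended exit point whatever its own table says.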

Redistribution: More EIGRP Redistribution

EIGRP has a default seed metric of “infinity”, and we need to define a seed metric when we perform the redistribution. With EIGRP, that means defining five different settings.

There are two ways to set the seed metric with EIGRP:

  1. Set the metric for the redistributed routes learned from a specific source at the end of the redistribute command.
  2. Use the default-metric command to set the default metric for all routes being redistributed.


R3(config-router)#redistribute rip metric 1544 10 255 1 1500
R3(config-router)#redistribute connected metric 1544 10 255 1 1500

Fairly straightforward stuff.

Or using default metric option:

R2(config)#router eigrp 100
R2(config-router)#default-metric 1544 10 255 1 1500

Be very careful when redistributing with RIP, as the AD for RIP routes is 120 and will be ‘better’ than External EIGRP routes with an AD of 170. This is an example where we may need to change the AD for EIGRP to something lower than 120.


R2(config)#router eigrp 100
R2(config-router)#distance ?
<1-255> Administrative distance
eigrp IP-EIGRP distance
R2(config-router)#distance eigrp ?
<1-255> Distance for internal routes
R2(config-router)#distance eigrp 90 ?
<1-255> Distance for external routes
R2(config-router)#distance eigrp 90 119

‘show ip protocols’ is an excellent command for reviewing redistribution.

Route Redistribution: Changing the AD

If we have an example whereby we are going to be redistributing between RIP and OSPF, we need to consider the AD.

We know that RIP uses an AD of 120 and OSPF uses 110, so we might have an example whereby the OSPF route (selected because of its lower AD) is not in fact the preferred or optimal path to the destination. We can get around this by changing the AD value for OSPF specifically.

To change the AD of a protocol on a router, use the distance command under the appropriate routing process. We’ll use this command to change the AD of OSPF on R2 to 200.

R2(config)#router ospf 1
R2(config-router)#distance ?
<1-255> Administrative distance
ospf OSPF distance
R2(config-router)#distance 121

This is now a higher value than RIP and therefore the RIP route with the AD of 120 will now be the ‘best’ route to the destination.

You can also change the AD for specific routes only!

Example config:

Let’s double the AD of the route for while leaving the other routes alone. ACL 5 identifies that route and that route only, and then we just use that ACL number at the end of the distance command.

R2(config)#access-list 5 permit
R2(config)#router eigrp 100
R2(config-router)#distance 180 ?
<1-99> IP Standard access list number
<1300-1999> IP Standard expanded access list number
WORD Standard access-list name
R2(config-router)#distance 180 5

After clearing the route table, the route to now has an AD of 180, while the other distances remain the same.