S-Series Policy Based Routing example targets all traffic

FAQ_User — Fri, 06 Dec 2013 23:47:00 GMT

Article ID: 13123

Products
S-Series

Discussion
There are three parts to a route map for Policy Based Routing (PBR):

The ACL to define the traffic which will be affected.
The IP of the next hop to which the traffic will be sent.
The command applying it to the interface.

This config has an additional parameter under the interface stating 'policy priority only', which affects ACL-permit-matching traffic.

'policy priority only' uses the PBR next hop, but if it is unavailable, drops the packet.
'policy priority first' uses the PBR next hop, but if it is unavailable, falls back to the routing table (FIB). This is the default behavior.
'policy priority last' uses the FIB, but if no route is found, falls back to the PBR next hop.

So here, ACL-permit-matching traffic crossing the interface is sent only to the next hop - and the routing table is ignored. By design, ACL-deny-matching traffic and non-matching traffic never uses the PBR next hop.

The configuration below will send all traffic from the interface vlan.0.1313 to 172.26.5.21. The ACL 100 matches any IP traffic, thus will match all traffic that crosses the interface to which the route map is applied. If you used a more specific ACL (i.e. using more rules), the packet must match all the rules for the route map action to be applied to the packet.
Note: You can use the same route map on multiple interfaces.

# router configuration
!
# **** VRF default (default) ****
configure terminal
!
ip access-list extended 100
permit ip any any
exit
route-map policy PC permit 2
match ip address 100
set next-hop 172.26.5.21
exit
!
interface vlan.0.1
ip address 172.26.5.20 255.255.255.0 primary
no shutdown
exit
interface vlan.0.1313
ip address 172.26.13.209 255.255.255.240 primary
ip policy route-map PC
ip policy priority only
no shutdown
exit
interface vlan.0.1314
ip address 172.26.13.225 255.255.255.240 primary
no shutdown
exit
!
#
It is common to not want traffic that is being routed from one local interface to a second interface on the same device to go to the PBR-specified next hop, but rather would like it to be routed locally to avoid the extra hop. You do this by adding a sequence number in the PBR that denies that traffic.

The configuration below contains this modification, so will send all traffic from the interface vlan.0.1313 to 172.26.5.21, except if it is destined for locally connected subnet 172.26.13.224 255.255.255.240 (the command uses reverse masking). Route-map sequence 1 denies traffic destined for locally connected subnets so it will be routed via the routing table, without being sent to the next hop.

# router configuration
!
# **** VRF default (default) ****
configure terminal
!
ip access-list extended 100
permit ip any any
exit
ip access-list extended 101
deny ip 172.26.13.224 0.0.0.15
exit
route-map policy PC permit 1
match ip address 101
exit
route-map policy PC permit 2
match ip address 100
set next-hop 172.26.5.21
exit
!
interface vlan.0.1
ip address 172.26.5.20 255.255.255.0 primary
no shutdown
exit
interface vlan.0.1313
ip address 172.26.13.209 255.255.255.240 primary
ip policy route-map PC
ip policy priority only
no shutdown
exit
interface vlan.0.1314
ip address 172.26.13.225 255.255.255.240 primary
no shutdown
exit
!
#
For more information about configuring route maps, please consult the S-Series Configuration and CLI Guides.

topic S-Series Policy Based Routing example targets all traffic in FAQs

S-Series Policy Based Routing example targets all traffic