
Introduction:
In modern enterprise networks, standard routing table lookups are often insufficient for complex traffic engineering and security requirements. Policy-Based Routing (PBR) provides administrators with granular control, allowing them to override traditional routing decisions based on attributes like source IP, protocol, or packet size. This article dissects a real-world PBR lab scenario, providing the exact Cisco IOS commands and configurations needed to master traffic steering for your CCNA/CCNP exams and implement advanced network security policies.
Learning Objectives:
- Understand the architecture of PBR using route-maps and access control lists to selectively forward traffic.
- Learn to configure and verify PBR on Cisco IOS routers to direct specific subnet traffic through alternate ISP paths.
- Implement PBR for security and performance, including failover scenarios and policy enforcement.
You Should Know:
1. Understanding the PBR Lab Topology and Objective
In a typical CCNA/CCNP lab, the network consists of multiple routers (e.g., R1, R2, R3) representing an enterprise edge connected to two different Internet Service Providers (ISP-A and ISP-B). The default route on the edge router (R1) usually points all traffic to ISP-A. However, business requirements dictate that traffic originating from the Finance Department subnet (e.g., 192.168.10.0/24) must exit via ISP-B for auditing and security compliance. PBR allows us to achieve this by applying a policy on the interface facing the Finance VLAN.
2. Step‑by‑Step Guide: Configuring PBR for Traffic Steering
This guide walks you through configuring PBR on a Cisco router to match traffic from a specific source and set a different next-hop.
Step 1: Define the Traffic Match Criteria (Access-List)
First, create an extended access-list that identifies the traffic you want to manipulate. In this case, we match all IP traffic from the Finance subnet.
`R1(config)# access-list 100 permit ip 192.168.10.0 0.0.0.255 any`
Step 2: Create the Route-Map for Policy Enforcement
A route-map acts as the policy. If the packet matches ACL 100, we will set the next-hop to the ISP-B router’s IP address (e.g., 209.165.201.2).
`R1(config)# route-map PBR-TO-ISPB permit 10`
`R1(config-route-map)# match ip address 100`
`R1(config-route-map)# set ip next-hop 209.165.201.2`
Step 3: Apply the Route-Map to the Ingress Interface
PBR is applied on the interface where the traffic enters the router (the inside interface facing the LAN). It inspects packets upon arrival and forwards them based on the policy.
`R1(config)# interface GigabitEthernet0/0`
`R1(config-if)# ip policy route-map PBR-TO-ISPB`
3. Verifying PBR Operation and Troubleshooting
After configuration, it is critical to verify that the policy is active and working correctly.
Verification Commands:
- `show ip policy`: Displays which interfaces have PBR applied and which route-map is used.
- `show route-map`: Shows the match criteria and any policy matches (hit counts).
- `debug ip policy`: A powerful command to monitor packets being processed by PBR in real time (use with caution in production).
- To test, initiate traffic from a device on the 192.168.10.0/24 subnet and perform a traceroute. It should show the path going through the ISP-B next-hop (209.165.201.2) instead of the default route.
4. Implementing PBR for Security (Blackhole and Redirection)
Beyond basic routing, PBR can act as a security tool. For instance, you can redirect suspicious traffic to a security appliance or drop it entirely.
To block traffic from a specific host attempting to scan the network, you can set the outgoing interface to Null0 (effectively dropping the packet):
`R1(config)# access-list 101 permit ip host 10.0.0.50 any`
`R1(config)# route-map PBR-BLOCK permit 10`
`R1(config-route-map)# match ip address 101`
`R1(config-route-map)# set interface Null0`
This ensures all traffic from the infected host is discarded at the router level without burdening the firewall.
5. Configuring PBR for Performance and Link Load Balancing
PBR allows you to optimize bandwidth by sending large downloads or backups over a high-bandwidth link while keeping critical interactive traffic on a low-latency link.
By using the `set ip next-hop verify-availability` command, you can combine PBR with Cisco’s Object Tracking for failover. If the primary next-hop (ISP-B) goes down, the route-map can automatically fall back to the default route (ISP-A), ensuring high availability without manual intervention.
6. Linux/Windows Analogy: Source-Based Routing
While PBR is a Cisco IOS concept, similar functionality exists in Linux using `ip rule` and multiple routing tables.
To mimic the above scenario on a Linux gateway acting as a router, you would:
1. Add a secondary routing table: `echo "200 isp2" >> /etc/iproute2/rt_tables`
2. Add a default route via ISP-B to that table: `ip route add default via 209.165.201.2 dev eth1 table isp2`
3. Add a rule to use the table for traffic from the specific subnet: `ip rule add from 192.168.10.0/24 table isp2`
This demonstrates that the concept of source-based policy routing is universal across networking platforms.
7. Advanced Scenario: QoS and Packet Marking with PBR
PBR can also be used to set the IP precedence or DSCP values for specific traffic flows as they enter the network. This integrates PBR with downstream QoS policies.
`R1(config-route-map)# set ip precedence 5`
This command, added to the route-map, marks voice traffic with high priority before it is routed, ensuring the core network can prioritize it correctly even before queuing policies are applied.
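The following is an added example, not configuration or code from the article: a small Python simulator of the IOS PBR decision logic covered in sections 2 through 5 and 7 (extended-ACL wildcard matching, route-map sequence evaluation, `set ip next-hop` with the tracked fallback behaviour of `verify-availability`, `set interface Null0`, `set ip precedence`, and fall-through to the normal routing table). It uses the article's lab values (ACL 100 for 192.168.10.0/24, ACL 101 for host 10.0.0.50, ISP-B next-hop 209.165.201.2); the voice subnet 192.168.20.0/24 and the "ISP-A (default route)" label are constructed placeholders. Because an interface accepts only one `ip policy route-map`, the article's PBR-TO-ISPB and PBR-BLOCK route-maps are merged here into one route-map with separate sequences, which is how you would deploy them on a single ingress interface.

```python
"""Added example (not from the article): simulator of the IOS PBR decision logic.
Lab values come from the article; the voice subnet and ISP-A label are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY: Tuple[str, str] = ("0.0.0.0", "255.255.255.255")   # the ACL 'any' keyword


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass
class AclEntry:
    action: str                 # "permit" or "deny"
    src: Tuple[str, str]        # (network, wildcard); 'host X' is (X, "0.0.0.0")
    dst: Tuple[str, str] = ANY


def acl_permits(entries: List[AclEntry], src: str, dst: str) -> bool:
    """First matching entry decides; every ACL ends with an implicit deny."""
    for e in entries:
        if wildcard_match(src, *e.src) and wildcard_match(dst, *e.dst):
            return e.action == "permit"
    return False


@dataclass
class Sequence:
    """One 'route-map NAME permit|deny SEQ' clause with its match/set lines."""
    seq: int
    action: str = "permit"
    match_acl: Optional[str] = None
    next_hop: Optional[str] = None
    verify_availability: bool = False    # 'set ip next-hop verify-availability ... track N'
    set_interface: Optional[str] = None  # e.g. "Null0"
    precedence: Optional[int] = None     # 'set ip precedence N'
    hits: int = 0                        # the policy-match counter 'show route-map' prints


class Router:
    def __init__(self, acls, route_map, default_next_hop, tracked_up):
        self.acls: Dict[str, List[AclEntry]] = acls
        self.route_map = sorted(route_map, key=lambda s: s.seq)
        self.default_next_hop = default_next_hop       # what the RIB (default route) picks
        self.tracked_up: Dict[str, bool] = tracked_up  # object-tracking state per next-hop

    def forward(self, src: str, dst: str) -> dict:
        """Evaluate the ingress policy for one packet and return the decision."""
        decision = {"via": "rib", "next_hop": self.default_next_hop,
                    "dropped": False, "precedence": None}
        for s in self.route_map:
            if s.match_acl is not None and not acl_permits(self.acls[s.match_acl], src, dst):
                continue                      # no match: try the next sequence
            s.hits += 1
            if s.action == "deny":
                return decision               # deny clause: policy skipped, normal routing
            if s.precedence is not None:
                decision["precedence"] = s.precedence
            if s.set_interface == "Null0":
                decision.update(via="pbr", next_hop=None, dropped=True)
            elif s.next_hop is not None:
                if s.verify_availability and not self.tracked_up.get(s.next_hop, False):
                    return decision           # tracked next-hop is down: fall back to the RIB
                decision.update(via="pbr", next_hop=s.next_hop)
            return decision                   # first matching permit sequence wins
        return decision                       # nothing matched: routed by the normal table

    def show_route_map(self) -> Dict[int, int]:
        """Hit counts per sequence, as 'show route-map' reports them."""
        return {s.seq: s.hits for s in self.route_map}


def build_lab(ispb_up: bool = True) -> Router:
    """The article's R1 with PBR-TO-ISPB and PBR-BLOCK merged into one route-map."""
    acls = {
        "100": [AclEntry("permit", ("192.168.10.0", "0.0.0.255"))],  # Finance subnet
        "101": [AclEntry("permit", ("10.0.0.50", "0.0.0.0"))],       # 'host 10.0.0.50'
        "102": [AclEntry("permit", ("192.168.20.0", "0.0.0.255"))],  # constructed voice subnet
    }
    route_map = [
        Sequence(10, match_acl="101", set_interface="Null0"),         # drop the scanning host
        Sequence(20, match_acl="100", next_hop="209.165.201.2",
                 verify_availability=True),                           # Finance -> ISP-B
        Sequence(30, match_acl="102", precedence=5),                  # mark voice, route normally
    ]
    return Router(acls, route_map, default_next_hop="ISP-A (default route)",
                  tracked_up={"209.165.201.2": ispb_up})


if __name__ == "__main__":
    r1 = build_lab()
    print(r1.forward("192.168.10.25", "198.51.100.10"))   # Finance: via pbr to 209.165.201.2
    print(r1.forward("10.0.0.50", "192.168.10.1"))        # scanner: dropped
    print(build_lab(ispb_up=False).forward("192.168.10.25", "198.51.100.10"))  # ISP-B down
    print(r1.show_route_map())
```

Running it shows the behaviour the verification section asks you to confirm on the real router: a Finance packet leaves via 209.165.201.2, the blocked host's packets are discarded, a packet from an unmatched subnet follows the default route, and when the tracked ISP-B next-hop is marked down the same Finance packet silently falls back to the default route rather than being dropped, which is exactly why `show route-map` hit counts alone are not sufficient evidence that traffic is actually taking the policy path.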
What Undercode Say:
- Policy is Power: PBR elevates your network from a simple packet delivery system to an intelligent, policy-driven fabric, essential for modern SD-WAN and Zero Trust architectures.
- Verification is Mandatory: As seen in the lab, configuration is only half the battle. Mastering `show` and `debug` commands is crucial to ensure policies are enforced correctly and to avoid inadvertent blackholes.
- Security Integration: Using PBR to redirect traffic to firewalls or intrusion prevention systems (IPS) allows for “bump-in-the-wire” security inspection without changing endpoint configurations, providing a robust layer of network defense.
- Performance Engineering: By utilizing PBR for traffic engineering, organizations can significantly enhance user experience for critical applications and optimize expensive WAN links by offloading non-critical traffic to secondary paths.
- Foundation for Automation: Understanding the logic of route-maps and match/set conditions provides a direct pathway to understanding more complex automation and policy frameworks used in controller-based networks like Cisco ACI.
Prediction:
As networks evolve toward intent-based and SD-WAN architectures, the core principles of Policy-Based Routing will become even more critical. We predict that PBR logic will be abstracted into high-level business intents (e.g., “Finance traffic is most secure”), automatically translated into device configurations by controllers. However, for the foreseeable future, hands-on expertise with PBR will remain a non-negotiable skill for network engineers troubleshooting or designing hybrid cloud and multi-path enterprise environments.
Reported By: Sayed Hamza – Hackers Feeds