Cisco PBR
- Base routing decisions on configured rules rather than on the routing protocol and its learned routes.
- RISK: hard to maintain; can black-hole traffic if the network topology changes, because the policy is fixed while the routes it relies on are not.
- Debug:
- debug ip policy
- Example: applied to Ethernet0, it matches traffic entering that interface and forces it out Ethernet1 when the ACL matches.
- Note: The log keyword in access-list command is not supported by PBR.
interface Ethernet0
 ip address 172.16.1.1 255.255.255.0
 no ip directed-broadcast
 ip policy route-map net-10
!
access-list 111 permit ip 10.0.0.0 0.255.255.255 any
!
route-map net-10 permit 10
 match ip address 111
 set interface Ethernet1
 ! Only works if ARP can resolve the destination on Ethernet1.
 ! Alternative (better, forwards to the next-hop router):
 ! set ip next-hop 172.2.1.1
!
route-map net-10 permit 20
!
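The maintenance risk above is easiest to see with a check that reads a config fragment like this one and flags what goes stale after a topology change. The script below is an added example, not from the page or from Cisco: it parses interface addresses, ACL numbers and route-map clauses, then reports clauses that reference a missing ACL, a next hop that is not on any connected subnet (the black-hole case), or set interface on an Ethernet interface (the ARP caveat). The sample config is constructed; the 172.2.1.2/24 address on Ethernet1 and the net-20 route-map are assumptions added for the demonstration.

```python
import ipaddress

# Constructed sample config (an assumption, not the page's): the page's example
# with an address on Ethernet1, plus a stale policy whose ACL and next hop are gone.
SAMPLE = """
interface Ethernet0
 ip address 172.16.1.1 255.255.255.0
 ip policy route-map net-10
interface Ethernet1
 ip address 172.2.1.2 255.255.255.0
access-list 111 permit ip 10.0.0.0 0.255.255.255 any
route-map net-10 permit 10
 match ip address 111
 set interface Ethernet1
 set ip next-hop 172.2.1.1
route-map net-10 permit 20
route-map net-20 permit 10
 match ip address 112
 set ip next-hop 192.0.2.1
"""

def lint_pbr(config):
    # Flag dangling ACLs, off-subnet next hops (black-hole risk) and ARP-dependent set interface.
    nets, acls, clauses, findings, cur = [], set(), [], [], None
    for line in config.splitlines():
        w = line.split()
        if not w or w[0] == "!":
            continue
        if w[0] == "interface":
            cur = None                      # interface lines are not clause lines
        elif w[0] == "route-map":
            cur = (w[1], w[3], [])          # (name, sequence, clause lines)
            clauses.append(cur)
        elif w[0] == "access-list":
            acls.add(w[1])
        elif w[:2] == ["ip", "address"]:
            nets.append(ipaddress.ip_interface(f"{w[2]}/{w[3]}").network)
        elif cur:
            cur[2].append(w)
    for name, seq, lines in clauses:
        where = f"route-map {name} {seq}"
        for w in lines:
            if w[:3] == ["match", "ip", "address"] and w[3] not in acls:
                findings.append(f"{where}: ACL {w[3]} is not defined")
            if w[:3] == ["set", "ip", "next-hop"] and not any(
                    ipaddress.ip_address(w[3]) in n for n in nets):
                findings.append(f"{where}: next-hop {w[3]} is not on a connected subnet")
            if w[:2] == ["set", "interface"] and w[2].startswith("Ethernet"):
                findings.append(f"{where}: set interface {w[2]} depends on ARP resolution")
    return findings
```

Run it against a saved running-config (`show running-config` output) whenever an interface address or subnet changes; a clean result means every policy next hop is still directly reachable.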
- Note:
- Policy Based Routing for encrypted traffic
- Forward the decrypted traffic to a loopback interface in order to route the encrypted traffic based on policy routing, and then apply PBR on that interface. If the encrypted traffic is passed over a VPN tunnel, disable ip cef on the interface and terminate the VPN tunnel.
- Enables fast switching of PBR (per interface):
- Router(config-if)# ip route-cache policy
- Beginning in IOS 12.0, PBR is supported in the CEF switching path. CEF-switched PBR has better performance than fast-switched PBR and is therefore the optimal way to perform PBR on a router.
No special configuration is required to enable CEF-switched PBR. It is on by default as soon as you enable CEF and PBR on the router.
- Enabling Local PBR
- Packets that are generated by the router are not normally policy-routed. To enable local PBR for such packets, indicate which route map the router should use by using the following command in global configuration mode:
- Router(config)# ip local policy route-map map-tag
...