Advanced Policy-Based Routing Configuration Techniques

This post explores advanced Policy-Based Routing configuration techniques including complex match conditions, object tracking for reliability, local policy routing, and performance optimization strategies for enterprise networks.

Policy-based routing (PBR) enables you to override standard destination-based routing decisions by applying custom routing policies based on source addresses, protocols, or other packet characteristics. While basic PBR implementations route traffic based on simple access lists, advanced configurations leverage sophisticated matching criteria and multiple next-hop scenarios to address complex enterprise requirements.

Enhanced Route Maps with Complex Match Conditions

Advanced PBR implementations utilize multiple match criteria within route maps to create granular traffic control policies. Consider this enterprise scenario where you need different routing behavior based on both source network and application type:

access-list 101 permit tcp 192.168.10.0 0.0.0.255 any eq 80
access-list 101 permit tcp 192.168.10.0 0.0.0.255 any eq 443
access-list 102 permit tcp 192.168.20.0 0.0.0.255 any eq 1433
access-list 103 permit ip 192.168.30.0 0.0.0.255 any

route-map PBR-ADVANCED permit 10
 match ip address 101
 match length 64 1500
 set ip next-hop verify-availability 203.0.113.1 1 track 1
 set ip next-hop verify-availability 203.0.113.2 2 track 2

route-map PBR-ADVANCED permit 20
 match ip address 102
 set ip next-hop verify-availability 198.51.100.1 1 track 3
 set ip precedence 5

route-map PBR-ADVANCED permit 30
 match ip address 103
 set interface GigabitEthernet0/1
 set ip df 1

This configuration demonstrates several techniques. The match length clause keys on the IP packet length, which is the usual way to send small interactive packets and large bulk transfers down different paths; it says nothing about whether a packet is a fragment. The set ip next-hop verify-availability clauses tie each next hop to a tracking object and are tried in order of their sequence number, so a packet matching sequence 10 goes to 203.0.113.1 while track 1 is up and to 203.0.113.2 only when track 1 is down and track 2 is up; this needs a release with PBR object-tracking support, so check your platform's feature support rather than assuming it. set ip precedence marks traffic for QoS processing downstream, and set ip df 1 forbids fragmentation, so the path out of GigabitEthernet0/1 must carry full-size frames end to end or these packets are dropped, silently if ICMP Fragmentation Needed is filtered somewhere along it. Finally, every one of these matches keys on header fields the sender controls: a host that spoofs a 192.168.20.0/24 source address pulls its traffic onto the 198.51.100.1 path, so apply PBR on interfaces where the matched source ranges are enforced by ingress filtering or unicast RPF.

Implementing Reliable PBR with Object Tracking

Enterprise networks require PBR policies that adapt to link failures automatically. Object tracking integration keeps your policy routes usable when a primary path becomes unavailable. This implementation uses IP SLA, the IOS probe facility that continuously measures reachability and performance to a target, and binds its results to the route map through tracking objects:

track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
track 3 interface GigabitEthernet0/2 line-protocol

ip sla 1
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/0
 threshold 2000
 timeout 5000
 frequency 10

ip sla 2
 icmp-echo 203.0.113.2 source-interface GigabitEthernet0/0
 threshold 2000
 timeout 5000
 frequency 10

ip sla schedule 1 life forever start-time now
ip sla schedule 2 life forever start-time now

route-map PBR-FAILOVER permit 10
 match ip address 110
 set ip next-hop verify-availability 203.0.113.1 1 track 1
 set ip next-hop verify-availability 203.0.113.2 2 track 2
 set ip next-hop 10.1.1.1

This configuration creates a three-tier failover mechanism for the traffic that access-list 110 (not shown) selects. Each IP SLA probe sends an ICMP echo to its next hop every 10 seconds, sourced from GigabitEthernet0/0, and the track object stays reachable as long as a reply arrives within the 5000 ms timeout; the 2000 ms threshold only feeds the SLA statistics and does not change reachability. If the primary next hop 203.0.113.1 stops answering, track 1 goes down and traffic shifts to 203.0.113.2; if both tracked hops fail, the plain set ip next-hop sends it to 10.1.1.1, and without that clause the packet would simply be forwarded by the routing table. Three caveats apply. A successful ping proves only that the hop answers ICMP, not that it forwards beyond itself, so when you need path-level assurance probe an address past the next hop and pin the probe to the primary path with a host route for the probe target, otherwise a probe that succeeds over the backup link masks the failure. Track 3 watches only line protocol on GigabitEthernet0/2 and will not notice an upstream failure that leaves the link up. And a next hop that rate-limits ICMP makes the track flap; add delay down/up under the track object to damp short outages, and confirm the fallback order on your own platform with show route-map after forcing a track down.
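To make the matching rules of the previous section and the failover rules of this one concrete, here is an added Python simulator. It is not Cisco code and not part of the original post: it parses the numbered ACLs shown above, walks the route-map sequences in ascending order, honours match length, and picks among verify-availability next hops by their sequence number and track state. The Packet and Seq types, the ACL parser and the decision order are assumptions of this model; the tracked-hops-then-plain-hop fallback mirrors the three-tier behaviour described above and should be confirmed on real hardware.

```python
"""Simulate Cisco IOS policy-based routing decisions: an added illustration, not
vendor code. Models numbered extended ACLs (permit/deny, ip/tcp/udp/icmp, 'any' or
network plus wildcard, optional 'eq' port after source and/or destination),
route-map sequences tried in ascending order, 'match length', and tracked
'set ip next-hop verify-availability' hops tried before any plain next hop (the
order described in the text; confirm it on your platform)."""
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    length: int = 500     # IP total length in bytes

def parse_ace(line: str) -> tuple:
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]' into
    (action, proto, src_net, dst_net, sport_or_None, dport_or_None)."""
    tok = line.split()
    pos = 4

    def addr() -> ipaddress.IPv4Network:
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return ipaddress.ip_network("0.0.0.0/0")
        net, wild = tok[pos], tok[pos + 1]      # IOS wildcard (inverse) mask
        pos += 2
        mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wild)) ^ 0xFFFFFFFF)
        return ipaddress.ip_network(f"{net}/{mask}", strict=False)

    def port():
        nonlocal pos
        if pos < len(tok) and tok[pos] == "eq":
            pos += 2
            return int(tok[pos - 1])
        return None

    action, proto = tok[2], tok[3]
    src, sport = addr(), port()
    dst, dport = addr(), port()
    return (action, proto, src, dst, sport, dport)

def acl_permits(acl: list, pkt: Packet) -> bool:
    """First matching entry decides; no match at all is the implicit deny."""
    for action, proto, src, dst, sport, dport in acl:
        if (proto in ("ip", pkt.proto)
                and ipaddress.ip_address(pkt.src) in src
                and ipaddress.ip_address(pkt.dst) in dst
                and sport in (None, pkt.sport)
                and dport in (None, pkt.dport)):
            return action == "permit"
    return False

@dataclass
class Seq:
    seq: int
    acls: list = field(default_factory=list)     # match ip address A [B ...]
    length: tuple = None                         # match length MIN MAX
    tracked: list = field(default_factory=list)  # (order, next_hop, track_id)
    next_hop: str = None                         # plain set ip next-hop
    interface: str = None                        # set interface

def policy_route(rmap: list, acls: dict, tracks: dict, pkt: Packet) -> tuple:
    """Return ('next-hop', ip), ('interface', name) or ('routing-table', None)."""
    for s in sorted(rmap, key=lambda s: s.seq):
        if s.acls and not any(acl_permits(acls[a], pkt) for a in s.acls):
            continue
        if s.length and not (s.length[0] <= pkt.length <= s.length[1]):
            continue
        for _, hop, track in sorted(s.tracked):   # lowest sequence number first
            if tracks.get(track, False):          # use a hop only if its track is up
                return ("next-hop", hop)
        if s.next_hop:                            # untracked hop as last resort
            return ("next-hop", s.next_hop)
        if s.interface:
            return ("interface", s.interface)
        return ("routing-table", None)            # every tracked hop is down
    return ("routing-table", None)                # nothing matched: normal routing

# Constructed sample: the ACLs and PBR-ADVANCED sequences from the text above,
# plus ACL 120 from the local-policy section that follows.
ACLS = {101: [], 102: [], 103: [], 120: []}
for _line in [
    "access-list 101 permit tcp 192.168.10.0 0.0.0.255 any eq 80",
    "access-list 101 permit tcp 192.168.10.0 0.0.0.255 any eq 443",
    "access-list 102 permit tcp 192.168.20.0 0.0.0.255 any eq 1433",
    "access-list 103 permit ip 192.168.30.0 0.0.0.255 any",
    "access-list 120 permit tcp any any eq 22",
]:
    ACLS[int(_line.split()[1])].append(parse_ace(_line))

PBR_ADVANCED = [
    Seq(10, acls=[101], length=(64, 1500),
        tracked=[(1, "203.0.113.1", 1), (2, "203.0.113.2", 2)]),
    Seq(20, acls=[102], tracked=[(1, "198.51.100.1", 3)]),
    Seq(30, acls=[103], interface="GigabitEthernet0/1"),
]
```

Calling policy_route(PBR_ADVANCED, ACLS, {1: False, 2: True}, pkt) for an HTTPS packet from 192.168.10.5 returns the second hop; with both tracks down it returns ('routing-table', None), which is the case to reproduce on a real router by forcing a track down. A 1600-byte packet from the same host fails match length and skips sequence 10 entirely. Running acl_permits(ACLS[120], ...) on a packet with source port 22 returns False, which is why the local-policy ACLs below must match on the source port for the router's own server replies.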

Local Policy Routing for Router-Generated Traffic

Standard PBR only affects transit traffic, but local policy routing enables PBR for traffic originated by the router itself. This proves essential in scenarios where management traffic must follow specific paths:

access-list 120 permit tcp any eq 22 any
access-list 120 permit tcp any any eq 22
access-list 121 permit udp any eq 161 any
access-list 121 permit udp any any eq 162
access-list 122 permit tcp any any eq 443

route-map LOCAL-PBR permit 10
 match ip address 120
 set ip next-hop 192.0.2.10

route-map LOCAL-PBR permit 20
 match ip address 121 122
 set ip next-hop 192.0.2.20

ip local policy route-map LOCAL-PBR

The ip local policy route-map command applies the route map to packets the router itself generates; it does nothing for transit traffic or for packets the router receives. Direction matters in the ACLs: eq 22 after the destination matches sessions the router opens as an SSH client, whereas replies from the router's own SSH server leave with source port 22, so access-list 120 lists both. Likewise the SNMP agent answers polls from source port 161 and sends traps and informs to destination port 162, which is what access-list 121 covers, while HTTPS the router originates follows the second sequence. Keep these ACLs tight: a broad match such as permit ip any any would also steer routing-protocol adjacencies, TACACS+ or RADIUS, syslog and NTP onto the management path, and the path you choose should be one you trust with the credentials that travel over it.

Advanced Troubleshooting and Verification

Comprehensive verification requires multiple diagnostic approaches. Start with route-map hit counters, the interface-to-policy mapping, and the state of the objects the policy depends on:

show route-map PBR-ADVANCED
show ip policy
show track
show ip sla statistics
show access-lists 101
clear route-map counters PBR-ADVANCED
debug ip policy

The show route-map output displays a Policy routing matches counter for each sequence, helping identify which sequences are actually processing traffic; clear the counters, wait a measured interval, and read them again to get rates rather than totals since the last reload. show track reports whether each tracked next hop is currently up, and show ip sla statistics shows the probe results behind it. debug ip policy prints a line for every policy-routed packet and can saturate the CPU on a busy router, so restrict it by giving it an access-list number or run it only during a maintenance window. Only on legacy platforms that still fast-switch PBR does the policy cache matter:

show ip cache policy

When troubleshooting PBR failures, remember that current IOS and IOS-XE releases CEF-switch PBR automatically, so ip route-cache policy on the interface is only relevant on older fast-switching code. A packet that matches no permit sequence, or that matches a deny sequence, is routed normally; a matched packet is forwarded according to the set clauses in a fixed order: set ip next-hop, then set interface, then set ip default next-hop, then set default interface. set ip next-hop always overrides the routing table, while set ip default next-hop applies only when the routing table holds no explicit route for the destination (a default route does not count as one).

Performance Optimization Techniques

Large-scale PBR deployments require careful optimization to maintain forwarding performance. Use the most specific access lists possible and order route-map sequences by traffic volume, because the router evaluates sequences in ascending order and stops at the first match; place high-volume matches early. Reordering is only safe when the ACLs of the affected sequences are disjoint: a packet permitted by two ACLs is handled by the lower sequence, so swapping overlapping sequences changes policy, not just performance.

Choose the set clause to fit the link type. set interface is appropriate on point-to-point links; on a multi-access interface such as Ethernet the router has no Layer 2 next hop to resolve and must ARP for the final destination itself, which only works with proxy ARP on the far side, so use set ip next-hop with an adjacent next hop there. Plain set ip next-hop expects that adjacency; if the next hop is several routes away, use set ip next-hop recursive, which resolves it through the routing table at the cost of the extra lookup. For environments with frequent topology changes, re-examine hit counters periodically and reorder based on actual traffic patterns.

route-map PBR-OPTIMIZED permit 5
 match ip address HIGH-VOLUME-TRAFFIC
 set interface GigabitEthernet0/1

route-map PBR-OPTIMIZED permit 10
 match ip address MEDIUM-VOLUME-TRAFFIC
 set ip next-hop verify-availability 203.0.113.1 1 track 1

route-map PBR-OPTIMIZED permit 15
 match ip address LOW-VOLUME-TRAFFIC
 set ip next-hop 198.51.100.1
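The hit-counter workflow from the troubleshooting section and the reorder-by-volume advice above can be turned into a repeatable check. The following Python script is an added example, not Cisco tooling and not code from the original post: it parses two show route-map snapshots (constructed here to look like IOS output), converts cumulative counters into per-sequence rates, proposes an order, flags sequences that carried nothing, and reports tracked next hops that are down. The snapshot text, the 60-second interval and the function names are assumptions of the example.

```python
"""Rank PBR route-map sequences by observed hit rate from 'show route-map' output.
Added illustration, not vendor tooling. Counters are cumulative, so the difference
between two snapshots taken an interval apart gives the rate that matters for
ordering. Reordering is only semantics-preserving when the sequences' ACLs are
disjoint: a packet permitted by two ACLs always takes the lower sequence."""
import re

HEADER = re.compile(r"^route-map (\S+), (permit|deny), sequence (\d+)")
MATCHES = re.compile(r"Policy routing matches: (\d+) packets, (\d+) bytes")
TRACK = re.compile(r"verify-availability \S+ \d+ track (\d+)\s+\[(up|down)\]")

def parse_show_route_map(text: str) -> dict:
    """Map (route-map, sequence) -> {'action', 'packets', 'bytes', 'tracks'}."""
    entries, key = {}, None
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            key = (h.group(1), int(h.group(3)))
            entries[key] = {"action": h.group(2), "packets": 0, "bytes": 0, "tracks": {}}
            continue
        if key is None:
            continue
        m = MATCHES.search(line)
        if m:
            entries[key]["packets"], entries[key]["bytes"] = int(m.group(1)), int(m.group(2))
        t = TRACK.search(line)
        if t:
            entries[key]["tracks"][int(t.group(1))] = t.group(2)
    return entries

def hit_rates(before: dict, after: dict, seconds: float) -> dict:
    """Packets per second per sequence between two snapshots; a counter that went
    backwards (cleared or reloaded in between) counts as zero, not negative."""
    rates = {}
    for key, cur in after.items():
        prev = before.get(key, {"packets": 0})["packets"]
        rates[key] = max(cur["packets"] - prev, 0) / seconds
    return rates

def suggested_order(rates: dict, rmap: str) -> list:
    """Sequence numbers of RMAP, busiest first; ties keep their current order."""
    seqs = [s for (name, s) in rates if name == rmap]
    return sorted(seqs, key=lambda s: (-rates[(rmap, s)], s))

def idle_sequences(rates: dict, rmap: str) -> list:
    """Sequences that saw no traffic in the interval: review or retire them."""
    return sorted(s for (name, s), r in rates.items() if name == rmap and r == 0)

def down_tracks(entries: dict) -> list:
    """(route-map, sequence, track) for every tracked next hop currently down."""
    return [(n, s, t) for (n, s), e in entries.items()
            for t, state in e["tracks"].items() if state == "down"]

# Constructed snapshots shaped like IOS 'show route-map' output, 60 seconds apart.
SNAP_T0 = """\
route-map PBR-OPTIMIZED, permit, sequence 5
  Match clauses:
    ip address (access-lists): HIGH-VOLUME-TRAFFIC
  Set clauses:
    interface GigabitEthernet0/1
  Policy routing matches: 1204 packets, 96320 bytes
route-map PBR-OPTIMIZED, permit, sequence 10
  Match clauses:
    ip address (access-lists): MEDIUM-VOLUME-TRAFFIC
  Set clauses:
    ip next-hop verify-availability 203.0.113.1 1 track 1  [up]
  Policy routing matches: 58211 packets, 73519084 bytes
route-map PBR-OPTIMIZED, permit, sequence 15
  Match clauses:
    ip address (access-lists): LOW-VOLUME-TRAFFIC
  Set clauses:
    ip next-hop 198.51.100.1
  Policy routing matches: 0 packets, 0 bytes
"""
# Sixty seconds later: sequence 10 carried 60000 more packets, sequence 5 only
# 600 more, sequence 15 none, and track 1 went down in the meantime.
SNAP_T60 = (SNAP_T0.replace("1204 packets", "1804 packets")
                   .replace("58211 packets", "118211 packets")
                   .replace("[up]", "[down]"))

def analyse(before: str = SNAP_T0, after: str = SNAP_T60, seconds: float = 60) -> dict:
    """Reorder suggestion, idle sequences, down tracks and rates for two snapshots."""
    b, a = parse_show_route_map(before), parse_show_route_map(after)
    rates = hit_rates(b, a, seconds)
    return {"order": suggested_order(rates, "PBR-OPTIMIZED"),
            "idle": idle_sequences(rates, "PBR-OPTIMIZED"),
            "down": down_tracks(a), "rates": rates}
```

analyse() on the two constructed snapshots ranks sequence 10 ahead of 5, reports 15 as idle and flags track 1 as down. Before acting on the order it returns, confirm that HIGH-, MEDIUM- and LOW-VOLUME-TRAFFIC do not overlap; if they do, the current order is policy and must stay.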

PBR in MPLS VPN Environments

In MPLS VPN deployments, PBR operates within the customer VRF context, allowing service providers to implement customer-specific routing policies. Here's an example of PBR configuration within a VRF:

ip vrf CUSTOMER-A
 rd 65001:100
 route-target export 65001:100
 route-target import 65001:100

interface GigabitEthernet0/1
 ip vrf forwarding CUSTOMER-A
 ip address 10.1.1.1 255.255.255.0
 ip policy route-map CUSTOMER-A-PBR

route-map CUSTOMER-A-PBR permit 10
 match ip address 130
 set ip vrf CUSTOMER-A next-hop 10.2.2.1

access-list 130 permit ip 192.168.100.0 0.0.0.255 any

The set ip vrf ... next-hop form resolves the next hop inside the named VRF. A plain set ip next-hop on a VRF interface already resolves in that interface's VRF, so the sequence above behaves the same as the ordinary form; the VRF-qualified command (and its companion set ip global next-hop) exists to forward a matched packet into a different VRF or into the global table. That is a deliberate hole in the isolation the MPLS VPN provides, so treat the access list on such a sequence as a security boundary: keep it as narrow as the leak requires, and audit it alongside the VRF's route-target imports.

What's Next

With advanced PBR techniques mastered, the next logical progression involves integrating these policies with BGP communities for large-scale service provider implementations and exploring PBR interactions with SD-WAN overlay networks. The combination of PBR with MPLS traffic engineering provides powerful tools for traffic optimization in complex networks.

While IP SLA provides basic reachability monitoring, dedicated network monitoring tools such as PRTG Network Monitor, SolarWinds NPM and Nagios give deeper visibility into link performance and help you tune PBR thresholds and failover timing.
