Influencing Forwarding Conduct with Coverage Primarily based Routing


It had been a sizzling minute since I final put collectively a weblog, and I used to be fascinated by what is perhaps an fascinating subject. Nicely, as is typical, I thought of what I’d just lately run throughout, or labored on, in my “day job” as a part of the engineering workforce that builds and helps the lab environments for all of the Studying at Cisco coaching supplies.

On this explicit day, I used to be reviewing the present configurations of the core community routers (layer 3 switches actually) in our information facilities. I’m pretty new to this a part of the workforce, and I used to be to find that we had been leveraging Coverage Primarily based Routing to govern the forwarding habits for various kinds of visitors. I’m positive lots of you studying this weblog are conversant in the truth that there are all the time a number of methods to perform a job in networking (life actually, however undoubtedly in networking). As such, policy-based routing is a software within the community engineer’s toolkit that may typically be leveraged to deal with “odd enterprise necessities.”

And with that, I had a subject to make use of for this weblog and an accompanying video to kick off a brief video sequence referred to as “Technically Talking… with Hank Preston” on the Cisco U. by Studying and Certifications YouTube channel. Particularly, we’re going to take a look at how to configure policy-based routing to affect forwarding habits. The why I’ll depart for one more put up. 🙂

Additionally, for anybody finding out for the CCNP Enterprise certification, policy-based routing is on the ENARSI – Implementing Cisco Enterprise Superior Routing and Companies blueprint – “1.6 Configure and confirm policy-based routing.” 300-410 ENARSI is a focus examination that earns you the Cisco Licensed Specialist – Enterprise Superior Infrastructure Implementation certification.  So, it’s undoubtedly an ideal subject for the Cisco Studying weblog. Let’s dive proper in!

Setting the Stage

Earlier than we take a look at altering the standard routing and forwarding habits, let’s begin with the essential forwarding habits. For this exploration, I put the beneath community collectively in a Cisco Modeling Labs simulation. (You could find the topology file right here.)

Network Toplogy
The community topology used on this exploration of coverage based mostly routing and forwarding habits.

This community has two small LANs separated by a primary, single space OSPF community within the center. The prices within the OSPF community have been configured to make the perfect path from R1 to R5 by means of R3. We will see that in a pair methods.

First, let’s take a look at the interface prices on R1.

R1#present ip ospf interface temporary 

Interface    PID   Space            IP Handle/Masks    Value  State Nbrs F/C
Gi0/1.200    1     0        1     DR    0/0
Gi0/1.100    1     0        1     DR    0/0
Gi0/4        1     0           110   DR    1/1
Gi0/3        1     0           1     DR    1/1
Gi0/2        1     0           100   DR    1/1

Discover the prices for interface G0/2 and G0/4 (in direction of R2 and R4) have a value of 100 and 110 respectively, whereas the price of G0/3 (in direction of R3) is just one.

And now, we’ll confirm the routing desk entry for host H3 on R1.

R1#present ip route   

Routing entry for
  Identified through "ospf 1", distance 110, metric 3, sort intra space
  Final replace from on GigabitEthernet0/3, 00:23:02 in the past
  Routing Descriptor Blocks:
  *, from, 00:23:02 in the past, through GigabitEthernet0/3
      Route metric is 3, visitors share rely is 1

The routing desk lists the route as in direction of R3 out interface G0/3 — precisely as we’d anticipate.

The ultimate test will probably be a hint route from host H1.

H1:~$ traceroute -n

traceroute to (, 30 hops max, 46 byte packets
 1   5.534 ms  5.004 ms  3.038 ms
 2      5.528 ms  5.531 ms  4.137 ms       <- R3's G0/1 interface
 3      5.533 ms  5.656 ms  6.339 ms
 4   14.180 ms  9.787 ms  7.908 ms

And no huge shocker right here, the second hop within the hint is certainly R3.

Let’s shake issues up a bit bit.

Suppose there was some purpose that you simply wished to direct visitors acquired at router R1 from host H1 destined for H3 to cross by means of R2 . Possibly there was some visitors evaluation that occurred on that router. Or maybe that hyperlink is extra dependable, even when slower. There are any variety of causes this would possibly come up in a community design. The important thing half is that you simply don’t wish to change ALL forwarding habits, simply a few of it. You will have a “coverage,” so to talk, that identifies some visitors you wish to alter. That is the place coverage based mostly routing, sometimes called PBR, is available in.

Coverage based mostly routing can appear sophisticated. To be honest, if overused, it may well make networks very sophisticated and exhausting to take care of. Nonetheless, the technical fundamentals of PBR are fairly simple.

First, you want a solution to determine the visitors that you simply wish to apply the coverage to. Like many “matching” use instances in networking, that is typically completed with an access-list. So, right here’s the entry listing that I’ll use to match the visitors I’m inquisitive about.

ip access-list prolonged H1-to-H3
  10 allow ip host host

This single line prolonged ACL is all that’s wanted. I’m matching all IP visitors from H1 to H3, however I might be extra particular, to a selected port as properly. Possibly simply net visitors (tcp/80 & tcp/443) for instance.

Subsequent, a route-map is used to describe the coverage that we wish to configure. The “coverage” is made up of “match” circumstances to determine the visitors and “set” circumstances to make the “coverage based mostly adjustments” to the visitors that was matched.

Right here is the route-map for my coverage instance.

route-map POLICY-BASED-ROUTING allow 10
  description Site visitors from H1 -> H3 route by means of R2
  match ip handle H1-to-H3
  set ip next-hop

I’ve used the access-list I created in my “match ip handle” command. And, I’ve indicated that when visitors “matches” this coverage, I wish to “set” the next-hop to be

And spot the primary line within the configuration instance. It ends with the quantity “10.” This quantity identifies the place within the route map that this explicit coverage entry holds.  A route-map may be made up of many coverage units – every with a “match” and “set” assertion.  On this method, community engineers can have very granular management over how visitors is forwarded within the community.  Fairly useful proper!

Earlier than I am going a lot farther it’s undoubtedly necessary to notice that route-maps are used for extra than simply coverage based mostly routing.  The route-map assemble can be used as a part of high quality of service (QoS) configurations, routing protocol filtering, and BGP path manipulations.  So should you discover the configuration choices obtainable for match and set you’ll find a number of different choices.  Most of those are used to be used instances aside from coverage based mostly routing.

The final step to finish the configuration of my coverage is to use it to the router interface. Since this coverage is about controlling visitors from the LAN related to interface Gig0/1 on R1, that’s the place I’ll apply it.

interface Gig0/1.100
  ip coverage route-map POLICY-BASED-ROUTING

That’s it, we’ve configured coverage based mostly routing. Let’s take a look at to see if it’s working.

Testing the Outcomes

We’ll begin by rerunning the identical hint route command as earlier than and evaluating the outcomes.

1:~$ traceroute -n

traceroute to (, 30 hops max, 46 byte packets
 1  7.306 ms  3.017 ms  3.337 ms
 2     3.844 ms  4.335 ms  3.688 ms      <- R2's G0/1 interface
 3     7.906 ms  5.125 ms  5.962 ms
 4   8.951 ms  8.912 ms  7.348 ms

Take a look at that, visitors is certainly going by means of R2 now. However let’s confirm that it’s only for visitors to H3 by hint routing the visitors to H4.

H1:~$ traceroute -n

traceroute to (, 30 hops max, 46 byte packets
 1  3.681 ms  3.153 ms  2.563 ms
 2     3.613 ms  3.185 ms  3.747 ms     <- R3's G0/1 interface
 3     5.957 ms  7.555 ms  5.040 ms
 4  14.915 ms  7.157 ms  7.853 ms

Yep, visitors from H1 to H4 is certainly nonetheless following the “customary path” by means of R3. However what about visitors from H2 -> H3?  Will or not it’s redirected by means of R2?

H2:~$ traceroute -n

traceroute to (, 30 hops max, 46 byte packets
 1  7.284 ms  2.840 ms  3.173 ms
 2     3.526 ms  4.514 ms  3.498 ms    <- R3's G0/1 interface
 3     6.375 ms  7.212 ms  4.900 ms
 4   6.642 ms  6.270 ms  5.884 ms

Nope, solely visitors from H1 -> H3 is being redirected.

If we take a look at the routing desk on R1, we’ll see nothing has modified.

R1#present ip route   

Routing entry for
  Identified through "ospf 1", distance 110, metric 3, sort intra space
  Final replace from on GigabitEthernet0/3, 00:23:02 in the past
  Routing Descriptor Blocks:
  *, from, 00:23:02 in the past, through GigabitEthernet0/3
      Route metric is 3, visitors share rely is 1

There are a couple of helpful instructions on the router to test the standing of coverage based mostly routing.

First up, a primary “present” command value noting.

R1#present route-map 

route-map POLICY-BASED-ROUTING, allow, sequence 10
  Match clauses:
    ip handle (access-lists): H1-to-H3 
  Set clauses:
    ip next-hop
  Coverage routing matches: 12 packets, 756 bytes

This command offers “coverage match” statistics. We will see that once I ran this command there have been 12 matches to this point.

One other command that’s helpful is the “debug ip coverage” command. It offers helpful particulars in regards to the processing of the coverage as visitors flows by means of the router. However as with every “debug” command, watch out utilizing it on a manufacturing gadget as it may well put a heavy load on community units if there’s lots of visitors flowing by means of.

I’ll activate the debugging after which ship a single ICMP (ping) packet from H1 -> H3.

R1#debug ip coverage
Coverage routing debugging is on

*Apr 26 00:29:58.282: IP: s= (GigabitEthernet0/1.100), d=, len 84, FIB coverage match
*Apr 26 00:29:58.282: IP: s= (GigabitEthernet0/1.100), d=, len 84, PBR Counted
*Apr 26 00:29:58.282: IP: s= (GigabitEthernet0/1.100), d=, g=, len 84, FIB coverage routed

Evaluate the above output to the debug output once I ping H1 -> H4.

*Apr 26 00:31:00.294: IP: s= (GigabitEthernet0/1.100), d=, len 84, FIB coverage rejected(no match) - regular forwarding

Within the first instance, “FIB coverage match” signifies that the PRB coverage was triggered. And a following debug line exhibits that the visitors was “FIB coverage routed.” That’s the PBR in motion. Evaluate that to the output from the second ping that’s “FIB coverage rejected (no match) – regular forwarding.” That output is fairly descriptive.

Closing down

And with that, we’ve come to the tip of this put up. I hope this quick take a look at coverage based mostly routing helped break it down and introduce you to a brand new expertise software that you could put into your toolkit. Possibly it’ll aid you remedy a enterprise problem sometime. Or perhaps it’ll aid you in your preparation for the ENARSI examination or different research. Both method, thanks for hanging out with me immediately.

 Obtained a subject you’d like me to breakdown? Let me know within the feedback.



Be part of the Cisco Studying Community immediately at no cost.

Comply with Cisco Studying & Certifications

Twitter | Fb | LinkedIn | Instagram | YouTube

Use #CiscoCert to hitch the dialog.