
What Is Policy Based Routing in Networking?

Also known as: Policy Based Routing, PBR, route map, CCNP ENCOR PBR, ENARSI policy routing

Reviewed by Johnson Ajibi · Senior Network & Security Engineer · MSc IT Security

Quick Definition

Policy Based Routing is a way to make network traffic take a specific path based on rules you set, not just where it is going. Normally, routers only look at the destination address to decide the path. With PBR, you can choose a path based on things like the type of traffic, who sent it, or the size of the data packet. This gives you more control over how data flows across your network.

Must Know for Exams

Policy Based Routing is a significant topic in Cisco CCNP certification exams, particularly in the Implementing Cisco Enterprise Advanced Routing and Services (300-410 ENARSI) exam and the Implementing Cisco Enterprise Network Core Technologies (350-401 ENCOR) exam. These exams test a candidate's ability to design, configure, implement, and troubleshoot complex routing solutions. PBR appears in several exam objectives, including 'Layer 3 technologies' and 'Infrastructure services'.

In the ENCOR exam, PBR is part of the 'Routing Technologies' section, which covers advanced routing features beyond basic OSPF, EIGRP, and BGP. The exam expects you to understand the use cases for PBR, the configuration steps using route maps, and how to verify PBR operation using show commands like 'show ip policy' and 'show route-map'. In ENARSI, PBR is tested in more depth.

Candidates may be asked to configure PBR to redirect traffic for security or performance reasons, to troubleshoot a scenario where PBR is not working as expected, or to analyze a multi-path BGP environment and decide where PBR might help. The exam also tests your knowledge of the interaction between PBR and routing tables, including recursive lookups and the order of operations when both PBR and standard routing apply. For example, a common exam scenario might show a router with two internet links.

The candidate must write a PBR configuration that sends HTTP traffic to a web server over link A and all other traffic over link B. Questions may present a network diagram and ask which interface traffic will exit based on a given policy. You may also see troubleshooting questions where the PBR configuration is partially correct but missing a route-map sequence or a match statement.

Additionally, the exams test your understanding of performance implications: PBR can be CPU-intensive, so you should know when to use it and when alternative solutions like VRF or SD-WAN might be better. Because PBR is relatively straightforward compared to BGP or OSPF, examiners often use it as a differentiator — a candidate who understands PBR thoroughly will answer both configuration and troubleshooting questions quickly and accurately.

Simple Meaning

Imagine you are in a large office building with many hallways, floors, and exits. Normally, when someone needs to leave the building, they just follow the signs to the nearest exit. That is how standard routing works — the router looks at the destination address and sends the data out the best path to that address.

Now suppose your boss says that all mail from the marketing department must go through a special mailroom on the third floor before leaving the building, no matter where the mail is going. Maybe the marketing mail needs extra scanning for security. Also, all large packages must be sent out the back loading dock because they do not fit through the front doors.

And urgent packages marked red must go out through the express courier on the first floor. These are policies you create. You are no longer just following the quickest route to the destination.

You are making decisions based on other conditions: who sent it, how big it is, or how urgent it is. That is exactly what Policy Based Routing does for network traffic. Instead of always using the destination IP address to pick the path, a router configured with PBR can look at other attributes of the packet, such as its source IP address, the protocol (like HTTP, FTP, or VoIP), the packet size, or even the time of day.

Based on your policy rules, the router will forward that packet to a specific next-hop router, a specific interface, or even drop it. For example, you might send all video conferencing traffic across a high-bandwidth dedicated link, all employee web browsing out through a backup internet link, and all database backups through a separate secure link. This gives network administrators very fine-grained control over how different types of traffic are handled, which is extremely useful in complex enterprise networks where different applications have different performance or security requirements.

PBR is not a replacement for standard routing; it is an additional tool you use for special traffic that needs to be treated differently than the rest.

Full Technical Definition

Policy Based Routing (PBR) is a feature supported on Cisco IOS, IOS-XE, and many other network operating systems that allows a router to forward packets based on criteria other than the destination IP address in the routing table. Standard routing, also known as destination-based routing, relies on the longest prefix match of the destination IP address against the routing table to determine the next hop. PBR overrides this behavior for selected traffic by applying a route map (or policy map) to an incoming interface.

The route map contains a sequence of statements that match particular packet characteristics and then set specific forwarding actions. Common match criteria include source IP address, source and destination port numbers, protocol type (TCP, UDP, ICMP), packet length, IP precedence or DSCP values, and even the input interface. Set actions can include the next-hop IP address, output interface, and IP precedence or DSCP marking for QoS.

PBR is configured using route maps, which are logical sequences of permit or deny statements, each with a match clause and a set clause. When a packet arrives on an interface with an active PBR configuration, the router evaluates it against the route map statements in ascending order. If the packet matches a permit statement, the router applies the set actions indicated and forwards the packet accordingly, bypassing the regular routing table lookup.

If it matches a deny statement, the router reverts to standard destination-based routing for that packet. If no match is found, the packet is also forwarded using standard routing. It is important to note that PBR is applied on the ingress interface — it only influences the path the packet takes from that router onward, not the path the packet took to get to the router.

On Cisco routers, PBR can also set a next hop that is reached recursively via a route learned from a dynamic routing protocol, or set the output interface directly. PBR is often combined with Cisco Express Forwarding (CEF) for performance, though it still adds overhead on high-speed interfaces because every packet arriving on a policy-routed interface must be evaluated against the route map. The general concept of policy routing is described in RFC 1102 (Policy routing in Internet protocols), and PBR is widely implemented in enterprise and service provider networks.

It works at Layer 3 (the network layer) and is supported for both IPv4 and IPv6 traffic. For certification exams like CCNP ENARSI and ENCOR, learners need to understand the configuration syntax, the order of operations, the interaction with standard routing, and typical use cases such as traffic engineering, load balancing, and multi-homed internet connectivity.

Real-Life Example

Think of a large hospital with multiple entrances and departments. The hospital has a busy emergency room (ER) entrance, a main lobby entrance, and a loading dock for supplies. Normally, when a person arrives at the hospital, they just go to the nearest door.

That is like standard routing — everyone uses the destination address of the hospital and finds their own way. But now the hospital administration decides to set some rules. All ambulance patients must be directed to the ER entrance, regardless of which gate they arrive at.

All visitors with children must use the main lobby because it has a play area. All delivery trucks must use the loading dock, no matter what time it is. And all staff with security badges must enter through a separate staff entrance to avoid crowding the main lobby.

These are policies based on the type of person (patient, visitor, delivery driver, staff), not just the final destination (the hospital itself). In networking, PBR works the same way. Instead of every data packet going to the same router interface because its destination IP address is the same, PBR examines the packet's source (who sent it), its type (what kind of traffic), its size (like a large delivery), and other attributes.

The router then sends that packet out a specific interface based on the policy you set. For example, you might send all VoIP traffic (like ambulance patients) to a dedicated voice VLAN (the ER entrance), all bulk data transfers (like delivery trucks) to a separate high-bandwidth link (the loading dock), and all regular employee web browsing (like staff with badges) to the main internet link (the staff entrance). If one of these policies is not defined, traffic is handled with standard routing (finding the nearest door).

This analogy shows exactly how PBR gives network administrators the power to control traffic flow with granular, condition-based rules.

Why This Term Matters

Policy Based Routing matters in real IT work because it gives network engineers a way to manage traffic that standard routing cannot handle well. Enterprise networks often have multiple internet links, VPN connections, and WAN circuits that serve different purposes. For example, a company might have a fast but expensive MPLS link for critical business applications and a slower, cheaper broadband link for general internet access.

Without PBR, the router would send traffic to the destination network based on the routing table, which might not distinguish between a critical database query and a YouTube video. With PBR, the network team can write policies that send all traffic destined for a specific cloud application (like Salesforce) over the MPLS link while sending all other internet traffic out the cheaper link. This can save significant money while ensuring performance for important applications.

PBR is also important for traffic engineering in service provider networks. Internet service providers use PBR to steer customer traffic across specific paths to meet service level agreements (SLAs). For instance, they might send traffic for a high-paying customer through a less congested core router to guarantee low latency.

In cybersecurity, PBR can be used to redirect traffic to security appliances such as firewalls or intrusion prevention systems. For example, an organization might configure PBR to send all traffic from untrusted sources (like the internet) through a firewall for inspection before allowing it to reach internal servers. Additionally, PBR helps with load balancing across multiple links when the traffic mix is not symmetric.

By creating policies based on source IP or application, the network engineer can distribute the load more evenly than simple destination-based routing would allow. PBR also enables more efficient use of bandwidth by separating real-time traffic from bulk data transfers. In short, PBR is a critical tool for any network engineer working in medium to large networks where one-size-fits-all routing does not meet the diverse needs of users and applications.

How It Appears in Exam Questions

PBR appears in several distinct question types on CCNP exams. First, configuration questions typically present a scenario and ask you to complete a route map or set the correct match and set statements. For example, the question might state: 'An organization has two internet links: link A (192.168.1.2) and link B (10.0.0.2). Configure PBR on interface GigabitEthernet0/1 so that all traffic from subnet 10.10.10.0/24 is sent to link A and all traffic from subnet 10.10.20.0/24 is sent to link B.'

You must write the route-map sequences with the correct match ip address and set ip next-hop commands. Second, verification questions ask you to interpret the output of show commands. For instance, you might be given the output of 'show route-map' and asked to determine which traffic matches each sequence or whether the policy is working correctly.

You might need to identify why a match count is zero, which often indicates a missing access list or incorrect sequence ordering. Third, troubleshooting questions describe a network problem and provide partial configurations. For example, the WAN link is overloaded even though PBR was supposed to route video traffic to a separate link.

You must find the error: maybe the video traffic does not match the criteria (wrong port number, wrong access list), or the set next-hop statement points to a down interface. Another common troubleshooting pattern is the PBR not being applied to the correct interface: the route-map may be configured but the 'ip policy route-map' command is missing on the ingress interface. Fourth, scenario questions test your conceptual understanding.

They may ask: 'In which scenario is PBR a better solution than VRF-lite?' or 'What is the effect of a "deny" statement in a PBR route-map?' The answer to the latter is that deny causes the router to fall back to standard routing for the matching packet.

Fifth, multiple-choice questions might present different policies and ask which traffic will be forwarded where. For instance, a question might show a route-map with three sequences and four different packets, and ask which sequence each packet matches. Finally, drag-and-drop questions on the ENCOR exam sometimes present a list of match conditions and set actions that must be placed in the correct order to achieve a given policy.

In all these question types, the exam expects you to know not just the syntax but the logical flow: PBR evaluates matches in order, first match wins, and if no match, default routing is used. Understanding these patterns will help you score well on PBR questions.


Example Scenario

A medium-sized company called GreenLeaf Corp has two internet connections. The primary link is a fiber connection with a 100 Mbps speed and low latency, used for business-critical services like video conferencing and cloud ERP access. The secondary link is a cable broadband connection with 200 Mbps speed but higher latency, used for guest Wi-Fi and general web browsing.

The network administrator wants all traffic from the executive floor (subnet 192.168.1.0/24) to always use the primary fiber link to ensure high-quality video conferences and priority access to the company's financial system.

All other traffic, such as employee general browsing, should use the secondary broadband link to save bandwidth on the fiber link. The administrator decides to use Policy Based Routing on the router connected to both links. They create a route-map called EXECUTIVE-PRIORITY.

The first sequence in the route-map matches traffic with source IP address originating from 192.168.1.0/24 and sets the next-hop to the primary fiber link's gateway (203.0.113.1). The second sequence is a catch-all: it matches all other traffic and sets the next-hop to the secondary broadband gateway (198.51.100.1). The administrator applies this route-map to the internal interface where packets from employees enter the router. Now, when an executive launches a Zoom call, the router sees the source IP from the executive subnet, matches the first route-map sequence, and sends the packets out the fiber link.

When a regular employee streams a video, the source IP is not in the executive subnet, so the first sequence does not match, and the second sequence matches, sending that traffic out the broadband link. This ensures no conflict and optimal use of both internet links. This scenario shows exactly how PBR can be used to separate traffic streams based on source, without any change to the destination IP addresses.

Common Mistakes

Thinking PBR replaces the routing table for all traffic.

PBR only overrides the routing decision for traffic that matches the policy. All traffic that does not match the policy uses standard destination-based routing. Thinking PBR replaces routing entirely leads to misconfigurations where expected behavior does not occur for non-matching traffic.

Remember: PBR is an override for specific traffic, not a replacement for the routing table. Always configure a default route or use a catch-all sequence for unmatched traffic.

Applying the route-map to the outbound interface instead of the inbound interface.

PBR works on ingress traffic. The router only evaluates the policy when a packet arrives on an interface. Applying the policy to the outbound interface (the exit) has no effect, and the router will ignore the policy entirely.

Always apply the route-map to the ingress interface using the 'ip policy route-map' command. For example, if you want to control traffic leaving a LAN, apply it to the LAN-facing interface.

Forgetting to include an access list or prefix list in the match clause, or using an empty access list.

The match ip address command references an access list that defines what traffic matches. If the access list does not exist or is empty (no permit statements), no traffic will match the sequence, and the policy will be skipped.

Always create the access list with the correct source and/or destination before writing the route-map. Verify the access list with 'show access-list' to ensure it contains the intended entries.

Configuring overlapping sequences in the route-map without planning the order.

PBR evaluates route-map sequences in order and stops at the first match (first match wins). If a specific policy is placed after a broader policy, the specific policy will never be applied because the broader one matches first.

Place more specific policies at the beginning of the route-map (lower sequence number) and more general policies at the end. For example, match a small subnet first, then match a larger subnet, then use a default route for everything else.

Using PBR to set a next-hop that is not reachable via the routing table.

PBR can set a next-hop IP address, but the router must be able to reach that next-hop through a connected network or a route. If the next-hop is unreachable, the packet is dropped or falls back to standard routing, depending on the configuration.

Before configuring PBR, ensure the next-hop IP address is directly connected or that a static or dynamic route to that next-hop exists. Use 'ping' from the router to verify reachability.

Assuming PBR works for all types of traffic, including packets destined for the router itself.

PBR applies to packets that are routed through the router (transit traffic), not to packets destined for the router's own IP addresses (management traffic). For example, if a packet is addressed to the router's interface IP, PBR will not redirect it.

Use PBR only for traffic that you want to route through the router to another destination. For controlling how the router itself handles incoming management traffic, use other mechanisms like ACLs or policy maps for control plane policing.

Exam Trap — Don't Get Fooled

A PBR exam question may present a route-map with a deny statement at the beginning, followed by a permit statement, and ask what happens to traffic matching the deny. Many learners think deny means the traffic is dropped. Remember: In a PBR route-map, a deny statement does not drop the packet.

It simply means the router does not apply the policy from that sequence. Instead, the router falls back to standard destination-based routing for that packet. The packet is still forwarded normally.

Dropping traffic in PBR requires explicitly sending the matched packets to the Null0 interface with 'set interface Null0'. Read the documentation: a Cisco route-map deny for PBR means 'do not apply the policy, use the routing table'.
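The evaluation rules this page describes in the Full Technical Definition, the sequence-ordering mistake under Common Mistakes, and the deny behaviour in this Exam Trap can all be exercised in code. The Python model below is an added example, not code from the original page or from Cisco. It uses the prefixes and next hops from the Practical Mini-Lesson (10.1.1.0/24, 203.0.113.1, 198.51.100.1) and constructs everything else: the interface names, the exempted host 10.1.1.50, the router's own address 10.1.1.254, the internet host 192.0.2.80 and a default route via ISP2. A deny sequence, an unreachable next-hop and a packet addressed to the router itself all end up in the routing table path rather than being dropped, and build_lab(misordered=True) shows the ordering mistake.

```python
# Added example (not from the original page): a small model of how a Cisco
# router applies a PBR route-map, using the prefixes and next hops from the
# page's Practical Mini-Lesson. Interface names, host addresses and the
# routing table contents are constructed for the demonstration.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    ingress: str  # interface the packet arrived on


@dataclass
class Sequence:
    seq: int
    action: str                     # "permit" or "deny"
    acl: Optional[List[str]]        # prefixes the referenced ACL permits; None = no match clause
    next_hop: Optional[str] = None  # set ip next-hop


class Router:
    def __init__(self) -> None:
        self.routes = {}        # prefix -> next hop: the destination-based routing table
        self.reachable = set()  # next hops on an up, connected network
        self.route_maps = {}    # name -> list of Sequence
        self.policy = {}        # ingress interface -> route-map name (ip policy route-map)
        self.local_ips = set()  # the router's own interface addresses

    def table_lookup(self, dst: str) -> Optional[str]:
        """Standard routing: longest prefix match against the routing table."""
        addr = ipaddress.ip_address(dst)
        best = None
        for prefix, nh in self.routes.items():
            net = ipaddress.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best[1] if best else None

    @staticmethod
    def acl_permits(acl: Optional[List[str]], src: str) -> bool:
        if acl is None:  # a sequence without a match clause matches every packet
            return True
        return any(ipaddress.ip_address(src) in ipaddress.ip_network(p) for p in acl)

    def forward(self, pkt: Packet) -> Tuple[Optional[str], str]:
        """Return (next hop, reason), applying PBR before the routing table."""
        if pkt.dst in self.local_ips:
            return None, "destined to the router itself: PBR is not consulted"
        name = self.policy.get(pkt.ingress)
        if name is None:
            return self.table_lookup(pkt.dst), "no ip policy on ingress interface: routing table"
        for s in sorted(self.route_maps[name], key=lambda s: s.seq):  # ascending order
            if not self.acl_permits(s.acl, pkt.src):
                continue  # no match, try the next sequence
            if s.action == "deny":  # first match wins, even when it is a deny
                return self.table_lookup(pkt.dst), f"seq {s.seq} deny: routing table, packet not dropped"
            if s.next_hop in self.reachable:
                return s.next_hop, f"seq {s.seq} permit: policy next-hop"
            return self.table_lookup(pkt.dst), f"seq {s.seq} permit but next-hop unreachable: routing table"
        return self.table_lookup(pkt.dst), "no sequence matched: routing table"


def build_lab(misordered: bool = False) -> Router:
    """Router from the mini-lesson: dev VLAN 10.1.1.0/24 -> ISP1, everything else -> ISP2."""
    r = Router()
    r.routes["0.0.0.0/0"] = "198.51.100.1"  # constructed: default route via ISP2
    r.reachable.update({"203.0.113.1", "198.51.100.1"})
    r.local_ips.add("10.1.1.254")           # constructed: the router's LAN address
    specific = Sequence(10, "permit", ["10.1.1.0/24"], "203.0.113.1")
    catch_all = Sequence(20, "permit", None, "198.51.100.1")
    if misordered:  # the Common Mistakes ordering error: catch-all before the specific policy
        specific.seq, catch_all.seq = 20, 10
    r.route_maps["DEV-TO-ISP1"] = [
        Sequence(5, "deny", ["10.1.1.50/32"]),  # constructed: one host exempted from the policy
        specific,
        catch_all,
    ]
    r.policy["Gi0/1"] = "DEV-TO-ISP1"  # ip policy route-map DEV-TO-ISP1 on the LAN-facing interface
    return r


if __name__ == "__main__":
    lab = build_lab()
    for p in (Packet("10.1.1.10", "192.0.2.80", "Gi0/1"),
              Packet("10.1.2.10", "192.0.2.80", "Gi0/1"),
              Packet("10.1.1.50", "192.0.2.80", "Gi0/1"),
              Packet("10.1.1.10", "10.1.1.254", "Gi0/1")):
        print(p.src, "->", p.dst, lab.forward(p))
```

Running the file prints the forwarding decision and the reason for each sample packet. Removing 203.0.113.1 from the reachable set (the ISP1 link going down) makes the development traffic fall back to the routing table, which is the same behaviour the FAQ describes for an unreachable next-hop.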

Commonly Confused With

Policy Based Routing vs Route Maps for BGP Policy

Route maps used in BGP (Border Gateway Protocol) are used to filter or manipulate routing information exchanged between routers, such as setting BGP attributes like local preference or MED. PBR route maps are used to forward packets based on policies, not to influence routing updates. BGP route maps affect the routing table; PBR route maps bypass it for specific packet streams.

A BGP route map might be used to give a specific route a higher local preference so that traffic destined for that network uses a particular link. A PBR route map might be used to send all HTTP traffic to a specific next-hop regardless of the destination IP address.

Policy Based Routing vs Policy Based Routing with VRF

VRF (Virtual Routing and Forwarding) creates separate routing tables on a single router, each isolated from the others. PBR can be used to route traffic into a specific VRF based on policy. The key difference is that VRF itself does not route based on match criteria other than destination; PBR can be the mechanism to classify traffic into a VRF. They are often used together, but VRF is a broader concept of network virtualization.

A customer might have two VRFs, one for guest traffic and one for corporate traffic. PBR can be used on the incoming interface to match traffic by source IP and then place it into the appropriate VRF (with 'set vrf' or 'set ip vrf NAME next-hop'). Without PBR, traffic would be routed solely based on destination in the global table.

Policy Based Routing vs Access Control Lists (ACLs) for Security

ACLs are used to permit or deny traffic based on IP addresses and ports primarily for security filtering. ACLs either block or allow traffic at a particular point (inbound or outbound). PBR does not block traffic by default; it only changes the forwarding path. PBR can also be used for traffic filtering if you set the next-hop to a null interface, but that is a secondary use. The primary purpose of ACLs is security, while the primary purpose of PBR is traffic engineering.

An ACL configured on an interface might block all inbound traffic from a specific IP address range. A PBR configuration on the same interface might allow that traffic but send it through a different router interface for processing.

Policy Based Routing vs QoS Policy Maps

QoS (Quality of Service) policy maps classify traffic and apply actions like marking, policing, or shaping. They work at Layer 2-3 and are about managing bandwidth and prioritization, not changing the routing path. PBR changes the path itself. Whereas QoS might mark VoIP traffic with high priority and guarantee bandwidth on an interface, PBR would send VoIP traffic out a different interface altogether.

Using QoS, you can mark voice traffic with DSCP EF and guarantee it priority over data on a single link. Using PBR, you can send voice traffic out a dedicated link separate from the data link.

Step-by-Step Breakdown

Step 1: Identify traffic that needs special handling

First, determine which types of traffic should bypass the default routing table. This could be based on source IP, destination IP, protocol (HTTP, SSH, VoIP), packet size, or even the time of day. For example, you might identify that all traffic from the HR department must go through a security inspection appliance.

Step 2: Create a route map with a sequence number

A route map is a logical container that holds one or more policy statements, each with a sequence number. The router evaluates these statements in ascending order. The first statement that matches the traffic determines the action. Use the 'route-map NAME permit sequence' or 'route-map NAME deny sequence' command to start.

Step 3: Define match criteria using match commands

Inside each route map sequence, use one or more match commands to specify which packets the policy applies to. Common match commands include 'match ip address' (referencing an access list), 'match length' (for packet size), and 'match protocol'. You must create the referenced access list or ACL beforehand.

Step 4: Define set actions for matched traffic

For a permit sequence, configure set commands to tell the router what to do with matched traffic. The most common is 'set ip next-hop IP_ADDRESS', which overrides the routing table. You can also set the output interface with 'set interface', or set DSCP/IP precedence values. Multiple set commands can be combined.

Step 5: Apply the route map to the ingress interface

On the interface where the traffic enters the router, use the command 'ip policy route-map ROUTE-MAP-NAME'. This activates PBR for all incoming packets on that interface. Without this command, the route map is defined but not used.

Step 6: Verify the PBR configuration

Use show commands to confirm the policy is applied and working. 'show ip policy' lists interfaces with PBR and the associated route map. 'show route-map' displays each sequence, match counts, and set actions. 'show ip route' can confirm the next-hop is reachable. Test with a ping or traceroute from a source matching the policy.

Step 7: Troubleshoot if PBR is not working

If traffic does not follow the policy, check the following: Is the route map applied to the correct ingress interface? Does the access list permit the correct source/destination? Is the set next-hop reachable? Are there overlapping sequences where a previous sequence matches before your intended one? Use debug commands carefully in a lab to see packet matching.
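To practise the verification and troubleshooting steps offline, here is an added Python example (not code from the original page or from Cisco) that parses the three show outputs named in the verification step and flags the failure modes listed under Common Mistakes: a route-map that is defined but never applied with 'ip policy route-map', a match clause that references an access list which does not exist, and a sequence whose policy match counter is zero. The three captures are constructed in the shape of IOS 'show route-map', 'show access-lists' and 'show ip policy' output for the DEV-TO-ISP1 route-map from the Practical Mini-Lesson; the counters are invented and access list 20 is deliberately missing.

```python
# Added example (not from the original page): audit PBR verification output.
# The captures below are constructed in the shape of IOS 'show route-map',
# 'show access-lists' and 'show ip policy' output; counters are invented and
# access list 20 is deliberately absent to trigger a finding.
import re
from typing import Dict, List, Set

SHOW_ROUTE_MAP = """\
route-map DEV-TO-ISP1, permit, sequence 10
  Match clauses:
    ip address (access-lists): 10
  Set clauses:
    ip next-hop 203.0.113.1
  Policy routing matches: 4821 packets, 3129405 bytes
route-map DEV-TO-ISP1, permit, sequence 20
  Match clauses:
    ip address (access-lists): 20
  Set clauses:
    ip next-hop 198.51.100.1
  Policy routing matches: 0 packets, 0 bytes
"""

SHOW_ACCESS_LISTS = """\
Standard IP access list 10
    10 permit 10.1.1.0, wildcard bits 0.0.0.255 (4821 matches)
"""

SHOW_IP_POLICY = """\
Interface      Route map
Gi0/1          DEV-TO-ISP1
"""

SEQ_RE = re.compile(r"^route-map (\S+), (permit|deny), sequence (\d+)")
ACL_RE = re.compile(r"^\s+ip address \(access-lists\): (.+)$")
NH_RE = re.compile(r"^\s+ip next-hop (\S+)")
COUNT_RE = re.compile(r"^\s+Policy routing matches: (\d+) packets")
ACL_HDR_RE = re.compile(r"^(?:Standard|Extended) IP access list (\S+)")


def parse_route_map(text: str) -> List[dict]:
    """One dict per route-map sequence: map, action, seq, acls, next_hop, packets."""
    seqs: List[dict] = []
    cur = None
    for line in text.splitlines():
        m = SEQ_RE.match(line)
        if m:
            cur = {"map": m[1], "action": m[2], "seq": int(m[3]),
                   "acls": [], "next_hop": None, "packets": 0}
            seqs.append(cur)
        elif cur is None:
            continue  # text before the first sequence header
        elif (m := ACL_RE.match(line)):
            cur["acls"] = m[1].split()
        elif (m := NH_RE.match(line)):
            cur["next_hop"] = m[1]
        elif (m := COUNT_RE.match(line)):
            cur["packets"] = int(m[1])
    return seqs


def parse_acl_names(text: str) -> Set[str]:
    """Names/numbers of the access lists that actually exist on the router."""
    return {m[1] for line in text.splitlines() if (m := ACL_HDR_RE.match(line))}


def parse_ip_policy(text: str) -> Dict[str, str]:
    """interface -> route-map name, skipping the column header line."""
    applied: Dict[str, str] = {}
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) == 2:
            applied[parts[0]] = parts[1]
    return applied


def audit(route_map_text: str, acl_text: str, policy_text: str) -> List[str]:
    """Flag the failure modes the page lists: map not applied, missing ACL, zero matches."""
    findings: List[str] = []
    seqs = parse_route_map(route_map_text)
    acls = parse_acl_names(acl_text)
    in_use = set(parse_ip_policy(policy_text).values())
    for name in sorted({s["map"] for s in seqs}):
        if name not in in_use:
            findings.append(f"{name}: not applied to any interface with 'ip policy route-map'")
    for s in seqs:
        tag = f"{s['map']} seq {s['seq']}"
        for acl in s["acls"]:
            if acl not in acls:
                findings.append(f"{tag}: match references access list {acl}, which does not exist")
        if s["packets"] == 0:
            findings.append(f"{tag}: zero policy matches; check the ACL entries and sequence order")
    return findings


if __name__ == "__main__":
    for finding in audit(SHOW_ROUTE_MAP, SHOW_ACCESS_LISTS, SHOW_IP_POLICY):
        print(finding)
```

On the constructed captures the audit reports two findings, both for sequence 20: its access list is missing and, as a direct consequence, its match counter is zero. Feed it the real output of the three commands from a lab router to get the same checks against your own configuration.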

Practical Mini-Lesson

Policy Based Routing is a powerful tool for network engineers who need to control traffic flow in complex environments. In practice, you will most often use PBR in multi-homed networks where you have multiple ISP connections, or when you need to send specific traffic through a security appliance. The configuration itself is not too difficult, but the key to success is careful planning.

Before you write any configuration, you must clearly answer two questions: which traffic needs special treatment, and where do you want it to go? Write down the match criteria and the target next-hop or interface. For example, you might decide that all traffic from the development VLAN (10.1.1.0/24) to the internet should exit via ISP1 (203.0.113.1), while all other traffic uses ISP2 (198.51.100.1).

Now, create an access list that matches the development VLAN: 'access-list 10 permit 10.1.1.0 0.0.0.255'. Then create the route map: 'route-map DEV-TO-ISP1 permit 10' followed by 'match ip address 10' and then 'set ip next-hop 203.0.113.1'. If you also want all other traffic to go to ISP2, add a second sequence: 'route-map DEV-TO-ISP1 permit 20' with no match statement (which matches everything) and 'set ip next-hop 198.51.100.1'. Apply the route map to the LAN interface: 'int gi0/1' followed by 'ip policy route-map DEV-TO-ISP1'.

One important practical consideration is performance. On high-speed routers or when handling many packets, PBR can introduce overhead because each packet is evaluated against the route map.

In hardware-accelerated switches, PBR may be offloaded to hardware, which is much faster. However, on older or lower-end routers, PBR can significantly impact throughput. Therefore, use PBR sparingly and only for traffic that genuinely needs it.

Another practical tip: always test PBR in a lab environment first. Use a tool like iperf to generate traffic from specific sources and verify with traceroute that the packets take the expected path. Also remember that PBR is stateless — it does not affect return traffic unless you also apply a policy on the return path.

If you send traffic out one link, return traffic will still use the routing table, which may send replies back through a different link. This can cause asymmetric routing and problems with firewalls. To handle this, you may need to apply PBR on both sides or use other mechanisms like NAT or policy-based routing for return traffic.

In your professional work, you will also encounter PBR in the context of Cisco SD-WAN, where it is implemented differently, but the core idea is the same: steer traffic based on application, source, or other attributes. Overall, mastering PBR gives you precise control over network traffic, which is essential for meeting performance, security, and cost objectives in enterprise networks. Practice the configuration on a simulator or real lab until you can write a route-map from memory.

Memory Tip

Route maps are like a doorman at a club: they check each packet's 'ID' (match criteria) and direct it to a specific VIP line (set next-hop). Remember: apply to the entrance (ingress), not the exit.


Frequently Asked Questions

What is the main difference between PBR and standard routing?

Standard routing forwards packets based solely on the destination IP address using the routing table. PBR forwards packets based on other criteria such as source IP, protocol, or packet size, overriding the routing table for matching traffic.

Does PBR affect all traffic passing through the router?

No, PBR only affects traffic that matches the policy defined in the route map. Traffic that does not match any policy statement continues to be forwarded using standard destination-based routing.

Which Cisco exams test Policy Based Routing?

PBR is tested in the CCNP ENCOR (350-401) and CCNP ENARSI (300-410) exams. It may also appear in the CCNA exam at a high level, but the detailed configuration and troubleshooting are part of the CCNP curriculum.

Can PBR be used to block or drop traffic?

PBR is not designed to block traffic, but you can effectively drop matched traffic by sending it to the null interface ('set interface Null0'). However, ACLs or firewall rules are more appropriate for blocking traffic. PBR's primary use is to change the forwarding path.

What is the purpose of the 'deny' statement in a PBR route-map?

A 'deny' statement in a PBR route-map means the policy is not applied to matching traffic. Instead, the router falls back to standard destination-based routing for those packets. It does not drop the traffic.

How do I verify that PBR is working on a Cisco router?

Use the commands 'show ip policy' to see which interfaces have PBR applied, 'show route-map' to see the policy details and match counts, and 'debug ip policy' (in a lab) to see real-time matching of packets. Also, use traceroute from a matching source to confirm the path.

What happens if the next-hop set by PBR becomes unreachable?

If the next-hop is unreachable, the router will drop the packet or fall back to standard routing, depending on the Cisco IOS version and configuration. To avoid this, ensure the next-hop is always reachable, list more than one address in the 'set ip next-hop' statement so the router can use the first reachable one, or rely on a default route for the fallback.

Can I apply PBR to multiple interfaces on the same router?

Yes, you can apply the same or different route maps to multiple ingress interfaces. Each interface can have its own policy. The route map is applied per interface, and the router evaluates each packet independently on each interface.

Summary

Policy Based Routing is a vital network feature that gives engineers the ability to route traffic based on rules rather than just the destination address. Throughout this glossary page, we have broken down PBR from a simple analogy comparing it to directing people in a building to a full technical explanation of route maps, match criteria, and set actions. The key takeaway is that PBR provides granular control over traffic flow, which is essential in enterprise networks with multiple internet links, security requirements, or performance needs.

For CCNP exam candidates, understanding PBR is not optional — it is a tested topic on both ENCOR and ENARSI exams, appearing in configuration, verification, and troubleshooting questions. You must know the syntax, the order of operations, the difference between permit and deny in route maps, and how to apply the policy to the correct interface. Common mistakes like applying PBR to the wrong interface, forgetting access lists, or misordering sequences can cost you points in the exam and cause network issues in real life.

The exam trap of misinterpreting deny as a drop action is particularly tricky. By learning the step-by-step process, practicing on a lab, and remembering the memory tip of the doorman checking IDs at the entrance, you will be well prepared to handle any PBR question on your certification journey. Ultimately, PBR is a practical skill that makes you a more capable and confident network administrator.