Policy-Based Routing (PBR) gives you the power to override a router's normal destination-based routing decisions, steering traffic based on attributes like source IP, packet size, or application protocol. For the CCNA 200-301 exam (objective 3.7), PBR is an advanced topic that tests your understanding of how routing decisions can be made flexible beyond the routing table. In real networks, PBR is used for traffic engineering, cost optimization, and security policies—making it a valuable tool for any network engineer.
Imagine a massive concert venue with multiple entrances. Normally, everyone enters through the main gate, which uses a simple rule: first-come, first-served. But the venue manager wants to give VIP ticket holders a better experience. So they create a policy: any person holding a VIP ticket (identified by their wristband color) is directed to a separate, faster entrance on the left side. This policy is checked at the main gate before the normal entry rule. The security guard looks at each person's wristband: if it's gold, they point to the left entrance; otherwise, they let them proceed to the main gate. This is exactly how PBR works: before consulting the routing table (the main gate), the router checks a route map (the policy) to see if the packet matches certain conditions (like source IP or protocol). If it matches, the router forwards the packet to a specified next hop or interface, bypassing the normal routing decision. The guard doesn't need to know the layout of the venue—they just follow the policy. Similarly, PBR doesn't care about the destination; it cares about the attributes of the packet. This analogy also highlights that PBR is processed per-packet, not per-flow, and that it can be used to enforce traffic engineering policies without changing the underlying routing protocol.
What is Policy-Based Routing?
Policy-Based Routing (PBR) is a feature on Cisco IOS routers that allows you to make routing decisions based on policies defined by the network administrator, rather than solely on the destination IP address in the routing table. While traditional routing uses the longest prefix match, PBR uses a route map to match packets based on criteria such as source address, destination address, protocol type, packet length, or even application-level information. When a packet matches a policy, the router can forward it to a specific next hop, out a specific interface, or even discard it. PBR is configured on the interface where the packet is received (ingress interface) and affects all packets arriving on that interface, unless otherwise filtered.
Why Use PBR?
PBR is used for several reasons:
- Traffic engineering: Direct traffic from certain users or applications over specific links for load balancing or quality of service.
- Cost savings: Send bulk data transfers over a cheaper link while keeping interactive traffic on a faster, more expensive link.
- Security: Route traffic from untrusted sources to a firewall or inspection device.
- Multihoming: Control outbound traffic from different sources to different ISPs without relying on default routes.
How PBR Works Step by Step
1. Packet arrives on an ingress interface: The router receives a packet on an interface that has PBR configured via an ip policy route-map command.
2. Route map evaluation: The router evaluates the packet against the route map's match clauses in sequence. Each route map entry (sequence number) can have one or more match conditions and one or more set actions.
3. Match criteria: The match criteria can include:
   - Source IP address (via access-list or prefix-list)
   - Destination IP address (via access-list or prefix-list)
   - Protocol (IP, TCP, UDP, etc.)
   - Packet length
   - Interface type
4. Set actions: If a match is found, the router applies the set actions, which can include:
   - Setting the next-hop IP address
   - Setting the output interface
   - Setting the default next-hop (used only if no route exists in the routing table)
   - Setting the IP precedence or DSCP value
   - Setting the next-hop recursive (for load balancing)
5. Forwarding decision: The router forwards the packet according to the set action. If no match is found in the route map, the router falls back to normal destination-based routing.
PBR Configuration and Verification
To configure PBR, you first create a route map. Here is an example that forwards all traffic from source 10.1.1.0/24 to next-hop 192.168.1.1:

```
route-map PBR-MAP permit 10
 match ip address 100
 set ip next-hop 192.168.1.1
!
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
!
interface GigabitEthernet0/0
 ip policy route-map PBR-MAP
```

Verification commands:

```
show route-map
show ip policy
show ip local policy
```

Example output of show route-map:

```
route-map PBR-MAP, permit, sequence 10
  Match clauses:
    ip address (access-lists): 100
  Set clauses:
    ip next-hop 192.168.1.1
  Policy routing matches: 0 packets, 0 bytes
```

PBR and Fast Switching / CEF
By default, PBR is processed in software (process switching) on older platforms, but modern Cisco routers support CEF-based PBR (also called PBR with CEF switching). CEF-based PBR uses the Forwarding Information Base (FIB) to apply policies at hardware speed. However, not all match criteria are supported in CEF; for example, matching on packet length may require process switching. The command ip route-cache policy enables CEF-based PBR on an interface.
PBR Interaction with Routing Protocols
PBR does not affect routing tables or routing protocol updates. It only influences the forwarding decision for packets that match the policy. Routes learned via OSPF, EIGRP, etc., remain in the routing table. PBR can override the routing table for specific traffic, but it does not change the routing protocol's behavior. This is important: if you set a next-hop that is not reachable (e.g., the interface is down), the packet will be dropped unless you configure a fallback option like set ip default next-hop or use the ip policy route-map with a default route.
Defaults and Timers
PBR has no timers; it is a forwarding decision made per packet.
The default action for a route map if no match is found is to fall through to the next sequence. If no sequence matches, the router uses normal routing.
There is no built-in load balancing. You can list multiple next-hop addresses in a single set command for load sharing, but this is not true per-packet load balancing: the next hop is chosen per flow, based on a hash of the packet headers.
PBR vs. Policy Routing vs. Route Maps
It's important to distinguish PBR from route maps used for redistribution or BGP. PBR uses route maps, but route maps are also used for other purposes. The key is the ip policy route-map command on an interface, which invokes PBR.
Identify the Traffic to Match
First, determine which traffic you want to steer using PBR. This is typically based on source IP, destination IP, protocol, or application port. For example, you might want to route all HTTP traffic from a specific subnet to a web cache. Create an access list or prefix list that matches the desired traffic. Example: `access-list 100 permit tcp 10.1.1.0 0.0.0.255 any eq www`. This ACL matches HTTP traffic (port 80) from subnet 10.1.1.0/24 to any destination.
Create the Route Map
Define a route map with a sequence number and permit/deny keyword. Use `match` clauses to reference the ACL or other criteria. Use `set` clauses to specify the next-hop, output interface, or other actions. Example: `route-map PBR permit 10` followed by `match ip address 100` and `set ip next-hop 192.168.2.1`. The sequence number allows multiple policies; the router evaluates them in order until a match is found.
Apply the Route Map to an Interface
Enter interface configuration mode for the ingress interface (where the traffic comes in). Use the command `ip policy route-map PBR` to apply the route map. This tells the router to evaluate all incoming packets on that interface against the route map. For example: `interface GigabitEthernet0/0` then `ip policy route-map PBR`. The policy is applied only to traffic received on that interface, not to traffic originated by the router itself.
Verify the Configuration
Use `show route-map` to view the route map's match and set clauses, as well as packet counters. Use `show ip policy` to see which interfaces have PBR applied. Use `show ip local policy` to see any local PBR (for packets generated by the router). Example: `show route-map PBR` should show the sequence, match conditions, and set actions. The packet counters help verify if traffic is being matched.
Test and Troubleshoot
Generate traffic that matches the ACL (e.g., from a host in 10.1.1.0/24, send an HTTP request to any server). Use `debug ip policy` to see PBR decisions in real time (be cautious in production). Check the packet counters in `show route-map` to see if they increment. If not, verify the ACL is correct and that the interface is receiving the traffic. Also ensure the next-hop is reachable; PBR does not check reachability by default—if the next-hop is down, packets are dropped.
Consider Fallback Options
If the specified next-hop becomes unreachable, PBR will drop the packet unless you configure a fallback. Use `set ip default next-hop` to specify a next-hop that is used only if the routing table has no route to the destination. Alternatively, you can use multiple `set ip next-hop` commands; the router will try each in order until one is reachable. You can also configure a `set interface` as a fallback.
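As an added example (not code from this page or from Cisco), the following Python model walks a packet through the decision the steps above describe: the route map is evaluated before the routing table, `set ip next-hop` candidates are tried in order and the packet is dropped when none is reachable, and `set ip default next-hop` is consulted only when the table has no explicit route. The routing table, the reachable-next-hop set and sequence 20 are constructed assumptions; sequence 10 mirrors the page's PBR-MAP.

```python
import ipaddress

# Constructed sample state (assumption: a simplified router with a routing table,
# a set of currently reachable next hops, and a route map on the ingress interface).
ROUTING_TABLE = {                     # prefix -> next hop; longest prefix match wins
    "0.0.0.0/0": "203.0.113.1",       # default route
    "172.16.0.0/16": "10.0.0.2",      # an explicit route
}
REACHABLE = {"203.0.113.1", "10.0.0.2", "192.168.1.1", "192.168.2.1"}

# Sequence 10 mirrors the page's PBR-MAP (ACL 100 = source 10.1.1.0/24, next-hop 192.168.1.1).
# Sequence 20 is an assumed example of set ip default next-hop.
ROUTE_MAP = [
    {"seq": 10, "acl": ["10.1.1.0/24"], "next_hop": ["192.168.1.1"], "default_next_hop": []},
    {"seq": 20, "acl": ["10.3.3.0/24"], "next_hop": [], "default_next_hop": ["192.168.2.1"]},
]

def lookup(dst, table=ROUTING_TABLE):
    """Normal destination-based routing: return (network, next_hop) of the longest match."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, nh in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best

def forward(src, dst, route_map=ROUTE_MAP, reachable=REACHABLE, table=ROUTING_TABLE):
    """Forwarding decision for a packet received on a PBR-enabled ingress interface.
    Returns (decision, next_hop_or_reason); the route map is consulted before the table."""
    saddr = ipaddress.ip_address(src)
    for entry in route_map:
        if not any(saddr in ipaddress.ip_network(a) for a in entry["acl"]):
            continue                                   # no match: try the next sequence
        for nh in entry["next_hop"]:                   # set ip next-hop: first reachable wins
            if nh in reachable:
                return ("pbr", nh)
        if entry["next_hop"]:
            return ("drop", "next-hop unreachable")    # no fallback configured
        route = lookup(dst, table)                     # set ip default next-hop: an explicit
        if route and route[0].prefixlen > 0:           # route (not 0.0.0.0/0) still wins
            return ("routing-table", route[1])
        for nh in entry["default_next_hop"]:
            if nh in reachable:
                return ("pbr-default", nh)
        if entry["default_next_hop"]:
            return ("drop", "default next-hop unreachable")
        break                                          # matched but nothing usable was set
    route = lookup(dst, table)                         # normal destination-based routing
    return ("routing-table", route[1]) if route else ("drop", "no route")
```

Passing a different `reachable` set to `forward()` shows the black-hole case the text warns about: a matched packet with no reachable next hop and no fallback is dropped rather than routed by the table.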
In enterprise networks, PBR is commonly used for traffic engineering across multiple WAN links. For example, consider a company with two internet connections: a high-speed MPLS link for critical applications and a lower-cost DSL link for non-critical traffic. By using PBR on the internal router, the network engineer can match traffic from the finance department (source subnet) and force it out the MPLS link, while all other traffic uses the default route to the DSL link. This ensures that important financial transactions get priority bandwidth without needing complex QoS configurations.
Another common scenario is routing traffic through a security appliance. Suppose a company wants to inspect all traffic from the guest wireless network before it reaches the internet. On the router connected to the guest VLAN, PBR is applied to match all traffic from the guest subnet and forward it to the firewall's inside interface. The firewall then forwards it to the internet after inspection. This avoids changing the default gateway on the guest devices and allows transparent security enforcement.
A third scenario is load balancing outbound traffic from multiple servers. For instance, a data center may have two upstream routers. By using PBR on the server-facing switch, traffic from certain server VLANs can be sent to one router, and traffic from others to the second router, achieving a simple form of load sharing without dynamic routing protocols.
Performance considerations: PBR can be CPU-intensive if processed in software. On high-traffic links, it is essential to use CEF-based PBR (ip route-cache policy) to offload the processing to hardware. Misconfiguration can lead to black-holing traffic if the set next-hop is not reachable. Always verify reachability and consider using set ip default next-hop as a safety net. Also, PBR does not affect return traffic; return packets follow normal routing unless PBR is also applied on the return path.
For CCNA 200-301, PBR is tested under IP Connectivity (objective 3.7). The exam expects you to understand the concept and basic configuration, but not deep troubleshooting. You should know the command syntax, the difference between PBR and normal routing, and how to verify it.
Common wrong answers:
1. 'PBR changes the routing table.' – False. PBR overrides the forwarding decision for specific packets but does not modify the routing table. The routing table remains unchanged.
2. 'PBR is applied on the egress interface.' – False. PBR is configured on the ingress interface where the packet is received. The policy is evaluated before the routing table lookup.
3. 'PBR can match on destination only.' – False. PBR can match on many attributes, including source, protocol, packet length, etc. The CCNA exam may test that you can use source-based routing.
4. 'If the set next-hop is unreachable, the router uses the routing table.' – False. By default, if the next-hop is not reachable, the packet is dropped. You must configure a fallback (e.g., set ip default next-hop) to have it fall back to the routing table.
Specific commands to remember:
- ip policy route-map <name> (interface configuration)
- route-map <name> permit <seq>
- match ip address <acl>
- set ip next-hop <ip>
- show route-map
- show ip policy
Calculation traps: There are no calculations with PBR. However, you may be asked about the order of operations: PBR happens before the routing table lookup. Also, remember that PBR only affects packets received on the interface, not packets originated by the router (unless local PBR is used).
Decision strategy: On scenario questions, first identify if the goal is to override the routing decision for specific traffic. If yes, PBR is the answer. If the goal is to influence routing protocol updates or redistribution, route maps are used but not PBR. Also, if the question mentions 'policy-based routing', it's PBR; if it says 'route map', it could be for other purposes.
PBR is configured with `ip policy route-map` on the ingress interface.
Route maps use `match` (e.g., `match ip address`) and `set` (e.g., `set ip next-hop`) clauses.
PBR overrides the routing table for matched packets; unmatched packets use normal routing.
If the set next-hop is unreachable, the packet is dropped unless a fallback is configured.
PBR does not affect the routing table or routing protocol updates.
Use `show route-map` to verify matches and packet counters.
CEF-based PBR (`ip route-cache policy`) improves performance.
These come up on the exam all the time. Here's how to tell them apart.

| Policy-Based Routing (PBR) | Static Routing |
| --- | --- |
| Matches on multiple criteria (source, protocol, etc.) | Matches only on destination prefix |
| Applied per-packet on ingress interface | Configured globally and affects all traffic to that destination |
| Can override routing table for specific traffic | Cannot differentiate by source or protocol |
| Does not change routing table | Adds a route to the routing table |
| Uses route maps for configuration | Uses `ip route` command |
Mistake: PBR changes the routing table entries.
Correct: PBR only affects the forwarding decision for packets that match the policy; the routing table remains unchanged.
Candidates confuse policy routing with route redistribution or administrative distance changes.

Mistake: PBR is applied on the outbound interface.
Correct: PBR is applied on the inbound (ingress) interface where the packet is received.
The name 'policy routing' might imply the policy is applied when forwarding out, but it's actually evaluated before the routing decision.

Mistake: PBR can only match on destination IP address.
Correct: PBR can match on source IP, destination IP, protocol, packet length, and more via ACLs or other match criteria.
Candidates may think it's like a static route, but PBR is more flexible.

Mistake: If the set next-hop is unreachable, the router falls back to the routing table.
Correct: By default, the packet is dropped if the next-hop is unreachable; you must configure `set ip default next-hop` for fallback.
This is a common trap; the default behavior is to drop, not to use the routing table.
A static route is a fixed path to a destination network based on the destination IP, added to the routing table. PBR is a policy that overrides the routing table for specific traffic based on criteria like source IP, protocol, or packet length. Static routes are destination-based; PBR is policy-based. For example, a static route sends all traffic to 10.0.0.0/8 via next-hop 192.168.1.1, while PBR can send traffic from 10.1.1.0/24 to next-hop 192.168.2.1 regardless of destination.
Yes, but not true per-packet load balancing. You can configure multiple next-hop addresses in a single `set ip next-hop` command, and the router will use a hash of the source and destination IP to choose one next-hop per flow. This provides per-flow load balancing. For per-packet load balancing, you would need to use other mechanisms like CEF load balancing. PBR is more commonly used for policy-based traffic steering rather than pure load balancing.
Yes, PBR can be applied to multicast traffic, but it is not commonly used for that purpose. Multicast routing uses its own protocols (PIM) and RPF checks. PBR can override the RPF interface for multicast, which may cause issues. Cisco does not recommend using PBR for multicast unless you fully understand the implications. On the CCNA exam, you can assume PBR is for unicast traffic only.
`set ip next-hop` forces the packet to be forwarded to the specified next-hop, even if the routing table has a valid route. `set ip default next-hop` is used only if the routing table does not have a route to the destination (i.e., the packet would be sent to the default route). So `set ip default next-hop` is a fallback when there is no explicit route, while `set ip next-hop` always overrides.
Use `show route-map [name]` to see the match counters increment when packets match. Use `show ip policy` to confirm the interface has the policy applied. You can also use `debug ip policy` to see real-time decisions (use with caution). Additionally, you can generate test traffic and use `traceroute` from a source host to see if the path changes as expected.
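As an added example (not from this page or from Cisco IOS), this Python snippet parses two `show route-map` snapshots in the format shown earlier on this page and reports how much each sequence's packet counter grew, which is the check the answer above relies on. Both snapshots are constructed sample output.

```python
import re

# Constructed sample output in the format this page shows for `show route-map`,
# captured before and after sending test traffic from 10.1.1.0/24 (assumed).
BEFORE = """\
route-map PBR-MAP, permit, sequence 10
  Match clauses:
    ip address (access-lists): 100
  Set clauses:
    ip next-hop 192.168.1.1
  Policy routing matches: 0 packets, 0 bytes
"""
AFTER = """\
route-map PBR-MAP, permit, sequence 10
  Match clauses:
    ip address (access-lists): 100
  Set clauses:
    ip next-hop 192.168.1.1
  Policy routing matches: 25 packets, 2100 bytes
"""

HEADER = re.compile(r"^route-map ([^,]+), (permit|deny), sequence (\d+)")
MATCHES = re.compile(r"Policy routing matches: (\d+) packets, (\d+) bytes")

def parse_route_map(text):
    """Return {(name, seq): {"action", "packets", "bytes"}} from show route-map output."""
    entries, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:                                   # start of a new route-map sequence
            current = (m.group(1), int(m.group(3)))
            entries[current] = {"action": m.group(2), "packets": 0, "bytes": 0}
            continue
        m = MATCHES.search(line)
        if m and current:                       # counter line belongs to current sequence
            entries[current]["packets"] = int(m.group(1))
            entries[current]["bytes"] = int(m.group(2))
    return entries

def counter_delta(before, after):
    """Packet-counter growth per sequence; 0 means the policy matched no traffic."""
    b, a = parse_route_map(before), parse_route_map(after)
    return {key: a[key]["packets"] - b.get(key, {"packets": 0})["packets"] for key in a}
```

A delta of 0 for the expected sequence points at the ACL or the ingress interface, exactly the two things the troubleshooting step tells you to re-check.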
Yes, on multilayer switches (Layer 3 switches) that support PBR. The configuration is similar to routers. However, not all switches support PBR in hardware; some may require software processing, which can impact performance. Check the platform documentation. For CCNA, assume it works on routers and Layer 3 switches.
It applies a route map to an interface for policy-based routing. When a packet arrives on that interface, the router evaluates the route map. If the packet matches a `permit` sequence in the route map, the router applies the `set` actions (like next-hop). If no match is found, the router uses normal destination-based routing. The command is entered in interface configuration mode.