CCNA Policy-Based Routing (PBR) Questions

75 questions · Policy-Based Routing (PBR) · All types, answers revealed

1
MCQ · medium

A network engineer runs the following command on Router R1:

```
R1# show ip policy
Interface          Route-map
GigabitEthernet0/0 PBR-TEST
R1# show route-map PBR-TEST
route-map PBR-TEST, permit, sequence 10
  Match clauses:
    ip address (access-lists): 110
  Set clauses:
    ip next-hop 192.168.100.1
  Policy routing matches: 0 packets, 0 bytes
R1# show access-lists 110
Extended IP access list 110
    10 permit tcp 10.0.0.0 0.255.255.255 any eq 80
    20 permit tcp 10.0.0.0 0.255.255.255 any eq 443
R1# show ip route 192.168.100.1
Routing entry for 192.168.100.1/32
  Known via "ospf 1", distance 110, metric 20
  Last update from 10.1.1.2 on GigabitEthernet0/1
```

Based on this output, what is the most likely reason for zero policy routing matches?

A. The next-hop 192.168.100.1 is not reachable.
B. The access list 110 is not matching any traffic arriving on GigabitEthernet0/0.
C. The route map sequence number is too high.
D. The route map needs to be applied globally.
Answer: B

Zero matches indicate that no packets matching the ACL have been received on the interface where PBR is applied.

Why this answer

The access list 110 matches TCP traffic from 10.0.0.0/8 to any destination on ports 80 and 443. The route map is applied to GigabitEthernet0/0, but traffic arriving on that interface may not match these conditions. The next-hop is reachable, so the issue is likely that no traffic matching ACL 110 is entering GigabitEthernet0/0.

2
MCQ · easy

Which of the following is a valid 'set' action in a PBR route-map?

A. set metric 100
B. set ip next-hop 10.0.0.1
C. set tag 5
D. set community 100:100
Answer: B

This is a standard PBR action to override the routing table.

Why this answer

PBR supports 'set ip next-hop', 'set interface', 'set ip default next-hop', 'set default interface', and 'set ip tos/precedence'. 'set metric' is not a PBR action.

3
MCQ · medium

Which statement correctly describes the behavior of PBR when the next-hop specified in a 'set ip next-hop' command is unreachable?

A. The packet is dropped immediately.
B. The router sends an ICMP unreachable message.
C. The router uses the routing table to forward the packet.
D. The router uses the default route if configured.
Answer: C

If the PBR next-hop is unreachable, the router performs a normal routing table lookup.

Why this answer

If the next-hop is unreachable, PBR will fall back to the normal routing table lookup, unless a 'set ip default next-hop' is configured.

4
MCQ · medium

A network engineer is troubleshooting PBR on a Cisco router where traffic from subnet 172.16.1.0/24 should be forwarded to next-hop 10.10.10.2. The route map 'PBR-172' is applied to interface GigabitEthernet0/0. The engineer notices that the PBR policy is not working at all. The engineer checks the route map configuration and sees 'match ip address 110' and 'set ip next-hop 10.10.10.2'. The engineer also checks the ACL 110 and confirms it matches 172.16.1.0/24. The engineer then checks the interface configuration and sees 'ip policy route-map PBR-172' applied. What should the engineer do next to isolate the issue?

A. Check if the next-hop 10.10.10.2 is reachable via the routing table.
B. Add the 'set ip default next-hop' command to the route map.
C. Change the route map to use 'set interface' instead of 'set ip next-hop'.
D. Apply the route map to the outgoing interface instead of the incoming interface.
Answer: A

Correct because PBR requires the next-hop to be reachable; if not, traffic uses the routing table.

Why this answer

The engineer should verify that the next-hop 10.10.10.2 is reachable via a directly connected interface or a static route. PBR will not forward traffic to a next-hop that is not in the routing table or not directly connected, and will fall back to the routing table. The engineer can use 'show ip route 10.10.10.2' to check reachability.

5
MCQ · hard

A router is configured with PBR using a route-map that sets the next-hop to 10.0.0.2 for traffic from subnet 192.168.1.0/24. The route-map is applied inbound on interface GigabitEthernet0/0. The engineer also configures 'ip policy route-map' on the same interface. However, the engineer notices that PBR is not working for traffic that is fragmented. What is the most likely reason?

A. PBR only matches the first fragment; subsequent fragments are forwarded based on the routing table because they lack Layer 4 headers.
B. The route-map is missing a 'match fragment' command.
C. Fragmented packets are always dropped by PBR.
D. The ACL in the route-map is using a 'deny' statement for fragmented packets.
Answer: A

Fragments after the first do not have Layer 4 info, so ACLs with port matching fail; PBR may not apply.

Why this answer

PBR processes only the first fragment of a fragmented packet; subsequent fragments do not contain Layer 4 information (e.g., TCP/UDP ports) and may not match the ACL if it includes Layer 4 criteria. Additionally, PBR may not be applied to non-initial fragments by default, causing them to be forwarded normally.

6
MCQ · hard

A network engineer is troubleshooting PBR on a Cisco router where traffic from subnet 192.168.50.0/24 should be forwarded to next-hop 10.50.50.2. The route map 'PBR-50' is configured with 'match ip address 160' and 'set ip next-hop 10.50.50.2'. The engineer applies the route map to interface GigabitEthernet0/0. The engineer notices that PBR works for traffic from 192.168.50.0/24, but the router is also policy-routing traffic from other subnets that should not be affected. The engineer checks the ACL 160 and confirms it only matches 192.168.50.0/24. What is the most likely cause?

A. The route map has a sequence with no match condition, which matches all traffic.
B. The ACL 160 has a 'permit ip any any' statement at the end.
C. The 'ip policy route-map' command is applied to multiple interfaces, and traffic from other subnets is entering those interfaces.
D. The router is using CEF switching, and PBR is applied to all traffic regardless of ACL.
Answer: A, B

Correct because a route map sequence without a match condition will match all packets, causing PBR to apply to all traffic.

Why this answer

If PBR is affecting traffic from other subnets despite the ACL being correct, it could be because the route map has a permit statement without a match condition, or the route map is applied to multiple interfaces. However, a common cause is that the route map has a 'match ip address' that references an ACL with a 'permit ip any any' statement at the end, or the route map has a sequence that matches all traffic. The engineer should check the route map for any sequence that does not have a match statement.

7
MCQ · easy

A network engineer runs the following command to troubleshoot a Policy-Based Routing (PBR) issue:

```
R1# show route-map PBR-MAP
route-map PBR-MAP, permit, sequence 10
  Match clauses:
    ip address (access-lists): 101
  Set clauses:
    ip next-hop 10.1.1.2
  Policy routing matches: 50 packets, 6000 bytes
```

What does this output indicate?

A. PBR is successfully forwarding matching traffic to 10.1.1.2.
B. The next-hop 10.1.1.2 is not reachable.
C. The ACL 101 is misconfigured.
D. PBR is not applied to any interface.
Answer: A

The packet counter shows successful matches and forwarding.

Why this answer

The output shows that 50 packets have matched the route-map and have been policy-routed to next-hop 10.1.1.2. This indicates PBR is working.

8
MCQ · hard

A network engineer runs the following command on Router R1:

```
R1# show ip policy
Interface          Route-map
GigabitEthernet0/0 PBR-QOS
R1# show route-map PBR-QOS
route-map PBR-QOS, permit, sequence 10
  Match clauses:
    ip address (access-lists): 120
  Set clauses:
    ip next-hop 10.0.0.2
  Policy routing matches: 500 packets, 45000 bytes
R1# show access-lists 120
Extended IP access list 120
    10 permit ip 192.168.1.0 0.0.0.255 any
R1# debug ip policy
Policy routing debugging is on
*Mar 1 00:05:23.123: IP: s=192.168.1.100 (GigabitEthernet0/0), d=8.8.8.8, len 100, policy match
*Mar 1 00:05:23.123: IP: s=192.168.1.100 (GigabitEthernet0/0), d=8.8.8.8, len 100, policy rejected
```

Based on this output, what is the most likely problem?

A. The next-hop 10.0.0.2 is unreachable.
B. The access list 120 is misconfigured.
C. The route map is applied to the wrong interface.
D. The route map sequence number is incorrect.
Answer: A

The debug 'policy rejected' after a match typically means the set next-hop is not reachable, so the packet is not policy-routed.

Why this answer

The debug output shows 'policy match' followed by 'policy rejected'. This indicates that the packet matched the route map, but the set clause was not applied because the next-hop is unreachable or the route map's set condition fails (e.g., verify-availability if used, or next-hop not in routing table). The show route-map shows matches, but the packet is rejected and forwarded normally.

9
MCQ · hard

An engineer configures PBR with a route-map that sets the next-hop to 10.0.0.2 for traffic from subnet 192.168.1.0/24. The route-map is applied inbound on interface GigabitEthernet0/0. The engineer also enables 'ip cef' globally. Traffic from 192.168.1.0/24 is not being policy-routed; instead, it follows the routing table. What is the most likely cause?

A. CEF is disabled globally, causing PBR to fail.
B. The interface needs the 'ip route-cache policy' command to enable CEF support for PBR.
C. The route-map is missing a 'set interface' command.
D. The ACL in the route-map is using a named ACL instead of a numbered one.
Answer: B

CEF fast-switching bypasses PBR unless policy routing is explicitly enabled in CEF.

Why this answer

PBR and CEF interact in a specific way: PBR is processed in software (process switching) by default, but CEF-switched packets bypass PBR unless 'ip route-cache policy' is enabled on the interface. Without this command, CEF fast-switches packets, ignoring PBR.

10
MCQ · medium

Router R5 has the following configuration:

```
interface GigabitEthernet0/6
 ip address 10.5.5.5 255.255.255.0
 ip policy route-map PBR-METRIC
!
route-map PBR-METRIC permit 10
 match ip address 103
 set metric 50
!
access-list 103 permit ip any any
```

What is the effect of the 'set metric 50' command in this PBR context?

A. The metric of packets matching ACL 103 is set to 50, affecting routing decisions.
B. The route-map has no effect because 'set metric' is not a valid PBR action; packets are routed normally.
C. The router applies the metric to the route in the routing table for the source network.
D. The configuration is invalid and will be rejected by the router.
Answer: B

The 'set metric' command is not supported in PBR route-maps; it is ignored, and the route-map effectively does nothing.

Why this answer

The 'set metric' command in a route-map used for PBR is not a standard PBR action. PBR actions include set ip next-hop, set interface, set ip default next-hop, set default interface, and set ip tos/precedence. 'set metric' is used in redistribution route-maps, not PBR. This configuration will not cause an error, but the metric setting is ignored for PBR.

11
MCQ · medium

A network engineer runs the following command on Router R1:

```
R1# show ip policy
Interface          Route-map
GigabitEthernet0/1 PBR-MAP
R1# show route-map PBR-MAP
route-map PBR-MAP, permit, sequence 10
  Match clauses:
    ip address (access-lists): 101
  Set clauses:
    ip next-hop verify-availability 10.1.1.2 10 track 1
  Policy routing matches: 150 packets, 12000 bytes
R1# show track 1
Track 1
  IP SLA 1 reachability
  Reachability is Down
    1 change, last change 00:05:20
  Latest operation return code: timeout
  Tracked by:
    ROUTE-MAP 0
```

Based on this output, what is the most likely outcome?

A. Packets matching ACL 101 are forwarded to 10.1.1.2 regardless.
B. Packets matching ACL 101 are dropped.
C. Packets matching ACL 101 are routed normally via the routing table.
D. The route map is removed from the interface due to the track failure.
Answer: C

When the tracked object is down, PBR skips the set clause and the packet is forwarded using the destination-based routing table.

Why this answer

The route map uses 'ip next-hop verify-availability' with tracking. Track 1 is down because IP SLA 1 reports unreachability. Therefore, the set clause will not be applied, and packets matching ACL 101 will not be forwarded to 10.1.1.2; they will be routed normally via the routing table.

12
MCQ · medium

Router R2 has the following configuration:

```
interface GigabitEthernet0/2
 ip address 10.2.2.2 255.255.255.0
 ip policy route-map CHECK
!
route-map CHECK permit 10
 match ip address 101
 set interface GigabitEthernet0/3
!
access-list 101 permit tcp any any eq 80
```

What is the effect of this configuration?

A. Incoming TCP packets with destination port 80 on G0/2 are forwarded out G0/3, overriding the routing table.
B. Outgoing TCP packets with source port 80 on G0/2 are forwarded out G0/3.
C. All TCP traffic is forwarded out G0/3 regardless of port.
D. The configuration is invalid because 'set interface' cannot be used with a route-map.
Answer: A

PBR matches the ACL and sets the output interface, bypassing the routing table.

Why this answer

The route-map matches TCP traffic with destination port 80 (HTTP) and sets the output interface to GigabitEthernet0/3. This is applied inbound on GigabitEthernet0/2.

13
Multi-Select · hard

Which TWO statements about Policy-Based Routing (PBR) are true? (Choose TWO.)

Select 2 answers
A. PBR is applied on the inbound interface of the router.
B. If a 'set interface' command specifies a down interface, the packet is automatically routed using the routing table.
C. PBR can be used to override the routing table for locally generated packets.
D. The 'set ip default next-hop' command overrides the routing table even when a route exists.
E. PBR uses a route-map to define match criteria and set actions for traffic.
Answers: A, E

PBR is configured with 'ip policy route-map' under the interface, which processes incoming packets.

Why this answer

PBR uses a route-map with match and set commands to override the routing table for selected traffic. The 'set interface' command can specify an outgoing interface, and if that interface is down, the packet is dropped unless a 'set ip next-hop' is also configured as a backup. PBR does not affect the router's own originated traffic by default.

The 'set ip default next-hop' is used only when there is no explicit route in the routing table, not for overriding an existing route. PBR is applied on the inbound interface.

14
MCQ · medium

Router R3 has the following configuration:

```
interface GigabitEthernet0/4
 ip address 10.3.3.3 255.255.255.0
 ip policy route-map PBR-IN
!
route-map PBR-IN permit 10
 match ip address 102
 set ip next-hop verify-availability 192.168.2.1 10 track 1
!
access-list 102 permit ip 10.3.3.0 0.0.0.255 any
```

What is the effect of the 'set ip next-hop verify-availability' command?

A. The next-hop 192.168.2.1 is used only if track object 1 is up; otherwise, normal routing applies.
B. The next-hop 192.168.2.1 is always used regardless of track status.
C. The router pings 192.168.2.1 every 10 seconds to verify reachability.
D. The configuration is invalid because 'verify-availability' requires a sequence number.
Answer: A

verify-availability checks the track object; if down, PBR does not use that next-hop and falls back to routing table.

Why this answer

This command enables Cisco Express Forwarding (CEF) and uses tracking to verify next-hop reachability. If the tracked object (track 1) is down, the next-hop is not used.

15
MCQ · hard

A DMVPN network uses PBR to route traffic from spoke routers to specific hubs based on source IP. After a hub failure, traffic from spoke 1 (source 192.168.1.0/24) is being sent to a backup hub, but the backup hub drops the traffic. Router R1 (spoke) shows: 'show ip policy' shows PBR applied, 'debug ip policy' shows traffic being forwarded to next-hop 10.1.1.2 (backup hub). Router R2 (backup hub) shows: 'show ip route 192.168.1.0' returns no route. What is the root cause?

A. The backup hub does not have a route to the source subnet, causing it to drop traffic. Add a static route or enable routing protocol on the backup hub for the spoke subnet.
B. The PBR route-map on the spoke is missing a 'set ip next-hop verify-availability' command, causing it to use the backup hub even when it is not fully reachable.
C. The spoke's routing table has a better route to the destination via the backup hub, overriding PBR.
D. The backup hub has a route to the source subnet but with a higher administrative distance, causing it to be ignored.
Answer: A

PBR forwards traffic to the backup hub, but without a return route, the hub cannot respond. This is a common issue in DMVPN with PBR when hubs are not fully meshed.

Why this answer

PBR on the spoke forwards traffic to the backup hub, but the backup hub does not have a route back to the source subnet (192.168.1.0/24). This causes asymmetric routing, where the backup hub drops the traffic because it cannot find a return route. The solution is to ensure the backup hub has a route to the spoke subnet, either via dynamic routing or a static route.

16
Multi-Select · hard

Which TWO statements about PBR and route-map sequence numbers are true? (Choose TWO.)

Select 2 answers
A. If a packet matches a route-map sequence with a 'permit' keyword, the set actions are applied, and no further sequences are evaluated.
B. If a packet matches a route-map sequence with a 'deny' keyword, the packet is dropped immediately.
C. The 'match ip address' command in a PBR route map can reference a named or numbered ACL, but not a prefix list.
D. If no sequence in a PBR route map matches a packet, the packet is forwarded using the routing table (normal routing).
E. The 'set ip next-hop' command can be used in a route-map sequence with a 'deny' keyword to override the default behavior.
Answers: A, D

Correct. Once a packet matches a permit sequence, the set actions are applied and evaluation stops; subsequent sequences are ignored.

Why this answer

Route maps used for PBR are evaluated in sequence number order. Each sequence can have match and set statements. If a packet does not match any permit sequence, it is subject to normal routing (implicit deny).

The 'match ip address' command can reference an ACL or prefix list. The 'set' commands in a permit sequence are executed only when the match conditions are met.

17
MCQ · easy

What is the default action for a packet that does not match any route-map entry in a PBR policy?

A. The packet is dropped.
B. The packet is forwarded using the routing table.
C. The packet is sent to the CPU for processing.
D. The router sends an ICMP unreachable message.
Answer: B

This is the default behavior for unmatched packets.

Why this answer

If no route-map entry matches, the packet is forwarded using the normal routing table lookup. PBR does not drop unmatched packets by default.

18
Multi-Select · hard

Which TWO statements correctly describe the behavior of Policy-Based Routing (PBR) when using the 'set ip next-hop' and 'set ip default next-hop' commands? (Choose TWO.)

Select 2 answers
A. The 'set ip next-hop' command overrides the routing table only when the next-hop address is reachable; if unreachable, the packet is dropped unless a default route exists.
B. The 'set ip default next-hop' command is used to forward packets that match the route-map permit statement, regardless of whether a route exists in the routing table.
C. The 'set ip next-hop verify-availability' feature uses ICMP echo requests to verify next-hop reachability before applying PBR.
D. When using 'set interface' in a PBR route map, the router forwards the packet out the specified interface without requiring a next-hop IP address, but the interface must be up/up.
E. If a route map with 'set ip next-hop' is applied inbound on an interface, PBR processes only the first packet of a flow; subsequent packets use the routing table.
Answers: A, D

Correct. PBR with 'set ip next-hop' requires the next hop to be reachable; if not, the packet is forwarded using the routing table (if a default route exists) or dropped.

Why this answer

PBR uses route maps to override the routing table. The 'set ip next-hop' command is applied only if the packet matches the match criteria; if the next hop is unreachable, the packet is dropped (unless a default route exists). The 'set ip default next-hop' command is used only when the routing table has no explicit route for the destination.

The 'set ip next-hop verify-availability' option tracks reachability using CEF. The 'set interface' command does not require a next-hop IP but can be used for directly connected networks.

19
MCQ · hard

A network engineer runs the following command on Router R1:

```
R1# show ip policy
Interface          Route-map
GigabitEthernet0/0 PBR-MULTI
R1# show route-map PBR-MULTI
route-map PBR-MULTI, permit, sequence 10
  Match clauses:
    ip address (access-lists): 140
  Set clauses:
    ip next-hop 10.0.0.2 10.0.0.3
  Policy routing matches: 200 packets, 18000 bytes
R1# show ip route 10.0.0.2
Routing entry for 10.0.0.2/32
  Known via "eigrp 1", distance 90, metric 28160
  Last update from 192.168.1.2 on GigabitEthernet0/1
R1# show ip route 10.0.0.3
% Network not in routing table
```

Based on this output, what is the most likely behavior for packets matching ACL 140?

A. Packets are load-balanced between 10.0.0.2 and 10.0.0.3.
B. Packets are forwarded to 10.0.0.2.
C. Packets are dropped because one next-hop is unreachable.
D. Packets are forwarded to 10.0.0.3 via a recursive lookup.
Answer: B

Since 10.0.0.2 is reachable, PBR uses it. The unreachable 10.0.0.3 is ignored.

Why this answer

When multiple next-hops are specified in a set clause, PBR tries them in order. The first reachable next-hop is used. Here, 10.0.0.2 is reachable, so packets are forwarded to 10.0.0.2.

The second next-hop is not reachable, but that does not affect the first.

20
MCQ · hard

A multi-router network uses PBR to steer traffic from subnet 172.16.1.0/24 through a WAN link (next-hop 10.10.10.2). After a routing change, traffic from this subnet is being dropped. Router R1 shows: 'show route-map' indicates the route-map is applied, 'show ip policy' shows the policy on the interface, but 'debug ip policy' shows 'PBR: no route to next-hop 10.10.10.2'. What is the root cause?

A. The next-hop 10.10.10.2 is not reachable, and PBR drops packets when no route to the next-hop exists. Configure a fallback route or use 'set ip default next-hop'.
B. The ACL in the route-map is incorrectly denying traffic from 172.16.1.0/24, causing PBR to not match the traffic.
C. The interface where PBR is applied is in a different VRF, causing the next-hop to be unreachable.
D. The next-hop 10.10.10.2 is reachable but the route-map has a 'match ip address' that is too specific, excluding some traffic.
Answer: A

PBR drops packets if the set next-hop is not reachable. Using 'set ip default next-hop' allows PBR to use the routing table as a fallback if the next-hop is unreachable.

Why this answer

PBR requires the next-hop to be reachable via a route in the routing table. If the next-hop is not reachable (e.g., due to a routing change or a missing route), PBR will drop the packet unless a fallback is configured. In this case, the next-hop 10.10.10.2 is not reachable, so PBR drops the traffic.

The solution is to either ensure the next-hop is reachable or configure a default route or fallback action.

21
MCQ · medium

What is the default administrative distance for a route installed by Policy-Based Routing (PBR) using the 'set ip next-hop' command?

A. 0
B. 1
C. The administrative distance of the routing protocol that learned the route.
D. 120
Answer: C

PBR does not alter the administrative distance; the route retains the AD of the original routing protocol.

Why this answer

PBR does not change the administrative distance of the route; the route is installed with the AD of the routing protocol that learned it. The 'set ip next-hop' command does not modify AD.

22
MCQ · medium

A network engineer runs the following command to troubleshoot a Policy-Based Routing (PBR) issue:

```
R1# debug ip policy
Policy routing debugging is on
R1#
*Mar 1 00:10:45.456: IP: s=172.16.1.5 (FastEthernet0/0), d=8.8.8.8, len 64, policy match
*Mar 1 00:10:45.456: IP: s=172.16.1.5 (FastEthernet0/0), d=8.8.8.8, len 64, policy routed
*Mar 1 00:10:45.456: IP: FastEthernet0/0 to Serial0/0 10.1.1.2
```

What does this output indicate?

A. The packet was successfully policy-routed to 10.1.1.2 via Serial0/0.
B. The packet was dropped due to no matching route.
C. The next-hop 10.1.1.2 is unreachable.
D. The route-map is misconfigured with wrong ACL.
Answer: A

The output shows 'policy routed' and the egress interface and next-hop.

Why this answer

The debug shows a packet from 172.16.1.5 to 8.8.8.8 that matched the policy and was routed out of Serial0/0 to next-hop 10.1.1.2. This indicates successful PBR operation.

23
MCQ · medium

When using 'set ip next-hop verify-availability', what mechanism does the router use to determine if the next-hop is reachable?

A. It sends an ICMP echo request to the next-hop every 10 seconds.
B. It checks the ARP table for the next-hop MAC address.
C. It uses a tracked object that can be based on IP SLA, interface state, or other criteria.
D. It performs a recursive routing table lookup to see if the next-hop is reachable.
Answer: C

The track object defines the condition; if the track is up, the next-hop is considered reachable.

Why this answer

The 'verify-availability' option uses a tracked object (configured with the 'track' command) which can be based on IP SLA, interface line-protocol, or other criteria. It does not use ARP or ICMP by default.

24
MCQ · medium

A network engineer is troubleshooting PBR on a Cisco router where traffic from subnet 10.1.1.0/24 should be forwarded to next-hop 192.168.1.2. The route map 'PBR-10' is configured with 'match ip address 150' and 'set ip next-hop 192.168.1.2'. The engineer applies the route map to interface GigabitEthernet0/0. The engineer notices that PBR is not working, and the router is using the routing table to forward traffic. The engineer checks the ACL 150 and confirms it matches 10.1.1.0/24. The engineer also checks the interface configuration and sees 'ip policy route-map PBR-10' applied. What is the most likely cause?

A. The ACL 150 does not exist or is misconfigured, causing the route map to not match any traffic.
B. The 'set ip next-hop' command is misspelled as 'set ip nexthop'.
C. The router is running an older IOS version that does not support PBR.
D. The 'ip policy route-map' command is applied to the outgoing interface instead of the incoming interface.
Answer: A

Correct because if the ACL referenced in the route map does not exist, the route map will not match any traffic, and PBR will not be applied.

Why this answer

If PBR is not working and the router uses the routing table, it could be because the route map is not being processed due to a missing 'match' statement or the route map being empty. However, a common cause is that the route map has a 'match ip address' that references an ACL that does not exist or is misconfigured. The engineer should verify that the ACL 150 exists and is correctly configured.

25
MCQ · medium

A network engineer is troubleshooting PBR on a Cisco router where traffic from subnet 192.168.20.0/24 should be forwarded to next-hop 10.20.20.2. The route map 'PBR-20' is configured with 'match ip address 120' and 'set ip next-hop 10.20.20.2'. The engineer applies the route map to interface GigabitEthernet0/0. The engineer notices that PBR works for traffic from 192.168.20.0/24, but traffic from other subnets is also being forwarded to 10.20.20.2. What is the most likely cause?

A. The route map has a permit statement with no match condition, causing all traffic to be policy-routed.
B. The 'set ip next-hop' command is applied globally under the routing process.
C. The ACL 120 is configured with 'permit ip any any' at the end.
D. The route map is applied to the wrong interface, but the interface is receiving traffic from all subnets.
Answer: A, C

Correct because a permit statement without a match condition matches all traffic, causing PBR to apply to all packets.

Why this answer

If PBR is affecting traffic from other subnets, it is likely because the route map has a permit statement without a match condition, or the ACL is misconfigured to match all traffic. The engineer should check the route map for a permit statement that matches all traffic (e.g., 'match ip address any' or missing match).

26
MCQ · medium

A network engineer runs the following command on Router R1:

```
R1# show ip policy
Interface          Route-map
GigabitEthernet0/0 PBR-TRACK
R1# show route-map PBR-TRACK
route-map PBR-TRACK, permit, sequence 10
  Match clauses:
    ip address (access-lists): 170
  Set clauses:
    ip next-hop verify-availability 10.0.0.2 10 track 2
  Policy routing matches: 100 packets, 8000 bytes
R1# show track 2
Track 2
  IP SLA 2 reachability
  Reachability is Up
    2 changes, last change 00:01:30
  Latest operation return code: ok
  Tracked by:
    ROUTE-MAP 0
R1# show ip route 10.0.0.2
Routing entry for 10.0.0.2/32
  Known via "eigrp 1", distance 90, metric 28160
  Last update from 192.168.1.2 on GigabitEthernet0/1
```

Based on this output, what is the most likely behavior for packets matching ACL 170?

A. Packets are forwarded to 10.0.0.2.
B. Packets are forwarded using the routing table because the next-hop is not reachable.
C. Packets are dropped because the track object is not configured correctly.
D. Packets are load-balanced between the next-hop and the routing table.
Answer: A

Since track 2 is Up, the next-hop is verified as available and used for policy routing.

Why this answer

The route map uses 'ip next-hop verify-availability' with track 2. Track 2 is Up (IP SLA 2 reachability is ok). Therefore, the next-hop 10.0.0.2 is considered available, and packets matching ACL 170 are forwarded to 10.0.0.2.

27
MCQ · medium

A network engineer runs the following command on Router R1:

```
R1# show ip policy
Interface          Route-map
GigabitEthernet0/0 PBR-DEFAULT
R1# show route-map PBR-DEFAULT
route-map PBR-DEFAULT, permit, sequence 10
  Match clauses:
    ip address (access-lists): 150
  Set clauses:
    ip next-hop 10.0.0.2
  Policy routing matches: 0 packets, 0 bytes
route-map PBR-DEFAULT, deny, sequence 20
  Match clauses:
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
R1# show access-lists 150
Extended IP access list 150
    10 permit ip 192.168.1.0 0.0.0.255 any
R1# show ip route 10.0.0.2
Routing entry for 10.0.0.2/32
  Known via "ospf 1", distance 110, metric 20
  Last update from 10.1.1.2 on GigabitEthernet0/1
```

Based on this output, what is the most likely problem?

A. The deny sequence 20 is blocking all traffic from being policy-routed.
B. No traffic matching ACL 150 is arriving on GigabitEthernet0/0.
C. The next-hop 10.0.0.2 is unreachable.
D. The route map is missing a permit statement.
Answer: B

Zero matches on both sequences indicate no packets are being evaluated by the route map.

Why this answer

The route map has a deny sequence 20 with no match clause, which means it matches all packets. Since route maps are processed in order, if sequence 10 does not match (zero matches), sequence 20 will match all remaining packets and deny them (i.e., not apply PBR), causing them to be routed normally. However, the counters show zero for both sequences, indicating no traffic is being processed at all, likely because no traffic matching ACL 150 arrives on the interface.

28
MCQ · hard

A network uses PBR to route traffic from a specific subnet (172.16.1.0/24) through a WAN link (next-hop 10.10.10.2). After a routing change, traffic from this subnet is being sent to the WAN link but is not reaching the destination. Router R1 shows: 'show route-map' shows the route-map is applied, 'debug ip policy' shows traffic being forwarded to 10.10.10.2, but 'show ip route' on R1 shows a route to the destination via a different next-hop (10.20.20.2). What is the root cause?

A. The next-hop 10.10.10.2 does not have a route to the destination, causing traffic to be dropped. Ensure the next-hop has a route to the destination or use a next-hop that does.
B. The route-map on R1 is missing a 'set ip next-hop verify-availability' command, causing PBR to use an unreachable next-hop.
C. The routing table on R1 has a better route to the destination via 10.20.20.2, but PBR is overriding it incorrectly.
D. The ACL in the route-map is matching traffic from the wrong subnet, causing PBR to be applied to the wrong traffic.
Answer: A

PBR forwards traffic to the set next-hop, but if that next-hop does not have a route to the destination, the traffic will be dropped. This is a common issue when PBR is used to steer traffic through a specific path that does not have full routing information.

Why this answer

PBR forwards traffic to the set next-hop (10.10.10.2), but the routing table on R1 shows a different route to the destination. This indicates that PBR is overriding the routing table, but the next-hop 10.10.10.2 may not have a route to the destination, causing the traffic to be dropped. The solution is to ensure the next-hop has a route to the destination or use a different next-hop.

29
MCQhard

A router is configured with PBR using a route-map that sets the next-hop to 10.0.0.2 for traffic matching ACL 100. The engineer also configures 'set ip default next-hop 10.0.0.3' in the same route-map sequence. Traffic that matches ACL 100 is forwarded to 10.0.0.2, but traffic that does not match ACL 100 is forwarded to 10.0.0.3 only if there is no route in the routing table. However, the engineer expects all unmatched traffic to go to 10.0.0.3 regardless of the routing table. What is the misunderstanding?

A.The 'set ip default next-hop' command overrides the routing table only when no route exists; the engineer wants unconditional forwarding.
B.The route-map sequence order is incorrect; the default next-hop should be in a separate sequence.
C.The ACL 100 is blocking all traffic, so no traffic matches the set commands.
D.The 'set ip default next-hop' command requires a 'set interface' command to work.
AnswerA

'set ip default next-hop' is conditional on the absence of a route; 'set ip next-hop' is unconditional.

Why this answer

The 'set ip default next-hop' command is used only when the packet does not have a matching route in the routing table. If a route exists (even a default route), the packet follows the routing table. The engineer should use 'set ip next-hop' instead of 'set ip default next-hop' to force all unmatched traffic to the next-hop.

30
MCQmedium

A network engineer is troubleshooting PBR on a Cisco router where traffic from VLAN 100 (192.168.10.0/24) should be forwarded to next-hop 10.10.10.2 via a route map named 'VLAN100-PBR'. The engineer has applied the route map to interface GigabitEthernet0/0.100 (subinterface) using 'ip policy route-map VLAN100-PBR'. The engineer verifies that the route map is correctly configured with 'match ip address 100' and 'set ip next-hop 10.10.10.2', and the access list 100 matches the source subnet. However, traffic from VLAN 100 is still forwarded using the routing table. What is the most likely cause?

A.The traffic is arriving on the physical interface GigabitEthernet0/0 instead of the subinterface GigabitEthernet0/0.100.
B.The access list 100 is missing the 'permit' keyword; PBR only processes permit statements.
C.The 'set ip next-hop' command must be followed by 'force' to override the routing table.
D.The route map must be applied to the VLAN interface (SVI) instead of the subinterface.
AnswerA

Correct because PBR is applied per-interface; traffic must ingress the subinterface where the policy is configured.

Why this answer

PBR applied to a subinterface will only process traffic that arrives on that specific subinterface. If the traffic is arriving on the physical interface or another subinterface, it will not be matched. The engineer must ensure the traffic actually enters the subinterface where the policy is applied.

31
MCQmedium

A network engineer is troubleshooting a PBR configuration on a Cisco router. The engineer has configured a route map named 'PBR-MAP' with a match statement matching traffic from source IP 10.1.1.0/24 and a set statement to forward the traffic to next-hop 192.168.1.2. The engineer applies the route map to the incoming interface GigabitEthernet0/0 using 'ip policy route-map PBR-MAP'. However, traffic from 10.1.1.0/24 is still being forwarded using the routing table instead of the PBR next-hop. What is the most likely cause?

A.The route map is applied to the outgoing interface instead of the incoming interface.
B.The 'set ip next-hop' command requires the 'verify-availability' keyword to activate PBR.
C.The route map sequence number is missing; PBR requires sequence numbers to be explicitly defined.
D.The 'ip policy route-map' command must be applied globally under 'ip route-cache policy'.
AnswerA

Correct because PBR must be applied to the incoming interface to intercept traffic before routing decision.

Why this answer

The 'ip policy route-map' command must be applied to the incoming interface where the traffic is received. If it is applied to the outgoing interface, PBR will not function. The symptom indicates the route map is not being evaluated, which typically occurs when the policy is applied to the wrong interface or not applied at all.

32
MCQhard

What is the default behavior of PBR when a 'set ip next-hop' is configured with an IP address that is not directly connected?

A.The router performs a recursive lookup to find the next-hop.
B.The packet is forwarded using the routing table.
C.The packet is dropped.
D.The router sends an ICMP redirect.
AnswerC

PBR requires the next-hop to be directly connected by default; otherwise, the packet is dropped.

Why this answer

By default, PBR requires the next-hop to be directly connected. If it is not directly connected, the packet is dropped unless 'set ip next-hop verify-availability' is used or the next-hop is reachable via a recursive lookup (which requires additional configuration).

33
MCQmedium

A network engineer runs the following command to troubleshoot a Policy-Based Routing (PBR) issue:

```
R1# show route-map PBR-MAP
route-map PBR-MAP, permit, sequence 10
  Match clauses:
    ip address (access-lists): 101
  Set clauses:
    ip next-hop 10.1.1.2
    ip next-hop verify-availability
  Policy routing matches: 100 packets, 12000 bytes
```

What does this output indicate?

A.PBR is successfully forwarding traffic matching ACL 101 to next-hop 10.1.1.2.
B.The next-hop 10.1.1.2 is unreachable.
C.The route-map is not applied to any interface.
D.The ACL 101 is blocking all traffic.
AnswerA

The packet counter increments, showing successful policy routing.

Why this answer

The output shows that 100 packets have matched the route-map and have been policy-routed. This indicates PBR is functioning correctly.

34
Multi-Selecteasy

Which TWO configuration steps are required to implement Policy-Based Routing (PBR) on a Cisco router? (Choose TWO.)

Select 2 answers
A.Create a route-map with match and set commands.
B.Apply the route-map to an interface using the 'ip policy route-map' command.
C.Configure an access-list to match the traffic.
D.Enable CEF globally.
E.Use the 'ip local policy route-map' command.
AnswersA, B

The route-map defines the policy: what traffic to match and what action to take.

Why this answer

To implement PBR, you must create a route-map with match and set commands, then apply it to an interface using 'ip policy route-map'. Configuring an ACL is optional if match criteria use other methods. Enabling CEF is not required for PBR.

The 'ip route' command is for static routing, not PBR. 'ip local policy route-map' is only for locally generated packets, not a general requirement.

35
MCQhard

A network engineer runs the following command to troubleshoot a Policy-Based Routing (PBR) issue:

```
R1# debug ip policy
Policy routing debugging is on
R1#
*Mar 1 00:05:23.123: IP: s=192.168.1.10 (FastEthernet0/0), d=10.1.1.100, len 100, policy match
*Mar 1 00:05:23.123: IP: s=192.168.1.10 (FastEthernet0/0), d=10.1.1.100, len 100, policy rejected
```

What does this output indicate?

A.The packet matched the route-map but was not forwarded due to a failed next-hop check.
B.The packet was successfully policy-routed to the next-hop.
C.The route-map does not have a match clause for this packet.
D.The packet was dropped due to an ACL deny.
AnswerA

'policy rejected' indicates the packet matched but the set action could not be applied, often due to next-hop unreachability.

Why this answer

The debug output shows a packet from 192.168.1.10 to 10.1.1.100 that matches the policy but is then rejected. This typically occurs when the set clause specifies a next-hop that is unreachable or when verify-availability fails.

36
MCQhard

A network engineer is troubleshooting PBR on a Cisco router where traffic from source 10.1.2.0/24 should be forwarded to next-hop 192.168.1.2. The route map 'PBR-TEST' is configured with 'match ip address 101' and 'set ip next-hop 192.168.1.2'. The engineer applies the route map to interface GigabitEthernet0/0. The engineer notices that PBR works for most traffic, but traffic from a specific host (10.1.2.100) is not being policy-routed. The engineer checks the ACL 101 and confirms it includes 10.1.2.0/24. What is the most likely cause?

A.The router is using CEF switching, and PBR is not applied to CEF-switched traffic without the 'ip route-cache policy' command.
B.The host 10.1.2.100 is sending traffic with a different source IP than expected.
C.The 'set ip next-hop' command requires the next-hop to be directly connected, and 192.168.1.2 is not reachable.
D.The route map is missing a 'sequence 10' statement; PBR requires explicit sequence numbers.
AnswerA

Correct because by default, PBR only affects process-switched packets; CEF-switched packets ignore PBR unless 'ip route-cache policy' is enabled.

Why this answer

If PBR is working for most traffic but not for a specific host, it could be due to the route map being applied to a subinterface while the host traffic arrives on a different subinterface, or the host traffic is being fast-switched and bypassing PBR. However, a common cause is that the host's traffic is being processed by CEF and the 'ip policy route-map' command does not affect CEF-switched packets unless 'ip route-cache policy' is enabled. In modern IOS, PBR by default only applies to process-switched packets unless 'ip route-cache policy' is configured.

37
MCQeasy

A network engineer runs the following command to troubleshoot a Policy-Based Routing (PBR) issue:

```
R1# show ip local policy
Interface      Route-map
local          PBR-LOCAL
```

What does this output indicate?

A.Local PBR is enabled for packets originated by the router.
B.PBR is applied to all incoming interfaces.
C.The route-map PBR-LOCAL is not configured.
D.PBR is applied to all outgoing interfaces.
AnswerA

'ip local policy route-map PBR-LOCAL' applies to locally generated traffic.

Why this answer

The output shows that local PBR is configured using route-map PBR-LOCAL. This applies PBR to locally generated packets on the router.

38
MCQmedium

Which statement about PBR and the 'set interface' command is correct?

A.The 'set interface' command can only be used with point-to-point interfaces.
B.If the specified interface is down, the router uses the routing table.
C.The 'set interface' command requires a next-hop IP address to be specified.
D.The 'set interface' command forces the packet out the specified interface, and if the interface is down, the packet is dropped.
AnswerD

This is correct; PBR with 'set interface' does not fall back to the routing table if the interface is down.

Why this answer

The 'set interface' command forces the packet out a specific interface, overriding the routing table. If the interface is down, the packet is dropped unless a fallback is configured.

39
Drag & Dropmedium

Drag and drop the steps to configure and verify Policy-Based Routing (PBR) into the correct order, from first to last.

Why this order

First, define the route map with a sequence number. Next, match the interesting traffic using an ACL or prefix list. Then, set the next-hop or interface.

Apply the route map under the interface in the inbound direction. Finally, verify with 'show route-map' or 'show ip policy'.

40
MCQhard

An engineer configures PBR on a router to route traffic from subnet 10.1.1.0/24 to next-hop 192.168.1.2. The route-map is applied inbound on interface GigabitEthernet0/0. The engineer also configures 'ip policy route-map' on the same interface. However, the engineer notices that PBR is not working for multicast traffic from that subnet. What is the most likely explanation?

A.PBR is not supported for multicast traffic; multicast uses its own forwarding mechanisms.
B.The ACL in the route-map is blocking multicast addresses.
C.The next-hop 192.168.1.2 is not a multicast-capable router.
D.The route-map is missing a 'set ip next-hop verify-availability' command.
AnswerA

Multicast traffic is handled by multicast routing, not PBR, unless explicitly configured.

Why this answer

PBR does not process multicast traffic by default. Multicast packets are forwarded using multicast routing protocols (e.g., PIM) and are not subject to PBR. To apply PBR to multicast, special configuration (e.g., 'ip multicast policy route-map') is required.

41
MCQhard

A large enterprise network is experiencing intermittent reachability from a specific subnet (10.1.1.0/24) to a critical server (192.168.10.10). Router R1 has PBR configured to forward traffic from 10.1.1.0/24 to next-hop 10.2.2.2, but traffic is also being load-balanced via the routing table to 10.3.3.3. Router R2 shows: 'show ip route 192.168.10.10' returns a route via 10.4.4.4, but 'show ip policy' on R1 shows the route-map is applied. What is the root cause?

A.The route-map is missing the 'set ip next-hop verify-availability' command, causing PBR to forward traffic to an unreachable next-hop.
B.The ACL in the route-map is incorrectly matching traffic from 10.1.1.0/24, causing PBR to be applied to the wrong traffic.
C.The routing table on R1 has a higher administrative distance for the route to 192.168.10.10 via 10.3.3.3, causing PBR to be ignored.
D.The next-hop 10.2.2.2 is reachable but the path is congested, causing intermittent packet drops.
AnswerA

Without 'verify-availability', PBR does not check if the next-hop is reachable. Adding this command ensures PBR only uses the next-hop if it is reachable, falling back to the routing table otherwise.

Why this answer

PBR uses a route-map to match traffic and set next-hop. If the route-map does not have a 'set ip next-hop verify-availability' command, PBR will forward traffic to the next-hop even if it is not reachable. In this scenario, the next-hop 10.2.2.2 is not reachable, but PBR still forwards traffic to it, causing intermittent reachability.

The routing table load-balancing to 10.3.3.3 works, but PBR overrides it for matched traffic.

42
MCQhard

A network engineer configures PBR on a router to route traffic from subnet 10.1.1.0/24 via next-hop 192.168.1.2. The route-map uses match ip address and set ip next-hop commands. However, traffic sourced from 10.1.1.5 still follows the routing table instead of the PBR policy. What is the most likely cause?

A.The route-map is applied to the wrong interface (outbound instead of inbound).
B.The router is generating the traffic locally (e.g., ping from the router), and PBR does not apply to local packets without 'ip local policy route-map'.
C.The ACL in the route-map is missing a permit statement for subnet 10.1.1.0/24.
D.The next-hop 192.168.1.2 is not reachable via any directly connected interface.
AnswerB

Local packets require 'ip local policy route-map' to be influenced by PBR.

Why this answer

PBR processes only transit traffic; locally generated packets (e.g., from the router itself) are not affected by PBR unless the 'ip local policy route-map' command is used. The engineer must apply PBR globally for local packets.

43
MCQhard

What is the default maximum number of route-map entries that can be processed in a single PBR policy on Cisco IOS-XE?

A.255
B.65535
C.1000
D.Unlimited
AnswerB

The default maximum number of route-map entries for PBR is 65535.

Why this answer

The default maximum number of route-map entries in a PBR policy is 65535, but the practical limit is often lower due to memory and performance constraints.

44
MCQmedium

Router R4 has the following configuration:

```
interface GigabitEthernet0/5
 ip address 10.4.4.4 255.255.255.0
 ip policy route-map PBR-DEFAULT
!
route-map PBR-DEFAULT permit 10
 set ip default next-hop 192.168.3.1
```

What is the effect of this configuration?

A.All packets received on G0/5 are forwarded to 192.168.3.1 if they do not have a route in the routing table.
B.All packets received on G0/5 are forwarded to 192.168.3.1 regardless of the routing table.
C.The route-map is missing a match statement, so it does nothing.
D.The configuration is invalid because 'set ip default next-hop' requires an ACL.
AnswerA

Default next-hop applies only when the routing table has no route for the destination.

Why this answer

The 'set ip default next-hop' command is used for packets that do not match any explicit route in the routing table. It does not affect packets that have a matching route.

45
MCQeasy

Which statement about PBR and the 'set ip precedence' command is correct?

A.It sets the DSCP value.
B.It can only be used with 'set ip next-hop'.
C.It modifies the IP header of the packet.
D.It is used for load-balancing.
AnswerC

The command changes the ToS field in the IP header.

Why this answer

The 'set ip precedence' command sets the IP precedence bits in the Type of Service (ToS) field of the IP header, which can be used for QoS classification.

46
MCQeasy

Which statement about PBR and the 'match ip address' command is correct?

A.It can only match on source IP addresses.
B.It can reference a named or numbered ACL.
C.It can match on MAC addresses.
D.It matches packets before routing table lookup.
AnswerB

Both named and numbered ACLs are supported.

Why this answer

The 'match ip address' command references an access-list (standard or extended) to match packets based on source/destination IP addresses.

47
MCQhard

A network engineer is troubleshooting PBR on a Cisco router where traffic from subnet 172.16.0.0/16 should be forwarded to next-hop 10.10.10.2. The route map 'PBR-172' is configured with 'match ip address 140' and 'set ip next-hop 10.10.10.2'. The engineer applies the route map to interface GigabitEthernet0/0. The engineer notices that PBR works for traffic from 172.16.1.0/24 but not for traffic from 172.16.2.0/24. The engineer checks the ACL 140 and confirms it includes the entire 172.16.0.0/16 subnet. What is the most likely cause?

A.The route map has a sequence that matches 172.16.1.0/24 with a permit, and a later sequence that denies 172.16.2.0/24.
B.The ACL 140 has a deny statement for 172.16.2.0/24 before the permit statement.
C.The next-hop 10.10.10.2 is not reachable from the 172.16.2.0/24 subnet.
D.The 'ip policy route-map' command is applied to a subinterface that only receives traffic from 172.16.1.0/24.
AnswerA, B

Correct because route maps are processed in sequence order; a later deny statement can override an earlier permit.

Why this answer

If PBR works for one subnet but not another within the same ACL, it could be due to the route map having multiple sequence statements with different match conditions, or the ACL having specific permit statements that are ordered incorrectly. However, a common cause is that the route map has a sequence with a more specific match that matches 172.16.1.0/24 and a subsequent sequence that denies 172.16.2.0/24. The engineer should check the route map sequence numbers and the ACL order.

48
Multi-Selectmedium

Which TWO commands would a network engineer use to verify the operation of Policy-Based Routing (PBR) on a Cisco IOS router? (Choose TWO.)

Select 2 answers
A.show route-map
B.show ip policy
C.show ip route
D.debug ip policy
E.show access-lists
AnswersA, B

Displays all configured route-maps, including match and set conditions used for PBR.

Why this answer

The 'show route-map' command displays the configured route-map statements and their match/set conditions. The 'show ip policy' command lists interfaces with PBR applied and the associated route-map. 'show ip route' does not show PBR policy details. 'debug ip policy' is a debug command, not a verification show command. 'show access-lists' only shows ACLs, not PBR-specific information.

49
MCQmedium

A network engineer runs the following command on Router R1:

```
R1# show ip policy
Interface          Route-map
GigabitEthernet0/0 PBR-SET
R1# show route-map PBR-SET
route-map PBR-SET, permit, sequence 10
  Match clauses:
    ip address (access-lists): 160
  Set clauses:
    ip next-hop 192.168.1.2
    ip tos 184
  Policy routing matches: 300 packets, 24000 bytes
R1# show access-lists 160
Extended IP access list 160
    10 permit ip 10.0.0.0 0.255.255.255 any
R1# show interfaces GigabitEthernet0/0
GigabitEthernet0/0 is up, line protocol is up
  Internet address is 10.0.0.1/24
```

Based on this output, a packet from source 10.0.0.5 to destination 8.8.8.8 arrives on GigabitEthernet0/0. What is the most likely behavior?

A.The packet is forwarded using the routing table because the next-hop is not specified correctly.
B.The packet is forwarded to 192.168.1.2 with the ToS field set to 184.
C.The packet is dropped because the ToS value is invalid.
D.The packet is forwarded to 192.168.1.2 but the ToS is not changed.
AnswerB

The route map matches the packet and sets both next-hop and ToS, so the packet is policy-routed with the new ToS value.

Why this answer

The packet matches ACL 160 (source 10.0.0.0/8). The route map sets both next-hop and ToS. The next-hop 192.168.1.2 must be reachable for PBR to apply.

Assuming it is reachable (not shown but implied by matches), the packet will be forwarded to 192.168.1.2 with ToS set to 184 (which is 0xB8, or IP precedence 5, DSCP 46).

50
MCQmedium

A network engineer runs the following command to troubleshoot a Policy-Based Routing (PBR) issue:

```
R1# show route-map PBR-MAP
route-map PBR-MAP, permit, sequence 10
  Match clauses:
    ip address (access-lists): 101
  Set clauses:
    ip next-hop 10.1.1.2
    ip next-hop verify-availability
  Policy routing matches: 0 packets, 0 bytes
```

What does this output indicate?

A.The route-map is correctly configured but no traffic has matched it yet.
B.The next-hop 10.1.1.2 is unreachable, causing PBR to fail.
C.The access-list 101 is misconfigured and blocking all traffic.
D.The verify-availability feature is preventing any matches.
AnswerA

The packet counter shows 0 matches, so no packets have triggered PBR.

Why this answer

The output shows that the route-map PBR-MAP has a match clause referencing access-list 101 and a set clause with next-hop 10.1.1.2 and next-hop verify-availability. The packet counter is 0, meaning no packets have been policy-routed yet.

51
MCQhard

A network uses PBR to route traffic from a specific subnet (192.168.1.0/24) through a WAN link (next-hop 10.10.10.2). After a routing change, traffic from this subnet is being sent to the WAN link but is being dropped. Router R1 shows: 'show route-map' shows the route-map is applied, 'debug ip policy' shows traffic being forwarded to 10.10.10.2, but 'show ip route 10.10.10.2' shows a route via a different interface (GigabitEthernet0/1). What is the root cause?

A.The next-hop 10.10.10.2 is not directly connected to the interface where PBR is applied. PBR requires the next-hop to be directly connected. Use a directly connected next-hop or configure a static route to make it directly connected.
B.The route-map is missing a 'set ip next-hop verify-availability' command, causing PBR to use the next-hop even when it is not reachable.
C.The routing table on R1 has a better route to the destination via a different next-hop, overriding PBR.
D.The interface where PBR is applied is in a different VRF, causing the next-hop to be unreachable.
AnswerA

PBR's 'set ip next-hop' command requires the next-hop to be on a directly connected subnet. If it is reachable via a route, PBR will drop the packet. This is a common misconfiguration when the next-hop is on a remote subnet.

Why this answer

PBR requires the next-hop to be directly connected. If the next-hop is reachable via a route (e.g., through another router), PBR will not use it and will drop the packet. In this case, 10.10.10.2 is reachable via GigabitEthernet0/1, but it is not directly connected to the interface where PBR is applied.

The solution is to ensure the next-hop is directly connected or use a different next-hop.

52
MCQhard

A router is configured with PBR using a route-map that sets the next-hop to 192.168.2.1 for traffic matching ACL 101. The engineer also configures 'ip route 0.0.0.0 0.0.0.0 192.168.1.1' as a default route. Traffic that matches ACL 101 is correctly forwarded to 192.168.2.1, but traffic that does not match ACL 101 is dropped instead of using the default route. What is the most likely explanation?

A.The route-map has an implicit deny at the end, so unmatched traffic is dropped.
B.The default route is not installed in the routing table due to administrative distance.
C.The ACL 101 is blocking all other traffic.
D.The 'ip policy route-map' command is applied outbound, causing unmatched traffic to be dropped.
AnswerA

Route-maps have an implicit deny; unmatched packets are discarded unless a permit sequence with no match is added.

Why this answer

PBR with a route-map that does not have a default action (e.g., 'set ip default next-hop' or an implicit permit) will drop non-matching traffic by default. The route-map must include a permit statement with no match to allow normal routing for unmatched traffic.

53
Multi-Selecthard

Which TWO statements about PBR and the 'set ip tos' command are true? (Choose TWO.)

Select 2 answers
A.The 'set ip tos' command can use keywords such as 'min-delay', 'reliability', 'throughput', and 'low-cost' to set the ToS value.
B.The 'set ip tos' command modifies the entire DSCP field in the IP header.
C.The 'set ip tos' command can be used in a route-map sequence with a 'deny' keyword to mark packets that are not policy-routed.
D.The 'set ip tos' command is applied to all packets that match the route-map, regardless of whether the packet is policy-routed or forwarded normally.
E.The 'set ip tos' command can be verified using 'show route-map' to display the configured ToS value.
AnswersA, E

Correct. These keywords correspond to standard ToS values (e.g., min-delay = 8, reliability = 4, etc.).

Why this answer

PBR can modify the Type of Service (ToS) field in the IP header using 'set ip tos'. The ToS value can be specified as a decimal number (0-255) or using predefined keywords like 'min-delay', 'reliability', 'throughput', etc. The command affects only the ToS byte, not the entire DSCP field, though DSCP can be set using 'set ip dscp'.

The ToS change is applied to packets that match the route-map permit sequence.

54
MCQeasy

In Policy-Based Routing (PBR), what is the default action for packets that do not match any route-map sequence?

A.They are dropped.
B.They are forwarded using the normal routing table.
C.They are forwarded using the default route.
D.They are sent to the next-hop specified in the last sequence.
AnswerB

The implicit deny in a route-map for PBR means that unmatched packets are not subject to PBR and are routed normally.

Why this answer

Route-maps have an implicit deny at the end. For PBR, if a packet does not match any permit sequence, it is not policy-routed and is forwarded using the normal routing table.

55
MCQhard

A router is configured with PBR using a route-map that sets the next-hop to 10.0.0.2 for traffic from subnet 192.168.1.0/24. The route-map is applied inbound on interface GigabitEthernet0/0. The engineer also configures 'ip policy route-map' on the same interface. The engineer notices that PBR is working for TCP traffic but not for UDP traffic from the same subnet. What is the most likely cause?

A.The ACL in the route-map is configured to match only TCP traffic, so UDP packets are not policy-routed.
B.UDP traffic is not supported by PBR.
C.The next-hop 10.0.0.2 does not have a route for UDP traffic.
D.The route-map is missing a 'set ip next-hop' command for UDP.
AnswerA

ACL protocol matching is specific; using 'tcp' excludes UDP.

Why this answer

PBR processes all IP traffic regardless of protocol, but if the ACL in the route-map uses 'tcp' as the protocol, it will only match TCP packets. The engineer likely configured the ACL to match only TCP, inadvertently excluding UDP. The ACL should use 'ip' to match all protocols.

56
MCQhard

A network uses PBR to route traffic from a specific VLAN (10.10.10.0/24) through a firewall (next-hop 192.168.1.1). After a firewall policy change, traffic from this VLAN is being dropped. Router R1 shows: 'show ip policy' shows PBR applied, 'debug ip policy' shows traffic being forwarded to 192.168.1.1, but 'debug ip packet' on R1 shows packets being sent to 192.168.1.1 and no response. Router R2 (firewall) shows: 'show ip route 10.10.10.0' returns a route via 192.168.2.1, but 'show access-lists' on the firewall shows an ACL that denies traffic from 10.10.10.0/24. What is the root cause?

A.The firewall has an ACL that denies traffic from 10.10.10.0/24. Update the ACL to allow this traffic.
B.The next-hop 192.168.1.1 is not reachable from R1 due to a routing issue.
C.The route-map on R1 is missing a 'set ip next-hop verify-availability' command, causing it to forward traffic to an unreachable next-hop.
D.The VLAN interface on R1 has an ACL that is blocking traffic from 10.10.10.0/24.
AnswerA

PBR successfully forwards traffic to the firewall, but the firewall drops it due to an ACL. The routing is correct, but the firewall policy is blocking the traffic.

Why this answer

PBR forwards traffic to the firewall, but the firewall has an ACL that denies traffic from the source subnet (10.10.10.0/24). This is a policy issue on the firewall, not a routing issue. The solution is to update the firewall ACL to allow traffic from the source subnet.

57
MCQhard

A network uses PBR to load-balance traffic from two subnets (10.1.1.0/24 and 10.2.2.0/24) across two ISPs (next-hops 100.64.1.1 and 100.64.2.2). After a routing change, traffic from 10.1.1.0/24 is being sent to both ISPs intermittently. Router R1 shows: 'show route-map' shows the route-map with two match clauses, 'debug ip policy' shows traffic from 10.1.1.0/24 being sent to both next-hops. What is the root cause?

A.The route-map has a match clause that matches both subnets, causing traffic to be load-balanced across both next-hops. Use specific ACLs or separate route-map entries.
B.The 'set ip next-hop' command is missing the 'load-balance' keyword, causing PBR to use both next-hops by default.
C.The routing table on R1 has equal-cost routes to both ISPs, causing PBR to be overridden by the routing table.
D.The interface where PBR is applied is in a VRF, causing the route-map to be applied incorrectly.
AnswerA

If the ACL in the route-map matches both subnets (e.g., using a wildcard mask that is too broad), traffic from 10.1.1.0/24 can match multiple clauses, leading to load-balancing. Using specific ACLs or separate route-map entries with sequence numbers ensures each subnet is matched by only one clause.

Why this answer

PBR route-maps can have multiple match clauses, but if the route-map does not have a 'sequence' number or if the match clauses are not mutually exclusive, traffic can match multiple clauses. In this case, the route-map likely has a match clause that matches both subnets (e.g., using a less specific ACL), causing traffic from 10.1.1.0/24 to match both clauses and be load-balanced. The solution is to ensure the ACLs in the route-map are mutually exclusive or use separate route-map entries with sequence numbers.

58
MCQhard

An engineer configures PBR with a route-map that sets the next-hop to 10.0.0.2 for traffic matching ACL 100. The route-map is applied inbound on interface GigabitEthernet0/1. Traffic from a host on that interface is forwarded via 10.0.0.2, but the engineer notices that packets with destination IP 10.0.0.2 itself are also being redirected, causing a loop. Why does this happen?

A.The ACL 100 inadvertently matches the router's own IP address as source.
B.PBR is applied outbound, causing packets to the router to be re-routed.
C.The set ip next-hop command does not check if the next-hop is the router itself, so packets destined to the router are forwarded instead of being processed locally.
D.The route-map has a default route that sends all traffic to 10.0.0.2.
AnswerC

PBR overrides local delivery; packets to the router's own IP are forwarded per the policy.

Why this answer

PBR processes all incoming packets, including those destined to the router itself. If the set next-hop points to the router's own IP, packets to that IP are forwarded back out, creating a loop. The route-map should include a match clause to exclude traffic destined to the router.

59
MCQmedium

Router R1 has the following configuration:

```
interface GigabitEthernet0/1
 ip address 10.1.1.1 255.255.255.0
 ip policy route-map PBR-OUT
!
route-map PBR-OUT permit 10
 match ip address 100
 set ip next-hop 192.168.1.1
!
access-list 100 permit ip host 10.1.1.100 any
```

What is the effect of this configuration?

A.Packets received on GigabitEthernet0/1 from source 10.1.1.100 are forwarded to next-hop 192.168.1.1.
B.Packets transmitted out of GigabitEthernet0/1 to destination 10.1.1.100 are forwarded to next-hop 192.168.1.1.
C.All packets from 10.1.1.100 are dropped because the route-map does not have a permit statement.
D.The configuration is invalid because the ACL must match destination, not source.
AnswerA

The route-map is applied inbound, so packets arriving on this interface from 10.1.1.100 are policy-routed to 192.168.1.1.

Why this answer

The route-map is applied as an inbound policy on the interface, but the name 'PBR-OUT' suggests outbound, which is misleading. However, the 'ip policy route-map' command applies to incoming packets on that interface. The ACL matches source 10.1.1.100 to any destination, and sets next-hop 192.168.1.1.

60
Drag & Dropmedium

Drag and drop the steps to verify and validate Policy-Based Routing (PBR) operational state into the correct order, from first to last.


Why this order

First, check if PBR is enabled on the interface. Then view the route map statistics and hit counts. Examine the set actions and next-hop status.

Use 'show ip policy' to confirm policy map. Finally, use 'show route-map' to validate sequence and matches.

61
MCQhard

An engineer configures PBR on a router to route traffic from VLAN 10 to next-hop 192.168.1.2 using a route-map. The route-map is applied inbound on the VLAN interface. The engineer also configures 'ip policy route-map' on the same interface. However, traffic from VLAN 10 is not being policy-routed; instead, it is forwarded normally. The router is running IOS-XE. What is the most likely cause?

A.The VLAN interface is a Layer 2 switch virtual interface (SVI) and does not support PBR without additional hardware configuration.
B.The route-map is missing a 'match ip address' clause.
C.The next-hop 192.168.1.2 is not reachable via any route.
D.The 'ip policy route-map' command is applied outbound instead of inbound.
AnswerA

PBR on SVIs in IOS-XE may require specific platform support or configuration; otherwise, it is ignored.

Why this answer

On IOS-XE, PBR is not supported on switched virtual interfaces (SVIs) by default; it requires the 'platform hardware throughput mode' or specific hardware support. Alternatively, the interface may be a Layer 2 switch port, not a routed interface. PBR only works on routed interfaces.

62
MCQeasy

A network engineer runs the following command to troubleshoot a Policy-Based Routing (PBR) issue:

```
R1# show ip policy
Interface        Route-map
FastEthernet0/0  PBR-MAP
```

What does this output indicate?

A.PBR is enabled on FastEthernet0/0 with route-map PBR-MAP.
B.The route-map PBR-MAP is not configured.
C.PBR is applied globally and on the interface.
D.The route-map is applied to all interfaces.
AnswerA

The command shows the interface and associated route-map.

Why this answer

The output shows that PBR is applied on FastEthernet0/0 using route-map PBR-MAP. This confirms the interface-level configuration.

63
MCQhard

What is the default behavior of PBR when a 'set ip next-hop' and a 'set ip default next-hop' are both configured in the same route-map entry?

A.The 'set ip default next-hop' is always used first.
B.Both are used simultaneously, and the router load-balances.
C.The 'set ip next-hop' is used if reachable; otherwise, the 'set ip default next-hop' is used if the routing table has no explicit route.
D.The router ignores both and uses the routing table.
AnswerC

This is the correct order of evaluation.

Why this answer

The 'set ip next-hop' is evaluated first. If it is reachable, it is used. If not, then the 'set ip default next-hop' is used, but only if there is no explicit route in the routing table.

64
MCQhard

A network uses PBR to route traffic from a specific VLAN (10.10.10.0/24) through a firewall (next-hop 192.168.1.1). After a firewall replacement, traffic from this VLAN is being dropped. Router R1 shows: 'show route-map' shows the route-map is applied, 'show ip policy' shows the policy on the VLAN interface, but 'debug ip packet' shows packets being sent to 192.168.1.1 and no response. Router R2 (firewall) shows: 'show ip route 10.10.10.0' returns a route via 192.168.2.1, but the firewall is configured to drop traffic from 10.10.10.0/24. What is the root cause?

A.The firewall is configured to drop traffic from the source subnet 10.10.10.0/24. Update the firewall policy to allow this traffic.
B.The next-hop 192.168.1.1 is not reachable from R1 due to a routing issue.
C.The route-map on R1 is missing a 'set ip next-hop verify-availability' command, causing it to forward traffic to an unreachable next-hop.
D.The VLAN interface on R1 has an ACL that is blocking traffic from 10.10.10.0/24.
AnswerA

PBR successfully forwards traffic to the firewall, but the firewall drops it due to its own security policy. The routing is correct, but the firewall policy is blocking the traffic.

Why this answer

PBR forwards traffic to the firewall, but the firewall is configured to drop traffic from the source subnet (10.10.10.0/24). This is a policy issue on the firewall, not a routing issue. The solution is to update the firewall policy to allow traffic from the source subnet.

65
MCQmedium

A network engineer runs the following command on Router R1:

```
R1# show route-map
route-map PBR-ROUTE, permit, sequence 10
  Match clauses:
    ip address (access-lists): ACL-PBR
  Set clauses:
    ip next-hop 192.168.1.2
  Policy routing matches: 0 packets, 0 bytes
route-map PBR-ROUTE, permit, sequence 20
  Match clauses:
  Set clauses:
    ip next-hop 192.168.2.2
  Policy routing matches: 0 packets, 0 bytes
R1# show ip policy
Interface           Route-map
GigabitEthernet0/0  PBR-ROUTE
```

Based on this output, what is the most likely problem?

A.The route map is not applied to an interface.
B.The access list ACL-PBR does not exist or matches no traffic.
C.The next-hop 192.168.1.2 is unreachable.
D.The route map is missing a permit statement.
AnswerB

Zero matches in sequence 10 suggest ACL-PBR is not matching any packets. Sequence 20 has no match clause and would match all, but its counter is also zero, indicating no traffic is being processed by PBR at all, likely because ACL-PBR is missing or incorrect.

Why this answer

The show route-map output shows zero policy routing matches. The route map is applied to the interface, but the access list ACL-PBR may not match any traffic, or traffic is not arriving on GigabitEthernet0/0. The set clause in sequence 20 is applied unconditionally (no match clause), which would normally match all traffic, but sequence 10 must be evaluated first; if ACL-PBR matches nothing, sequence 20 would match all, yet counters still show zero, indicating no traffic is being policy-routed at all.

66
MCQmedium

A network engineer runs the following command to troubleshoot a Policy-Based Routing (PBR) issue:

```
R1# show ip policy
Interface        Route-map
FastEthernet0/0  PBR-MAP
Serial0/0        PBR-MAP
```

What does this output indicate?

A.The same route-map is applied to multiple interfaces, which may lead to unintended policy routing.
B.PBR is applied globally.
C.The route-map PBR-MAP is misconfigured.
D.PBR is only active on FastEthernet0/0.
AnswerA

Applying the same route-map to multiple interfaces can cause issues if the set clauses are not interface-agnostic.

Why this answer

The output shows that the same route-map PBR-MAP is applied to both FastEthernet0/0 and Serial0/0. This could cause unexpected behavior if the route-map uses interface-specific conditions.

67
MCQhard

A network engineer is troubleshooting PBR on a Cisco router where traffic from subnet 10.10.10.0/24 should be forwarded to next-hop 192.168.100.2. The route map 'PBR-10' is configured with 'match ip address 130' and 'set ip next-hop 192.168.100.2'. The engineer applies the route map to interface GigabitEthernet0/0. The engineer notices that PBR is not working, and the router is dropping packets instead of forwarding them. The engineer checks the ACL 130 and confirms it matches 10.10.10.0/24. What is the most likely cause?

A.The route map has a deny statement that matches the traffic, causing packets to be dropped.
B.The next-hop 192.168.100.2 is unreachable, and PBR drops packets when the next-hop is down.
C.The 'ip policy route-map' command is applied to the wrong interface, and the router is dropping packets due to ACL filtering.
D.The ACL 130 is missing the 'permit' keyword, causing all traffic to be denied.
AnswerA

Correct because a deny statement in the route map will cause the router to drop the packet if no other permit statement matches.

Why this answer

If PBR is dropping packets, it could be because the next-hop is unreachable and the route map has a 'set ip next-hop' command that fails, causing the router to drop the packet if no fallback is configured. However, by default, if the next-hop is unreachable, the router should use the routing table. But if the route map has a 'set ip next-hop' with 'verify-availability' and the next-hop is down, the router may drop the packet.

Another possibility is that the route map has a 'deny' statement that drops traffic. The most likely cause is that the route map has a 'deny' statement that matches the traffic, causing it to be dropped.

68
Multi-Selecthard

An engineer configures PBR on a Cisco router using the following commands: 'route-map PBR permit 10', 'match ip address 100', 'set ip next-hop 10.1.1.1', and applies it inbound on interface GigabitEthernet0/1. Which TWO statements about this configuration are true? (Choose TWO.)

Select 2 answers
A.The command 'ip policy route-map PBR' must be applied under interface GigabitEthernet0/1 in global configuration mode.
B.If the next hop 10.1.1.1 becomes unreachable, packets that match ACL 100 will be dropped by default.
C.Packets that do not match ACL 100 will be forwarded using the normal routing table.
D.The command 'debug ip policy' can be used to verify which packets are being policy-routed and to which next hop.
E.The route map must also include a 'match interface' statement to specify the incoming interface.
AnswersC, D

Correct. Only packets matching the route-map (via ACL 100) are policy-routed; others are forwarded normally.

Why this answer

PBR is applied inbound on an interface. The route map matches packets using ACL 100. If the next hop is unreachable, the packet is forwarded using the routing table (if a default route exists) or dropped.

PBR can be verified using 'show route-map' and 'debug ip policy'. The route map must be applied to the interface using 'ip policy route-map PBR'.

69
MCQmedium

A network engineer runs the following command on Router R1:

```
R1# show ip policy
Interface           Route-map
GigabitEthernet0/0  PBR-VOICE
R1# show route-map PBR-VOICE
route-map PBR-VOICE, permit, sequence 10
  Match clauses:
    ip address (access-lists): 130
  Set clauses:
    ip next-hop 192.168.10.1
  Policy routing matches: 0 packets, 0 bytes
R1# show access-lists 130
Extended IP access list 130
    10 permit udp any any range 16384 32767
R1# show interfaces GigabitEthernet0/0
GigabitEthernet0/0 is up, line protocol is up
  Internet address is 10.1.1.1/24
R1# show ip route 192.168.10.1
% Network not in routing table
```

Based on this output, what is the most likely problem?

A.The access list 130 is not matching any traffic.
B.The next-hop 192.168.10.1 is not reachable.
C.The interface GigabitEthernet0/0 is down.
D.The route map is missing a permit statement.
AnswerB

The show ip route output indicates the network is not in the routing table, so the next-hop is unreachable, causing PBR to fail to apply the set clause.

Why this answer

The next-hop 192.168.10.1 is not in the routing table. For PBR to forward packets to a next-hop, that next-hop must be reachable (in the routing table). If it is not, packets that match the route map are forwarded using the normal routing table instead.

The zero matches could be because no traffic matching ACL 130 has arrived, or because the next-hop is missing, but the missing route is a clear issue.

70
Multi-Selectmedium

Which THREE symptoms indicate that Policy-Based Routing (PBR) is not working as expected? (Choose THREE.)

Select 3 answers
A.Traffic that should be policy-routed follows the routing table instead.
B.High CPU usage on the router when processing PBR traffic.
C.The 'show ip policy' command shows the route-map applied to the interface.
D.Packets are dropped when the 'set interface' specifies a down interface.
E.The routing table is updated with new routes from PBR.
AnswersA, B, D

This indicates PBR is not matching the traffic or not applied correctly.

Why this answer

If traffic that should be policy-routed follows the routing table instead, PBR may not be applied or the route-map may not match. High CPU usage can occur if PBR is process-switched and ACLs are large. If the 'set interface' specifies a down interface, packets are dropped.

The 'show ip policy' command shows PBR application, not a symptom of failure. PBR does not affect routing table updates. A mismatch in ACLs can cause unintended forwarding.

71
Multi-Selecthard

Which TWO statements about PBR and the 'set ip next-hop recursive' command are true? (Choose TWO.)

Select 2 answers
A.The 'set ip next-hop recursive' command can specify a next-hop address that is not directly connected, and the router will perform a recursive lookup to determine the outgoing interface.
B.The 'set ip next-hop recursive' command is the default behavior for 'set ip next-hop' when the next hop is not directly connected.
C.Using 'set ip next-hop recursive' can cause the router to perform additional routing table lookups, potentially increasing CPU utilization.
D.The 'set ip next-hop recursive' command is only supported on Cisco IOS-XE platforms, not on classic IOS.
E.When using 'set ip next-hop recursive', the router will drop the packet if the recursive lookup fails to find a route to the next hop.
AnswersA, C

Correct. This command is designed for non-directly connected next hops; the router uses the routing table to resolve the next hop recursively.

Why this answer

The 'set ip next-hop recursive' command allows PBR to use a next-hop address that is not directly connected; the router performs recursive lookup to find the outgoing interface. This is different from 'set ip next-hop' which requires a directly connected next hop. The recursive option is useful when the next hop is multiple hops away.

However, it can impact performance due to the recursive lookup.

72
MCQhard

A network engineer runs the following command to troubleshoot a Policy-Based Routing (PBR) issue:

```
R1# debug ip policy
Policy routing debugging is on
R1#
*Mar 1 00:15:30.789: IP: s=10.0.0.1 (FastEthernet0/0), d=20.0.0.1, len 100, policy match
*Mar 1 00:15:30.789: IP: s=10.0.0.1 (FastEthernet0/0), d=20.0.0.1, len 100, policy rejected
*Mar 1 00:15:30.789: IP: s=10.0.0.2 (FastEthernet0/0), d=20.0.0.2, len 100, policy match
*Mar 1 00:15:30.789: IP: s=10.0.0.2 (FastEthernet0/0), d=20.0.0.2, len 100, policy routed
*Mar 1 00:15:30.789: IP: FastEthernet0/0 to GigabitEthernet0/1 192.168.1.1
```

What does this output indicate?

A.The route-map has multiple sequences or ACL entries; one source is permitted, the other is denied or fails next-hop check.
B.Both packets should have been rejected due to a misconfiguration.
C.The next-hop 192.168.1.1 is unreachable for the first packet.
D.The ACL is blocking all traffic from 10.0.0.1.
AnswerA

The different treatment indicates different match conditions or set clause outcomes.

Why this answer

The debug shows two packets: the first from 10.0.0.1 was rejected, while the second from 10.0.0.2 was successfully routed to 192.168.1.1. This suggests that the route-map may have multiple sequences or the ACL differentiates between the sources.

73
MCQhard

A network uses PBR to route traffic from a specific host (10.1.1.1) through a VPN tunnel (next-hop 10.10.10.2). After a VPN tunnel failure, traffic from this host is being dropped. Router R1 shows: 'show ip policy' shows PBR applied, 'debug ip policy' shows 'PBR: no route to next-hop 10.10.10.2', but 'show ip route 10.10.10.2' shows a route via a different interface. What is the root cause?

A.The next-hop 10.10.10.2 is not directly connected; it is reachable via a route. PBR requires the next-hop to be directly connected. Use a directly connected next-hop or configure a static route to make it directly connected.
B.The route-map is missing a 'set ip next-hop verify-availability' command, causing PBR to use the next-hop even when it is not reachable.
C.The routing table on R1 has a better route to the destination via the VPN tunnel, overriding PBR.
D.The VPN tunnel is down, causing the next-hop to be unreachable.
AnswerA

PBR's 'set ip next-hop' command requires the next-hop to be on a directly connected subnet. If it is reachable via a route, PBR will not use it and will drop the packet. This is a common misconfiguration when the next-hop is on a remote subnet.

Why this answer

PBR requires the next-hop to be directly reachable (i.e., on a directly connected subnet). If the next-hop is reachable via a route (e.g., through another router), PBR will not use it because it expects a direct connection. In this case, 10.10.10.2 is reachable via a route, not directly connected, so PBR drops the traffic.

The solution is to ensure the next-hop is directly connected or use a different next-hop that is directly connected.

74
Drag & Drophard

Drag and drop the steps to troubleshoot Policy-Based Routing (PBR) adjacency or connectivity failures into the correct order, from first to last.


Why this order

Start by checking if PBR is applied on the correct interface. Then verify the route map sequence and match statements. Check the set next-hop reachability via routing table.

Use 'debug ip policy' to see packet matches. Finally, test with extended ping or traceroute to confirm path.

75
MCQmedium

Router R6 has the following configuration:

```
interface GigabitEthernet0/7
 ip address 10.6.6.6 255.255.255.0
 ip policy route-map PBR-MISS
!
route-map PBR-MISS permit 10
 match ip address 104
 set ip next-hop 192.168.4.1
!
access-list 104 permit ip 10.6.6.0 0.0.0.255 192.168.0.0 0.0.255.255
```

What is missing in this configuration?

A.The interface is missing the 'ip policy route-map PBR-MISS' command.
B.The route-map is missing a 'set interface' command.
C.The ACL is missing a 'deny any any' statement.
D.The route-map sequence number must be 1.
AnswerA

Without the 'ip policy route-map' command on the interface, PBR is not applied, and the route-map is not used.

Why this answer

The intended missing item is the 'ip policy route-map' command on the interface, a typical configuration-review error: PBR does not require a global enable, but a route-map takes effect only once it is applied to an interface.

As shown in the stem, however, the configuration already includes 'ip policy route-map PBR-MISS' under GigabitEthernet0/7, so it is syntactically correct and will policy-route traffic from 10.6.6.0/24 to destinations in 192.168.0.0/16. The route-map has a permit statement and sequence number 10, and the ACL matches source 10.6.6.0/24, which is the network of the interface. Whether the next-hop 192.168.4.1 is reachable is an operational matter, not a configuration issue.

The answer applies to the configuration with the 'ip policy route-map' line removed from the interface.
