Guest

IP Routed Protocols

Policy-Based Routing Using the set ip default next-hop and set ip next-hop Commands Configuration Example

Cisco - Policy-Based Routing Using the set ip default next-hop and set ip next-hop Commands Configuration Example

Document ID: 47121

Updated: Aug 10, 2005

   Print

Introduction

This document provides a sample configuration for policy-based routing (PBR) using the set ip default next-hop and set ip next-hop commands.

The set ip default next-hop command verifies the existence of the destination IP address in the routing table, and…

  • if the destination IP address exists, the command does not policy route the packet, but forwards the packet based on the routing table.

  • if the destination IP address does not exist, the command policy routes the packet by sending it to the specified next hop.

The set ip next-hop command verifies the existence of the next hop specified, and…

  • if the next hop exists in the routing table, then the command policy routes the packet to the next hop.

  • if the next hop does not exist in the routing table, the command uses the normal routing table to forward the packet.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

This document is not restricted to specific software and hardware versions; however, the software used must support policy based routing. Use Feature Navigator to determine which hardware and software is supported for this configuration.

Conventions

For more information on document conventions, refer to Cisco Technical Tips Conventions.

Configure

In this section, you are presented with the information to configure the features described in this document.

Note: To find additional information on the commands used in this document, use the Command Lookup Tool (registered customers only) .

Network Diagram

This document uses this network setup:

pbr_cmds_ce_01.gif

Case Study 1: Policy Routing Using the set ip default next-hop Command with Dynamic Routing Protocol

This section uses these configurations:

R1
R1# show running-config 
Building configuration...
.
!
interface Ethernet0/0
 ip address 100.100.100.1 255.255.255.0
 ip policy route-map blah
!
interface Serial1/0
 ip address 10.10.10.1 255.255.255.0
!
interface Serial2/0
 ip address 20.20.20.1 255.255.255.0
!
router ospf 1
  
!--- OSPF is not configured on Serial1/0.

 log-adjacency-changes
 network 20.20.20.0 0.0.0.255 area 0
 network 100.100.100.0 0.0.0.255 area 0
!
ip classless
no ip http server
!
access-list 100 permit ip host 100.100.100.3 host 200.200.200.4
!
route-map blah permit 10
 match ip address 100
 set ip default next-hop 10.10.10.2
.
.
!
end

R2
R2# show running-config 
Building configuration...
.
!
!
interface Ethernet0/0
 ip address 200.200.200.2 255.255.255.0
 ip policy route-map blah
!
interface Serial1/0
 ip address 10.10.10.2 255.255.255.0
 fair-queue
!
interface Serial2/0
 ip address 20.20.20.2 255.255.255.0
!
router ospf 1
 
!--- OSPF is not configured on Serial1/0.

 log-adjacency-changes
 network 20.20.20.0 0.0.0.255 area 0
 network 200.200.200.0 0.0.0.255 area 0
!
ip classless
no ip http server
!
access-list 100 permit ip host 200.200.200.4 host 100.100.100.3
!
route-map blah permit 10
 match ip address 100
 set ip default next-hop 10.10.10.1
!
end

Verify Case Study 1

When the destination route exists in the routing table, normal forwarding is used—do not policy route the packet.

R1# show ip route 200.200.200.4 
   Routing entry for 200.200.200.0/24
   Known via "ospf 1", distance 110, metric 74, type intra area
   Last update from 20.20.20.2 on Serial2/0, 00:11:48 ago
   Routing Descriptor Blocks:
   * 20.20.20.2, from 30.30.30.3, 00:11:48 ago, via Serial2/0
   Route metric is 74, traffic share count is 1

R1# debug ip policy 
Policy routing debugging is on
*Dec 4 12:50:57.363: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4, len 100, policy match
*Dec 4 12:50:57.363: IP: route map blah, item 10, permit
*Dec 4 12:50:57.363: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4 (Serial2/0), len 100, policy rejected -- normal forwarding
*Dec 4 12:50:57.431: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4, len 100, policy match
*Dec 4 12:50:57.431: IP: route map blah, item 10, permit
*Dec 4 12:50:57.431: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4 (Serial2/0), len 100, policy rejected -- normal forwarding
*Dec 4 12:50:57.491: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4, len 100, policy match
*Dec 4 12:50:57.491: IP: route map blah, item 10, permit
*Dec 4 12:50:57.491: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4 (Serial2/0), len 100, policy rejected -- normal forwarding
  
R2# show ip route 100.100.100.3
Routing entry for 100.100.100.0/24
  Known via "ospf 1", distance 110, metric 74, type intra area
  Last update from 20.20.20.1 on Serial2/0, 00:11:42 ago
  Routing Descriptor Blocks:
  * 20.20.20.1, from 100.100.100.1, 00:11:42 ago, via Serial2/0
      Route metric is 74, traffic share count is 1

R2# debug ip policy 
Policy routing debugging is on
*Dec 4 12:50:57.779: IP: s=200.200.200.4 (Ethernet0/0), d=100.100.100.3, len 100, policy match
*Dec 4 12:50:57.779: IP: route map blah, item 10, permit
*Dec 4 12:50:57.779: IP: s=200.200.200.4 (Ethernet0/0), d=100.100.100.3 (Serial2/0), len 100, policy rejected -- normal forwarding
*Dec 4 12:50:57.839: IP: s=200.200.200.4 (Ethernet0/0), d=100.100.100.3, len 100, policy match
*Dec 4 12:50:57.839: IP: route map blah, item 10, permit
*Dec 4 12:50:57.839: IP: s=200.200.200.4 (Ethernet0/0), d=100.100.100.3 (Serial2/0), len 100, policy rejected -- normal forwarding
*Dec 4 12:50:57.911: IP: s=200.200.200.4 (Ethernet0/0), d=100.100.100.3, len 100, policy match
*Dec 4 12:50:57.911: IP: route map blah, item 10, permit
*Dec 4 12:50:57.911: IP: s=200.200.200.4 (Ethernet0/0), d=100.100.100.3 (Serial2/0), len 100, policy rejected -- normal forwarding

When Serial 2/0 goes down and the destination address disappears from the routing table, the packet is policy routed.

R1# show ip route 200.200.200.0
% Network not in table
R1#
*Dec 5 13:26:27.567: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4, len 100, policy match
*Dec 5 13:26:27.567: IP: route map blah, item 10, permit
*Dec 5 13:26:27.567: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4 (Serial1/0),len 100, policy routed
*Dec 5 13:26:27.567: IP: Ethernet0/0 to Serial1/0 10.10.10.2
*Dec 5 13:26:27.655: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4, len 100, policy match
*Dec 5 13:26:27.655: IP: route map blah, item 10, permit
*Dec 5 13:26:27.655: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4 (Serial1/0),len 100, policy routed
*Dec 5 13:26:27.655: IP: Ethernet0/0 to Serial1/0 10.10.10.2
*Dec 5 13:26:27.727: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4, len 100, policy match
*Dec 5 13:26:27.727: IP: route map blah, item 10, permit
*Dec 5 13:26:27.727: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4 (Serial1/0),len 100, policy routed
*Dec 5 13:26:27.727: IP: Ethernet0/0 to Serial1/0 10.10.10.2

Case Study 2: Policy Routing Using the set ip next-hop Command with Dynamic Routing Protocol

This section uses these configurations:

R1
R1# show running-config 
Building configuration...
.
!
interface Ethernet0/0
 ip address 100.100.100.1 255.255.255.0
 ip policy route-map blah
!
interface Serial1/0
 ip address 10.10.10.1 255.255.255.0
!
interface Serial2/0
 ip address 20.20.20.1 255.255.255.0
!
router ospf 1
 
!--- OSPF is not configured on Serial1/0.

 log-adjacency-changes
 network 20.20.20.0 0.0.0.255 area 0
 network 100.100.100.0 0.0.0.255 area 0
!
ip classless
no ip http server
!
access-list 100 permit ip host 100.100.100.3 host 200.200.200.4
!
route-map blah permit 10
 match ip address 100
 set ip next-hop 10.10.10.2
.
.
!
end

R2
R2# show running-config 
Building configuration...
.
!
!
interface Ethernet0/0
 ip address 200.200.200.2 255.255.255.0
 ip policy route-map blah
!
interface Serial1/0
 ip address 10.10.10.2 255.255.255.0
 fair-queue
!
interface Serial2/0
 ip address 20.20.20.2 255.255.255.0
!
router ospf 1
 
!--- OSPF is not configured on Serial1/0.

 log-adjacency-changes
 network 20.20.20.0 0.0.0.255 area 0
 network 200.200.200.0 0.0.0.255 area 0
!
ip classless
no ip http server
!
!
!
access-list 100 permit ip host 200.200.200.4 host 100.100.100.3
!
route-map blah permit 10
 match ip address 100
 set ip next-hop 10.10.10.1
!
end

Verify Case Study 2

Verify the existence of the next hop, 10.10.10.2, in the routing table. If the destination route exists in the routing table, the packet is policy routed if the next hop is reachable.

R1# show ip route 200.200.200.4 
Routing entry for 200.200.200.0/24
  Known via "ospf 1", distance 110, metric 74, type intra area
  Last update from 20.20.20.2 on Serial2/0, 00:11:48 ago
  Routing Descriptor Blocks:
  * 20.20.20.2, from 30.30.30.3, 00:11:48 ago, via Serial2/0
      Route metric is 74, traffic share count is 1

R1# debug ip policy 
Policy routing debugging is on
*Dec 4 12:53:38.271: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4, len 100, policy match
*Dec 4 12:53:38.271: IP: route map blah, item 10, permit
*Dec 4 12:53:38.271: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4 (Serial1/0), len 100, policy routed
*Dec 4 12:53:38.271: IP: Ethernet0/0 to Serial1/0 10.10.10.2
*Dec 4 12:53:38.355: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4, len 100, policy match
*Dec 4 12:53:38.355: IP: route map blah, item 10, permit
*Dec 4 12:53:38.355: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4 (Serial1/0), len 100, policy routed
*Dec 4 12:53:38.355: IP: Ethernet0/0 to Serial1/0 10.10.10.2
*Dec 4 12:53:38.483: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4, len 100, policy match
*Dec 4 12:53:38.483: IP: route map blah, item 10, permit

R2# sh ip route 100.100.100.3
Routing entry for 100.100.100.0/24
  Known via "ospf 1", distance 110, metric 74, type intra area
  Last update from 20.20.20.1 on Serial2/0, 00:11:42 ago
  Routing Descriptor Blocks:
  * 20.20.20.1, from 100.100.100.1, 00:11:42 ago, via Serial2/0
      Route metric is 74, traffic share count is 1

R2# debug ip policy 
Policy routing debugging is on
*Dec  4 12:53:38.691: IP: s=200.200.200.4 (Ethernet0/0), d=100.100.100.3, len 100, policy match
*Dec  4 12:53:38.691: IP: route map blah, item 10, permit
*Dec  4 12:53:38.691: IP: s=200.200.200.4 (Ethernet0/0), d=100.100.100.3 (Serial1/0), len 100, policy routed
*Dec  4 12:53:38.691: IP: Ethernet0/0 to Serial1/0 10.10.10.1
*Dec  4 12:53:38.799: IP: s=200.200.200.4 (Ethernet0/0), d=100.100.100.3, len 100, policy match
*Dec  4 12:53:38.799: IP: route map blah, item 10, permit
*Dec  4 12:53:38.799: IP: s=200.200.200.4 (Ethernet0/0), d=100.100.100.3 (Serial1/0), len 100, policy routed
*Dec  4 12:53:38.799: IP: Ethernet0/0 to Serial1/0 10.10.10.1
*Dec  4 12:53:38.899: IP: s=200.200.200.4 (Ethernet0/0), d=100.100.100.3, len 100, policy match
*Dec  4 12:53:38.899: IP: route map blah, item 10, permit

When the destination IP address disappears from the routing, the packet is policy routed.

*Dec 5 13:33:23.607: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4, len 100, policy match
*Dec 5 13:33:23.607: IP: route map blah, item 10, permit
*Dec 5 13:33:23.607: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4 (Serial1/0),len 100, policy routed
*Dec 5 13:33:23.607: IP: Ethernet0/0 to Serial1/0 10.10.10.2
*Dec 5 13:33:23.707: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4, len 100, policy match
*Dec 5 13:33:23.707: IP: route map blah, item 10, permit
*Dec 5 13:33:23.707: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4 (Serial1/0),len 100, policy routed
*Dec 5 13:33:23.707: IP: Ethernet0/0 to Serial1/0 10.10.10.2
*Dec 5 13:33:23.847: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4, len 100, policy match
*Dec 5 13:33:23.847: IP: route map blah, item 10, permit

When Serial 1/0 interface goes down, we loose the next hop,, 10.10.10.1 from the routing table and the packet follows the normal routing table.

*Dec 5 13:40:38.887: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4, len 100, policy match
*Dec 5 13:40:38.887: IP: route map blah, item 10, permit
*Dec 5 13:40:38.887: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4 (Serial2/0), len 100, policy rejected -- normal forwarding
*Dec 5 13:40:39.047: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4, len 100, policy match
*Dec 5 13:40:39.047: IP: route map blah, item 10, permit
*Dec 5 13:40:39.047: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4 (Serial2/0), len 100, policy rejected -- normal forwarding
*Dec 5 13:40:39.115: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4, len 100, policy match
*Dec 5 13:40:39.115: IP: route map blah, item 10, permit
*Dec 5 13:40:39.115: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4 (Serial2/0), len 100, policy rejected -- normal forwarding

Case Study 3: Policy Routing Using the set ip default next-hop with a Default Route

This section uses these configurations:

R1
R1 
R1# show running-config 
Building configuration...
.
!
interface Ethernet0/0
 ip address 100.100.100.1 255.255.255.0
 ip policy route-map blah
!
interface Serial1/0
 ip address 10.10.10.1 255.255.255.0
!
interface Serial2/0
 ip address 20.20.20.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 20.20.20.2
!
ip classless
no ip http server
!
access-list 100 permit ip host 100.100.100.3 host 200.200.200.4
!
route-map blah permit 10
 match ip address 100
 set ip default next-hop 10.10.10.2
.
.
!
end

R2
R2# show running-config 
Building configuration...
.
!
!
interface Ethernet0/0
 ip address 200.200.200.2 255.255.255.0
 ip policy route-map blah
!
interface Serial1/0
 ip address 10.10.10.2 255.255.255.0
 fair-queue
!
interface Serial2/0
 ip address 20.20.20.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 20.20.20.1
!
ip classless
no ip http server
!
!
!
access-list 100 permit ip host 200.200.200.4 host 100.100.100.3
!
route-map blah permit 10
 match ip address 100
 set ip default next-hop 10.10.10.1
!
end

Verify Case Study 3

When the only route to the destination is the default route—there is no specific route for that destination in the routing tale—the packet is policy routed.

R1# show ip route 200.200.200.4
% Network not in table


R1# show ip route 0.0.0.0 
Routing entry for 0.0.0.0/0, supernet
Known via "static", distance 1, metric 0, candidate default path
Routing Descriptor Blocks:
* 20.20.20.2
Route metric is 0, traffic share count is 1

R1# 
*Dec  4 12:58:55.191: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4, len 100, policy match
*Dec  4 12:58:55.191: IP: route map blah, item 10, permit
*Dec  4 12:58:55.191: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4 (Serial1/0), len 100, policy routed
*Dec  4 12:58:55.191: IP: Ethernet0/0 to Serial1/0 10.10.10.2
*Dec  4 12:58:55.291: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4, len 100, policy match
*Dec  4 12:58:55.291: IP: route map blah, item 10, permit
*Dec  4 12:58:55.291: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4 (Serial1/0), len 100, policy routed
*Dec  4 12:58:55.291: IP: Ethernet0/0 to Serial1/0 10.10.10.2
*Dec  4 12:58:55.391: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4, len 100, policy match
*Dec  4 12:58:55.391: IP: route map blah, item 10, permit
*Dec  4 12:58:55.391: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4 (Serial1/0), len 100, policy routed
*Dec  4 12:58:55.391: IP: Ethernet0/0 to Serial1/0 10.10.10.2

R2# show ip route 100.100.100.3
% Network not in table

R2# show ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
Known via "static", distance 1, metric 0, candidate default path
Routing Descriptor Blocks:
* 20.20.20.1
Route metric is 0, traffic share count is 1

R2#
*Dec  4 12:58:20.819: %SYS-5-CONFIG_I: Configured from console by console
*Dec  4 12:58:55.611: IP: s=200.200.200.4 (Ethernet0/0), d=100.100.100.3, len 100, policy match
*Dec  4 12:58:55.611: IP: route map blah, item 10, permit
*Dec  4 12:58:55.611: IP: s=200.200.200.4 (Ethernet0/0), d=100.100.100.3 (Serial1/0), len 100, policy routed
*Dec  4 12:58:55.611: IP: Ethernet0/0 to Serial1/0 10.10.10.1
*Dec  4 12:58:55.739: IP: s=200.200.200.4 (Ethernet0/0), d=100.100.100.3, len 100, policy match
*Dec  4 12:58:55.739: IP: route map blah, item 10, permit
*Dec  4 12:58:55.739: IP: s=200.200.200.4 (Ethernet0/0), d=100.100.100.3 (Serial1/0), len 100, policy routed
*Dec  4 12:58:55.739: IP: Ethernet0/0 to Serial1/0 10.10.10.1
*Dec  4 12:58:55.799: IP: s=200.200.200.4 (Ethernet0/0), d=100.100.100.3, len 100, policy match
*Dec  4 12:58:55.799: IP: route map blah, item 10, permit
*Dec  4 12:58:55.799: IP: s=200.200.200.4 (Ethernet0/0), d=100.100.100.3 (Serial1/0), len 100, policy routed
*Dec  4 12:58:55.799: IP: Ethernet0/0 to Serial1/0 10.10.10.1

When the default route does not exist because Serial 2/0 went down, the packet is policy routed.

R1# show ip route 0.0.0.0
% Network not in table
R1#
*Dec 5 13:02:31.283: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4, len 100, policy match
*Dec 5 13:02:31.283: IP: route map blah, item 10, permit
*Dec 5 13:02:31.283: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4 (Serial1/0),len 100, policy routed
*Dec 5 13:02:31.283: IP: Ethernet0/0 to Serial1/0 10.10.10.2
*Dec 5 13:02:31.375: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4, len 100, policy match
*Dec 5 13:02:31.375: IP: route map blah, item 10, permit
*Dec 5 13:02:31.375: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4 (Serial1/0),len 100, policy routed
*Dec 5 13:02:31.375: IP: Ethernet0/0 to Serial1/0 10.10.10.2
*Dec 5 13:02:31.435: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4, len 100, policy match
*Dec 5 13:02:31.435: IP: route map blah, item 10, permit
*Dec 5 13:02:31.435: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4 (Serial1/0),len 100, policy routed
*Dec 5 13:02:31.435: IP: Ethernet0/0 to Serial1/0 10.10.10.2

In the situation where Serial2/0 is up and Serial 1/0 goes down, we loose the next hop and the packet follows the normal forwarding (routing table) - policy rejected.

R1# debug ip policy 
Policy routing debugging is on
R1#
*Dec 5 12:46:49.543: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4, len 100, policy match
*Dec 5 12:46:49.543: IP: route map blah, item 10, permit
*Dec 5 12:46:49.543: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4 (Serial2/0),len 100, policy rejected -- normal forwarding
*Dec 5 12:46:49.623: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4, len 100, policy match
*Dec 5 12:46:49.623: IP: route map blah, item 10, permit
*Dec 5 12:46:49.623: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4 (Serial2/0),len 100, policy rejected -- normal forwarding
*Dec 5 12:46:49.691: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4, len 100, policy match
*Dec 5 12:46:49.691: IP: route map blah, item 10, permit
*Dec 5 12:46:49.691: IP: s=100.100.100.3 (Ethernet0/0), d=200.200.200.4 (Serial2/0),len 100, policy rejected -- normal forwarding

Troubleshoot

There is currently no specific troubleshooting information available for this configuration.

Related Information

Updated: Aug 10, 2005
Document ID: 47121