Policy Based Routing
This chapter describes how to configure the Cisco ASA to support policy based routing (PBR). The following sections describe policy based routing, guidelines for PBR, and configuration for PBR.
About Policy Based Routing
Traditional routing is destination-based, meaning packets are routed based on destination IP address. However, it is difficult to change the routing of specific traffic in a destination-based routing system. With Policy Based Routing (PBR), you can define routing based on criteria other than destination network—PBR lets you route traffic based on source address, source port, destination address, destination port, protocol, or a combination of

Policy Based Routing:
- Lets you provide Quality of Service (QoS) to differentiated traffic.
- Lets you distribute interactive and batch traffic across low-bandwidth, low-cost permanent paths and high-bandwidth, high-cost switched paths.
- Allows Internet service providers and other organizations to route traffic originating from various sets of users through well-defined Internet connections.
Policy Based Routing can implement QoS by classifying and
marking traffic at the network edge, and then using PBR throughout the network
to route marked traffic along a specific path. This permits routing of packets
originating from different sources to different networks, even when the
destinations are the same, and it can be useful when interconnecting several
Why Use Policy Based Routing
Consider a company that has two links between locations: one a
high-bandwidth, low-delay expensive link, and the other a low-bandwidth,
higher-delay, less-expensive link. While using traditional routing protocols,
the higher-bandwidth link would get most, if not all, of the traffic sent
across it based on the metric savings obtained by the bandwidth and/or delay
(using EIGRP or OSPF) characteristics of the link. PBR allows you to route
higher priority traffic over the high-bandwidth/low-delay link, while sending
all other traffic over the low-bandwidth/high-delay link.
Some applications of policy based routing are:
Equal-Access and Source-Sensitive Routing
In this topology, traffic from the HR and Mgmt networks can be configured to go through ISP1, and traffic from the Eng network can be configured to go through ISP2. Policy based routing thus enables network administrators to provide equal-access and source-sensitive routing, as shown here.
Quality of Service
By tagging packets with policy based routing, network administrators can classify the network traffic at the perimeter of the network into various classes of service, and then implement those classes of service in the core of the network using priority, custom, or weighted fair queuing (as shown in the figure below). This setup improves network performance by eliminating the need to classify the traffic explicitly at each WAN interface in the core of the backbone network.
By defining the topology as shown here, an organization can direct the bulk traffic associated with a specific activity over a higher-bandwidth, high-cost link for a short time, while continuing basic connectivity for interactive traffic over a lower-bandwidth, low-cost link.
In addition to the dynamic load-sharing capabilities offered by ECMP load balancing, network administrators can now implement policies to distribute traffic among multiple paths based on the traffic characteristics.
As an example, in the topology depicted in the Equal-Access Source Sensitive Routing scenario, an administrator can configure policy based routing to load share the traffic from HR network through ISP1 and traffic from Eng network through ISP2.
The ASA uses ACLs to match traffic and then perform routing
actions on the traffic. Specifically, you configure a route map that specifies
an ACL for matching, and then you specify one or more actions for that traffic.
Finally, you associate the route map with an interface where you want to apply
PBR on all incoming traffic.
Guidelines for Policy Based Routing
Supported only in routed firewall mode. Transparent firewall
mode is not supported.
Since the ASA
performs routing on a per-flow basis, policy routing is applied on the first
packet and the resulting routing decision is stored in the flow created for the
packet. All subsequent packets belonging to the same connection simply match
this flow and are routed appropriately.
PBR Policies Not Applied for Output Route Look-up
Policy Based Routing is an ingress-only feature; that is, it is
applied only to the first packet of a new incoming connection, at which time
the egress interface for the forward leg of the connection is selected. Note
that PBR will not be triggered if the incoming packet belongs to an existing
connection, or if NAT is applied.
Clustering is supported.
In a cluster scenario without static or dynamic routes, asymmetric traffic may get dropped when ip verify reverse-path is enabled, so disabling ip verify reverse-path is recommended.
All existing route map related configuration restrictions and
limitations will be carried forward.
A route map is comprised of one or more route-map statements.
Each statement has a sequence number, as well as a permit or deny clause. Each
route-map statement contains match and set commands. The match command denotes
the match criteria to be applied on the packet. The set command denotes the
action to be taken on the packet.
When multiple next-hops or interfaces are configured as a set action, all options are evaluated one after the other until a valid usable option is found. No load balancing is done among the configured next-hops or interfaces.
The verify-availability option is not supported in multiple
Step 1. In ASDM, configure one or more standard or extended ACLs to identify traffic on which you want to perform Policy Based Routing. Then click Add. The Add Route Map dialog box appears.
Step 2. Enter the route map name and sequence number. You will use this same name for optional additional route map statements. The sequence number is the order in which the ASA assesses the route maps.
The ACL also includes its own permit and deny statements. For
Permit/Permit matches between the route map and the ACL, the Policy Based
Routing processing continues. For Permit/Deny matches, processing ends for this
route map, and other route maps are checked. If the result is still
Permit/Deny, then the regular routing table is used. For Deny/Deny matches, the
Policy Based Routing processing continues.
Step 3. Click the Match Clause tab to identify the ACLs you created. In the IPv4 section, choose Access List from the drop-down menu, and then select one or more standard or extended ACLs from the dialog box.
If you use a standard ACL, matching is done on the destination address only. If you use an extended ACL, you can match on source, destination, or both.
IPv6 ACLs are not supported.
Step 4. Click the Policy Based Routing tab to define policy for traffic flows. Check one or more of the following set actions to perform for the matching traffic flows:
- Set PBR next hop address—For IPv4, you can configure multiple next-hop IP addresses, in which case they are evaluated in the specified order until a valid routable next-hop IP address is found. The configured next-hops should be directly connected; otherwise the set action will not be applied.
- Set default next-hop IP address—For IPv4, if the normal route lookup fails for matching traffic, then the ASA forwards the traffic using this specified next-hop IP address.
- Recursively find and set next-hop IP address—Both the next-hop address and the default next-hop address require that the next-hop be found on a directly connected subnet. With this option, the next-hop address does not need to be directly connected. Instead, a recursive lookup is performed on the next-hop address, and matching traffic is forwarded to the next-hop used by that route entry according to the routing path in use on the router.
- Configure Next Hop Verifiability—Verify whether the next IPv4 hops of a route map are available. You can configure an SLA monitor tracking object to verify the reachability of the next-hop. Click Add to add next-hop IP address entries, and specify the following information:
  - Sequence Number—Entries are assessed in order using the sequence number.
  - IP Address—Enter the next hop IP address.
  - Tracking Object ID—Enter a valid ID.
- Set interfaces—This option configures the interface through which the matching traffic is forwarded. You can configure multiple interfaces, in which case they are evaluated in the specified order until a valid interface is found. When you specify null0, all traffic matching the route map will be dropped. There must be a route for the destination that can be routed through the specified interface (either static or dynamic).
- Set null0 interface as the default interface—If a normal route lookup fails, the ASA forwards the traffic to null0, and the traffic will be dropped.
- Set do-not-fragment bit to either 1 or 0—Select the appropriate radio button.
- Set differentiated services code point (DSCP) value in QoS bits—Select a value from the IPv4 drop-down list.
Step 5. Click OK, and then click
Step 6. To remove an existing PBR route map, select it in the Route Maps list and then click
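As an added example (not taken from the Cisco guide), this is the CLI equivalent of the ASDM procedure above for the Equal-Access and Source-Sensitive Routing scenario: HR and Mgmt traffic leaves via ISP1 with next-hop tracking, Eng traffic via ISP2, and unmatched traffic falls through to the regular routing table. All subnets, next-hop addresses, interface names, and object IDs are constructed for illustration.

```cisco
! Constructed topology: HR 10.1.10.0/24, Mgmt 10.1.20.0/24, Eng 10.1.30.0/24 behind "inside";
! ISP1 next hop 203.0.113.1 on "outside1", ISP2 next hop 198.51.100.1 on "outside2".
!
! Extended ACLs so that matching is on source (a standard ACL would match destination only).
! The deny entry keeps internal-to-internal traffic out of this clause: on a Permit/Deny result
! the ASA moves on to the next route-map statement and, if nothing matches, to the routing table.
access-list PBR-HR-MGMT extended deny ip 10.1.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list PBR-HR-MGMT extended permit ip 10.1.10.0 255.255.255.0 any
access-list PBR-HR-MGMT extended permit ip 10.1.20.0 255.255.255.0 any
access-list PBR-ENG extended deny ip 10.1.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list PBR-ENG extended permit ip 10.1.30.0 255.255.255.0 any
!
! SLA monitor plus tracking object used by the "Configure Next Hop Verifiability" set action:
! the ISP1 next hop is only used while the ICMP echo probe succeeds.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside1
 frequency 10
sla monitor schedule 10 life forever start-time now
track 10 rtr 10 reachability
!
! Sequence 10: HR/Mgmt -> ISP1. If track 10 is down the set action is skipped and the
! flow is routed by the normal routing table instead.
route-map PBR-INSIDE permit 10
 match ip address PBR-HR-MGMT
 set ip next-hop verify-availability 203.0.113.1 10 track 10
!
! Sequence 20: Eng -> ISP2. The next hop must be directly connected, otherwise the
! set action is not applied (use "set ip next-hop recursive" for a non-adjacent hop).
route-map PBR-INSIDE permit 20
 match ip address PBR-ENG
 set ip next-hop 198.51.100.1
!
! Apply on the ingress interface. PBR is evaluated on the first packet of each new
! inbound connection only; the decision is cached in the flow for later packets.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
 policy-route route-map PBR-INSIDE
```

Because PBR is ingress-only and is not triggered for packets of existing connections or when NAT is applied, verify the egress choice with a new connection from each source subnet rather than an already-established one.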
History for Policy Based Routing
Table 1 History for Route Maps
Feature Name: Policy based routing
Policy Based Routing (PBR) is a mechanism by which traffic is
routed through specific paths with a specified QoS using ACLs. ACLs let traffic
be classified based on the content of the packet’s Layer 3 and Layer 4 headers.
This solution lets administrators provide QoS to differentiated traffic,
distribute interactive and batch traffic among low-bandwidth, low-cost
permanent paths and high-bandwidth, high-cost switched paths, and allows
Internet service providers and other organizations to route traffic originating
from various sets of users through well-defined Internet connections.
We updated the following screens:
Configuration > Device Setup > Routing > Route Maps > Policy Based Routing
Configuration > Device Setup > Routing > Interface Settings > Interfaces