Policy-based Routing in Cisco Routers

As I said in my previous article, Policy-based Routing on Fortigate Firewall, this article covers policy-based routing on Cisco routers. Normally, routing is based only on the destination network/host: the router picks the next-hop router from the destination address of each packet. In some cases you need a narrower set of rules, such as "traffic originating from this source network goes this way, and the rest goes another way" (for example, when you have multiple outgoing connections).

In the following diagram, I have two outgoing interfaces on Router R2.

Policy-based routing on Cisco

I want traffic from the Office network to be routed to the DSL router, and everything else to go to the leased-line router. Policy-based routing accomplishes this with three definitions: the source network and incoming interface, the traffic type, and the destination network and outgoing interface. On Cisco routers, the source/destination networks and the traffic type are defined by an access list. The outgoing interface and next-hop address are configured in a route-map policy, and the last part, the incoming interface, is configured under the interface itself.

Defining access list

The access list is the main part of the game: it defines the traffic type, the source network, and the destination network. My Office network is 192.168.2.0/24. Note that access lists use wildcard masks, not subnet masks: 0.0.0.255 covers the /24, and "any" (equivalent to 0.0.0.0 255.255.255.255) matches every destination. The following access list matches all IP traffic from 192.168.2.0/24 to any destination.

access-list 105 permit ip 192.168.2.0 0.0.0.255 any

As another example, if I want traffic from the IP address 192.168.1.5 (a server in my Server network) to 4.2.2.2 (a public DNS server) to use the DSL line, I would add an access-list entry such as

access-list 105 permit ip host 192.168.1.5 host 4.2.2.2

Creating Route-map Policy

The next step is to define a route-map policy. The route-map references the previous access list and sets the next-hop router IP and the outgoing interface.

route-map OfficeNet permit 10
  match ip address 105
  set ip next-hop 192.168.5.254
  set interface FastEthernet 0/1
!
! Sequence 20 has no match or set statement: traffic that does not
! match access-list 105 falls through and is routed normally.
route-map OfficeNet permit 20
!

In that configuration, 105 is the number of the access list defined in step 1, and FastEthernet 0/1 is the interface of Router R2 that connects to the DSL router. This interface is used as the outgoing interface.

Do not forget next-hop address
Do not forget the set ip next-hop line; without it, the router will not know where to send the traffic. You could omit this line only if the outgoing interface is a point-to-point connection.

Determining Incoming Interface

The route-map policy is triggered when the right interface receives traffic that the route-map matches. In this step, we define which interface will apply the route-map policy. Looking at the diagram, traffic from the Office network enters Router R2 on its FastEthernet 0/2 interface; therefore, Fa0/2 is the incoming interface.

interface FastEthernet 0/2
  ip policy route-map OfficeNet

When interface FastEthernet 0/2 on Router R2 receives traffic matching access-list 105, it follows the instructions in the route-map OfficeNet and sends the traffic out FastEthernet 0/1 to the next-hop address 192.168.5.254.

You could interpret a policy-based routing policy as: "if this traffic type comes from this source network, goes to that destination, and enters through the right incoming interface so that it matches my policy, I will route it this way."
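To make the three-part decision above concrete, here is an added Python model (not IOS code and not from the original article) that evaluates the article's access list, route-map and incoming-interface binding the way a router would: wildcard-mask matching with first-match-wins and an implicit deny, route-map clauses tried in sequence order, and the policy applied only on the interface carrying ip policy route-map. The packets, the interface names without spaces, and the helper names are constructed for this example; the configuration values are the article's own. It also shows the wildcard-mask pitfalls that silently steer the wrong traffic: writing 0.0.0.0 0.0.0.0 as a destination matches only host 0.0.0.0, and writing a subnet mask where a wildcard mask belongs matches almost nothing.

```python
"""Model of Cisco-style policy-based routing decisions (added example, not IOS code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


def wildcard_match(address: str, base: str, wildcard: str) -> bool:
    """IOS wildcard-mask test: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(address))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class AclEntry:
    action: str      # "permit" or "deny"
    src: str
    src_wc: str
    dst: str
    dst_wc: str


def parse_acl_line(line: str) -> tuple[int, AclEntry]:
    """Parse 'access-list N permit ip <src> <wc> <dst> <wc>'; 'host X' and 'any' are accepted."""
    tok = line.split()
    if tok[0] != "access-list" or tok[3] != "ip":
        raise ValueError(f"unsupported line: {line}")

    def take(toks):                       # one address spec -> (base, wildcard, remaining tokens)
        if toks[0] == "any":
            return "0.0.0.0", "255.255.255.255", toks[1:]
        if toks[0] == "host":
            return toks[1], "0.0.0.0", toks[2:]
        return toks[0], toks[1], toks[2:]

    src, src_wc, rest = take(tok[4:])
    dst, dst_wc, _ = take(rest)
    return int(tok[1]), AclEntry(tok[2], src, src_wc, dst, dst_wc)


def acl_permits(entries: list[AclEntry], src: str, dst: str) -> bool:
    """First matching entry decides; no match means the implicit deny."""
    for e in entries:
        if wildcard_match(src, e.src, e.src_wc) and wildcard_match(dst, e.dst, e.dst_wc):
            return e.action == "permit"
    return False


@dataclass
class RouteMapClause:
    seq: int
    match_acl: Optional[int] = None       # None = clause matches all traffic
    next_hop: Optional[str] = None
    out_interface: Optional[str] = None


def route_decision(policy_interfaces, route_maps, acls, in_interface, src, dst):
    """Return ('policy', next_hop, out_if) or ('normal', None, None).

    policy_interfaces maps interface -> route-map name ('ip policy route-map').
    """
    name = policy_interfaces.get(in_interface)
    if name is None:                      # no policy on the incoming interface
        return ("normal", None, None)
    for clause in sorted(route_maps[name], key=lambda c: c.seq):
        if clause.match_acl is not None and not acl_permits(acls.get(clause.match_acl, []), src, dst):
            continue
        if clause.next_hop is None and clause.out_interface is None:
            return ("normal", None, None)  # matched a clause with no set: normal routing
        return ("policy", clause.next_hop, clause.out_interface)
    return ("normal", None, None)         # fell off the end of the route-map


# The article's configuration, reproduced as data (constructed input for this example).
ACLS: dict[int, list[AclEntry]] = {}
for _line in ("access-list 105 permit ip 192.168.2.0 0.0.0.255 any",
              "access-list 105 permit ip host 192.168.1.5 host 4.2.2.2"):
    _number, _entry = parse_acl_line(_line)
    ACLS.setdefault(_number, []).append(_entry)

ROUTE_MAPS = {"OfficeNet": [
    RouteMapClause(10, match_acl=105, next_hop="192.168.5.254", out_interface="FastEthernet0/1"),
    RouteMapClause(20),                   # catch-all: everything else is routed normally
]}
POLICY_INTERFACES = {"FastEthernet0/2": "OfficeNet"}


def decide(in_interface: str, src: str, dst: str):
    """Decision for one packet entering Router R2 (hypothetical helper name)."""
    return route_decision(POLICY_INTERFACES, ROUTE_MAPS, ACLS, in_interface, src, dst)


if __name__ == "__main__":
    for in_if, s, d in [("FastEthernet0/2", "192.168.2.10", "8.8.8.8"),
                        ("FastEthernet0/2", "192.168.1.5", "4.2.2.2"),
                        ("FastEthernet0/2", "192.168.1.5", "8.8.8.8"),
                        ("FastEthernet0/1", "192.168.2.10", "8.8.8.8")]:
        print(in_if, s, "->", d, decide(in_if, s, d))
    # Pitfalls: '0.0.0.0 0.0.0.0' is host 0.0.0.0, and a subnet mask is not a wildcard mask.
    print(wildcard_match("8.8.8.8", "0.0.0.0", "0.0.0.0"),
          wildcard_match("192.168.2.10", "192.168.2.0", "255.255.255.0"))
```

Running it shows Office traffic and the 192.168.1.5 to 4.2.2.2 flow being policy-routed out FastEthernet0/1 to 192.168.5.254, the server's other traffic and anything arriving on FastEthernet0/1 falling back to normal routing, and both wildcard-mask pitfalls evaluating to False.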

About The Author

Hao Nguyen

Hello! I'm Hao Nguyen and I'm currently working as a Network Engineer for a small firm in Houston. I enjoy writing technical documents and blogs, such as PlanTutorials.com.