Policy-Based Routing
Policy-Based Routing (PBR) is an advanced routing technique in CCNP Enterprise infrastructure that allows network administrators to make routing decisions based on criteria beyond the standard destination IP address. Unlike traditional routing protocols that use only the destination address to determine the next hop, PBR enables granular control over traffic forwarding based on multiple parameters including source IP address, protocol type, application port numbers, packet size, and Quality of Service (QoS) markings.

PBR is implemented using route maps, which are configuration objects containing match criteria and set actions. When a packet arrives at a router configured with PBR, the route map evaluates the packet against the specified match conditions. If the packet matches the criteria, the set clause determines the forwarding action, such as a specific next-hop IP address, an output interface, or a preference for particular paths.

Common PBR use cases include traffic engineering, where organizations direct specific traffic flows through particular network paths to optimize bandwidth utilization and minimize latency. It is also valuable for implementing load balancing across multiple Internet Service Providers (ISPs), ensuring certain traffic types use specific ISP connections based on business requirements. PBR can enforce policy compliance by directing traffic through security devices like firewalls or intrusion prevention systems before it reaches its destination. Additionally, it supports application-specific routing, where different applications receive different forwarding treatment based on their characteristics.

The configuration involves creating route maps with match statements and set actions, then applying these route maps to interfaces using the 'ip policy route-map' command on ingress interfaces. When troubleshooting PBR, administrators use commands like 'show route-map' and 'debug ip policy' to verify configurations and trace packet processing. Understanding PBR is essential for CCNP Enterprise candidates, as it demonstrates the advanced routing manipulation skills required for complex enterprise network designs and policy implementation.
Policy-Based Routing: CCNP ENCOR Infrastructure Guide
Why Policy-Based Routing is Important
Policy-Based Routing (PBR) is a critical technology in modern enterprise networks because it provides granular control over packet forwarding decisions beyond traditional destination-based routing. In traditional routing, routers make forwarding decisions solely based on the destination IP address using routing table lookups. However, many enterprise requirements demand more sophisticated routing logic.
Key reasons why PBR is important:
- Load Balancing: Distribute traffic across multiple links or paths based on application requirements
- QoS Implementation: Route traffic with different quality requirements through different paths
- Service Differentiation: Route premium customers or critical applications through preferred paths
- Traffic Engineering: Direct traffic away from congested routes to optimize network utilization
- Security: Route traffic through specific security appliances or firewalls based on criteria
- Cost Optimization: Route traffic through less expensive links during off-peak hours
- Application Performance: Ensure latency-sensitive applications use optimal paths
What is Policy-Based Routing
Policy-Based Routing is a routing mechanism that allows network administrators to define routing policies based on multiple criteria beyond just the destination IP address. Instead of following the standard longest-match lookup in the routing table, PBR uses route maps to match packets based on various attributes and then applies specific forwarding actions.
Core Definition: PBR enables routers to apply custom routing decisions to packets based on policies that match against source IP address, destination IP address, protocol type, port numbers, packet size, DSCP values, and other Layer 3 and Layer 4 characteristics.
Key Components of PBR:
- Route Maps: The primary tool for defining PBR policies, consisting of match and set commands
- Match Criteria: Conditions that packets must satisfy to be processed by a specific route map entry
- Set Actions: Forwarding instructions applied to matched packets
- Policy Application: Configuration on interfaces to apply the policy to incoming traffic
How Policy-Based Routing Works
Step-by-Step Process:
- Packet Arrival: A packet arrives at an interface where PBR is enabled
- Route Map Evaluation: The router evaluates the packet against the configured route map entries in sequential order
- Criteria Matching: The router checks if the packet matches the conditions specified in the match clause
- Action Execution: If a match is found, the set commands define the forwarding action (next hop, interface, etc.)
- Forwarding Decision: The packet is forwarded according to the set action instead of consulting the routing table
- Default Route Behavior: If no match is found, the packet is forwarded using normal routing table lookup
Route Map Syntax Structure:
route-map policy-name permit/deny sequence-number
match [criteria]
set [action]
Example Scenario:
Imagine an organization wants to route traffic from the HR department through one ISP and traffic from the finance department through a different ISP for security and performance reasons. Destination-based routing alone cannot do this, because packets from both departments carry the same destination addresses and would take the same path. With PBR, you could:
- Create a route map that matches source IP addresses from the HR subnet (10.1.0.0/24)
- Set the next hop to the HR department's preferred ISP gateway
- Create another route map entry matching finance subnet (10.2.0.0/24)
- Set its next hop to the finance department's ISP gateway
- Apply this route map inbound on the LAN-facing interface where the HR and finance traffic enters the router, since ip policy route-map acts on packets arriving on that interface
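The HR and finance scenario above, written out as a complete IOS configuration that follows the step-by-step process from the previous section. This is an added example, not configuration from the original page; the ISP gateway addresses 203.0.113.1 and 198.51.100.1, the access-list and route-map names, and the interface numbers are assumptions chosen for illustration.

```cisco
! Added example: addresses, names and interfaces below are assumed, not from the page
! HR subnet 10.1.0.0/24      -> ISP-A gateway 203.0.113.1  (assumed address)
! Finance subnet 10.2.0.0/24 -> ISP-B gateway 198.51.100.1 (assumed address)
!
! Named extended access lists classify the traffic by SOURCE address only;
! the destination is "any", so every destination from that subnet is affected
ip access-list extended HR-SRC
 permit ip 10.1.0.0 0.0.0.255 any
ip access-list extended FIN-SRC
 permit ip 10.2.0.0 0.0.0.255 any
!
! Route map: entries are evaluated in sequence-number order and the first match wins
route-map DEPT-PBR permit 10
 match ip address HR-SRC
 set ip next-hop 203.0.113.1
route-map DEPT-PBR permit 20
 match ip address FIN-SRC
 set ip next-hop 198.51.100.1
! A packet that matches neither entry is forwarded by the normal routing table lookup
!
! Apply the policy on the LAN-facing interface where both subnets enter the router;
! ip policy route-map acts on packets arriving INBOUND on this interface
interface GigabitEthernet0/0/0
 description Inside LAN (ingress for HR and finance subnets)
 ip policy route-map DEPT-PBR
```

Because the two source subnets do not overlap, the order of sequences 10 and 20 does not change the result here; order starts to matter as soon as one access list is a superset of another, which is the case Tip 6 below is about. Both next hops must be resolvable in the routing table for the set clause to take effect (the recursive lookup described under Advanced PBR Concepts).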
Common PBR Actions (Set Commands):
- set ip next-hop: Specifies the IP address of the next hop router
- set interface: Directs packets to a specific outgoing interface
- set ip default next-hop: Sets a default next hop if primary is unreachable
- set metric: Modifies the metric value for routing decisions
- set as-path: Modifies BGP AS path (used in BGP PBR)
- set local-preference: Sets BGP local preference value
Common Match Criteria:
- match ip address: Matches source or destination IP address
- match protocol: Matches IP protocol (TCP, UDP, ICMP, etc.)
- match ip dscp: Matches Differentiated Services Code Point values
- match length: Matches packet length (minimum and maximum)
- match interface: Matches incoming interface
- match route-type: Matches route type in routing table
Practical Configuration Example
Scenario: Route traffic from subnet 192.168.1.0/24 destined for 10.0.0.0/8 through next hop 172.16.1.1, while all other traffic uses normal routing.
! Extended access list: match source 192.168.1.0/24 AND destination 10.0.0.0/8.
! A standard access list would test only the source and would policy-route all
! traffic from the subnet, not just the traffic destined for 10.0.0.0/8.
access-list 100 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
! Route map for policy-based routing: the first entry matches ACL 100 and sets the next hop
route-map PBR-POLICY permit 10
 match ip address 100
 set ip next-hop 172.16.1.1
! Second entry has no match and no set clause: all other traffic matches it, and
! with no set action it falls back to the normal routing table lookup
route-map PBR-POLICY permit 20
! Apply the route map to the incoming (ingress) interface for the 192.168.1.0/24 traffic
interface GigabitEthernet0/0/1
 ip policy route-map PBR-POLICY
Advanced PBR Concepts
PBR with Recursive Lookups: When using set ip next-hop, the router performs a recursive lookup to ensure the next hop is reachable through the normal routing table. This prevents routing loops and ensures convergence.
VRF Integration: PBR can route traffic into different VRF instances, enabling multi-tenancy and isolation scenarios in enterprise networks.
BGP PBR (Hardware-based): Modern platforms support BGP flowspec, which programs PBR rules in hardware for better performance and scalability than interface-level PBR.
Stateful PBR: Some platforms support PBR with state awareness, allowing different policies based on connection state (new, established, etc.).
How to Answer Exam Questions on Policy-Based Routing
Question Type 1: Identifying PBR Use Cases
Example Question: "Which scenario best demonstrates the need for Policy-Based Routing instead of standard destination-based routing?"
Answer Strategy: Look for scenarios involving:
- Routing decisions based on source address or port numbers
- Load balancing across multiple paths
- Traffic engineering requirements
- Different treatment for different customer/application types
Question Type 2: Route Map Syntax and Configuration
Example Question: "Which command applies a policy-based routing policy to an interface?"
Answer Strategy: Remember these key commands:
- ip policy route-map [name] - Applied to interface, enables PBR
- route-map [name] permit/deny [sequence] - Defines the policy
- match - Specifies criteria
- set - Specifies action
Question Type 3: Troubleshooting PBR Issues
Example Question: "Traffic is not being routed according to the policy-based routing configuration. Which is the most likely cause?"
Answer Strategy: Common issues to consider:
- Route map not applied to correct interface direction
- No match statement (implicitly denies traffic)
- Next hop is not reachable in routing table (recursive lookup fails)
- Access list criteria too restrictive or incorrect
- Route map sequence numbers causing unexpected behavior
Question Type 4: PBR vs. Standard Routing
Example Question: "What is the primary difference between PBR and traditional destination-based routing?"
Answer Strategy: Key differences to emphasize:
- Traditional routing: Uses destination IP address only via longest-match lookup
- PBR: Uses multiple criteria (source, destination, protocol, port, DSCP, etc.)
- Traditional routing: Follows routing table decisions
- PBR: Applies policy-based decisions before or instead of routing table lookup
Exam Tips: Answering Questions on Policy-Based Routing
Tip 1: Understand the Hierarchy of PBR Processing
Remember that PBR is evaluated before the standard routing table lookup. If a packet matches a route map entry with a set action, it follows that action. If no match occurs, normal routing takes over. This is crucial for understanding PBR behavior and troubleshooting scenarios.
Tip 2: Focus on the Three Key Commands
Master these three command patterns:
- route-map NAME permit/deny SEQUENCE - Creating the policy
- match [criteria] - Defining what traffic to match
- set [action] - Defining what to do with matched traffic
Practice writing these commands in different scenarios until they become automatic.
Tip 3: Remember the Interface Application
PBR is applied to interfaces using ip policy route-map NAME. This is a critical step that many candidates forget. A perfectly configured route map will not work if not applied to an interface. Also remember that this command applies to inbound traffic on that interface by default.
Tip 4: Know Common Match Criteria
Exam questions often test whether you know what can and cannot be matched in a route map. Remember:
- Can match: Source IP, destination IP, protocol, ports, DSCP, packet size, incoming interface
- Cannot match directly: Specific application names (must use port numbers)
Tip 5: Understand Recursive Lookups
When you use set ip next-hop, the router checks if that next hop is reachable through the normal routing table. If the next hop is not reachable, the packet may be dropped or follow normal routing depending on configuration. Understand this concept for troubleshooting questions.
Tip 6: Watch Out for Route Map Sequence Order
Route map entries are processed in sequence number order, and the first match wins. If you have:
- Entry 10: match address 1, set next-hop 10.1.1.1 (permit)
- Entry 20: match address 2, set next-hop 10.2.2.2 (permit)
Entry 10 is evaluated first: a packet that matches access list 1 takes next hop 10.1.1.1 and is never compared against entry 20. Only packets that do not match entry 10 proceed to entry 20. This can cause unexpected behavior if the access lists overlap and the more general one has the lower sequence number. Look for exam questions that test this concept through configuration analysis.
Tip 7: Distinguish Between Permit and Deny in Route Maps
In PBR route maps:
- permit: Means "if matched, apply the set commands and don't check further entries" (or continue to next permit/deny clause based on configuration)
- deny: Means "if matched, skip this policy and use normal routing"
This is different from access lists, where deny means drop the packet. Don't confuse these concepts.
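An added example, not from the original page, that puts Tips 6 and 7 together: a deny entry with a low sequence number exempts intranet-bound traffic from the policy so that it follows the routing table, while the later permit entry policy-routes the remaining traffic from the same subnet. The subnet, the next-hop address 203.0.113.1, and the access-list, route-map and interface names are assumptions.

```cisco
! Added example with assumed addresses and names (not from the original page)
! Goal: traffic from 10.1.0.0/24 to the internal range 10.0.0.0/8 must follow the
! routing table; all other traffic from 10.1.0.0/24 is sent to next hop 203.0.113.1
ip access-list extended INTERNAL-DEST
 permit ip 10.1.0.0 0.0.0.255 10.0.0.0 0.255.255.255
ip access-list extended FROM-LAN
 permit ip 10.1.0.0 0.0.0.255 any
!
! Sequence 5 is checked first. A deny entry in a PBR route map does NOT drop the
! packet (unlike an access-list deny); matched packets skip the policy entirely
! and are forwarded by the normal routing table.
route-map LAN-PBR deny 5
 match ip address INTERNAL-DEST
! Sequence 10 is reached only by packets that did not match sequence 5.
! If the two entries were swapped, FROM-LAN (a superset of INTERNAL-DEST) would
! match first and the internal traffic would be policy-routed to the ISP by mistake.
route-map LAN-PBR permit 10
 match ip address FROM-LAN
 set ip next-hop 203.0.113.1
!
interface GigabitEthernet0/0/0
 ip policy route-map LAN-PBR
```

The same exemption could be written as a single permit entry with a more specific access list, but the deny-first pattern keeps the exception visible in the route map itself, which is easier to audit and to trace in configuration-analysis questions.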
Tip 8: Practice Real-World Scenarios
Exam questions often present scenarios like:
- Load balancing across two ISP connections
- Routing traffic for different departments through different exit points
- Prioritizing certain traffic through lower-latency paths
Practice translating these scenarios into route map configurations. Ask yourself: "What criteria do I need to match? What set action do I need to apply?"
Tip 9: Know When PBR is NOT the Answer
Some questions try to trick you by presenting scenarios where PBR seems like the solution but isn't. Remember:
- If you only need destination-based routing, standard routing is sufficient
- For large-scale deployments, consider BGP or segment routing
- For stateful policy enforcement, consider Zone-Based Firewall or other solutions
Tip 10: Troubleshooting Approach for PBR Issues
When a question asks about PBR troubleshooting, follow this mental checklist:
- Is the route map applied to an interface? (verify ip policy route-map)
- Does the match criteria correctly identify the traffic? (verify match clauses)
- Is the set action valid and the next hop reachable? (verify recursive lookup)
- Are there any conflicting access lists or other policies?
- Is traffic actually hitting the interface where PBR is applied?
Tip 11: Study Configuration Analysis Questions
Exams frequently present a configuration and ask "What will happen to traffic matching these criteria?" For these questions:
- Trace through the route map entries in order
- Determine what traffic matches each entry
- Identify the set action for matched traffic
- Determine what happens to non-matching traffic
Tip 12: Remember PBR Limitations
Be aware that:
- PBR is processed per-packet, not per-flow, which can cause out-of-order delivery
- PBR doesn't provide redundancy by itself (use with SLA monitoring for reliability)
- PBR on the egress interface (output policy) is less commonly used but should be understood
- PBR can impact CPU if not used appropriately, especially on older platforms
Tip 13: Practice with Command Output
Familiarize yourself with verification commands:
- show route-map [name] - Display the route map configuration and statistics
- show ip policy - Display interfaces where PBR is applied
- debug ip policy - See real-time PBR decisions (use sparingly in production)
Exams may show command output and ask you to interpret it. Know what normal output looks like and what indicates problems.
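The checklist from Tip 10 and the commands from Tip 13, combined into one verification sequence for the PBR-POLICY example earlier on the page. This is an added example and not part of the original page; it uses only the interface, route-map and next-hop values that example defines, and shows commands rather than output.

```cisco
! Added verification sequence for the PBR-POLICY example (names taken from that example)
!
! 1. Is the policy applied at all, and on which interface? (Tip 10, first check)
show ip policy
! 2. Does the route map hold the expected match/set clauses, and do its
!    "Policy routing matches" counters increase while test traffic is sent?
!    A counter stuck at zero means the traffic never matched this entry.
show route-map PBR-POLICY
! 3. Do the access lists classify the intended traffic? Their per-entry hit
!    counters show whether the test packets are being matched.
show ip access-lists
! 4. Is the next hop resolvable in the routing table? (the recursive lookup of Tip 5)
show ip route 172.16.1.1
! 5. Is the test traffic actually arriving on the interface where the policy is applied?
show interfaces GigabitEthernet0/0/1 | include packets input
! 6. Per-packet PBR decisions, lab use only: this debug is CPU-intensive in production
debug ip policy
undebug all
```

Work the list top to bottom: each step rules out one of the causes listed under Question Type 3 (policy not applied, wrong match criteria, unreachable next hop, traffic not reaching the interface) before the next one is considered.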
Tip 14: Understand PBR with Conditional Next Hop
Some configurations use set ip next-hop combined with set ip default next-hop:
- set ip next-hop: Primary next hop (must be reachable)
- set ip default next-hop: Used if primary is unreachable
Questions may test whether you understand when each is used and the fallback behavior.
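An added example, not from the original page, showing the fallback behaviour of Tips 5 and 14 in configuration: the primary next hop is tied to an IP SLA reachability track with the verify-availability form of set ip next-hop, and set ip default next-hop supplies a second option. The addresses 203.0.113.1 and 198.51.100.1, the subnet, the SLA and track numbers, and all names and interfaces are assumptions.

```cisco
! Added example with assumed addresses, names and interfaces (not from the original page)
! Probe the primary next hop so the policy uses it only while it answers ICMP echoes
ip sla 1
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/0/1
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
ip access-list extended FROM-LAN
 permit ip 10.1.0.0 0.0.0.255 any
!
route-map LAN-PBR permit 10
 match ip address FROM-LAN
 ! Primary next hop, applied only while track 1 reports up; when the probe fails
 ! this set clause is skipped and the router moves on to the remaining set options
 set ip next-hop verify-availability 203.0.113.1 10 track 1
 ! Consulted only when the routing table has no explicit (non-default) route for
 ! the destination, i.e. when the packet would otherwise use a default route or be dropped
 set ip default next-hop 198.51.100.1
!
interface GigabitEthernet0/0/0
 ip policy route-map LAN-PBR
```

One caveat a practitioner needs when reading such a configuration: on IOS, set ip default next-hop does not itself test whether any next hop is alive; it is evaluated after set ip next-hop and set interface, and only for destinations that have no explicit route in the routing table. The reachability-based fallback described in Tip 14 therefore comes from the tracked verify-availability clause, while the default next-hop clause covers the "no specific route" case.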
Final Exam Strategy:
When you encounter a PBR question on the CCNP ENCOR exam, follow this approach:
- Read the entire question carefully, noting what is being asked
- Identify if the scenario truly requires PBR (multiple criteria for routing decision)
- Trace through the configuration mentally or on paper
- Consider all possible traffic flows and how they would be handled
- Check for common mistakes: missing interface application, incorrect next hop, wrong match criteria
- Eliminate answers that show misunderstanding of PBR concepts
- Select the answer that correctly applies PBR principles to the scenario
PBR is a moderately weighted topic on CCNP ENCOR. With solid understanding of the concepts, practical configuration knowledge, and attention to the tips above, you can confidently answer PBR questions on the exam.