Policy-Based Routing (PBR) gives more precise control over how traffic flows through a network. It lets an organization steer specific types of traffic over a preferred WAN link, overriding the path the routing table would otherwise choose.
In the scenario covered in this post, PBR controls the path of specific traffic leaving the router, overriding the default routing table. Traffic from a particular subnet (here 192.168.4.0/24) is directed to WAN2 as the preferred path, while all other traffic follows the default route to WAN1. By pairing PBR with IP SLA tracking, the router detects when WAN2 becomes unreachable and automatically falls back to forwarding that traffic via WAN1, maintaining connectivity.
The diagram below represents the topology described in this post.

Configuration
Interfaces
Configure the WAN and LAN interfaces with IP addresses.
interface GigabitEthernet0/0
 description WAN 1
 ip address 1.1.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 description WAN 2
 ip address 2.2.2.1 255.255.255.0
!
interface GigabitEthernet0/2
 description LAN
 ip address 192.168.250.1 255.255.255.252
 ip ospf 1 area 0
Routing
Configure only a default route via the primary WAN interface. No route via the secondary WAN interface is needed for the policy-routed traffic, because the PBR route-map supplies that next hop directly.
ip route 0.0.0.0 0.0.0.0 1.1.1.2
Network Address Translation
Configure an ACL matching all internal networks that will be translated by NAT.
ip access-list extended NAT
 permit ip 192.168.0.0 0.0.255.255 any
Configure two route-maps, each matching the NAT ACL and one of the two egress interfaces. Matching on the egress interface (rather than on a next hop) is what lets NAT follow whichever WAN link PBR has selected for a packet, since the NAT decision is made after the forwarding decision.
route-map NAT-R4 permit 10
 match ip address NAT
 match interface GigabitEthernet0/1
!
route-map NAT-R3 permit 10
 match ip address NAT
 match interface GigabitEthernet0/0
Configure the NAT rules, each referencing one NAT route-map and translating (overloading) the traffic behind the corresponding WAN interface's IP address.
ip nat inside source route-map NAT-R3 interface GigabitEthernet0/0 overload
ip nat inside source route-map NAT-R4 interface GigabitEthernet0/1 overload
Mark the WAN interfaces as NAT outside and the LAN interface as NAT inside.
interface GigabitEthernet0/0
 description WAN 1
 ip nat outside
!
interface GigabitEthernet0/1
 description WAN 2
 ip nat outside
!
interface GigabitEthernet0/2
 description LAN
 ip nat inside
SLA/Tracking
Configure an IP SLA that monitors an IP address with probes sourced from the WAN 2 interface, GigabitEthernet0/1. Note that source-interface only sets the source address of the probe; the echo itself is still forwarded according to the routing table, so with only the default route configured above it would leave via WAN 1. In a production deployment you would normally also add a host route for the tracked address (here 9.9.9.9) pointing at the WAN 2 next hop, so that the SLA genuinely tests the WAN 2 path.
ip sla 1
 icmp-echo 9.9.9.9 source-interface GigabitEthernet0/1
 frequency 5
ip sla schedule 1 life forever start-time now
Configure a tracking object that tracks the reachability result of the SLA created above. In production it is worth adding a delay down/up timer to the track object so that a single lost probe does not flap the policy.
track 1 ip sla 1 reachability
Policy Based Routing
Create an ACL to define the traffic the PBR policy applies to. In this instance traffic sourced from 192.168.4.0/24 will be matched by the PBR policy.
ip access-list extended PBR-ACL
 permit ip 192.168.4.0 0.0.0.255 any
Create a route-map that matches the PBR ACL (as above) and sets the next hop 2.2.2.2, but only while the tracking object is up. When the track object is down, the set clause is ignored and the traffic falls through to the routing table, i.e. the default route via WAN 1.
route-map PBR permit 10
 match ip address PBR-ACL
 set ip next-hop verify-availability 2.2.2.2 1 track 1
Apply the PBR policy to the ingress interface, in this instance the LAN interface GigabitEthernet0/2. All transit traffic arriving on this interface is evaluated against the policy: packets matching the ACL are sent to the WAN 2 next hop and everything else is forwarded normally. Note that ip policy only affects packets arriving on the interface; traffic originated by the router itself is not policy routed unless ip local policy is configured.
interface GigabitEthernet0/2
 description LAN
 ip policy route-map PBR
Testing/Verification
On the router with PBR configured, run the command debug ip policy to enable PBR debugging. This debug logs every packet the policy evaluates, so keep it for the lab or a tightly scoped test; on a busy production router, use the policy routing match counters from show route-map PBR instead.
Confirm the track object is reachable using the command show track.
R2#show track
Track 1
  IP SLA 1 reachability
    Reachability is Up
    4 changes, last change 00:00:04
    Latest operation return code: OK
    Latest RTT (millisecs) 1
  Tracked by:
    Route Map 0
From the client device, generate traffic sourced from an address that does not match the PBR ACL (here 192.168.3.1, loopback 3).
CLIENT#ping 8.8.8.8 so lo3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.3.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/3/6 ms
On the PBR router, the debug output confirms that this traffic did not match the PBR policy and was routed via the default route.
*Jan 31 17:56:05.914: IP: s=192.168.3.1 (GigabitEthernet0/2), d=8.8.8.8, len 100, FIB policy rejected(no match) - normal forwarding
*Jan 31 17:56:05.917: IP: s=192.168.3.1 (GigabitEthernet0/2), d=8.8.8.8, len 100, FIB policy rejected(no match) - normal forwarding
*Jan 31 17:56:05.920: IP: s=192.168.3.1 (GigabitEthernet0/2), d=8.8.8.8, len 100, FIB policy rejected(no match) - normal forwarding
The command show ip nat translations confirms this traffic was translated behind the WAN 1 interface IP address.
R2#show ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
icmp 1.1.1.1:65        192.168.3.1:65     8.8.8.8:65         8.8.8.8:65
Generate traffic again from the client device, this time from an IP address that matches the PBR ACL (192.168.4.1, loopback 4).
CLIENT#ping 8.8.8.8 so lo4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.4.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/3/5 ms
The debug on the PBR router now confirms that the traffic matches the PBR policy and is policy routed via WAN 2 (g=2.2.2.2 in the output).
*Jan 31 18:00:02.568: IP: s=192.168.4.1 (GigabitEthernet0/2), d=8.8.8.8, len 100, FIB policy match
*Jan 31 18:00:02.568: IP: s=192.168.4.1 (GigabitEthernet0/2), d=8.8.8.8, len 100, PBR Counted
*Jan 31 18:00:02.568: IP: s=192.168.4.1 (GigabitEthernet0/2), d=8.8.8.8, g=2.2.2.2, len 100, FIB policy routed
*Jan 31 18:00:02.572: IP: s=192.168.4.1 (GigabitEthernet0/2), d=8.8.8.8, len 100, FIB policy match
*Jan 31 18:00:02.572: IP: s=192.168.4.1 (GigabitEthernet0/2), d=8.8.8.8, len 100, PBR Counted
*Jan 31 18:00:02.572: IP: s=192.168.4.1 (GigabitEthernet0/2), d=8.8.8.8, g=2.2.2.2, len 100, FIB policy routed
Checking the NAT translation table again with show ip nat translations confirms that traffic from 192.168.4.0/24 is translated behind the WAN 2 interface IP address, so PBR is working as intended.
R2#show ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
icmp 2.2.2.1:67        192.168.4.1:67     8.8.8.8:67         8.8.8.8:67
To test the tracking object, make the tracked IP address unreachable via WAN 2. After a few missed probes the router detects the loss of reachability and logs the following message.
*Jan 31 18:02:50.945: %TRACK-6-STATE: 1 ip sla 1 reachability Up -> Down
Run the command show track to confirm the state.
R2#show track
Track 1
  IP SLA 1 reachability
    Reachability is Down
    5 changes, last change 00:01:02
    Latest operation return code: Timeout
  Tracked by:
    Route Map 0
From the client device, generate traffic again from 192.168.4.1.
On the PBR router, the policy debug confirms the traffic matched the PBR policy but, because the tracked next hop is down, the set clause was rejected and the packets were forwarded normally via the default route.
*Jan 31 18:04:10.603: IP: s=192.168.4.1 (GigabitEthernet0/2), d=8.8.8.8, len 100, FIB policy match
*Jan 31 18:04:10.603: IP: s=192.168.4.1 (GigabitEthernet0/2), d=8.8.8.8, len 100, PBR Counted
*Jan 31 18:04:10.603: IP: s=192.168.4.1 (GigabitEthernet0/2), d=8.8.8.8, len 100, FIB policy rejected - normal forwarding
*Jan 31 18:04:10.606: IP: s=192.168.4.1 (GigabitEthernet0/2), d=8.8.8.8, len 100, FIB policy match
*Jan 31 18:04:10.606: IP: s=192.168.4.1 (GigabitEthernet0/2), d=8.8.8.8, len 100, PBR Counted
*Jan 31 18:04:10.606: IP: s=192.168.4.1 (GigabitEthernet0/2), d=8.8.8.8, len 100, FIB policy rejected - normal forwarding
Running show ip nat translations again confirms that 192.168.4.1 is now translated behind the WAN 1 interface IP address.
R2#show ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
icmp 1.1.1.1:69        192.168.4.1:69     8.8.8.8:69         8.8.8.8:69
Once connectivity to the tracked object IP address is restored, the PBR router will detect reachability, and traffic will be routed according to the PBR policy again.
*Jan 31 18:06:45.947: %TRACK-6-STATE: 1 ip sla 1 reachability Down -> Up
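To tally the three debug outcomes shown in this section from a saved capture rather than reading them by eye, here is an added Python example (mine, not from the original post) that parses debug ip policy lines and counts the final forwarding decision per source address: rejected with no ACL match, policy routed to a gateway, or matched but rejected because the verified next hop was down. The intermediate "FIB policy match" and "PBR Counted" lines are deliberately ignored, since only the last line of each packet carries the decision. The sample lines are constructed from the output shown above.

```python
import re
from collections import Counter

# Constructed sample: one packet of each kind seen in this post (no match, policy routed,
# and matched but rejected because track 1 was down), in debug ip policy format.
SAMPLE_DEBUG = """\
*Jan 31 17:56:05.914: IP: s=192.168.3.1 (GigabitEthernet0/2), d=8.8.8.8, len 100, FIB policy rejected(no match) - normal forwarding
*Jan 31 18:00:02.568: IP: s=192.168.4.1 (GigabitEthernet0/2), d=8.8.8.8, len 100, FIB policy match
*Jan 31 18:00:02.568: IP: s=192.168.4.1 (GigabitEthernet0/2), d=8.8.8.8, len 100, PBR Counted
*Jan 31 18:00:02.568: IP: s=192.168.4.1 (GigabitEthernet0/2), d=8.8.8.8, g=2.2.2.2, len 100, FIB policy routed
*Jan 31 18:04:10.603: IP: s=192.168.4.1 (GigabitEthernet0/2), d=8.8.8.8, len 100, FIB policy match
*Jan 31 18:04:10.603: IP: s=192.168.4.1 (GigabitEthernet0/2), d=8.8.8.8, len 100, PBR Counted
*Jan 31 18:04:10.603: IP: s=192.168.4.1 (GigabitEthernet0/2), d=8.8.8.8, len 100, FIB policy rejected - normal forwarding
"""

# Source, ingress interface, destination, optional gateway (only present when policy routed),
# and the trailing verdict text.
LINE_RE = re.compile(
    r"s=(?P<src>[\d.]+) \((?P<ifc>[^)]+)\), d=(?P<dst>[\d.]+)"
    r"(?:, g=(?P<gw>[\d.]+))?, len \d+, (?P<verdict>.+)$"
)


def classify(verdict):
    """Map the final debug line of a packet to an outcome; None for intermediate lines."""
    if verdict == "FIB policy routed":
        return "policy-routed"
    if verdict.startswith("FIB policy rejected(no match)"):
        return "no-match"
    if verdict.startswith("FIB policy rejected"):
        return "next-hop-down"  # ACL matched, but verify-availability/track failed
    return None  # "FIB policy match" and "PBR Counted" precede the decision


def summarize(debug_text):
    """Count final forwarding decisions keyed by (source, outcome, gateway-or-None)."""
    counts = Counter()
    for line in debug_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        outcome = classify(m["verdict"])
        if outcome:
            counts[(m["src"], outcome, m["gw"])] += 1
    return counts


def outcomes_for(debug_text, src):
    """Set of outcomes a given source address experienced, useful for a failover check."""
    return {outcome for (s, outcome, _gw) in summarize(debug_text) if s == src}
```

During a failover test, outcomes_for on the capture for the PBR subnet should show policy-routed before the track goes down and next-hop-down afterwards, while sources outside the PBR ACL should only ever show no-match.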
