
Policy Based Routing Lab

March 24th, 2014 in Basic Labs

In this lab we will learn how to use Policy Based Routing to send traffic via the route we want.


IOS used: c3640-jk9s-mz.124-16.bin

+ Enable OSPF on all interfaces of R2, R3, R4, R5 using only one command on each router.
+ Create Policy Based Routing on R2 so that traffic from R1 to the Loopback interface of R5 ( must go through R3 (the less optimal path).

You can download the Initial Config Lab here: http://www.digitaltut.com/download/Policy_Based_Routing_Lab_Initial.zip.

Initial Config

In the initial config we will configure IP addresses on all interfaces and run OSPF on R2, R3, R4, R5. For R1 we only need a default route to R2.

R1
interface FastEthernet0/0
  ip address
  no shut
ip route

R2
interface FastEthernet0/0
  ip address
  no shut
interface FastEthernet1/0
  ip address
  no shut
interface Serial2/0
  ip address
  no shut
router ospf 1
  network area 0

R3
interface Serial0/0
  ip address
  no shut
interface FastEthernet1/0
  ip address
  no shut
router ospf 1
  network area 0

R4
interface FastEthernet0/0
  ip address
  no shut
interface FastEthernet1/0
  ip address
  no shut
router ospf 1
  network area 0

R5
interface Loopback0
  ip address
interface FastEthernet0/0
  ip address
  no shut
interface FastEthernet1/0
  ip address
  no shut
router ospf 1
  network area 0

The FastEthernet links have higher bandwidth (lower OSPF cost) than the Serial link, so traffic from R1 to R5 goes through R4:


Now we will create a Policy Based Routing on R2 so that all traffic destined for (R5 Loopback0) goes through R3:

access-list 100 permit ip any host
route-map OUT_R5 permit 10
  match ip address 100
  set ip next-hop
! Apply this route-map to Fa0/0
interface FastEthernet0/0
  ip policy route-map OUT_R5

The traffic now goes through R3:


We can turn on “debug ip policy” on R2 to take a closer look at the policy match. We should also disable CEF so that we can see the detailed match (use the “no ip cef” command in global config mode).


Verify the traffic has been matched with the access list:

That is all of the Policy Based Routing configuration in this lab. But what happens to traffic that does not match the access-list? Will it be dropped? We will test this by replacing our access-list with one that our traffic will not match, for example one that permits only TCP.

no access-list 100
access-list 100 permit tcp any host

Notice that traceroute sends UDP traffic, so it will not match the above access-list.


We see that the unmatched traffic is not dropped; it is routed through the normal destination-based routing process.

Another point to note is that normal Policy Based Routing is only applied to traffic transiting the router. It cannot match traffic originating from R2 itself. For example, a traceroute from R2 still goes through R4:


Luckily, we can also match traffic originating from R2 with Local Policy Based Routing by adding this command in global configuration mode (not interface mode):

R2(config)#ip local policy route-map OUT_R5

Now traffic from both R1 and R2 goes through R3.


You can download the final configuration of this lab here: http://www.digitaltut.com/download/Policy_Based_Routing_Lab_Final.zip.
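
The three behaviours seen in this lab (matched transit traffic is policy routed, unmatched traffic falls back to normal forwarding, router-originated traffic needs a local policy) can be modelled in a few lines. This Python model is an added example, not part of the original lab or of IOS; the addresses are constructed documentation-range values and the names `Packet`, `Ace`, `RouteMap` and `forward` are hypothetical.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addresses (documentation ranges), not the lab's own values.
R1_HOST, R5_LOOPBACK = "192.0.2.1", "192.0.2.5"
VIA_R3, VIA_R4 = "198.51.100.3", "203.0.113.4"   # policy path / OSPF best path

@dataclass
class Packet:
    proto: str               # "tcp", "udp" or "icmp"
    src: str
    dst: str
    ingress: Optional[str]   # None means the router originated the packet

@dataclass
class Ace:                   # models "permit <proto> any host <dst>"
    proto: str
    dst_host: str
    def matches(self, pkt: Packet) -> bool:
        return self.proto in ("ip", pkt.proto) and pkt.dst == self.dst_host

@dataclass
class RouteMap:              # one "permit" entry: match ACL, set ip next-hop
    acl: list
    next_hop: str

def forward(pkt, rib, iface_policy, local_policy=None):
    """Return (next_hop, reason) for a packet handled by R2."""
    # Interface PBR only sees packets arriving on that interface;
    # router-originated packets are checked against the local policy.
    rmap = local_policy if pkt.ingress is None else iface_policy.get(pkt.ingress)
    if rmap and any(ace.matches(pkt) for ace in rmap.acl):
        return rmap.next_hop, "policy routed"
    # No policy or no ACL match: longest-prefix lookup, not a drop.
    dst = ipaddress.ip_address(pkt.dst)
    best = max((n for n in rib if dst in n), key=lambda n: n.prefixlen, default=None)
    return (rib[best], "normal forwarding") if best is not None else (None, "no route")

def demo():
    rib = {ipaddress.ip_network(R5_LOOPBACK + "/32"): VIA_R4}
    any_ip = {"FastEthernet0/0": RouteMap([Ace("ip", R5_LOOPBACK)], VIA_R3)}
    tcp_only = {"FastEthernet0/0": RouteMap([Ace("tcp", R5_LOOPBACK)], VIA_R3)}
    transit = Packet("udp", R1_HOST, R5_LOOPBACK, "FastEthernet0/0")  # traceroute probe
    local = Packet("udp", "198.51.100.2", R5_LOOPBACK, None)
    return [
        forward(transit, rib, any_ip),    # matched by "permit ip"
        forward(transit, rib, tcp_only),  # UDP probe vs TCP-only ACL
        forward(local, rib, any_ip),      # interface PBR skips local traffic
        forward(local, rib, any_ip, any_ip["FastEthernet0/0"]),  # ip local policy
    ]
```
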

  1. Anonymous
    May 14th, 2016

    Good Lab

  2. next-gen
    May 26th, 2016

    Wow, great lab, I enjoyed it

  3. Tej Bahadur
    May 28th, 2016

    How to make PBR send traffic from R5 to R1 via R3>R2>R1, for example that serial link has bandwidth 128K only?

    I have tried, but the problem is it goes to next hop R3 and again returns traffic to R5 and goes to R4 and R2 and R1.

    How to tweak this?


  4. Isazu
    August 16th, 2016

    @Tej Bahadur
    You can add another PBR in R3 to make this work
    R3#sh ip access-lists
    Extended IP access list 101
    10 permit ip any host (18 matches)

    R3#sh route-map
    route-map BPI, permit, sequence 10
    Match clauses:
    ip address (access-lists): 101
    Set clauses:
    ip next-hop
    Nexthop tracking current:, fib_nh:0,oce:0,status:0

  5. Isazu
    August 16th, 2016

    @Tej pls see traceroute below
    Type escape sequence to abort.
    Tracing the route to
    VRF info: (vrf in name/id, vrf out name/id)
    1 32 msec 24 msec 24 msec
    2 64 msec 56 msec 64 msec
    3 76 msec 80 msec 56 msec

  6. oronyaniv
    December 3rd, 2016

    Hi all,
    if I have only CFG and topology files,
    how do I load them in GNS3?

  7. irfi
    December 17th, 2016

    @oronyaniv Following link will help you, shows older version but implies same settings, don’t open GNS3, open Topology Directly by right click and open and select GNS3 from List.

  8. irfi
    December 17th, 2016

    First of all, many many thanks to the folks who are doing that awesome dude, and plus think also about CCNA and CCNP Service Provider LABS and Material, it would be awesome for us to get some help on that.

    Last but not the least.
    We can also change access-list 100 or 101 to the following, which only matches telnet traffic from R1, and then policy routing will happen,
    *Mar 1 00:14:03.323: IP: route map pbr, item 10, permit
    *Mar 1 00:14:03.323: IP: s= (FastEthernet0/0), d= (Serial2/0), len 44, policy routed
    and check debug ip policy on term mon of R2
    and when we generate ICMP traffic, it will go through via normal forwarding
    *Mar 1 00:13:41.479: IP: s= (FastEthernet0/0), d= (FastEthernet1/0), len 28, policy rejected -- normal forwarding
    R2# Tracert

    conf t
    R2# no ip cef
    R2# debug ip policy
    R2#sh ip access-lists 101
    Extended IP access list 101
    10 permit tcp any host eq telnet (20 matches)

  9. Rocky
    February 9th, 2017

    Hi, can someone advise how to run these labs under GNS3? Which GNS3 version?

  10. shalev
    May 7th, 2017

    it can’t run in packet tracer? if it can, which version?

  11. IntroVoys
    June 3rd, 2017

    Is this lab also part of the exam?

  12. K
    July 3rd, 2017