Really simple policy-routing in IOS

2 10 2008

For some reason (and for quite a long time) policy routing seemed a bit of a scary subject.  I’ve noticed other people don’t like it very much either, but it is actually not all that bad.

Standard routing in IP networks is done based on the destination address of a packet.  The router receives a packet, checks the routing table and decides where to forward the packet next.

Policy-routing is simply a way of overriding what the routing table says. By using policy routing, you can send packets from a certain source subnet or host to a different next-hop than the one the routing table would choose. Policy routing happens before standard routing, so if a packet hits the policy, the normal routing table isn’t even consulted.

It is a ‘swiss army knife’ kind of tool – if you know how to use it, it can be really helpful for those cases where you need to achieve something without major network changes.

Here’s a really simple example.  The configuration below is based on this diagram:

Policy routing example

As you can see, R1 is connected to an internetwork which has two subnets somewhere in the cloud. R1 has a default static route via R2, so traffic bound for the Internet goes that way. What I need to do is make sure that traffic from one of those subnets goes via R3 instead.

First write an ACL to match the source address of the traffic we are interested in:

R1(config)# access-list 10 permit

Now, write a route-map called NET-2. It matches on the source address from ACL 10, and sets the IP next-hop to R3’s address:

R1(config)# route-map NET-2
R1(config-route-map)# match ip address 10
R1(config-route-map)# set ip next-hop

This won’t work on its own though – the policy has to be applied to the interface the traffic arrives on, which here is e0/0:

R1(config)# int e0/0
R1(config-if)# ip policy route-map NET-2

What will happen now is this:

1. A packet arrives on e0/0.
2. The ‘ip policy’ statement tells the router to evaluate route-map ‘NET-2’.
3. Route-map NET-2 uses ACL 10 to check whether the packet’s source address is in the subnet we are interested in.
4. If there is a match, the next-hop is set to R3.
5. If there is no match, a normal routing-table lookup occurs and the default route (via R2) is chosen.

This can be made even simpler if the networks are directly attached to the router. Within the route-map, do a “match interface w/x” and then a “set interface y/z” to direct the traffic – done this way, you don’t even need an access-list!

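To make the order of operations in the five steps above concrete, here is a small Python model of what R1 does with each packet. It is an added example, not configuration from the post or Cisco code, and because the post’s real addresses are not shown it uses constructed RFC 5737 documentation addresses (NET-2 = 192.0.2.0/24, R2 = 198.51.100.2, R3 = 198.51.100.3). It goes a little beyond the post: the ACL model can also match protocol and destination port (the “www traffic only” variant an extended access-list would give you), and a `default_only` flag models `set ip default next-hop`, which only overrides the default route rather than every route. The `Packet`, `AclEntry`, `RouteMapClause`, `forward` and `rib_lookup` names are this example’s own.

```python
"""Toy model of IOS policy-based routing (added example; not the post's config).
Addresses are constructed from RFC 5737 ranges because the post's real ones are
not shown: NET-2 = 192.0.2.0/24, R2 = 198.51.100.2, R3 = 198.51.100.3."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

R2 = "198.51.100.2"      # constructed: next-hop of R1's default route
R3 = "198.51.100.3"      # constructed: next-hop the policy steers NET-2 traffic to
NET_2 = "192.0.2.0/24"   # constructed: the source subnet the policy applies to
DEFAULT = "0.0.0.0/0"

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"            # "ip", "tcp" or "udp"
    dport: Optional[int] = None

@dataclass
class AclEntry:
    """One access-list line. A standard ACL (the post's 'access-list 10') checks
    only src; an extended ACL can also check dst, protocol and destination port."""
    action: str                  # "permit" or "deny"
    src: str
    dst: str = DEFAULT
    proto: str = "ip"            # "ip" matches any protocol
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        return self.dport is None or self.dport == pkt.dport

def acl_permits(acl: Tuple[AclEntry, ...], pkt: Packet) -> bool:
    """First matching line wins; anything unmatched hits the implicit deny."""
    for line in acl:
        if line.matches(pkt):
            return line.action == "permit"
    return False

@dataclass
class RouteMapClause:
    acl: Tuple[AclEntry, ...]    # 'match ip address <acl>'
    next_hop: str                # 'set ip next-hop <addr>'
    default_only: bool = False   # True models 'set ip default next-hop' instead

def rib_lookup(table: List[Tuple[str, str]], dst: str) -> Optional[Tuple[str, str]]:
    """Longest-prefix match over (prefix, next_hop) pairs, like the routing table."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return (str(best[0]), best[1]) if best else None

def forward(route_map: List[RouteMapClause], table: List[Tuple[str, str]],
            pkt: Packet) -> Tuple[Optional[str], str]:
    """Steps 1-5 of the post: the policy is consulted first, the RIB only on a miss."""
    rib = rib_lookup(table, pkt.dst)
    for clause in route_map:                       # clauses evaluated in order
        if not acl_permits(clause.acl, pkt):
            continue
        if clause.default_only and rib is not None and rib[0] != DEFAULT:
            break                                  # an explicit route still wins
        return clause.next_hop, "policy"           # 'set ip next-hop' overrides the RIB
    return (rib[1] if rib else None), "rib"        # no hit: normal destination routing

# Constructed routing table for R1: connected NET-2 plus the default route via R2.
RIB = [(DEFAULT, R2), (NET_2, "e0/0 (connected)")]
# The post's policy: 'access-list 10 permit <NET-2>' + 'set ip next-hop <R3>'.
NET_2_MAP = [RouteMapClause((AclEntry("permit", NET_2),), R3)]
# The 'www traffic only' variant: extended ACL matching tcp/80 from NET-2.
NET_2_WWW_MAP = [RouteMapClause((AclEntry("permit", NET_2, proto="tcp", dport=80),), R3)]
# Same policy with 'set ip default next-hop': overrides only the default route.
NET_2_DEFAULT_MAP = [RouteMapClause((AclEntry("permit", NET_2),), R3, default_only=True)]

if __name__ == "__main__":
    samples = [Packet("192.0.2.10", "203.0.113.5", "tcp", 80),    # NET-2 -> Internet, www
               Packet("192.0.2.10", "203.0.113.5", "tcp", 22),    # NET-2 -> Internet, ssh
               Packet("192.0.2.10", "192.0.2.20", "tcp", 80),     # stays inside NET-2
               Packet("203.0.113.9", "203.0.113.5", "tcp", 80)]   # not from NET-2
    for name, rm in (("NET-2", NET_2_MAP), ("NET-2-WWW", NET_2_WWW_MAP),
                     ("NET-2-DEFAULT", NET_2_DEFAULT_MAP)):
        for pkt in samples:
            print(f"{name:14} {pkt.src} -> {pkt.dst} {pkt.proto}/{pkt.dport}: {forward(rm, RIB, pkt)}")
```

Running it shows the point that matters operationally: with plain `set ip next-hop`, a matching packet goes to R3 even when the routing table has a more specific route for its destination (the NET-2-to-NET-2 sample), so the scope of the ACL is the only thing limiting what the policy hijacks. A `permit` that is wider than intended silently diverts everything arriving on e0/0. On a real router, `show route-map NET-2` reports how many packets the policy has matched, which is the quickest way to confirm the ACL is catching what you expect and nothing more.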
6 responses

26 03 2009

That’s very interesting. Out of curiosity, and as a noob, could you extend the ACL so only certain traffic from is routed via, i.e. www traffic only…

30 04 2009

Good question. Sorry I’ve not replied until now. I think you can do that with an extended access-list, but I’ve not tried it. If I have time I will give it a go.

16 12 2009

Yes, that is possible. I’m managing a configuration like that myself.

With an extended access-list, we’re redirecting all www traffic to a WCCP group.
In that WCCP group there’s a cluster of webcache engines doing their stuff.

Works fine.

30 04 2009
Neil Meadows

Excellent post, I love your dedication to simplicity… such a refreshing approach compared to those who feel that only by portraying I.T. as super complex are they able to achieve their aims. You should do more of this, with a theme of making the incomprehensible understandable to mere mortals!!!!! Good luck. Regards, Neil

30 04 2009

Thanks for your kind words Neil! I keep trying – I guess because I’ve realised my own mere mortality. As Oscar Wilde said, “we’re all in the gutter, but some of us are looking at the stars”.

17 07 2009
vitthal patil

That’s very interesting, good with basic question, basic concept..

thanx a lot
