Policy Based Routing

A simple use case for Policy based routing

With the growth of networks and the added complexity of voice, data, applications and video, we need to be more flexible in the way our traffic moves within networks, the growth of cloud and mobility based applications has made this become more important than ever.

Policy based routing is a powerful tool in the arsenal of the network engineer.

With policy based routing we can forward and route packets based on policies or filters. These can be applied based on specific parameters such as source and destination, traffic type, protocols, destination ports or source ports and other criteria.

The question is why we even make use of policy based routing, well for one we can manipulate the traffic to best suit the needs of our network, thus benefit performance, resiliency, and availability of our network infrastructure.

A few things one can do with policy based routing is to prioritize traffic, certain traffic might be more important than other traffic, for example if we had two links to the internet, one link was lower bandwidth and higher latency for standard web browsing traffic and the other was a higher bandwidth and lower latency link that dealt with our high bandwidth applications. We could separate the traffic by classifying/marking it, and sending them towards the preferred paths.

In this demonstration below we will manipulate the preferred path of the desktop user so that an alternate path is taken to the destination network /30.

Topology Layout:


All routers have been assigned IP addresses and a routing protocol (OSPF) are being advertised. All Routes can be pinged.

If we run a trace route to on the desktop before implementing policy based routing we can see that the path is R3 – R2 – R1

Let’s get stuck in and change the path for this traffic.

We apply our routing based policy on R3 as it will be the one to make the routing decisions of which direction we manipulate the traffic.

Step one:

  • Define interesting traffic (In my case I used extended access-lists you may wish to do it differently – Standard IP access lists are used when you are routing based on source address only vs extended which is source and destination)
  • access-list 100 permit ip host host (In this command we are highlighting the fact that we will permit the traffic if the host is – Desktop user in our case and is forwarding traffic to destination of
  • access-list 101 permit ip any any (permitting any host to any destination)

Step two:

  • Next we configure our Route maps
  • Each route map has a permit or deny statement and a sequence number
  • We create our route map an allocate it a unique descriptive name (make sure its relevant ) and a permit or deny statement

In the case below we created a route map called Divert_192.168.3.2, we then stated in the next line to match our access list

In the first route map we specified if the source was coming from user and going to destination then we would send him along the following path R-3 – R-4 – R2 – R1

All other traffic would choose the preferred path to their destination.

Route-map Divert_192.168.3.2 permit 10

 Match ip address 100

  Set ip next-hop


In the second route map permit 20 statement we are calling up the second access list which specifies allowing any hosts to any destination

Route-map Divert_192.168.3.2 permit 20

 Match ip address 101

Step three:

  • Last step is to apply our route map on the interface we want to take traffic from.
  • R3 interface pointing to the network
  • ip policy route-map Divert_192.168.3.2 

Interface FastEthernet1/1

Ip policy route-map Divert_192.168.3.2

Time to verify!

We can verify with a tracert on the user desktop.

After the Route map is applied, desktop user route to

If I change the desktop user’s ip address to another address we can see the preferred path is the top path

As we can see Policy based Routing can be a powerful tool to be used and has many use cases!

Complete command line

R3#config t

Enter configuration commands, one per line.  End with CNTL/Z.

R3(config)#access-list 100 permit ip host host

R3(config)#access-list 101 permit ip any any

R3(config)#route-map Divert_192.168.3.2 permit 10

R3(config-route-map)#match ip address 100

R3(config-route-map)#set ip next-hop


R3(config)#route-map Divert_192.168.3.2 permit 20

R3(config-route-map)#match ip address 101


R3(config)#int fastethernet 1/1

R3(config-if)#ip policy route-map Divert_192.168.3.2