Showing posts with label VRF. Show all posts

Thursday, January 16, 2025

Policy-Based Routing: Configuration Changes and Enhancements Over Time

Policy-Based Routing (PBR) has long been a powerful tool in networking, enabling administrators to route packets based on criteria beyond the destination address. One of its common uses is to route traffic based on the source address, allowing for more granular control over network traffic flows. While the core concepts of PBR remain the same, there are subtle differences in configuration approaches and syntax across different Cisco IOS releases. This blog explores how PBR configuration has evolved and highlights the key differences.

---

### **Understanding Policy-Based Routing (PBR)**

PBR allows for the creation of custom routing rules, empowering network administrators to override the default routing logic of IP routing tables. A common use case involves sending traffic from specific source subnets out via different interfaces or next-hop addresses. To implement this, access control lists (ACLs), route maps, and interfaces are configured to define and apply these custom routing policies.

---

### **Configuring PBR: Then and Now**

The foundational steps for configuring PBR are largely consistent:

1. Define an ACL to match specific traffic.
2. Create a route map to specify actions for matched traffic.
3. Apply the route map to an interface.
4. Specify next-hop actions or outbound interfaces for routed traffic.

However, over time, subtle changes have been introduced to improve functionality and streamline configurations.

---

### **1. Access Control List (ACL) Syntax and Usage**

In earlier versions, extended and standard ACLs were primarily used to match source IP addresses. While the functionality remains intact, newer versions of Cisco IOS introduce enhancements such as:

- **Improved ACL features:** Named ACLs offer a more descriptive approach to defining match conditions.
- **IPv6 support:** Modern configurations allow the use of IPv6-specific ACLs alongside IPv4 ACLs, offering compatibility for dual-stack environments.

**Example: Defining ACLs**
Earlier configurations:

access-list 1 permit 10.15.35.0 0.0.0.255
access-list 2 permit 10.15.36.0 0.0.0.255


Modern configurations:

ip access-list standard ENGINEER-TRAFFIC
 permit 10.15.35.0 0.0.0.255
ip access-list standard MARKETING-TRAFFIC
 permit 10.15.36.0 0.0.0.255


---

### **2. Route Map Enhancements**

Route maps remain at the heart of PBR, allowing administrators to specify policies for matched traffic. Key improvements over time include:

- **Sequence Numbering:** Modern route maps support sequence numbering for better management of individual policies. This allows the insertion, deletion, or modification of specific entries without recreating the entire route map.
- **Flexible Match Criteria:** While earlier configurations were limited to matching IP addresses, modern route maps support additional match criteria like DSCP, packet length, and protocols.

**Example: Configuring a Route Map**
Earlier configurations:

route-map Engineers permit 10
 match ip address 1
 set ip next-hop 10.15.27.1
route-map Engineers permit 20
 match ip address 2
 set interface Ethernet1


Modern configurations:

route-map ENGINEER-ROUTE permit 10
 match ip address ENGINEER-TRAFFIC
 set ip next-hop 10.15.27.1
route-map ENGINEER-ROUTE permit 20
 match ip address MARKETING-TRAFFIC
 set interface Ethernet1


---

### **3. Applying PBR to Interfaces**

In both older and newer configurations, the route map is applied to an interface, ensuring that PBR rules are enforced on inbound traffic. The command remains consistent but now supports additional options like applying policies at different layers (e.g., Layer 3 or 4) or for specific protocols.

**Example: Applying PBR**

interface Ethernet0
 ip address 10.15.22.7 255.255.255.0
 ip policy route-map ENGINEER-ROUTE
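To check a policy like this before it is pushed, here is an added example (not from the original post) that parses the named ACL, route map and interface policy shown above into a small evaluator: given an ingress interface and a source address it reports which `set` clause PBR will apply, and it refuses a route map whose `match ip address` names an ACL that was never defined. It handles only the commands used on this page (standard named ACLs with network/wildcard entries, `match ip address`, `set`, `ip policy route-map`), and the config text is a constructed copy of the examples above.

```python
import ipaddress
CONFIG = """\
ip access-list standard ENGINEER-TRAFFIC
 permit 10.15.35.0 0.0.0.255
ip access-list standard MARKETING-TRAFFIC
 permit 10.15.36.0 0.0.0.255
route-map ENGINEER-ROUTE permit 10
 match ip address ENGINEER-TRAFFIC
 set ip next-hop 10.15.27.1
route-map ENGINEER-ROUTE permit 20
 match ip address MARKETING-TRAFFIC
 set interface Ethernet1
interface Ethernet0
 ip policy route-map ENGINEER-ROUTE
"""

def load(text):
    """Index ACL entries, route-map sequences and interface policies by name."""
    acls, rmaps, policy, head = {}, {}, {}, []
    for line in filter(str.strip, text.splitlines()):
        w = line.split()
        if not line.startswith(" "):                  # block header
            head = w
            if w[0] == "route-map":
                rmaps.setdefault(w[1], []).append({"seq": int(w[3]), "permit": w[2] == "permit", "match": [], "set": []})
        elif head[0] == "ip":                         # ACE: permit|deny network [wildcard]
            acls.setdefault(head[3], []).append((w + ["0.0.0.0"])[:3])
        elif head[0] == "route-map":                  # match ... / set ... clause
            rmaps[head[1]][-1][w[0]].append(w[1:])
        elif w[:3] == ["ip", "policy", "route-map"]:  # policy applied on an interface
            policy[head[1]] = w[3]
    return {"acl": acls, "rm": rmaps, "pol": policy}

def acl_permits(entries, src):
    """First match wins; every IOS ACL ends with an implicit deny."""
    a = lambda x: int(ipaddress.IPv4Address(x))
    for action, net, wildcard in entries:
        if (a(src) & ~a(wildcard)) == (a(net) & ~a(wildcard)):  # wildcard 1-bits = don't care
            return action == "permit"
    return False

def pbr_action(cfg, ingress, src):
    """Set clause PBR applies to src entering ingress, or None (normal routing)."""
    for e in sorted(cfg["rm"].get(cfg["pol"].get(ingress), []), key=lambda e: e["seq"]):
        names = [m[2] for m in e["match"] if m[:2] == ["ip", "address"]]
        if any(n not in cfg["acl"] for n in names):
            raise ValueError(f"seq {e['seq']} references an undefined ACL")
        if names and not any(acl_permits(cfg["acl"][n], src) for n in names):
            continue                                  # no match: try the next sequence
        return " ".join(e["set"][0]) if e["permit"] and e["set"] else None
```

A packet from 10.15.40.1 matches neither ACL, so the evaluator returns None: the packet falls through to the normal routing table, which is exactly the case `show route-map` counters will not show as policy-routed.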


---

### **4. Enhancements in Troubleshooting Tools**

Modern IOS versions come with advanced debugging and verification tools that simplify PBR troubleshooting:

- **Verification Commands:**
  - `show ip policy` – Displays applied policies and matched packets.
  - `show route-map` – Provides detailed insights into route map actions.

- **Debugging Commands:**
  - `debug ip policy` – Outputs real-time logs for policy-based routing actions.

These tools help administrators quickly identify misconfigurations or traffic mismatches, significantly improving operational efficiency.

---

### **5. IPv6 and VRF Integration**

Newer configurations allow PBR to work seamlessly with advanced features like Virtual Routing and Forwarding (VRF) and IPv6. This makes it possible to implement PBR across diverse network architectures, ensuring compatibility with modern networking standards.

**Example: PBR with VRF**

! The ACL and the interface address were not in the original example; both are assumed here
ip access-list standard VRF-TRAFFIC
 permit 10.20.1.0 0.0.0.255
!
route-map VRF-POLICY permit 10
 match ip address VRF-TRAFFIC
 set ip next-hop 192.168.1.1
!
! ip vrf forwarding clears any address on the interface, so configure the address after it;
! the next hop 192.168.1.1 must be reachable inside VRF CUSTOMER-A
interface Ethernet1
 ip vrf forwarding CUSTOMER-A
 ip address 10.20.1.1 255.255.255.0
 ip policy route-map VRF-POLICY


---

### **Conclusion**

Policy-Based Routing remains a versatile tool for optimizing network traffic. While the core configuration steps have remained consistent, enhancements in ACL definitions, route map flexibility, troubleshooting tools, and integration with modern protocols have made PBR more powerful and adaptable to today’s complex networking environments. By understanding these differences, network administrators can leverage the full capabilities of PBR to meet evolving network requirements.

Monday, August 26, 2024

Configuring Trunk Interfaces and Subinterfaces on Cisco ASA: Old vs. New Methods


With newer versions of the Cisco ASA operating system and increasingly complex network environments, interface design has evolved. While the fundamentals remain the same, modern best practices emphasize scalability, redundancy, and stronger security controls.

Old Way (Traditional Method)

1️⃣ Create Subinterfaces on a Physical Interface

Each VLAN is represented by a subinterface on a single physical ASA interface. Every subinterface has its own IP address, VLAN tag, and security level.

interface GigabitEthernet0/0
 no shutdown

interface GigabitEthernet0/0.10
 vlan 10
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0

interface GigabitEthernet0/0.20
 vlan 20
 nameif dmz
 security-level 50
 ip address 192.168.2.1 255.255.255.0

2️⃣ Configure the Switch Trunk

The switch port connecting to the ASA must be configured as a trunk to carry multiple VLANs.

interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20

New Way (Enhanced & Best Practices)

Modern designs still use VLAN subinterfaces, but add redundancy, scalability, and segmentation.

1️⃣ EtherChannel (Port-Channel)

Multiple physical interfaces are bundled into a Port-Channel. Subinterfaces are then created on the Port-Channel instead of a single interface.

! Member interfaces (names assumed): the Port-channel only exists once physical
! interfaces have joined it with channel-group
interface GigabitEthernet0/0
 channel-group 1 mode active
 no shutdown
interface GigabitEthernet0/1
 channel-group 1 mode active
 no shutdown

interface Port-channel1
 no shutdown
 description Trunk to Switch

interface Port-channel1.10
 vlan 10
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0

interface Port-channel1.20
 vlan 20
 nameif dmz
 security-level 50
 ip address 192.168.2.1 255.255.255.0

Switch-side EtherChannel:

interface range GigabitEthernet1/0/1 - 2
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
 channel-group 1 mode active

2️⃣ Virtual Routing and Forwarding (VRF)

VRF allows multiple isolated routing tables on the same device. This provides segmentation beyond VLANs and is useful in:

  • Multi-tenant environments
  • Overlapping IP address spaces
  • Large enterprise networks

3️⃣ Enhanced Security Considerations

Newer designs emphasize security beyond IP and VLAN boundaries.

  • Granular access policies
  • Identity-based security (e.g., TrustSec)
  • Stronger segmentation models

⚙️ 4️⃣ Dynamic Trunking Protocol (DTP)

DTP can automate trunk negotiation, but many environments prefer static trunk configuration for:

  • Better security
  • Predictable behavior
  • Reduced misconfiguration risk
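An added example (not from the original post) that audits the Port-channel trunk and DTP points above: it compares the VLANs the ASA subinterfaces terminate against the switch trunk's allowed list, checks that DTP is disabled with `switchport nonegotiate`, and checks that at least two physical members joined Port-channel1. The configs are constructed to mirror the ones above (the second ASA member, GigabitEthernet0/1, is an assumed name); the switch side deliberately allows VLAN 30, which the ASA never terminates.

```python
import re

# Constructed configs mirroring the post; the switch side deliberately allows
# VLAN 30, which no ASA subinterface terminates.
ASA_CONFIG = """\
interface GigabitEthernet0/0
 channel-group 1 mode active
interface GigabitEthernet0/1
 channel-group 1 mode active
interface Port-channel1.10
 vlan 10
 nameif inside
interface Port-channel1.20
 vlan 20
 nameif dmz
"""
SWITCH_CONFIG = """\
interface range GigabitEthernet1/0/1 - 2
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 10,20,30
 channel-group 1 mode active
"""

def vlan_list(spec):
    """Expand an IOS VLAN list such as '10,20,30-32' into a set of VLAN ids."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit_trunk(asa, switch):
    """Return findings where the ASA subinterfaces and the switch trunk disagree."""
    asa_vlans = {int(v) for v in re.findall(r"^\s+vlan (\d+)$", asa, re.M)}
    m = re.search(r"switchport trunk allowed vlan (\S+)", switch)
    findings = []
    if not m or m.group(1) == "all":   # unpruned trunk carries every VLAN on the switch
        findings.append("trunk is not pruned; allow only the VLANs the ASA terminates")
    else:
        allowed = vlan_list(m.group(1))
        findings += [f"VLAN {v} has an ASA subinterface but is not allowed on the trunk"
                     for v in sorted(asa_vlans - allowed)]
        findings += [f"VLAN {v} is allowed on the trunk but terminates nowhere on the ASA"
                     for v in sorted(allowed - asa_vlans)]
    if "switchport nonegotiate" not in switch:
        findings.append("DTP still enabled on the trunk; add 'switchport nonegotiate'")
    if len(re.findall(r"channel-group 1 mode", asa)) < 2:
        findings.append("Port-channel1 has fewer than two ASA member interfaces")
    return findings
```

Run against the two constructed configs it reports only the stray VLAN 30; a trunk with no `allowed vlan` line is flagged as unpruned, since the default carries every VLAN on the switch to the firewall.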

Key Differences & Best Practices

  • EtherChannel: Redundancy and increased bandwidth
  • VRF: Advanced routing isolation
  • Scalability: Better support for growth
  • Security: Policy enforcement beyond VLANs

Key Takeaways

  • The core subinterface concept remains relevant
  • Modern designs favor Port-Channels over single links
  • VRFs enable advanced segmentation
  • Security and scalability drive newer best practices
  • Static, intentional configurations reduce risk
