Networking

Cisco IOS Path Control: PBR, IP SLA, and Offset Lists

Part of pathway: Full Guide for All IOS Commands

When the Routing Table Isn’t Enough

Sometimes routing protocols give you the “best” path according to their metric, but business logic wants something different. The voice subnet should always exit via the MPLS link, even though the Internet uplink has lower OSPF cost. The default route should fail over to a backup ISP automatically when the primary stops responding to pings. The remote-office route should be depreferred without breaking neighbor relationships. These are path control problems, and Cisco IOS has three tools for them: PBR, IP SLA, and Offset Lists.

Policy-Based Routing — Route by Source / Application / DSCP

PBR overrides the routing table for matching traffic. The router evaluates the policy before the routing lookup; if a permit clause matches, its set action decides the exit. set ip next-hop wins even when the routing table holds a more specific route for the destination; set ip default next-hop is consulted only when the routing table has no route for the destination other than a default.

! ACL identifying the traffic to override (RTP media, UDP 16384-32767)
R1(config)# ip access-list extended VOICE
R1(config-ext-nacl)# permit udp 10.10.0.0 0.0.0.255 any range 16384 32767

! Route-map setting the new next-hop
R1(config)# route-map FORCE-MPLS permit 10
R1(config-route-map)# match ip address VOICE
R1(config-route-map)# set ip next-hop 10.99.0.1
R1(config-route-map)# exit
R1(config)# route-map FORCE-MPLS permit 20
! Optional catch-all: no match clause = match anything; no set = use the routing table.
! Traffic that matches no clause is routed normally even without it.

! Apply on the inbound interface
R1(config)# interface GigabitEthernet0/0
R1(config-if)# ip policy route-map FORCE-MPLS

Critical: PBR applies on the inbound interface (where traffic enters the router). The policy match runs before the routing table lookup. Match by source, destination, port, DSCP, or input interface.
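An added example, not code from the original page, showing two clause behaviours the section leans on: a matching deny clause exempts traffic from the policy (it is routed normally, not dropped), and set ip default next-hop only takes effect when the routing table has no specific route for the destination. The INTERNAL and VOICE-OTHER ACLs, the 10.0.0.0/8 range and the next hop 10.99.0.1 are assumptions for illustration.

```ios
! Added example (assumed addressing). Exempt site-to-site traffic first:
! a matching deny clause means "route normally", not "drop".
ip access-list extended INTERNAL
 permit ip 10.10.0.0 0.0.255.255 10.0.0.0 0.255.255.255
!
! RTP media from the voice subnet (UDP 16384-32767)
ip access-list extended VOICE
 permit udp 10.10.0.0 0.0.0.255 any range 16384 32767
!
! Everything else from the voice subnet
ip access-list extended VOICE-OTHER
 permit ip 10.10.0.0 0.0.0.255 any
!
route-map FORCE-MPLS deny 5
 match ip address INTERNAL
!
! Hard override: media always goes to the MPLS next hop
route-map FORCE-MPLS permit 10
 match ip address VOICE
 set ip next-hop 10.99.0.1
!
! Soft override: used only when the routing table has no route (other
! than a default) for the destination; a learned /24 still wins.
route-map FORCE-MPLS permit 20
 match ip address VOICE-OTHER
 set ip default next-hop 10.99.0.1
!
! Traffic matching no clause at all is routed from the routing table.
interface GigabitEthernet0/0
 ip policy route-map FORCE-MPLS
!
! Verify: per-clause match counters
! show route-map FORCE-MPLS
! show ip policy
```

Clause order matters: the deny at sequence 5 is evaluated first, so intra-site traffic never reaches the MPLS override, and show route-map shows which clause is actually catching packets.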

Locally-originated PBR

To apply PBR to traffic the router itself originates (e.g., its own ICMP, syslog), use a local policy. Scope the ACL tightly: local policy applies to everything the router originates, including the replies to your own management session, so a broad match can push SSH responses out an unintended interface.

R1(config)# ip local policy route-map FORCE-MPLS

IP SLA — Active Measurement

IP SLA periodically sends test traffic (ICMP, TCP connect, HTTP, DNS) to a target and tracks success/latency. By itself it’s a measurement tool; combined with object tracking, it becomes the trigger for automatic failover.

Configure the SLA probe

R1(config)# ip sla 1
R1(config-ip-sla)# icmp-echo 8.8.8.8 source-interface GigabitEthernet0/1
! probe every 5 s; keep timeout (ms) <= frequency and threshold <= timeout
R1(config-ip-sla-echo)# frequency 5
! a reply slower than 1500 ms counts as over-threshold (for reactions), not as a failure
R1(config-ip-sla-echo)# threshold 1500
! no reply within 2000 ms is a failure; this is what drives reachability
R1(config-ip-sla-echo)# timeout 2000
R1(config-ip-sla-echo)# exit
R1(config)# ip sla schedule 1 life forever start-time now
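An added example, not from the original page, of probes that exercise the service path rather than only ICMP to a public resolver (which can be rate-limited or deprioritised and says nothing about TCP or DNS working). The target 203.0.113.50, the router address 198.51.100.2, the name server 198.51.100.53 and the hostname are assumptions.

```ios
! Added example (assumed targets). TCP connect to a real service port;
! 'control disable' because the target is not an IP SLA responder.
ip sla 11
 tcp-connect 203.0.113.50 443 source-ip 198.51.100.2 control disable
 frequency 10
 timeout 3000
 threshold 1500
ip sla schedule 11 life forever start-time now
!
! DNS resolution through the primary path
ip sla 12
 dns www.example.com name-server 198.51.100.53
 frequency 10
 timeout 3000
ip sla schedule 12 life forever start-time now
!
! Track reachability (up/down). 'threshold' only flags a probe as
! over-threshold; 'timeout' is what makes it fail and flips the track.
track 11 ip sla 11 reachability
 delay down 15 up 30
track 12 ip sla 12 reachability
 delay down 15 up 30
!
! Verify: show ip sla statistics 11
!         show track 11
```

Pick a target whose owner expects the traffic: a probe every 10 seconds against a third party's service is still traffic they did not ask for.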

Track the SLA

R1(config)# track 1 ip sla 1 reachability
R1(config-track)# delay down 10 up 20

The track object is now “up” or “down” based on whether the IP SLA is reaching its target. delay down 10 means a 10-second debounce before declaring the track down.

Tie a route to the track — automatic failover

! Primary default route, conditional on track 1
R1(config)# ip route 0.0.0.0 0.0.0.0 198.51.100.1 track 1

! Floating static through backup, kicks in when track goes down
R1(config)# ip route 0.0.0.0 0.0.0.0 203.0.113.1 200

When the IP SLA fails (8.8.8.8 stops answering through the primary path), track 1 goes down, the primary default route is withdrawn, and the floating static through the backup ISP takes over. When the SLA recovers, the primary returns. Fully automatic, no router-level scripting needed. One caveat that bites in practice: the probe itself follows the routing table. source-interface sets the probe's source address, not its exit path, so once the default route has moved to the backup the probe leaves via the backup too, and may succeed there (the track never sees the primary recover) or be dropped by the backup ISP's source filtering. Pin the probe target with a static host route via the primary next hop so the probe always tests the primary path, and pick a target that production traffic does not depend on, since that host route stays in place when the primary is down.

Tracking the WAN interface itself

R1(config)# track 2 interface GigabitEthernet0/1 line-protocol

Detects the link itself going down. The ICMP probe would notice that too, but only after its timeout plus the track's down delay; the interface track reacts immediately. Combine with track 1 for layered detection: the link state catches a physical failure, the probe catches an upstream that is dead while the link stays up.
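An added example, not from the original page, combining the two trackers into one object and pinning the probe to the primary path. Track 1 and track 2 follow the page's numbering; track 3 and the host route for 8.8.8.8 are additions, and the next hops 198.51.100.1 and 203.0.113.1 are the page's example addresses.

```ios
! Added example. Pin the probe to the primary path: without this host
! route, after a failover the probe follows the backup default route
! (sourced from Gi0/1 but leaving via the backup), so it may succeed
! there and track 1 never sees the primary recover.
ip route 8.8.8.8 255.255.255.255 198.51.100.1
! Clients now reach 8.8.8.8 only via the primary, so choose a probe
! target that production traffic does not depend on.
!
track 1 ip sla 1 reachability
 delay down 10 up 20
track 2 interface GigabitEthernet0/1 line-protocol
!
! Boolean AND: the primary is usable only if the link is up AND the
! upstream answers. When Gi0/1 is down the host route above loses its
! next hop and the probe leaks out the backup; track 2 covers that case.
track 3 list boolean and
 object 1
 object 2
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1 track 3
ip route 0.0.0.0 0.0.0.0 203.0.113.1 200
!
! Verify: show track 3            (list state and each member)
!         show ip route track-table
```

show ip route track-table lists every tracked static route with its tracker and current state, which is the fastest way to confirm the default route really is conditional on track 3.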

Offset Lists — Adjust Routing Protocol Metrics

An offset list adds a fixed value to the metric of routes matching an ACL, inbound or outbound, for distance-vector protocols (RIP and EIGRP). It can only increase a metric; the offset is never negative. Used to deprefer specific routes without altering the protocol's topology or neighbor relationships.

! ACL identifying which routes to adjust
R1(config)# access-list 10 permit 10.99.0.0 0.0.0.255

! In EIGRP: add 1000 to the metric of matching routes coming in Gi0/1
R1(config)# router eigrp 100
R1(config-router)# offset-list 10 in 1000 GigabitEthernet0/1

The offset can be applied to incoming or outgoing routes, on a specific interface or on all of them. Common use case: a backup link carried in the same EIGRP process as the primary. Offset the routes learned over the backup upward so the primary wins under normal conditions while the backup's routes stay in the topology table, ready to take over. Two checks before trusting it: EIGRP's composite metric is large, so a small offset may not change the successor at all; and if you are counting on the backup as a feasible successor, confirm in show ip eigrp topology that it still appears with the metric you expect after the offset is applied.
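An added example, not from the original page, depreferring everything learned over and advertised out a backup link in both directions. GigabitEthernet0/2 as the backup interface, access-list 20 and the offset value are assumptions; the offset value in particular must be checked against the real composite metrics.

```ios
! Added example (assumed interface and value). Deprefer every route
! exchanged over the backup link so the primary wins while the backup
! stays in the topology table.
access-list 20 permit any
!
router eigrp 100
 ! what this router learns from the backup neighbor
 offset-list 20 in 200000 GigabitEthernet0/2
 ! what the backup neighbor learns from this router
 offset-list 20 out 200000 GigabitEthernet0/2
!
! Check the result before trusting it: the composite metric is large,
! so confirm the successor actually changed and the backup is still
! listed (and whether it meets the feasibility condition).
! show ip eigrp topology 10.99.0.0/24
! show ip protocols
```

Inbound and outbound offsets on the same interface are independent: the inbound one changes what this router prefers, the outbound one changes what the neighbor prefers, and neither touches the adjacency.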

Putting It Together — Resilient Default Route

The classic dual-WAN failover pattern combines PBR with IP SLA tracking (offset lists belong on the routing-protocol side and are not needed for static defaults):

! IP SLA on each path
R1(config)# ip sla 1
R1(config-ip-sla)# icmp-echo 8.8.8.8 source-interface Gi0/1
R1(config-ip-sla-echo)# frequency 5
R1(config-ip-sla-echo)# exit
R1(config)# ip sla schedule 1 life forever start-time now

R1(config)# ip sla 2
R1(config-ip-sla)# icmp-echo 1.1.1.1 source-interface Gi0/2
R1(config-ip-sla-echo)# frequency 5
R1(config-ip-sla-echo)# exit
R1(config)# ip sla schedule 2 life forever start-time now

! Pin each probe to its own path; otherwise after a failover both probes
! leave via whichever default route is left and stop measuring anything
R1(config)# ip route 8.8.8.8 255.255.255.255 198.51.100.1
R1(config)# ip route 1.1.1.1 255.255.255.255 203.0.113.1

! Tracks, with debounce so one lost probe does not flap the routes
R1(config)# track 1 ip sla 1 reachability
R1(config-track)# delay down 10 up 20
R1(config-track)# exit
R1(config)# track 2 ip sla 2 reachability
R1(config-track)# delay down 10 up 20
R1(config-track)# exit

! Two default routes, each conditional on its tracker
! primary (default AD 1)
R1(config)# ip route 0.0.0.0 0.0.0.0 198.51.100.1 track 1
! backup, AD 200
R1(config)# ip route 0.0.0.0 0.0.0.0 203.0.113.1 200 track 2

! PBR for VoIP (VOICE ACL from above): primary while it is up, then backup,
! then the routing table if both trackers are down
R1(config)# route-map VOIP-PRIMARY permit 10
R1(config-route-map)# match ip address VOICE
R1(config-route-map)# set ip next-hop verify-availability 198.51.100.1 1 track 1
R1(config-route-map)# set ip next-hop verify-availability 203.0.113.1 2 track 2
R1(config-route-map)# exit

! The policy does nothing until it is applied on the LAN-facing interface
R1(config)# interface GigabitEthernet0/0
R1(config-if)# ip policy route-map VOIP-PRIMARY

Verifying

R1# show ip sla statistics
R1# show track
R1# show route-map
R1# show ip policy
R1# show ip protocols   ! shows offset-lists in effect

Common Pitfalls

  • PBR applied outbound. PBR runs on inbound interfaces. Outbound makes no sense (the routing decision has already happened).
  • PBR treated as a filter. Traffic that matches no permit clause, or matches a deny clause, is simply routed from the routing table; PBR is an override, not an access list, so nothing is dropped by omission. The empty permit clause at the end is harmless but not required. If you do want unmatched traffic dropped, say so explicitly with set interface Null0 in a catch-all clause.
  • IP SLA without schedule. Configuring ip sla 1 ... without ip sla schedule 1 life forever start-time now creates the SLA but never runs it.
  • Track delay too short. Without delay, a brief blip in IP SLA flips the track up/down repeatedly — route flapping. Add delay down 10 up 20 for stability.
  • Offset-list on the wrong direction. Outbound offset deprefers what others see; inbound offset deprefers what this router sees. Pick the direction based on intent.
  • Forgetting verify-availability. set ip next-hop only checks that the next hop's interface is up; if the upstream behind an up interface is dead, PBR keeps sending traffic into it. set ip next-hop verify-availability ... track N skips any next hop whose tracker is down and falls back to normal routing when all of them are down.

Conclusion

Path control is what separates a network that “works” from one that survives gracefully when something fails. Three tools for three jobs:

  1. PBR — force specific traffic to use a non-default path (VoIP via MPLS, web via Internet).
  2. IP SLA + Track — auto-failover based on actual reachability, not just link state.
  3. Offset List — tune routing-protocol metrics to deprefer specific paths without breaking neighbor relationships.
