Reliable PBR with IP SLA

In previous lessons I explained how you can use PBR (Policy Based Routing) to overrule the routing table for certain types of traffic. I also explained in another lesson how IP SLA can be used to measure your network performance.

This lesson will combine those two topics, we’ll use PBR to overrule the routing table but only when our IP SLA operation is up and running. Let’s check out the configuration!


Here’s the topology we will use:

Cisco Ip Sla Pbr Lab Topology

We have 4 routers and a webserver that we want to reach from R1. Because of the slow serial link between R2 and R4, all traffic is routed through R3:


Type escape sequence to abort.
Tracing the route to

  1 44 msec 44 msec 12 msec
  2 40 msec 44 msec 24 msec
  3 32 msec 60 msec 52 msec

For whatever reason we prefer to use R4 when we want to reach the webserver at The serial link however isn’t very reliable so instead of simply using PBR to forward traffic to R4, we’ll combine it with IP SLA. On R2 we will ping the other side of the serial link ( and when we get a reply, we’ll use R4 as the next hop to reach Here’s how it’s done:

R2(config)#ip sla 1
R2(config-ip-sla-echo)#frequency 10

R2(config)#ip sla schedule 1 start-time now life forever 

First we configure IP SLA. I’ll use a simple ICMP echo and we will run this operation forever. We can’t “attach” IP SLA directly to the route-map that we will use for policy based routing so we’ll configure object tracking:

R2(config)#track 1 ip sla 1

There we go, object number 1 is now connected to IP SLA operation 1. RTR (Response Time Reporter) is the old name for IP SLA. Let’s continue:

R2(config)#ip access-list extended HTTP_SERVER
R2(config-ext-nacl)#permit ip any host

The access-list above will be used in the route-map for PBR. It matches the IP address of the webserver. Now we can create the route-map:

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You've Ever Spent on Your Cisco Career!
  • Full Access to our 660 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)

510 Sign Ups in the last 30 days

100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!


Forum Replies

  1. Hi Rene,

    I have a question and it’s not in any of the subjects, maybe you can answer it.
    I have a router with 2 interfaces:
    G0/1–> ip address, G0/2–>, running OSPF. G0/1 Connects to my MASTER firewall with ip add and G0/2 connects to my SECONDARY firewall with ip address, the firewalls are configure HA. If I try to configure G0/2 with an ip add of it gives me an error. How can I make this scenario work with the 2 interfaces and the firewalls? or Do I need to get a switch module with 2 in

    ... Continue reading in our forum

  2. Hi Alfredo,

    The interfaces on a router are “routed ports”, each interface requires an IP address in a unique subnet. is in the same subnet as your first interface and it’s also a broadcast address. You’ll have to use a larger subnet, /30 only offers you two IP addresses. A /29 would work.

    Somehow you need to add the interfaces of the two firewalls and the router in a single broadcast domain. You can’t turn the routed ports into switchports so a switch module is not a bad idea…or create a VLAN on a switch and connect the firewall + router interfa

    ... Continue reading in our forum

  3. Hi Rene

    For activating PBR using method 2, we it is enable on the Fa 0/0? Since this is the next hop for from the routing table?


  4. Hi Laz,

    Thanks for your answering and clearing this up for me. Yes, it makes perfect sense and provides clarity to my doubts in logic. I thought this was the case. However, a second opinion from the experts is always a great way of confirmation. I will go and have a play with this again and see if I can produce the right results in my lab. Very many thanks for the clarification.


  5. Hi Laz,

    In my lab environment, I am able to use policy-based routing to push routes from internal VLANs to one single IP gateway and it works like a charm. My issue now is: I am trying to implement a DMZ in my lab. From the diagram, you will see that all the the default traffic is sent to the firewall from LAN to Internet (That is working fine as it’s just a default route). Routes from the firewall to the internal LAN is flowing well via firewall routing using (router on a stick method).

    Therefore traffic is flowing from LAN to internet - OK
    From Firewall to

    ... Continue reading in our forum

33 more replies! Ask a question or join the discussion by visiting our Community Forum