Sunday, March 1, 2026

Configure Policy-Based Routing (PBR) in a Cisco Router

Here's a link on configuring Policy-Based Routing (PBR) in a Cisco router. I was trying to configure PBR on a customer VRF to test or simulate customer traffic to a new FortiGate firewall. The customer traffic is currently NAT'd to the Cisco ASA firewall.

CE#trace vrf CUST 8.8.8.8 source 192.168.199.1
Type escape sequence to abort.
Tracing the route to 8.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
  1 10.6.9.50 0 msec 0 msec 0 msec
  2 216.12.34.5 0 msec 0 msec 4 msec   // CISCO ASA HOP
  3 72.250.194.1 0 msec 4 msec 0 msec

<OUTPUT TRUNCATED>

  9  *  *  *
 10 8.8.8.8 4 msec 8 msec 8 msec


Note that you'll need to apply PBR on the "ingress" or LAN interface. You also can't configure a Loopback interface and then run a ping test sourced from that Loopback, because interface PBR only acts on transit packets arriving on that interface, not on traffic the router itself generates. The ping test should be sourced from an IP host/subnet located "behind" the router doing the PBR, i.e. one Layer 3 hop away.


You'll also need to consider local traffic flows: if a host needs to reach internal resources such as DNS, you'll need a deny ACL statement to exclude those IPs/subnets from being policy-routed.

PE#show access-list 199 
Extended IP access list 199
    10 deny ip 192.168.199.0 0.0.0.255 10.1.1.0 0.0.0.255   // EXCLUDE INTERNAL DNS TRAFFIC 
    20 permit ip 192.168.199.0 0.0.0.255 any   // PERMIT 192.168.199.0/24 TO INTERNET (NEW FW)

PE#show run | sec route-map MY-PBR   // NO NEED TO CONFIGURE: set vrf <VRF>  
route-map MY-PBR permit 10 
 match ip address 199
 set ip next-hop 172.20.8.12

PE(config)#interface GigabitEthernet0/0/1   // LAN INTERFACE
PE(config-if)#ip policy route-map MY-PBR
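As an added example (not from the original post or any device code), the following Python models how access-list 199 and route-map MY-PBR above classify a flow: entries are checked top-down using Cisco wildcard masks, a permit hit policy-routes to the FortiGate next hop, and a deny hit or no hit falls through to normal routing. The sample flows and the swapped-order ACL used for comparison are constructed.

```python
import ipaddress
from typing import NamedTuple, Optional

# Added model of the PBR match shown in the post (not device code). ACL entries
# are checked top-down; the first hit wins. "permit" -> policy-route to the
# route-map next hop, "deny" or no hit -> normal destination-based routing.

class AclEntry(NamedTuple):
    seq: int
    action: str   # "permit" or "deny"
    src: str      # "any", "host A.B.C.D", or "A.B.C.D W.W.W.W" (address + wildcard)
    dst: str

def _match(addr: ipaddress.IPv4Address, spec: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return addr == ipaddress.IPv4Address(parts[1])
    net, wild = (int(ipaddress.IPv4Address(p)) for p in parts)
    keep = ~wild & 0xFFFFFFFF          # bits the packet must share with 'net'
    return (int(addr) & keep) == (net & keep)

def pbr_next_hop(acl: list, next_hop: str, src: str, dst: str) -> Optional[str]:
    """Return the PBR next hop for a src->dst flow, or None for normal routing."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for entry in sorted(acl, key=lambda e: e.seq):
        if _match(s, entry.src) and _match(d, entry.dst):
            return next_hop if entry.action == "permit" else None
    return None                        # implicit deny at the end of every ACL

# access-list 199 and route-map MY-PBR from the post, as data
ACL_199 = [
    AclEntry(10, "deny",   "192.168.199.0 0.0.0.255", "10.1.1.0 0.0.0.255"),
    AclEntry(20, "permit", "192.168.199.0 0.0.0.255", "any"),
]
FORTIGATE_NEXT_HOP = "172.20.8.12"

# Constructed counter-example: same two entries with the deny placed second,
# which never fires because the broader permit above it already matched.
ACL_199_WRONG_ORDER = [ACL_199[1]._replace(seq=10), ACL_199[0]._replace(seq=20)]

if __name__ == "__main__":
    for src, dst in [("192.168.199.1", "8.8.8.8"),      # Internet: via FortiGate
                     ("192.168.199.50", "10.1.1.10"),   # internal DNS: normal routing
                     ("192.168.200.1", "8.8.8.8")]:     # other subnet: untouched
        hop = pbr_next_hop(ACL_199, FORTIGATE_NEXT_HOP, src, dst)
        print(f"{src} -> {dst}: {hop or 'normal routing'}")
```

Running the same DNS flow against ACL_199_WRONG_ORDER sends it to the FortiGate, which is why the deny must precede the permit.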


CE#ping vrf CUST 8.8.8.8 source 192.168.199.1 rep 10   // GOOGLE DNS
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.199.1 
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 4/8/20 ms


CE#ping vrf CUST 72.163.4.185 source 192.168.199.1   // CISCO.COM
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 72.163.4.185, timeout is 2 seconds:
Packet sent with a source address of 192.168.199.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/8 ms

CE#traceroute vrf CUST 8.8.8.8 source 192.168.199.1
Type escape sequence to abort.
Tracing the route to 8.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
  1 10.6.9.50 0 msec 0 msec 0 msec
  2 172.20.8.12 msec 4 msec 0 msec   // FORTIGATE HOP
  3 66.12.34.56 0 msec 0 msec 0 msec

<OUTPUT TRUNCATED>

 11  *  *  *
 12 8.8.8.8 4 msec 4 msec 4 msec


PBR was confirmed working when the CE router's traceroute showed a hop via the new FortiGate IP address. I also checked the NAT translations via FortiView Sessions. The other RFC1918 IP subnets were still NAT'd via the Cisco ASA firewall.


Friday, February 6, 2026

Cisco Nexus cli alias Command

You can use the cli alias command to create a shortcut for your favorite Cisco commands. An example would be an alias for write memory (or just wr) on a Cisco Nexus switch, which only supports copy run start.


N5K# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
N5K(config)# cli ?
  alias  Define an alias
  var    Define a variable

N5K(config)# cli alias ?
  name  Specify the alias

N5K(config)# cli alias name ?
  WORD  Alias command (Max Size 30)

N5K(config)# cli alias name wr ?
  LINE  Alias definition

N5K(config)# cli alias name wr copy run start ?
  <CR>  
  LINE   Alias definition

N5K(config)# cli alias name wr copy run start
N5K(config)# show run | i cli
cli alias name wr copy run start
N5K(config)# alias         // NEXUS VERIFICATION COMMAND
CLI alias commands
==================
alias  :show cli alias
wr     :copy run start
N5K(config)# wr
[########################################] 100%
Copy complete, now saving to disk (please wait)...

Thursday, January 1, 2026

SecureCRT Button for Saved Credentials

Here's a link on managing login credentials for multiple systems or devices in SecureCRT. This can be a more viable and secure password manager tool. SecureCRT also has a feature that lets you add a button to automate your device login. This prevents an admin from forgetting their username/password and avoids being locked out due to multiple failed login attempts.

To create a saved Credential in SecureCRT, go to Options tab > Global Options > General > Credentials > Add

Type a Title > Username > Move up Authentication: Password > click Edit (gear icon) > select: Store Password > Type the password twice to confirm > OK. 


To add a new SecureCRT button > right-click (bottom area) > New Button

Select Function: Credentials > Select the newly created Credential > Select Send: Password.

Type a Label > select the Icon color > optional type a Description > OK.


SSH to a Cisco device and click the new button when prompted for a password.

svr01 ~]$ ssh -l cisco-admin 172.16.1.254

### ASA LAB ###

cisco-admin@172.16.1.254's password: <CLICK BUTTON>
User cisco-admin logged in to LAB-ASA5515x
Logins over the last 81 days: 3.  Last login: 00:59:39 UTC Sep 28 2025 from 192.168.1.100
Failed logins since the last login: 1.  Last failed login: 09:06:35 UTC Dec 5 2025 from 192.168.1.168
Type help or '?' for a list of available commands.
LAB-ASA5515x> 

Friday, December 5, 2025

Deleting Multiple Files in a Cisco Flash

Here's a Cisco link on managing files inside a device's flash memory or directory. In this example, I've transferred some dummy packet capture files.

C8000v#copy tftp://192.168.1.100/pcap3.pcap bootflash:
Destination filename [pcap3.pcap]?
Accessing tftp://192.168.1.100/pcap3.pcap...
Loading pcap3.pcap from 192.168.1.100 (via GigabitEthernet1): !
[OK - 125 bytes]

125 bytes copied in 0.067 secs (1866 bytes/sec)

C8000v#dir | i .pcap
38      -rw-              125   Dec 1 2025 07:44:02 +00:00  pcap3.pcap
37      -rw-              125   Dec 1 2025 07:43:39 +00:00  pcap2.pcap
35      -rw-              125   Dec 1 2025 07:42:46 +00:00  pcap1.pcap
13      drwx             4096  Sep 25 2025 16:27:20 +00:00  pcap
C8000v#


You'll need to manually press Enter to delete each file, even when using a wildcard (*).


C8000v#delete *.pcap
Delete filename [*.pcap]?
Delete bootflash:/pcap3.pcap? [confirm]^U
Delete of bootflash:/pcap3.pcap aborted!
Delete bootflash:/pcap1.pcap? [confirm]^U
Delete of bootflash:/pcap1.pcap aborted!
Delete bootflash:/pcap2.pcap? [confirm]^U
Delete of bootflash:/pcap2.pcap aborted!


To delete all files without pressing Enter, include the /force keyword. In this scenario, I deleted all packet captures with a .pcap file extension on a Cisco 8000v.


C8000v#delete ?
  /force      Force delete
  /recursive  Recursive delete
  bootflash:  File to be deleted
  crashinfo:  File to be deleted
  flash:      File to be deleted
  nvram:      File to be deleted

C8000v#delete /force *.pcap
C8000v#dir | i .pcap
13      drwx             4096  Sep 25 2025 16:27:20 +00:00  pcap
C8000v#


Saturday, November 1, 2025

Cisco Router Debug Using ACL

I was unable to debug IP traffic using a named ACL, so I used an extended numbered ACL instead. I also used an object group to group together public IP subnets and add more subnets as needed.

Router#debug ip packet ?      
  <1-199>      Access list
  <1300-2699>  Access list (expanded range)
  detail       Print more debugging detail
  <cr>         <cr>

Router#configure terminal          
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#object-group network MY-PUBLIC-IP 
Router(config-network-group)#202.8.6.0 255.255.255.0
Router(config-network-group)#exit
Router(config)#interface GigabitEthernet0/0/0
Router(config-if)#no ip access-group MY-PUBLIC-IP-IN in
Router(config-if)#ip access-list extended 101
Router(config-ext-nacl)# permit ip object-group MY-PUBLIC-IP any
Router(config-ext-nacl)# permit ip host 8.8.8.8 any 
Router(config-ext-nacl)#exit
Router(config)#interface GigabitEthernet0/0/0
Router(config-if)#ip access-group 101 in
Router(config-if)#end


Router#ping 8.8.8.8 source 192.168.14.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.14.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/6 ms

Router#debug ip packet ?
  <1-199>      Access list
  <1300-2699>  Access list (expanded range)
  detail       Print more debugging detail
  <cr>         <cr>

Router#debug ip packet 101 ?
  detail  Print more debugging detail
  <cr>    <cr>

Router#debug ip packet 101 
IP packet debugging is on for access list 101

Router#terminal monitor   // DISPLAY DEBUG OUTPUT WHEN CONNECTED VIA SSH

I tried to ping the Internet (Google DNS 8.8.8.8) and the debug output displayed the traffic's source and destination IP addresses.

Router#ping 8.8.8.8 source 192.168.144.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.14.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/6 ms


Oct 26 09:53:48.164 UTC: IP: tableid=0, s=8.8.8.8 (GigabitEthernet0/0/0), d=192.168.14.1 (GigabitEthernet0/0/1) nexthop=192.168.14.1, routed via RIB
Oct 26 09:53:48.169 UTC: IP: tableid=0, s=8.8.8.8 (GigabitEthernet0/0/0), d=192.168.14.1 (GigabitEthernet0/0/1) nexthop=192.168.14.1, routed via RIB
Oct 26 09:53:48.175 UTC: IP: tableid=0, s=8.8.8.8 (GigabitEthernet0/0/0), d=192.168.14.1 (GigabitEthernet0/0/1) nexthop=192.168.14.1, routed via RIB
Oct 26 09:53:48.181 UTC: IP: tableid=0, s=8.8.8.8 (GigabitEthernet0/0/0), d=192.168.14.1 (GigabitEthernet0/0/1) nexthop=192.168.14.1, routed via RIB
MCT1-OOB-GW01#
Oct 26 09:53:48.186 UTC: IP: tableid=0, s=8.8.8.8 (GigabitEthernet0/0/0), d=192.168.14.1 (GigabitEthernet0/0/1) nexthop=192.168.14.1, routed via RIB
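As an added example (not from the post or from Cisco), this Python parses debug ip packet lines in the format shown above into structured records, summarizes them as a flow table, and flags packets that left via an interface other than the one you expected. The sample lines are constructed in the post's format; the interleaved "Router#" prompt echo is included to show it is skipped.

```python
import re
from collections import Counter

# Added parser for the "debug ip packet <acl>" lines shown above (not Cisco code).
# Each line carries the source/destination address, the ingress and egress
# interface, the next hop and the forwarding verdict; prompt echoes that get
# interleaved with the debug output (e.g. "Router#") are skipped.

DEBUG_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+ \w+): IP: tableid=(?P<tableid>\d+), "
    r"s=(?P<src>[\d.]+) \((?P<in_if>[^)]+)\), "
    r"d=(?P<dst>[\d.]+) \((?P<out_if>[^)]+)\) "
    r"nexthop=(?P<nexthop>[\d.]+), (?P<verdict>.+)$"
)

# Constructed sample in the format of the post's output (three echo replies plus a prompt echo).
SAMPLE_DEBUG = """\
Oct 26 09:53:48.164 UTC: IP: tableid=0, s=8.8.8.8 (GigabitEthernet0/0/0), d=192.168.14.1 (GigabitEthernet0/0/1) nexthop=192.168.14.1, routed via RIB
Oct 26 09:53:48.169 UTC: IP: tableid=0, s=8.8.8.8 (GigabitEthernet0/0/0), d=192.168.14.1 (GigabitEthernet0/0/1) nexthop=192.168.14.1, routed via RIB
Router#
Oct 26 09:53:48.186 UTC: IP: tableid=0, s=8.8.8.8 (GigabitEthernet0/0/0), d=192.168.14.1 (GigabitEthernet0/0/1) nexthop=192.168.14.1, routed via RIB
"""

def parse_debug(text: str) -> list:
    """Return one dict per parsed debug line, in order; non-matching lines are dropped."""
    records = []
    for line in text.splitlines():
        m = DEBUG_LINE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records

def flow_table(records: list) -> Counter:
    """Packets per (src, in_if, dst, out_if), so a debug run reads as a flow summary."""
    return Counter((r["src"], r["in_if"], r["dst"], r["out_if"]) for r in records)

def unexpected_egress(records: list, expected_out_if: str) -> list:
    """Records whose egress interface differs from the one the operator expected,
    i.e. traffic taking a path other than the intended one."""
    return [r for r in records if r["out_if"] != expected_out_if]

if __name__ == "__main__":
    recs = parse_debug(SAMPLE_DEBUG)
    for (src, in_if, dst, out_if), n in flow_table(recs).items():
        print(f"{n} pkt(s): {src} ({in_if}) -> {dst} ({out_if})")
    print("unexpected egress:", unexpected_egress(recs, "GigabitEthernet0/0/1"))
```

Only the echo replies (s=8.8.8.8) appear in the post's capture, which is consistent with ACL 101 matching on source 8.8.8.8 and the public subnets rather than on the internal source: the debug ACL decides which direction of a conversation you get to see.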


Wednesday, September 3, 2025

Configure Cisco no service password-recovery

The no service password-recovery command is a security enhancement that prevents anyone with physical console access from performing router configuration and changing local passwords. It also prevents anyone from changing the configuration register values and accessing the NVRAM, which stores the startup config.

This command is applicable in a highly secure environment, and in our scenario, where we don't intend to retrieve or re-use our network gear since it's located in a very remote area.


Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#no service password-recovery
WARNING:
Executing this command will disable the password recovery mechanism.
Do not execute this command without another plan for
password recovery.

Are you sure you want to continue? [yes]: yes
Router(config)#end
Router#write memory
Building configuration...
[OK]

Router#show run | inc no service
no service pad
no service password-recovery


Disabling password recovery on a Cisco Catalyst switch uses a slightly different command. You'll first need to verify whether the switch is standalone or stacked using the show switch command.


Switch#show switch
Switch/Stack Mac Address : 3c0e.2357.1234 - Local Mac Address
Mac persistency wait time: Indefinite
                                             H/W   Current
Switch#   Role    Mac Address     Priority Version  State
------------------------------------------------------------
*1       Active   3c0e.2357.1234     1      V02     Ready

Switch#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
3850(config)#system ?
  debug        Debug Shell
  disable      Disable password recovery
  environment  Set the system environment settings
  fnf          Flexible Netflow
  ignore       Ignore Startup Config
  mode-button  Enable Mode button for reset
  mtu          Set the global ethernet payload size

Switch(config)#system disable ?
  password  Disable password recovery

Switch(config)#system disable password ?
  recovery  Disable password recovery

Switch(config)#system disable password recovery ?
  switch  Set config on switches in stack

Switch(config)#system disable password recovery switch ?
  <1-9>  Switch number
  all    Set config for all switches in stack

Switch(config)#system disable password recovery switch all
Applying config on Switch 1...[DONE]
Switch(config)#end
Switch#write memory
Building configuration...
Compressed configuration from 14004 bytes to 6042 bytes[OK]


The system disable password recovery switch command is not visible when you issue a show run, nor even a show run all.

Switch#show run | inc system
system mtu 1500
spanning-tree extend system-id

Switch#show run all | inc system disable
Switch# <BLANK>

Friday, August 1, 2025

Deleting a Cisco File Directory

Some older Cisco switches have limited flash memory and would require deleting large files such as an IOS/IOS-XE .bin to free up space.

Switch#copy ftp://ftp:ftp123@192.168.1.251/me360x-universalk9-mz.123-3.S5.bin flash
Destination filename [me360x-universalk9-mz.123-3.S5.bin]?
Accessing ftp://*****:*****@192.168.1.251/me360x-universalk9-mz.123-3.S5.bin...
Loading me360x-universalk9-mz.123-3.S5.bin !!!!!!!!!!!!!!!!!!!!!!!!!!!
%Error writing flash:/me360x-universalk9-mz.123-3.S5.bin (No space left on device)


Switch#dir
Directory of flash:/

    2  -rwx       12196  Jul 20 2018 09:21:37 +00:00  vlan.dat
    3  -rwx        2251  Feb 25 2013 15:28:47 +00:00  FOC1637V0NF_20130225072612345.lic
    4  -rwx    24390193   Mar 5 2013 10:53:32 +00:00  me360x-universalk9-mz.456-1.S1.bin
    5  -rwx        4774  Feb 25 2013 13:38:53 +00:00  config.old
    6  drwx         512   Mar 1 1993 00:13:28 +00:00  me360x-universalk9-mz.789-2.S1
   14  -rwx        2072   Oct 2 2018 10:51:46 +00:00  multiple-fs
   15  -rwx       22731   Oct 2 2018 10:51:46 +00:00  config.text
   16  -rwx        3786   Oct 2 2018 10:51:46 +00:00  private-config.text

57931776 bytes total (6690816 bytes free)


You can't delete a directory if there are files within it. You'll need to issue a delete /recursive command to delete the entire directory and all its files.

Switch#delete flash:/me360x-universalk9-mz.789-2.S1
Delete filename [me360x-universalk9-mz.789-2.S1]?
Delete flash:/me360x-universalk9-mz.789-2.S1? [confirm]
%Error deleting flash:/me360x-universalk9-mz.789-2.S1 (Is a directory)

Switch#delete ?
  /force      Force delete
  /recursive  Recursive delete
  flash:      File to be deleted
  nvram:      File to be deleted

Switch#delete /recursive flash:me360x-universalk9-mz.789-2.S1      // USE /force TO SKIP CONFIRM
Delete filename [me360x-universalk9-mz.789-2.S1]?
Examine files in directory flash:/me360x-universalk9-mz.789-2.S1? [confirm]
Examine files in directory flash:/me360x-universalk9-mz.789-2.S1/html? [confirm]
Delete flash:/me360x-universalk9-mz.789-2.S1/html/foo.html? [confirm]
Delete flash:/me360x-universalk9-mz.789-2.S1/html? [confirm]
Delete flash:/me360x-universalk9-mz.789-2.S1/me360x-mfpga.bit? [confirm]
Delete flash:/me360x-universalk9-mz.789-2.S1/me360x-universalk9-mz.789-2.S1.bin? [confirm]
Delete flash:/me360x-universalk9-mz.789-2.S1/controlfpga.bin? [confirm]
Delete flash:/me360x-universalk9-mz.789-2.S1/info? [confirm]
Delete flash:/me360x-universalk9-mz.789-2.S1/psoc.dld? [confirm]
Delete flash:/me360x-universalk9-mz.789-2.S1? [confirm]


Switch#dir
Directory of flash:/

    2  -rwx       12196  Jul 20 2018 09:21:37 +00:00  vlan.dat
    3  -rwx        2251  Feb 25 2013 15:28:47 +00:00  FOC1637V0NF_20130225072612345.lic
    4  -rwx    24390193   Mar 5 2013 10:53:32 +00:00  me360x-universalk9-mz.456-1.S1.bin
    5  -rwx        4774  Feb 25 2013 13:38:53 +00:00  config.old
   14  -rwx        2072   Oct 2 2018 10:51:46 +00:00  multiple-fs
   15  -rwx       22731   Oct 2 2018 10:51:46 +00:00  config.text
   16  -rwx        3786   Oct 2 2018 10:51:46 +00:00  private-config.text

57931776 bytes total (33289728 bytes free)