Best path selection:
RFC1583 – best path based solely on cost.
RFC2328 – Intra-area paths that use non-backbone areas are always the most preferred.
Can lead to the loops:
https://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-first-ospf/117824-config-ospf-00.html
Summary metric:
RFC1583 – lowest metric of the componet routes
RFC2328 – highest metric of the components.
A new area configuration parameter, NSSATranslatorRole, is defined in Appendix D. It specifies whether or not an NSSA router will unconditionally translate Type-7 LSAs to Type-5 LSAs when acting as an NSSA border router.
When this is the case, the router ID of the OSPF router acting as the Autonomous System Boundary Router (ASBR) for the redistributed BGP routes must also be the router ID of the advertising IBGP speaker for the same prefix. The route reflector cluster list should match the two previously mentioned router IDs as well.
uRPF does have additional features. The first one is uRPF exemptions and violation logging. With this feature, you may specify a standard or extended access-list as follows:
ip verify unicast source reachable-via [rx|any] <ACL-NUM>The uRPF feature consults this access-list for packets violating the uRPF condition. If the ACL permits a packet, it is allowed to pass through. If the ACL denies the packet, the router drops it. You may use the log keyword to log the packets allowed or denied by the uRPF access-list.
Is an evil! But 😉
Formula (Really Madly Hate! 😉
max-penalty = reuse-limit * 2 (max-suppress-time / half-life )
Command:
bgp dampening half-life reuse-limit suppress-limit maximum-suppress-time
Defaults:
The default penalty increase for a route flap is 1000. If the route attributes are the only change, the penalty increase is 500. This value is hard-coded.
The penalty on the route is reduced every 5 seconds.
The router checks for prefixes to unsuppress every 10 seconds.
bgp dampening 15 750 2000 60 (max penalty = 6000)
IPv6 RA Guard rejects fake RA messages coming from host (non-router) ports (not sure whether it handles all possible IPv6 header fragmentation attacks). Interestingly, it can also validate the contents of RA messages (configuration flags, list of prefixes) received through router-facing ports, potentially giving you a safeguard against an attack of fat fingers.
DHCPv6 Guard blocks DHCPv6 messages coming from unauthorized DHCPv6 servers and relays. Like IPv6 RA Guard it also validates the DHCPv6 replies coming from authorized DHCPv6 servers, potentially providing protection against DHCPv6 server misconfiguration.
IPv6 Snooping and device tracking builds a IPv6 First-Hop Security Binding Table (nicer name for ND table) by monitoring DHCPv6 and ND messages as well as regular IPv6 traffic. The binding table can be used to stop ND spoofing (in IPv4 world we’d call this feature DHCP Snooping and Dynamic ARP Inspection).
IPv6 Source Guard uses the IPv6 First-Hop Security Binding Table to drop traffic from unknown sources or bogus IPv6 addresses not in the binding table. The switch also tries to recover from lost address information, querying DHCPv6 server or using IPv6 neighbor discovery to verify the source IPv6 address after dropping the offending packet(s).
IPv6 Prefix Guard is denies illegal off-subnet traffic. It uses information gleaned from RA messages and IA_PD option of DHCPv6 replies (delegated prefixes) to build the table of valid prefixes.
Configuration:
Access-lists
CAT2(config)# ipv6 access-list ACCESS_PORT CAT2(config-ipv6-acl)# remark Block all traffic DHCP server -> client CAT2(config-ipv6-acl)# deny udp any eq 547 any eq 546 CAT2(config-ipv6-acl)# remark Block Router Advertisements CAT2(config-ipv6-acl)# deny icmp any any router-advertisement CAT2(config-ipv6-acl)# permit any any CAT2(config-ipv6-acl)# ! CAT2(config-ipv6-acl)# interface gigabitethernet 1/0/1 CAT2(config-if)# switchport CAT2(config-if)# ipv6 traffic-filter ACCESS_PORT in
RA Guard
Switch(config)# ipv6 nd raguard policy POLICY-NAME
! Defines the RA Guard policy name
Switch(config-ra-guard)# device-role {host | router}
Switch(config)# interface INTERFACE
Switch(config-if)# ipv6 nd raguard attach-policy POLICY-NAME
DHCPv6 Guard
CAT1(config)# ipv6 access-list acl1 CAT1(config-ipv6-acl)# permit host FE80::A8BB:CCFF:FE01:F700 any CAT1(config-ipv6-acl)# ipv6 prefix-list abc permit 2001:0DB8::/64 le 128 CAT1(config-ipv6-acl)# ipv6 prefix-list abc permit 2001:0DB8::/64 le 128 CAT1(config)# ipv6 dhcp guard policy pol1 CAT1(config-dhcp-guard)# device-role server CAT1(config-dhcp-guard)# match server access-list acl1 CAT1(config-dhcp-guard)# match reply prefix-list abc CAT1(config-dhcp-guard)# preference min 0 CAT1(config-dhcp-guard)# preference max 255 CAT1(config-dhcp-guard)# trusted-port CAT1(config-dhcp-guard)# interface GigabitEthernet 1/0/1 CAT1(config-if)# switchport CAT1(config-if)# ipv6 dhcp guard attach-policy pol1 vlan add 1 CAT1# show ipv6 dhcp guard policy pol1
Confederations
LPref, MED and next-hop are kept across sub-AS eBGP!
network 1.0.0.0/24 backup – set distance 200
MED, Local-pref, NLRI are sent as TLVs.
When an IGP (in this example OSPF) route is redistributed in to BGP it is considered locally generated by BGP and gets assigned a weight of 32768.
Best Path Selection
AIGP – optiona notransitive 8 octet. If AIGP is configured AND the bgp bestpath aigp ignore command is not configured, the decision process considers the AIGP metric.
An AS_SET counts as 1, no matter how many ASs are in the set.
AIGP after Local Preference. AIGP metric reflects IGP cost. Lowest wins.
BGP prefers the path with the AIGP attribute by default.
Timers
The default BGP ConnectRetry timer is 120 seconds. Only after this time passes does the BGP process check to see if the passive TCP session is established. If the passive TCP session is not established, then the BGP process starts a new active TCP attempt to connect to the remote BGP speaker. During this idle 120 seconds of the ConnectRetry timer, the remote BGP peer can establish a BGP session to it. Presently, the Cisco IOS ConnectRetry timer cannot be changed from its default of 120 seconds.
Communities
Internet == 0:0 == match all; no such community in RFC
Redistribute & MED
— If the injected BGP route, using the network or redistribute command, is
from an IGP, the BGP MED is derived from the IGP metric.
— If the injected BGP route (using the network or redistribute command) is
from a connected route, the BGP MED is set to 0.
— If the route is injected by the aggregate-address command, MED is not set.
BGP GR
Capability 64
For IPv4, the end-of-RIB marker is a BGP Update message with no reachable NLRI and
empty withdrawn NLRI. Additional address families indicate the end-of-RIB with a BGP
Update containing only the MP_UNREACH_NLRI attribute with no withdrawn routes for
that AFI/SAFI.
Restart Time indicates how long a peer of the restarting router should maintain prefix
information received from the restarting router. The restart time should be less than the holdtime for the BGP peer.
The reception of a BGP-GR capability with no AFI/SAFI information indicates that the sending peer supports the end-of-RIB marker and can support peers that can maintain forwarding state and that want to utilize BGP-GR. The reception of a BGP-GR capability with AFI/SAFI information indicates that the sending peer wants to perform BGP-GR for the included AFI/SAFIs.
Mark all prefixes as stale.
After restart:
The receiving BGP router sends the BGP-GR capability to the restarting BGP router, with
the Restart State set to 0, unless the receiving BGP router also is reset. The receiving BGP
router receives a BGP-GR capability from the restarting BGP router with a Restart State of 1.
This triggers the receiving BGP router to send the initial routing update, followed by the
end-of-RIB marker.
Mandatory authentication – key-chains!
Master Controller (MC) and Border router (BR).
A single MC can support up to ten individual border routers
or up to 20 managed exit interfaces (external interfaces).
• Passive monitoring: Measuring the performance metrics of interesting prefixes while the traffic is flowing through the device using NetFlow technology
• Active monitoring: Creating a stream of synthetic traffic replicating the interesting traffic classes as closely as possible to measure the performance metrics of the synthetic traffic; uses Cisco integrated IP SLAs technology
• Both active and passive monitoring: Combining both active and passive monitoring to generate a more complete picture of traffic flows within the network
| IGP | Default Metric | Default (and Possible) Metric Types |
| RIP | — | — |
| EIGRP | — | External |
| OSPF | 20/1 | E2 (E1 or E2) |
| IS-IS | 0 | L1 (L1, L2, L1/L2, or external) |
distance { distance-value neigh-ip-address { wildcard-mask } [ ip-standard-list ]
[ ip-extended-list ]
distance distance
distance eigrp internal-distance external-distance
distance ospf {[ intra-area dist1 ] [ inter-area dist2 ] [ external dist3 ]}
distance bgp external internal local
| RIP | EIGRP | OSPF | |
| redistribute static | Yes | Yes | No |
| default-information originate | Yes | No | Yes |
| ip default-network | Yes | Yes | No |
| Summary routes | No | Yes | No |
If a static route to 0.0.0.0/0 is in the local routing table, the default-information originate command does NOT cause RIP to inject a default. Redistribute static should be used in that case.
Cisco documentation advises against using route summarization to create a default route.
Change the cost of the default route advertised into a stub or NSSA area.
area 1 default-cost 123
Type7 to Type5 by ABR with highest RID.
Forwarding-address not ZERO in Type7 and Type7 to Type5. Recurse to Type3 and not Type4.
The ABR connected to the NSSA takes the type 7 LSAs and converts them into type 5 LSAs, which makes it an ASBR as well. Therefore this ABR doesn’t generate a type 4 LSAs for itself. The type 4 LSA is rather generated by the other ABRs connected to other areas.
Per the NSSA area RFC, the use of FA is mandatory with these LSAs. The reason is that there is only one 7-to-5 translating ABR and this might result in suboptimal routing without the use of FA.
FA SHOULD be reachable via OSPF.
(config-router)#area 2 nssa translate type7 ? always Always translate LSAs on this ABR suppress-fa Suppress forwarding address in translated LSAs
area 1 nssa default-information-originate – generates Type7 default with metric 1
default-information originate [always] – generates Type5 default with metric 1
Optional subnets. Metric 1 for BGP, 20 for others.
default-metric Set metric of redistributed routes
sh ip ospf delete show ip ospf maxage-list
K1 trough K5. By default K1 and K3 == 1; all others – 0 (only BW and Delay re taken into account).
Scaled Bandwidth = 10^7/minimum interface bandwidth (in kilobits per second) * 256
Delay is in tens of microseconds * 256. hexadecimal FFFFFFFF (decimal 4294967295) – unreachable.
Reliability is given as a fraction of 255. That is, 255 is 100 percent reliability or a perfectly stable link.
Load is given as a fraction of 255. A load of 255 indicates a completely saturated link.
BW is now Throughput * 65536
DLY is now Latency * 65536
ExtM are the extended metrics (Jitter, Energy, and Quiescent Energy).
RIB is capable of handling only 32-bit metrics. Default is to scale * 1/128
metric rib-scale [1-255]
Encapsulated directly to IP with proto number 88;
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Header Version | Opcode | Checksum | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Flags | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Sequence Number | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Acknowledgement number | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Virtual Router ID | Autonomous system number | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Flags – 32-bit field indicating specific flags: 0x1 = Init (used during initial adjacency buildup), 0x2 = Conditional Receive (used by RTP to allow this message to be received only by a subset of receivers), 0x4 = Restart (indicates that a router has restarted), 0x8 = End-of-Table (indicates that the transmission of the entire EIGRP database is complete).
Opcode – 4 bit field. 1 = Update, 3 = Query, 4 = Reply, 5 = Hello/Ack, 10 = SIA Query, 11 = SIA Reply.
Virtual router ID – 0x1 = Unicast Address Family, 0x2 = Multicast Address Family, 0x8000 = Unicast Service Address Family
TLVs:
0x0001 EIGRP Parameters (General TLV Types)
0x0002 Authentication Type (General TLV Types)
0x0003 Sequence (General TLV Types)
0x0004 Software Version (General TLV Types)
0x0005 Next Multicast Sequence (General TLV Types)
0x0102 IPv4 Internal Routes (IP-Specific TLV Types)
0x0103 IPv4 External Routes (IP-Specific TLV Types)
0x0402 IPv6 Internal Routes (IP-Specific TLV Types)
0x0403 IPv6 External Routes (IP-Specific TLV Types)
0x0602 Multi Protocol Internal Routes (AFI-Specific TLV Types)
0x0603 Multi Protocol External Routes (AFI-Specific TLV Types)
224.0.0.10 in IPv4, and FF02::A in IPv6. 5 seconds; 60 seconds for NBMA with the bandwidth setting of 1544 kbps and less;
always unicasted to the sender of the acknowledged packet. Hello packet with an empty body (that is, no TLVs) and having a non-zero Acknowledgment number field.
Involve neighbors in the task of searching for the best route toward a destination. ACK does not constitute a response to the Query message, only an acknowledgment that the Query has been received. Multicast on multiaccess, unicast on point-to-point and static neighbors; unicast to unresponsive neighbor.
Response to Query. Always unicasted to the originator.
If the neighbor is reachable and is still engaged in the diffusing computation for the destination specified in the SIA-Query, it will immediately respond with an SIA-Reply packet. As a result, the timer that governs the maximum time a diffusing computation is allowed to run is reset, giving the computation extra time to finish. Both are unicast.
Update, Query, Reply, SIA-Query, and SIA-Reply packets are also called reliable packets.
Next Multicast Sequence TLV contains the upcoming sequence number of the next reliable multicasted message. The Sequence TLV contains a list of all lagging neighbors by their IP address. A neighbor receiving this Sequenced Hello packet and not finding itself in the Sequence TLV will know that it is expected to receive the upcoming multicast packet, and will put itself into a so-called Conditional Receive mode (CR-mode). Sending router will send the next multicast packet with the CR flag set in its Flags field. Routers in CR-mode will process this packet as usual and then exit the CR-mode; routers not in CR-mode will ignore it.
multicast flow timer – time to wait for ACK
retransmission timeout (RTO) – time between the sub- sequent unicasts. Typically 6 times the SRTT. Min 100ms, max 5000 ms.
smooth round-trip time (SRTT) – average elapsed time, measured in milliseconds, between the transmission of a reliable packet to the neighbor and the receipt of an acknowledgment
If a reliable packet is not acknowledged before 16 retransmissions and the Hold Timer duration has passed, re-initialize the neighbor.
Parameters to match:
Timers (do not need to match):
Hello – 5 seconds; 60 seconds for NBMA with the bandwidth setting of 1544 kbps and less;
Hold – 15 or 180 seconds, depending on the interface type. Changing Hello does NOT result recalculation of Hold.
Process:
add image from page 377 here.
Feasible Successors – neighbors that pass the FC.
Successors – neighbors that report the least CD.
Local & diffusing computations.
After a failure:
1. Choose the neighbor that provides the least CD.
2. If it meets FC – start using it right away; if it does not – put route into Active .
Stuck-In-Active – torn down all neighbors that did not reply. Consider that they responded with an infinite metric.
Active timer – 3 min; 1 – 65535.
(config-router)#timers active-time
If a neighbor does not respond to a Query message with its Reply within half of the Active timer time, the router will send the neighbor a SIA-Query message. Wait for SIA-Reply within the next half of the Active timer. Receiving an SIA-Reply allows the Active timer to be reset. Three SIA-Queries can be sent, each after half of the Active timer.
Starting from 15.0(1)M.
Multiple processes named and classic mix.
All EIGRP-related commands outside the named mode (such as per-interface commands) will be ignored if configured.
4 Byte. Manually or highest IP of Lo.
Can be different for each AF.
External routes tagged by RID. Dropped if own RID received.
Recent IOSs tag internal routes also.
0.0.0.0 and 255.255.255.255 disallowed.
(config-router)#eigrp router-id
variance multiplier
or
topology base variance multiplier
Defines how many times worse than the best path a route through a Feasible Successor can be.
Since IOS 15.3.2(T)
Must be installed in touting table (maximum-path , metric ).
Split Horizon must be deactivated on the multipoint tunnel interface (DMVPN).
Only in named mode. Range 1 – 4.
R1-Hub(config)# router eigrp CCIE R1-Hub(config-router)# address-family ipv4 unicast autonomous-system 1 R1-Hub(config-router-af)# topology base R1-Hub(config-router-af-topology)# variance 1 R1-Hub(config-router-af-topology)# maximum-paths 6 R1-Hub(config-router-af-topology)# exit R1-Hub(config-router-af)# af-interface Tunnel0 R1-Hub(config-router-af-interface)# no split-horizon R1-Hub(config-router-af-interface)# no next-hop-self R1-Hub(config-router-af-interface)# add-paths 4
The Variance (Unequal Cost Load Balancing) and Add-Path features are not compatible with each other.
no next-hop-self no-ecmp-mode is recommended with the Add-Path feature if the hub uses multiple tunnel interfaces to reach the spoke sites (avoid setting NHS when the route is reachable via other tunnel if any of these routes’ Successors can be reached over the interface on which the route is going to be readvertised).
224.0.0.9 UDP port 520
No hello, RIPv2 relies on the regular full routing updates instead
Update interval 30 seconds
Full updates each interval. For on-demand circuits, allows RIPv2 to
send full updates once, and then remain silent until changes occur, per
RFC 2091
When route changes – triggered update.
Auth: plain-text + MD5
Route tags
Next-hop field
Timers:
Update 30 s
Invalid after timer per route default 180 s
Holddown timer begins after a route has been declared invalid; default 180 s. The router starts advertising that route as unreachable, does not accept any updated information, and does not modify the routing table entry for that route.
Flushed after timer per route default 240 seconds; If the updates about the route from its next hop cease to be received and the Flushed after timer reaches its limit, the router removes the route from the routing table entirely.
The default timer setting actually does not allow the Holddown timer to completely expire. As a result, the effective Holddown period is only 60 seconds.
router rip timers basic update invalid holddown flush
The RIP packet format is:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| command (1) | version (1) | must be zero (2) |
+---------------+---------------+-------------------------------+
| |
~ RIP Entry (20) ~
| |
+---------------+---------------+---------------+---------------+
RIP Entry :
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| address family identifier (2) | route tag (2) |
+-------------------------------+-------------------------------+
| IPv4 address (4) |
+---------------------------------------------------------------+
| Subnet Mask (4) |
+---------------------------------------------------------------+
| Next-hop addr (4) |
+---------------------------------------------------------------+
| metric (4) |
+---------------------------------------------------------------+
A RIP message consists of a 4B-long header containing the command field (set to 1 for
Request, 2 for Response) and the version field (2 for RIPv2). The remaining two octets
are unused. The remainder of the message consists of routing entries, with each routing
entry occupying 20 octets in total. At most 25 routing entries can be placed into a single
RIP message. Each routing entry contains the address family identifier identifying the
format of the address information carried in the routing entry (only the value 2, IPv4—
also known as AF_INET—is commonly supported), route tag, and the route itself—its
address, netmask, recommended next hop, and metric.
A Request message is used to ask a neighbor to send a partial or a full RIP update immediately,
rather than waiting for the Update timer to expire, speeding the convergence. A
full RIP update is requested by a Request message containing exactly one routing entry
with the address family ID set to 0 and metric set to 16. Otherwise, if a Request message
lists one or more particular networks, only the update on these networks is requested.
RIPv2 increments the metric when sending updates; RIPng and EIGRP increment metrics when receiving updates.
RIPv2 uses autosummarization at classful network boundaries by default.
Cisco IOS enables the RIPv2 (and EIGRP) authentication process on a per-interface basis
interface Fa0/1
ip rip authentication key-chain name
ip rip authentication mode { text | md5 }
When authentication is enabled, the maximum number of prefixes that can be advertised
in a RIPv2 message is reduced by 1 to a value of 24. The first route entry in each RIPv2
message would be carrying 20 bytes of authentication data.
FF02::9 UDP port 521
No multiproto capability, so no address-family field.
Version field set to 1
Packet format:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| command (1) | version (1) | must be zero (2) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ Route Table Entry 1 (20) ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ ... ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ Route Table Entry N (20) ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Route Table Entry:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ IPv6 prefix (16) ~
| |
+---------------------------------------------------------------+
| route tag (2) | prefix len (1)| metric (1) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The number of route entries in a RIPng message is limited only by the IPv6 MTU on the link, and the protocol itself poses no limitations on their count.
A next-hop RTE is identified by 0xFF in the metric field. The IPv6 prefix field contains the IPv6 address of the next-hop. The route-tag and prefix-len fields are set to 0.
| Inside-to-Outside | Outside-to-Inside |
|---|---|
|
|
Note that the process is merely the same. But for inside process the NAT is performed after routing. As for outside the NAT if performed before routing. Which seems pretty logical 😉
For inbound updates the order of preference is:
1. route-map
2. filter-list
3. prefix-list, distribute-list
For outbound updates the order of preference is:
1. filter-list
2. route-map | unsuppress-map
3. advertise-map (conditional-advertisement)
4. prefix-list|distribute-list
5. ORF prefix-list (a prefix-list the neighbor sends us)
| Name | Location of Host | IP Address Space in Which Address Exists |
|---|---|---|
| Inside local | Inside the network | Part of the enterprise IP address space – private IP |
| Inside global | Inside the network | Part of the public IP address space |
| Outside local | In the public Inet | Part of the enterprise IP address space – private IP |
| Outside global | In the public Inet | Part of the public IP address space |
These are key terms to help you understand static NAT:
GRE
IPinIP
Directions:
set ip|ipv6 default next-hop|interface – attempts to route based on the routing table, and only if no match is found in the routing table, the packet will be handled by PBR