Cisco Policy-based Routing


Policy-based routing was introduced to Cisco administrators in IOS release 11.0 and affords network load-sharing capacities and traffic shaping by letting you have granular control of the movement of network traffic through a router. For instance, you can generate a route map that sends high-bandwidth, high-priority traffic through a high-speed interface, while sending the rest of the network traffic through a lower-bandwidth interface. Policy-based routing can also enable you to flag packets with different TOS (type of service) values so that specific types of traffic can be given special treatment. ISPs, for example, deploy policy-based routing to control different Internet links over policy routers. Quality of service (QoS) mechanisms can configure precedence or TOS values in IP headers at borders to utilize queuing techniques for prioritizing traffic in the network backbone.

You can also force bulk traffic activities toward a higher-cost bandwidth link for a brief time period while allowing normal traffic to flow over the lower-cost bandwidth connection. Policy-based routing can also be used for load-sharing activities to better distribute network packets across several paths based on the patterns and attributes of the particular traffic. When enabled, policy-based routing works on inbound packets that are received on an interface.

The packets are passed through enhanced packet filters called route maps. Depending on the defined statements of the route maps, the packets are then routed to the suitable next hop. Each item in a route map statement has a mixture of match and set commands. The match commands determine the conditions to be met, and the set commands give details on how the packets will be routed after they meet the criteria set forth in the match clauses. For every grouping of match and set clauses in a route map entry, all the sequential match clauses must simultaneously be met by the packet for the set commands to be applicable. There can be many groups of match/set combinations in a complete route map statement. Route map statements can also be marked as permit or deny. An important concept to remember is that if the statement is flagged as deny, the packets that conform to the match criteria are simply sent back through the normal routing channels. This is what you know as typical destination-based routing. Only if the statement is marked as permit and the packets meet the match criteria are the set clauses applicable. Likewise, if the route map statement is flagged as permit and the packets do not meet the match criteria, the packets also proceed through the usual routing channel (or destination-based routing). Be aware that policy routing is designated only on the interface that receives the packets, as opposed to the interface that sends the packet.

Route maps employ either standard access lists to filter a packet's source address or extended access lists to filter a packet's source and destination address. An access list is a grouping of conditions that are maintained by Cisco routers to determine which traffic qualifies for filtering, rules, and other network services. Route maps can match on various criteria, including the source system, various running programs, protocol being used, and even the packet size.

The syntax for configuring your route map policy is

 RouterA(config)# route-map map-tag [permit | deny] [sequence-number]

The map-tag parameter is a friendly name that defines the route map's purpose. The permit and deny keywords determine whether the matched datagrams are permitted or denied for policy-based routing. If denied, they are destination routed. The sequence-number parameter is the value that signifies the position that new statements will have in the list of statements previously configured under the same map-tag name, and also determines the order of testing.

An advantage of route maps is that they can contain several route-map statements, and each statement can have multiple match conditions. This is also something that makes route maps different from access lists, even though the two mechanisms serve different functions. Each route-map statement is acknowledged by its sequence number and is processed from the top of the list down just like an access list.

The following represents the logic of a route map:

 sequence 10
   match a, b, c
   match x
   set y
 sequence 20
   match a
   match b
   match c
   set y
   set z

This can be interpreted as follows:

 For sequence 10, EITHER a, OR b, OR c, AND x MUST BE TRUE TO SET y.
 For sequence 20, a, b, AND c MUST BE TRUE TO SET y AND z.

The first match condition that is met for a route is applied, and there is an implicit deny at the end. The default setting of a route-map command is permit and has a sequence number of 10 unless otherwise configured. Another advantage of route maps is that the number sequencing enables you to delete and insert certain statements as necessary in the route map.

The two main components of a route map are the match and set clauses. The syntax of these commands is as follows:

 RouterA(config-route-map)# match {condition}
 RouterA(config-route-map)# set {condition}

The match clause usually leverages an access list, or access lists, to do packet testing. What the packet tests do depends on how the access list is applied. For example, when applied to the interface via the access-group command, traffic is filtered as defined in the access list. Access lists can packet-test network traffic based on such factors as IP address, running applications, TCP ports, and packet length.

The set clause actually establishes the destination of traffic that meets the match clause(s) criteria. In particular, the route-map configuration command set interface specifies the output interface for the packet, and set ip next-hop designates the next hop through which to route the packet.

In Figure 10.1 and Listing 10.1, we have applied policy-based routing on RouterA so that packets that come from 192.168.101.1 should be forwarded to RouterC on address 172.18.1.2. The ip policy route-map command was configured on interface Serial 1 of RouterA, which receives packets from 192.168.101.1. The route map tests the IP addresses in the packets against access list 2 to decide which packets will have policy-based routing applied to them. Access list 2 determines that packets from 192.168.101.1 will be policy-based routed and matching packets will be forwarded to the next-hop address of 172.18.1.2 on RouterC. The other packets will be destination routed as usual, unless other access lists are applied on the interface.

Listing 10.1 Sample Configuration of a Route Map on RouterA
 RouterA(config)# int S1
 RouterA(config-if)# ip address 172.17.1.2 255.255.255.0
 RouterA(config-if)# ip policy route-map sample
 RouterA(config)# route-map sample permit 10
 RouterA(config-route-map)# match ip address 2
 RouterA(config-route-map)# set ip next-hop 172.18.1.2
 RouterA(config-route-map)# exit
 RouterA(config)# access-list 2 permit 192.168.101.1 0.0.0.0
Figure 10.1. Applying policy-based routing on RouterA to direct packets from RouterB to 172.18.1.2 on RouterC.

As we have established, a route map can have several match and set statements. You first use the match ip address command to create your standard or extended access lists to be implemented to establish the matching policy.

The match ip address Command

Here is the syntax of the match ip address command:

 RouterA(config-route-map)# match ip address {access-list-number | name} [...access-list-number | name]

The access-list-number name parameter is the name or number of the standard or extended access list used to test inbound packets. Policy-based routing is always configured on a router's inbound interface, and therefore analyzes incoming packets only. This is critical because the purpose of policy-based routing is to have control over the path of any particular datagram. To do this, packets must be "tagged" (or permitted) for policy routing before they are route processed.

The match length Command

You can also use the route-map configuration command match length to create filtering rules based on the length of the packet. Filtering is the process of allowing only certain types of traffic to pass through a router. For example, you could use this as part of a policy for distinguishing between email or messaging traffic and the larger-sized file transfer packets. The syntax for the match length command is

 RouterA(config-route-map)# match length min max

The min parameter designates the minimum IP datagram length of the packet and the max value matches against the maximum Network layer packet length (in hex).

The set ip default next-hop Command

A default route is a route that is used when the router has no explicit path to a destination network listed in its IP routing table. When configuring policy-based routing through route maps, an administrator can use standard or extended access lists and match statements to establish the conditions that IP traffic must meet to determine whether matched datagrams are policy routed or destination routed (the default). The set statement is used to specify the destination of traffic that meets the criteria of the route map's match statements.

The set ip next-hop route map configuration command offers a list of IP addresses that designate the adjacent next-hop router on the way to the packet destination. The syntax would be:

 RouterA(config-route-map)# set ip next-hop ip-address [...ip-address]

You could use the route-map configuration command set ip default next-hop 172.16.32.1 to designate that traffic be forwarded to router 172.16.32.1 in case the local router does not have an explicit entry for the route in its IP routing table, like so:

 RouterA(config-route-map)# set ip default next-hop 172.16.32.1 

You could also specify a list of several default addresses so that the first adjacent next-hop is used and then the others are attempted in order.
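To make the evaluation order concrete, here is an added Python simulation (not code from the book or from Cisco IOS) of how a router walks a route map as described in the route-map logic section and in the set ip default next-hop discussion above: sequences are tried in order, the access lists named in one match ip address clause are ORed, separate match clauses are ANDed, a matched deny statement or an unmatched packet falls back to destination routing, set ip next-hop applies unconditionally, and set ip default next-hop applies only when the routing table holds no explicit route. It encodes Listing 10.1's route map and access list 2; access list 3, sequence 20, the match length test, the routing table and the sample packets are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
# Constructed access lists: number -> [(action, address, wildcard)], implicit deny at the end.
ACCESS_LISTS = {2: [("permit", "192.168.101.1", "0.0.0.0")],          # Listing 10.1
                3: [("deny", "10.0.0.7", "0.0.0.0"), ("permit", "10.0.0.0", "0.0.0.255")]}
def wildcard_match(addr, base, wildcard):
    # Cisco wildcard semantics: a 1 bit means "don't care", a 0 bit must match exactly.
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)
def acl_permits(acl_num, src):
    for action, base, wc in ACCESS_LISTS.get(acl_num, []):
        if wildcard_match(src, base, wc):
            return action == "permit"
    return False  # implicit deny at the end of every access list

@dataclass
class Entry:                      # one "route-map NAME permit|deny SEQ" statement
    seq: int
    action: str                   # "permit" or "deny"
    match_acls: tuple = ()        # match ip address a [b ...]: ORed inside the clause
    match_length: tuple = None    # match length min max: ANDed with the clause above
    next_hop: str = None          # set ip next-hop
    default_next_hop: str = None  # set ip default next-hop (only when no explicit route)

def entry_matches(entry, pkt):
    if entry.match_acls and not any(acl_permits(n, pkt["src"]) for n in entry.match_acls):
        return False
    if entry.match_length and not entry.match_length[0] <= pkt["len"] <= entry.match_length[1]:
        return False
    return True
def has_explicit_route(table, dst):
    ip = ipaddress.IPv4Address(dst)   # a default route (0.0.0.0/0) does not count as explicit
    return any(ip in ipaddress.IPv4Network(p) for p in table if p != "0.0.0.0/0")

def policy_route(route_map, pkt, table):
    # Return ('policy', next_hop) or ('destination', None) for one inbound packet.
    for entry in sorted(route_map, key=lambda e: e.seq):
        if not entry_matches(entry, pkt):
            continue                      # fall through to the next sequence number
        if entry.action == "deny":
            return ("destination", None)  # matched a deny statement: normal routing
        if entry.next_hop:
            return ("policy", entry.next_hop)
        if entry.default_next_hop and not has_explicit_route(table, pkt["dst"]):
            return ("policy", entry.default_next_hop)
        return ("destination", None)      # permit matched but no set clause applies
    return ("destination", None)          # nothing matched: implicit deny, normal routing

# Listing 10.1 (route-map sample permit 10), plus a constructed sequence 20 with a length test.
SAMPLE = [Entry(10, "permit", (2,), next_hop="172.18.1.2"),
          Entry(20, "permit", (3,), match_length=(0, 64), default_next_hop="172.16.32.1")]
TABLE = ["172.17.1.0/24", "172.18.1.0/24", "0.0.0.0/0"]  # constructed routing table
```

A packet is a dict with src, dst and len keys; for example policy_route(SAMPLE, {"src": "192.168.101.1", "dst": "172.18.1.9", "len": 1500}, TABLE) returns ("policy", "172.18.1.2"), exactly the outcome the text describes for Listing 10.1.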

The set default interface Command

This route-map configuration command presents a list of default interfaces that can be used when no explicit route exists for the destination address of the reviewed packet. This set command routes to the next hop only when there is no specified route for the packet destination address in the routing table. The set default interface command has the following syntax:

 RouterA(config-route-map)# set default interface type number [...type number]

The type number parameter is the interface type (serial) and number (0/0, for example) where the packets are being sent.

The set ip tos Command

This route-map configuration command configures the 8-bit IP TOS (type of service) field in the IP header. Five bits are used to set the class of service (COS) value, which is accomplished through the set ip tos command. Here is the syntax:

 RouterA(config-route-map)# set ip tos [number | name]

The number parameter can be a service value from 0 to 15. The name parameter is used instead to set the services of minimum delay [min-delay (8)], maximum throughput [max-throughput (4)], maximum reliability [max-reliability (2)], minimum monetary cost [min-monetary-cost (1)], and normal service [normal (0)].

The set ip precedence Command

This command is used to set the other three bits of the IP TOS value. These IP precedence bits are used to control QoS services such as weighted fair queuing and weighted random early detection. The syntax of this route-map configuration command is as follows:

 RouterA(config-route-map)# set ip precedence [number | name]

The number parameter can be a precedence value from 0 to 7 (3 bits) that corresponds to name parameter values in Table 10.1. The name parameter can be used instead as shown in Table 10.1.

Table 10.1. set ip precedence Name Parameter Values

 Command Parameter    Description
 critical             Set the critical precedence (5)
 flash                Set the flash precedence (3)
 flash-override       Set the flash override precedence (4)
 immediate            Set the immediate precedence (2)
 internet             Set the internetwork control precedence (6)
 network              Set the network control precedence (7)
 priority             Set the priority precedence (1)
 routine              Set the routine precedence (0)

The ip policy route-map Command

Finally, when you want to designate a route map to be used for policy-based routing on a certain interface, you will use the interface configuration command ip policy route-map with the following syntax:

 RouterA(config-if)# ip policy route-map map-tag

The map-tag parameter represents the identifier for the route map that is being used for routing policy. This value must match up to a map tag designated by the accompanying route-map command mentioned earlier.

The ip route-cache policy Command

The ip route-cache policy interface configuration command is implemented to allow fast switching for policy-based routing. Fast-switching policy-based routing was introduced in IOS Release 11.2F. Switching refers to a router's capability to receive packets in from an inbound interface and send (switch) them out via an exit interface. Fast switching accelerates the speed at which policy-based routing functions because it caches and reuses exit interface information for policy-routed packets instead of repeatedly performing lookups. The switching method that was previously used, which fully processed every packet before sending it out, is called process switching. Process switching is much slower and more CPU-intensive than fast switching. For fast switching to be implemented, policy-based routing that uses route maps must already be configured on the router. The fast-switching feature is disabled by default on Cisco routers. The ip route-cache policy command, with the following syntax, must be used on each entry interface that will participate in policy-based routing:

 RouterA(config-if)# ip route-cache policy

Verifying Policy-Based Routing

After you have configured your route maps, you should test the configuration of policy routing on the router's interfaces by using the EXEC command show route-map. The syntax is as follows:

 RouterA# show route-map [map-name]

The map-name parameter is an optional parameter that can be used if you want to see a certain route map. If the show route-map command is used without the map-name parameter, the command lists information regarding all route maps that are configured on the router. Here is a snippet of what the output could look like:

 RouterA# show route-map
 route-map policy, permit, sequence 10
   Match clauses:
     ip address (access-lists): 123
   Set clauses:
     ip next-hop 172.16.1.1
   Policy routing matches: 3 packets, 163 bytes

The show ip policy EXEC-mode command enables you to succinctly view all route maps that are configured on a router. It also displays the interfaces to which they are assigned. The show ip policy command has no optional parameters. You must use the EXEC-mode command show route-map [map-name], explained earlier, if you want to view the specific contents of a configured route map. The following snippet shows a sample output from the show ip policy command:

 RouterA# show ip policy
 Interface       Route map
 Serial0         policy

The debug ip policy EXEC command is useful for showing policy routing packet activities on the router. It shows you whether the packet matches the criteria and the effect it is having on the packet. Again, any debugging commands should be used only in off-peak hours and very sparingly because of excessive router overhead. Here is the syntax for this command:

 RouterA# debug ip policy 


CCNP BSCI Exam Cram 2 (Exam Cram 642-801)
ISBN: 0789730170
Year: 2003
Pages: 170