Foundation Topics

   

Understanding Route Maps

Route maps are the means by which sophisticated "if/then logic" can be applied to a router. Route maps are the programming tools that are used to control redistribution, to implement policy-based routing, to control NAT translation, and to implement BGP policy.

You can use route maps for the following purposes:

  • To control redistribution: Route maps allow a higher level of sophistication than distribute lists. Rather than simply blocking or including a network when a match is found, as a distribute list does, a route map can also set the metric and other attributes on the matching route.

  • To control and modify routing information: Route maps modify routing information by setting attributes such as the metric on the matching route.

  • To define policies in policy-based routing: Conventional routing makes its decision on the destination address, and an access list can only include or exclude a packet once a match is found. Policy-based routing allows forwarding decisions to be implemented on more sophisticated criteria.

  • To add granularity in the configuration of Network Address Translation (NAT): Route maps select which traffic is translated and which pool of addresses is used for the translation. There are additional show commands available by which to monitor and manage the NAT implementation.

  • To implement BGP policy-based routing: One of the main strengths of BGP is its ability to implement routing policy. Attributes inherent in the protocol are used to influence the path taken by traffic, and these are usually manipulated with route maps: if this match is made, then apply this attribute. This is achieved by using the set command to change the attributes or metric of the BGP path. In very large networks, it is important to be able to determine traffic paths, for both resource and security reasons. Route maps are the main method used to define BGP routing policy.

Route maps are very similar to access lists. Both perform if/then processing: they state criteria that are used to determine whether specific packets are permitted or denied. The main difference is that a route map can add a set action to the match criterion. In an access list, the match criterion is implicit; in a route map, match is a keyword. This means that if a packet matches the criterion given in the route map, some action can be taken to change the packet or its path, whereas an access list can only permit or deny the matched packet.

Until recently, you could configure a router to route traffic and place some checks and controls on the router processes or interfaces to control overhead on both the router and the network. Now, it is possible to control the nature of traffic traversing your networks. The industry has not quite achieved the full benefits of traffic engineering, but route maps provide a means by which your networks can be managed with sophistication, allowing for stable, flexible networks to grow in both size and complexity.

The characteristics of route maps are summarized in the following list:

  • A route map has a list of criteria, stated with the match statement.

  • A route map can change packets or routes that are matched by using the set statement.

  • A collection of route map statements that have the same route map name are considered one route map.

  • The route map will stop as soon as a match is made, just like an access list does.

  • Within a route map, each route map statement is numbered with sequence numbers and, therefore, can be edited individually.

  • The sequence number is used to specify the order in which conditions are checked. Thus, if there are two statements in a route map named BESTEST, one with sequence 5 and the other with sequence 15, sequence 5 is checked first. If there is no match for the conditions in sequence 5, then sequence 15 will be checked.

  • Route maps can use IP standard or extended access lists to establish policy-based routing.

    - A standard IP access list can be used to specify match criteria for the source address of a packet.

    - Extended access lists can be used to specify match criteria based on source and destination addresses, application, protocol type, TOS, and precedence.

  • The match route map configuration commands are used to define the conditions to be checked.

  • The set route map configuration commands are used to define the actions to be followed if there is a match.

  • A route map can contain logical AND and logical OR Boolean operations.

Like an access list, there is an implicit deny any at the end of a route map. The consequences of this deny depend on how the route map is being used.

To understand this properly, you need to see exactly how route maps operate. The following list explains the process, or logic, by which route maps work:

  • The route map statements used for policy-based routing can be marked as permit or deny.

  • Only if the statement is marked as permit and the packet meets the match criteria will the set commands be applied.

  • The statements in a route map correspond to the lines of an access list. Specifying the match conditions in a route map is similar to specifying the source and destination addresses and masks in an access list.

  • The statements in the route map are compared to the route or packet to see if there is a match. The statements are examined in turn from the top, as in an access list.

  • The single match statement can contain multiple conditions. At least one condition in the match statement must be true. This is a logical OR.

  • A route map statement can contain multiple match statements. All match statements in the route map statement must be considered true for the route map statement to be considered matched. This is a logical AND.

Obviously, a simple network is easier to manage and troubleshoot. Using route maps adds complexity to network management and should be handled with caution. You will learn how to configure route maps in the section "Configuring Route Maps for Policy-Based Routing," later in this chapter.

Understanding Policy-Based Routing

Route maps are used in the configuration of policy-based routing, allowing the selection of packets on criteria such as IP address, application, protocol, or size of packet. Once the packets are selected, the policy-based routing commands implement the policy on them.

Policy-based routes and static routes have a lot in common. However, static routes forward packets based on the destination network address, whereas a policy route can forward packets based on the source address. If access lists are used with the route map, the parameters in an extended access list can be used to route traffic based on such criteria as the destination address, length, IP protocol field, precedence, or port numbers. This gives greater granularity and scope to the criteria by which the next-hop router is decided.

The rules that define policy-based routing are as follows:

  • Traffic can be directed on either the source address or both the source and destination addresses.

  • Policy-based routing affects only the routing of the router on which it is configured in determining the next hop in the path to the destination.

  • Policy-based routing does not affect the destination of the packet, but it can affect the path that is taken, by setting the next hop, for example.

  • Policy-based routing does not allow traffic sent into another autonomous system to take a different path from the one that would have been chosen by that autonomous system.

  • It is possible to influence only how traffic will get to a neighboring router.

  • As policy-based routing examines the source address, it is configured on the inbound interface.

  • If there is no match made, the packet is denied policy-based routing and routed normally by destination.

  • The use of route maps for policy-based routing is a little different than other applications of route maps. When used for policy-based routing, if a packet does not match the criteria specified in the route map, or a matched route map statement specifies deny, then the packet is not dropped. It is sent to the routing process and routed normally, by destination, as if it had never encountered a route map. If your intention is to drop packets that do not match the criteria, it is necessary to use the set command to route packets to the null interface as the last entry in the route map.

Policy-based routing with route maps was introduced in Cisco IOS Software Release 11.0, allowing policies that define different paths for different packets based on specified criteria.

Policy-based routing also provides a mechanism to mark packets with different types of service (ToS). This feature can be used in conjunction with Cisco IOS queuing techniques so that certain kinds of traffic receive preferential service.

Instead of routing by the destination address, policy-based routing allows you to determine and implement routing policies to allow or deny paths based on the following:

  • The identity of a particular end system

  • The application being run

  • The protocol in use

  • The size of packets

The ability to program the path your network traffic takes adds sophistication to the routing process and the network as a whole. However, it is important to understand the benefits and disadvantages of policy-based routing, as discussed in the next sections.

Benefits of Policy-Based Routing

The benefits of implementing policy-based routing in networks include the following:

  • Source-based transit provider selection: ISPs in particular use policy-based routing to make routing decisions based on the source address. This allows traffic belonging to different customers to be routed through different Internet connections by the policy routers, in accordance with whatever company policy has to be adhered to.

  • Quality of service (QoS): By setting the precedence or type of service (ToS) values in the IP packet headers in routers at the edge of the network, organizations can provide QoS. In this way, the traffic can be differentiated, and queuing mechanisms in the core or backbone of the network can prioritize traffic based on those markings. Because the marking is done once at the edge, the core only needs to act on it, which keeps the configuration effort and the per-packet work in the core small.

  • Cost savings: The bulk traffic generated by a specific activity can be diverted to use a higher-bandwidth, high-cost link for a short time. Meanwhile, interactive traffic is provided basic connectivity over a lower-bandwidth, low-cost link. For example, a dial-on-demand ISDN line might be raised in response to traffic to a finance server for file transfers selected by policy-based routing.

  • Load balancing: This allows the implementation of policies to distribute traffic among multiple paths based on the traffic characteristics. This does not detract from the dynamic load-sharing capabilities offered by destination-based routing that the Cisco IOS software has always supported.

Disadvantages of Policy-Based Routing

Consider the following disadvantages before deciding to implement policy-based routing:

  • A backup path should be in place in case the defined next-hop router goes down. If there is no alternative defined, policy-based routing falls back to the IP routing table, so traffic that the policy was meant to steer (for example, through an inspection device) is silently forwarded along the normal path instead.

  • Additional CPU is required to examine the source address (and any other match criteria) of every packet in order to apply the defined policy.

  • Extra configuration is required.

  • The possibility exists that other traffic will be disrupted.

Now that you understand the features of route maps and policy-based routing, the next section explains how these technologies operate together.

The Operation of Route Maps and Policy-Based Routing

As explained in the section "Understanding Route Maps," access lists work on a simple permit and deny basis, whereas route maps can alter the characteristics of the packet or its path. For example, an access list could state something similar to this logic: If the cupcake is lemon flavored, keep it, but if it is not lemon flavored, throw it away.

Along the same lines, a route map could specify logic such as this: If it is a lemon-flavored cupcake, ice it with lemon butter frosting. If it has walnuts, then ice it with melted chocolate. If it has neither a lemon flavor nor walnuts, leave it alone. The route map is obviously more powerful than the access list because it can change the entity.

Now, to show the additional complexity of route maps, add a logical AND and a logical OR. For example, if the cupcake is lemon-flavored AND it contains poppy seeds, ice it with lemon butter frosting. If it has walnuts OR it was baked today, then ice it with melted chocolate. If it does not have a lemon flavor, poppy seeds, or walnuts, leave it alone.

The route map would look something like Example 18-1.

Example 18-1. Route Map Logic
route-map cupcakes permit 10
 match lemon flavored
 match poppy seed
 set add lemon butter frosting
route-map cupcakes permit 15
 match walnuts baked today
 set melted chocolate frosting
route-map cupcakes permit 20

For the mathematicians among you, this could be written as follows:

If {( a and b ) match} then set c

Else

If {( x or y ) match} then set z

Else

Set nothing

Route maps are used by policy-based routing to select the packets that policy-based routing is to affect.

Policy-based routing is applied to incoming packets or packets generated by the router, if configured to do so. When a packet is received on an interface with policy-based routing enabled, it goes through this procedure:

  • If there is a match and the action is permit, then the packet is policy-routed in accordance with the set command.

  • If there is a match and the action is to deny the packet, then the packet is not policy-routed but is passed back to the forwarding engine for dynamic routing.

  • If there is no match and there is no configuration for what to do in this event, the default is to deny the packet, which would return it to the routing process for normal routing.

  • To block packets that find no match, you need to prevent them from being returned to normal forwarding. Normal routing is prevented by specifying a set statement to route the packets to interface null 0 as the last entry in the route map. This will route the packets to nowhere, effectively dropping them.
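The evaluation rules given in "Understanding Route Maps" and the four-step procedure above can be checked against a small model. The following is an added example written for this chapter, not code from the book or from Cisco IOS: it implements sequence-number order, OR between several access lists on one match ip address line, AND between separate match lines in one statement, permit applying the set action, a matched deny or no match at all handing the packet back to destination routing, and the set interface null 0 idiom for dropping whatever nothing else matched. Only standard access lists (source address) and match length are modelled; the access lists, the 10.20.0.0/16 subnet and the extra statements added to route map soupspoon are constructed for the example.

```python
"""Route-map evaluation for policy-based routing, as a Python model.

Added example for this chapter, not code from the book or from Cisco
IOS. Access lists, subnets and route-map statements below are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Standard ACL entry: (action, address, wildcard). A wildcard bit of 1
# means "don't care"; the implicit 'deny any' is the end of the list.
AclEntry = Tuple[str, str, str]


def acl_permits(acl: List[AclEntry], addr: str) -> bool:
    """Return True if the access list permits addr (first matching entry wins)."""
    a = int(ipaddress.IPv4Address(addr))
    for action, net, wildcard in acl:
        n = int(ipaddress.IPv4Address(net))
        w = int(ipaddress.IPv4Address(wildcard))
        if (a & ~w) == (n & ~w):      # bits under a 0 wildcard bit must agree
            return action == "permit"
    return False                      # implicit deny any


@dataclass
class Packet:
    src: str
    dst: str
    length: int = 100                 # Layer 3 length in bytes


@dataclass
class Statement:
    seq: int
    action: str                       # "permit" or "deny"
    matches: List[Tuple[str, object]] = field(default_factory=list)
    sets: Dict[str, str] = field(default_factory=dict)


def statement_matches(stmt: Statement, pkt: Packet,
                      acls: Dict[str, List[AclEntry]]) -> bool:
    """Every match line must agree (AND); no match lines at all matches everything."""
    for kind, args in stmt.matches:
        if kind == "ip address":
            # Several lists on one line: any one of them matching is enough (OR).
            if not any(acl_permits(acls[name], pkt.src) for name in args):
                return False
        elif kind == "length":
            lo, hi = args
            if not lo <= pkt.length <= hi:
                return False
        else:
            raise ValueError(f"unsupported match type: {kind}")
    return True


def policy_route(route_map: List[Statement], pkt: Packet,
                 acls: Dict[str, List[AclEntry]]) -> Tuple[str, Optional[str]]:
    """Return ("policy", next_hop), ("drop", None) or ("normal", None)."""
    for stmt in sorted(route_map, key=lambda s: s.seq):   # lowest sequence first
        if not statement_matches(stmt, pkt, acls):
            continue                                       # try the next sequence
        if stmt.action == "deny":
            return ("normal", None)   # matched a deny: not policy-routed, not dropped
        if stmt.sets.get("interface") == "null 0":
            return ("drop", None)     # the only way to discard packets with PBR
        if "ip next-hop" in stmt.sets:
            return ("policy", stmt.sets["ip next-hop"])
        return ("normal", None)       # permit with nothing useful to set
    return ("normal", None)           # implicit deny: back to destination routing


# Constructed data. ACL 1 is the host from Example 18-2; ACL 2 is an
# invented 10.20.0.0/16 user subnet.
ACLS: Dict[str, List[AclEntry]] = {
    "1": [("permit", "201.14.222.18", "0.0.0.0")],
    "2": [("permit", "10.20.0.0", "0.0.255.255")],
}

# route-map soupspoon, extended from Example 18-2 (constructed):
#   permit 10: match ip address 1 2 AND match length 0 400 -> set ip next-hop 191.5.6.11
#   deny   20: match ip address 2                          -> back to normal routing
#   permit 30: (no match lines)                            -> set interface null 0
SOUPSPOON = [
    Statement(10, "permit",
              [("ip address", ["1", "2"]), ("length", (0, 400))],
              {"ip next-hop": "191.5.6.11"}),
    Statement(20, "deny", [("ip address", ["2"])], {}),
    Statement(30, "permit", [], {"interface": "null 0"}),
]

# The same map without the null 0 catch-all, to show the implicit deny.
SOUPSPOON_OPEN = SOUPSPOON[:2]


if __name__ == "__main__":
    for pkt in (Packet("201.14.222.18", "198.51.100.5"),
                Packet("10.20.5.5", "198.51.100.5", length=1400),
                Packet("192.0.2.7", "198.51.100.5")):
        print(pkt.src, pkt.length, "->", policy_route(SOUPSPOON, pkt, ACLS),
              "| without null 0:", policy_route(SOUPSPOON_OPEN, pkt, ACLS))
```

The 1400-byte packet from 10.20.5.5 is instructive: access list 2 permits it, but the match length line in sequence 10 fails, so the AND fails and the packet falls to sequence 20, whose deny returns it to normal routing rather than dropping it. Only with the catch-all sequence 30 are unmatched packets discarded; remove it and they are routed by destination.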

Configuring Route Maps for Policy-Based Routing

This section deals with the implementation and configuration of route maps and policy-based routing. Make sure to check the Cisco documentation set for your software version before configuring a live network.

The route-map command is shown here:

Router(config)# route-map map-tag [{permit | deny} sequence-number]

Table 18-2 describes the syntax options available for the route-map command.

Table 18-2. The route-map Command Options

map-tag
    The name of the route map. This name is used to reference the route map when using the ip policy route-map interface configuration command.

permit | deny
    (Optional) If the match criteria are met for this route map statement and permit is specified, the packet is forwarded as defined by the set actions.
    If the match criteria are not met and permit is specified, the next route map statement with the same map tag is tested.
    If there are no match criteria specified, but the packets are permitted, then all packets are set as specified.
    If there is no set statement, but the packets are permitted, then all packets that match the criteria are permitted.
    If a packet passes none of the match criteria for the set of route map statements sharing the same name, it is sent to the normal routing process to be routed by destination.
    If the match criteria are met for the route map statement and deny is specified, the packet is sent to the normal routing process, and no further route map statements sharing the same map tag are examined.

sequence-number
    (Optional) The sequence number indicates the position that a new route map statement will have in the list of route map statements already configured with the same name.

The following commands are summarized here into groups: the match commands that can be configured for policy-based routing, and the set commands that can be applied if the packet matches the criteria stated.

The match Commands for Policy-Based Routing with Route Maps

The match commands used in policy-based routing are summarized in Table 18-3. These match commands are used to determine whether the packet is to be policy-routed, as opposed to being forwarded simply by destination. If it is to be policy-routed, the packet is sent down a different path, typically one less traveled.

Table 18-3. The match Commands Used in Policy-Based Routing

match ip address {access-list-number | name} [...access-list-number | name]
    States the number or name of a standard or extended access list that will be used to examine incoming packets. A standard IP access list matches on the source address of the packet. An extended IP access list matches on source and destination address, application, protocol type, ToS, and precedence. If multiple access lists are specified, a packet that matches any one of them matches the statement.

match length min max
    Defines the match criteria based on the Layer 3 length of the packet.
    The min parameter states the minimum inclusive length of the packet allowed for a match.
    The max parameter states the maximum inclusive length of the packet allowed for a match.
    In this way, interactive traffic that is time-sensitive, such as SNA traffic tunneled in IP, can be sent on a dedicated route. Interactive traffic uses small packets, so links can be dedicated by packet size, allowing file transfers using large packets to use a separate link so that the terminal sessions are not starved of resources.

The set Commands for Policy-Based Routing with Route Maps

The set commands used in policy-based routing are summarized in Table 18-4. These set commands are used after the match criteria has been satisfied. Whereas the match parameter determines whether the packet will be policy-routed, the set parameter determines how the packet is to be policy-routed.

Table 18-4. The set Commands Used in Policy-Based Routing

set default interface type number [...type number]
    If the routing table has no explicit route for the destination network of the packet, this set provides a list of default outbound interfaces. The packet being considered for policy-based routing is routed out the first available interface in the list.

set interface type number [...type number]
    If there is a route for the destination network of the packet in the routing table, this set provides a list of outgoing interfaces through which to route the packets. If more than one interface is specified, the first functional outgoing interface is used.
    This command has no effect and is ignored if the packet is a broadcast or is destined to an unknown address, because no explicit route for the destination of the packet is found in the routing table.

set ip default next-hop ip-address [...ip-address]
    If the routing table has no explicit route for the destination network of the packet, this set provides a list of default next-hop routers. The packet being considered for policy-based routing is routed to the first available next hop in the list. This must be the address of an adjacent router.

set ip next-hop ip-address [...ip-address]
    Provides a list of next-hop routers to which to forward the packet. The policy is consulted before the routing table, so the packet is sent to the listed hop regardless of what the routing table holds for the destination. If more than one next hop is specified, the first available next-hop router is used. This must be the address of an adjacent router.

set ip precedence precedence
    Sets the precedence bits in the Type of Service field of the IP header of the matched packet.

set ip tos type-of-service
    Sets the IP ToS value in the Type of Service field of the IP header of the matched packet.

The set commands can be used in conjunction with each other.
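The difference between set ip next-hop and set ip default next-hop in Table 18-4 is an order of operations, and it matters when the policy hop is a security device. The following is an added example written for this chapter, not code from the book or from Cisco IOS: it models a routing table with longest-prefix lookup and shows that next-hop consults the policy first and falls back to the table only if no listed hop is available, while default next-hop consults the table first and uses the policy hop only when no explicit route exists. A 0.0.0.0/0 default route is treated as not being an explicit route, which is how IOS applies the default variants. "Available" hops are modelled as a set of adjacent routers assumed to be up; IOS decides that from interface state. The routing table, the 192.0.2.254 inspection device and the addresses are constructed.

```python
"""'set ip next-hop' versus 'set ip default next-hop', modelled in Python.

Added example, not code from the book or from Cisco IOS. The routing
table, the inspection-device address and the 'available' set are constructed.
"""
import ipaddress
from typing import FrozenSet, List, Optional, Sequence, Tuple

Route = Tuple[str, str]   # (prefix in CIDR form, next-hop address)


def lookup(rib: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, as the forwarding table does."""
    d = ipaddress.IPv4Address(dst)
    best: Optional[Route] = None
    best_len = -1
    for prefix, nh in rib:
        net = ipaddress.IPv4Network(prefix)
        if d in net and net.prefixlen > best_len:
            best, best_len = (prefix, nh), net.prefixlen
    return best


def has_explicit_route(rib: List[Route], dst: str) -> bool:
    """True if something more specific than the default route covers dst."""
    r = lookup(rib, dst)
    return r is not None and ipaddress.IPv4Network(r[0]).prefixlen > 0


def forward(rib: List[Route], dst: str, set_kind: Optional[str] = None,
            hops: Sequence[str] = (),
            available: FrozenSet[str] = frozenset()) -> Optional[str]:
    """Next hop chosen for dst.

    set_kind: None (packet not policy-routed), "next-hop" or "default next-hop".
    hops: the address list from the set command; the first available one is used.
    """
    usable = next((h for h in hops if h in available), None)
    if set_kind == "next-hop" and usable is not None:
        return usable                    # policy wins over the routing table
    if (set_kind == "default next-hop" and usable is not None
            and not has_explicit_route(rib, dst)):
        return usable                    # policy only fills a gap in the table
    r = lookup(rib, dst)                 # no usable hop, or an explicit route exists
    return r[1] if r else None


# Constructed routing table: an internal aggregate plus a default to the Internet.
RIB: List[Route] = [
    ("0.0.0.0/0", "203.0.113.1"),
    ("10.0.0.0/8", "10.255.0.1"),
]
INSPECT = "192.0.2.254"          # constructed: an inline inspection device
UP = frozenset({"203.0.113.1", "10.255.0.1", INSPECT})


if __name__ == "__main__":
    print(forward(RIB, "10.1.2.3", "next-hop", [INSPECT], UP))
    print(forward(RIB, "10.1.2.3", "default next-hop", [INSPECT], UP))
    print(forward(RIB, "198.51.100.9", "default next-hop", [INSPECT], UP))
    print(forward(RIB, "10.1.2.3", "next-hop", [INSPECT], UP - {INSPECT}))
```

Two results are worth noting. With default next-hop, a destination that has an explicit route (10.1.2.3 here) never reaches the inspection device, even though the policy names it; only the destination covered solely by the default route does. And with next-hop, when the listed hop is unavailable the packet is forwarded from the routing table, which is the fail-open behaviour the "Disadvantages of Policy-Based Routing" section warns about: a policy meant to force traffic through a device quietly stops doing so when that device is down.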

Once configured, the route map must be called into service. Until it is called, it has no power. The command used to recruit the services of the route map to an incoming interface follows:

Router(config-if)# ip policy route-map map-tag

map-tag is the name of the route map to use for policy-based routing. This must match a map tag specified by a route-map command.

Policy-based routing is configured on the incoming interface that receives the packets and performs policy-based routing on incoming packets, determining the path of the packet to the destination.

With the appropriate configuration, you can also apply policy-based routing to packets generated by the router itself. The command is configured globally, using the following syntax:

Router(config)# ip local policy route-map map-tag

Example 18-2 shows a sample configuration.

Example 18-2. Calling a Route Map into Service
Router(config)# interface serial 0
Router(config-if)# ip policy route-map soupspoon
Router(config-if)# exit
!
Router(config)# route-map soupspoon permit 10
Router(config-route-map)# match ip address 1
Router(config-route-map)# set ip next-hop 191.5.6.11
Router(config-route-map)# exit
Router(config)# access-list 1 permit 201.14.222.18

There are many things to be aware of when configuring a router that is directing the network traffic. When configuring policy-based routing or route maps, pay very careful attention to the logic and rules by which they operate.

CAUTION

When editing a route map statement with the no version of the existing command line, if you forget to type in the sequence number, you will delete the entire route map.


Configuring Fast Switching with Policy-Based Routing

Speed through the network is influenced by the capability of the network devices to process traffic. Cisco is continually striving to enhance the features of its products, while at the same time reducing the resources consumed and the time it takes to provide those features.

Cisco made a major improvement in Cisco IOS Software Release 11.2F: in that release, IP policy-based routing became fast-switched. In earlier versions, policy-routed traffic was process-switched, which limited throughput to roughly 1000 to 10,000 packets per second and could result in application timeouts.

Fast switching of policy-based routing is disabled by default. You must configure it manually. To do so, complete the following steps:

Step 1. Configure policy-based routing before you configure fast-switched policy-based routing.

Step 2. When policy-based routing is configured, turn on the fast switching with this interface command:

Router(config-if)# ip route-cache policy

Fast-switched policy-based routing supports all of the match commands and most of the set commands, except for the following restrictions:

  • The set ip default command is not supported.

  • The set interface command is supported only over point-to-point links, unless a route-cache entry already exists that uses the same interface specified in the set interface command in the route map. The route cache holds the results of earlier routing decisions. When process switching, the routing table is consulted to determine a path to the destination; during fast switching, the software does not make this check, because fast switching reuses the cached result of the process-switch lookup. Instead, if the packet matches, the software forwards it to the specified interface without further verification. This is similar to the situation described for load balancing in the section "Benefits of Policy-Based Routing."

This next section expands the discussion of route maps to include redistribution.

Configuring Route Maps for Redistribution

Although the filtering discussed in Chapter 17, "Implementing Redistribution and Controlling Routing Updates," is perfectly adequate for simply denying or permitting routes from entering another routing process, route maps can do more. Their strength lies in their ability to change the route in some way. A common manipulation of the route using route maps is to change the metric. As you saw in Chapter 17, changing the metric is necessary so that the receiving routing protocol can forward the route using a metric that it understands.

The following commands are summarized here into groups: the match commands that can be configured for redistribution, and the set commands that can be applied if the route matches the criteria stated.

The match Commands for Redistribution with Route Maps

The match commands used in redistribution are summarized in Table 18-5. These match commands are used to determine whether the route is to be redistributed.

Table 18-5. The match Commands Used in Redistribution

match interface type number [...type number]
    Redistributes any routes that have their next hop out one of the interfaces specified.

match ip address {access-list-number | name} [...access-list-number | name]
    The same command as used in policy-based route maps (see Table 18-3), but here the access list is applied to the destination network of the route being considered for redistribution rather than to a packet.

match ip next-hop {access-list-number | name} [...access-list-number | name]
    Redistributes any routes that have a next-hop router address passed by one of the access lists specified.

match ip route-source {access-list-number | name} [...access-list-number | name]
    Redistributes routes that have been advertised by routers and access servers at the addresses specified by the access lists.

match metric metric-value
    Redistributes routes with the metric specified.

match route-type {local | internal | external [type-1 | type-2] | level-1 | level-2}
    Redistributes routes of the specified type.

match tag tag-value [...tag-value]
    Redistributes routes in the routing table that match the specified tags.

NOTE

If a route is not matched, it is not redistributed.


The set Commands for Redistributing with Route Maps

The following set commands are used after the match criteria have been satisfied. Whereas the match parameter determines whether the route will be redistributed, the set parameter determines how the route is to be redistributed.

The set command is as follows:

Router(config-route-map)# set {criteria}

The set commands used in redistribution are summarized in Table 18-6.

Table 18-6. The set Commands Used in Redistribution

set level {level-1 | level-2 | level-1-2 | stub-area | backbone}
    Used by IS-IS to determine the level into which the process should import routes. Also used by OSPF to state the type of area into which routes should be imported.

set metric metric-value (BGP, OSPF, RIP)
    Sets the metric value for the destination routing protocol.

set metric-type {internal | external | type-1 | type-2}
    Sets the metric type for the destination routing protocol.

set tag tag-value
    Sets a tag value on the route in the destination routing protocol.

Once configured, the route map must be called into service. Until it is called, it has no power. The command used to recruit the services of the route map for redistribution is the redistribution command itself. Once configured, redistribution sends routes to the route map.

Router(config-router)# redistribute protocol [process-id] [route-map map-tag]

map-tag is the name of the route map to use for redistribution. This must match a map tag specified by a route-map command.

Example 18-3 is very simple, but it clearly illustrates the functionality of the route map. Study the example in reference to Figure 18-1.

Figure 18-1. Route Map to Distribute RIPv2 into OSPF


This route map examines all updates from RIP and redistributes those RIP routes with a hop count equal to 3 into OSPF. These routes will be redistributed into OSPF as external link-state advertisements (LSAs) with a metric cost of 6, a metric type of Type 1, and a tag equal to 1.

The tag is useful for tracking routes during redistribution, when the routes change from one routing domain to another, for example, from RIPv2 to OSPF. The routes are tagged at the point at which they are redistributed into another protocol. Although the routing protocols do not use the tags, they are passed between the different domains during redistribution.

Example 18-3. Route Map to Distribute RIPv2 into OSPF
Router(config)# router ospf 25
Router(config-router)# redistribute rip route-map rip-routes
Router(config-router)# exit
Router(config)# route-map rip-routes permit 10
Router(config-route-map)# match metric 3
Router(config-route-map)# set metric 6
Router(config-route-map)# set metric-type type-1
Router(config-route-map)# set tag 1

Note that without the subnets keyword on the redistribute command, OSPF redistributes only classful networks; add it when the RIPv2 domain uses subnetted addresses, or the matching subnet routes will silently fail to appear in OSPF.

Monitoring the Configuration of Route Maps, Policy-Based Routing, and Redistribution

Most of the appropriate commands for tracking route maps are the same as those shown in Chapter 17. The commands used to test connectivity throughout the network include the following:

  • show ip protocols

  • show ip route

  • show ip route routing-protocol

  • show ip eigrp neighbors

  • show ip ospf database

In addition to these commands, trace and extended ping are also very useful. Extended ping is particularly useful in policy-based routing where packets are routed based on packet length, because it lets you choose the datagram size and so test each side of a match length boundary.

To monitor the policy-based-routing configuration, use the following EXEC commands described in Table 18-7.

Table 18-7. Commands to Monitor Policy-Based Routing

show ip policy
    Displays the route maps used for policy-based routing on the router's interfaces.

show route-map [map-name]
    Displays configured route maps, including the match and set statements of each sequence.

debug ip policy
    Displays IP policy-based-routing packet activity. This command helps you to determine what policy-based routing is doing. It displays information about whether a packet matches the criteria and, if so, the resulting routing information for the packet.

CAUTION

Because the debug ip policy command generates a significant amount of output, use it only when traffic on the IP network is low so that other activity on the system is not adversely affected. This is true of all debug commands.




CCNP BSCI Exam Certification Guide
CCNP BSCI Exam Certification Guide (CCNP Self-Study, 642-801) (3rd Edition)
ISBN: 1587200856
Year: 2002
Pages: 194
Authors: Clare Gough
