Friday, January 27, 2012

Policy-Based Route
Introduction*
Policy-based routing provides a tool for forwarding and routing data packets based on policies defined by network administrators. In effect, it is a way to have the policy override routing protocol decisions. Policy-based routing includes a mechanism for selectively applying policies based on access list, packet size or other criteria. The actions taken can include routing packets on user-defined routes, setting the precedence, type of service bits, etc.

Here is the setup:


I have used single-area OSPF to advertise all links to all routers; each router has a loopback 155.1.x.x (where x is the router number), and R6 also advertises its four loopbacks, 192.168.10.0/24 to 192.168.40.0/24.

R2 routing table:
R2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     155.1.0.0/32 is subnetted, 6 subnets
O       155.1.6.6 [110/21] via 10.1.234.4, 00:02:18, FastEthernet0/1
                  [110/21] via 10.1.234.3, 00:02:18, FastEthernet0/1
O       155.1.5.5 [110/11] via 10.1.25.5, 00:02:18, Serial0/0
O       155.1.4.4 [110/11] via 10.1.234.4, 00:02:18, FastEthernet0/1
O       155.1.3.3 [110/11] via 10.1.234.3, 00:02:18, FastEthernet0/1
C       155.1.2.2 is directly connected, Loopback0
O       155.1.1.1 [110/11] via 10.1.12.1,
O    192.168.30.0/24 [110/21] via 10.1.234.4, 00:02:20, FastEthernet0/1
                     [110/21] via 10.1.234.3, 00:02:20, FastEthernet0/1
O    192.168.10.0/24 [110/21] via 10.1.234.4, 00:02:20, FastEthernet0/1
                     [110/21] via 10.1.234.3, 00:02:20, FastEthernet0/1
O    192.168.40.0/24 [110/21] via 10.1.234.4, 00:02:20, FastEthernet0/1
                     [110/21] via 10.1.234.3, 00:02:20, FastEthernet0/1
O    192.168.20.0/24 [110/21] via 10.1.234.4, 00:02:21, FastEthernet0/1
                     [110/21] via 10.1.234.3, 00:02:21, FastEthernet0/1
     10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
C       10.1.12.0/24 is directly connected, FastEthernet0/0
O       10.1.6.0/24 [110/20] via 10.1.234.4, 00:02:21, FastEthernet0/1
                    [110/20] via 10.1.234.3, 00:02:21, FastEthernet0/1
C       10.1.25.0/24 is directly connected, Serial0/0
C       10.1.25.5/32 is directly connected, Serial0/0
O       10.1.56.0/24 [110/74] via 10.1.25.5, 00:02:21, Serial0/0
C       10.1.234.0/24 is directly connected, FastEthernet0/1

Now I have configured the following policy-based route on R2:
ip access-list extended NO-IP
!
access-list 10 permit 155.1.1.1
!
route-map PBR permit 10
 match ip address NO-IP
 set interface Serial0/0
!
route-map PBR permit 20
 match ip address 10
 set ip next-hop 10.1.234.3

Note the empty NO-IP extended ACL, which is referenced by the first statement of route-map PBR. The policy is applied on Fa0/0:
interface FastEthernet0/0
 ip address 10.1.12.2 255.255.255.0
 ip policy route-map PBR
 duplex auto
 speed auto

Verify the configuration result on R1:
R1# traceroute 155.1.6.6 source lo0

Type escape sequence to abort.
Tracing the route to 155.1.6.6

  1 10.1.12.2 24 msec 40 msec 28 msec
  2 10.1.25.5 40 msec 36 msec 40 msec
  3 10.1.56.6 52 msec *  52 msec

Note that the trace goes through R5. It is a common mistake to think that only an ACL with explicit entries will catch packets; an empty ACL referenced by the match statement catches them as well, so statement 10 matches everything and sends it out Serial0/0 toward R5.

Removing route-map statement 10 will fix this issue:
R2(config)#no route-map PBR permit 10

The result:
R1# traceroute 155.1.6.6 source lo0

Type escape sequence to abort.
Tracing the route to 155.1.6.6

  1 10.1.12.2 40 msec 28 msec 20 msec
  2 10.1.234.3 52 msec 40 msec 20 msec
  3 10.1.6.6 72 msec *  84 msec

For the next test I configure R5 as the next-hop and R4 as the default next-hop:
route-map PBR permit 20
 match ip address 10
 set ip next-hop 10.1.25.5
 set ip default next-hop 10.1.234.4

R1's traffic goes through R5, as the PBR dictates:
R1# traceroute 155.1.6.6 source lo0

Type escape sequence to abort.
Tracing the route to 155.1.6.6

  1 10.1.12.2 32 msec 48 msec 20 msec
  2 10.1.25.5 52 msec 20 msec 16 msec
  3 10.1.56.6 56 msec *  60 msec

Now let's shut down interface s0/0 on R2; the result:
R1# traceroute 155.1.6.6 source lo0

Type escape sequence to abort.
Tracing the route to 155.1.6.6

  1 10.1.12.2 24 msec 40 msec 16 msec
  2 10.1.234.4 32 msec 56 msec 32 msec
  3 10.1.6.6 76 msec *  80 msec

The next hop is now R4, according to the policy. This fallback only happens because interface s0/0 on R2, which is directly connected to R5, is shut down; otherwise R2 has no way of knowing that it cannot reach 10.1.25.5, and the policy would fail.

Now let's make things a little more complicated. I have configured IP SLA ICMP echo probes toward the R3 and R4 loopbacks, with a tracking object for each:
ip sla monitor 3
 type echo protocol ipIcmpEcho 155.1.3.3
ip sla monitor schedule 3 life forever start-time now
ip sla monitor 4
 type echo protocol ipIcmpEcho 155.1.4.4
ip sla monitor schedule 4 life forever start-time now
!
track 3 rtr 3 reachability
!
track 4 rtr 4 reachability

I also changed the route-map to send traffic to each of these routers only if its loopback is reachable:
route-map PBR permit 20
 match ip address 10
 set ip next-hop verify-availability 10.1.234.3 1 track 3
 set ip next-hop verify-availability 10.1.234.4 2 track 4

The verify-availability keyword makes sure that a set ip next-hop clause is applied only while its track object is up (true); otherwise that clause is ignored. In my example, the first set sends traffic to R3's address 10.1.234.3 only if R3's loopback is reachable; otherwise evaluation moves on to the next sequence in the list, which is R4's address 10.1.234.4.
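To make the evaluation order explicit, here is an added Python model of how a PBR route-map is walked (my own illustration, not IOS code and not part of the original post). It reproduces the three behaviours shown above: an empty ACL in a match clause catches every packet, a set ip default next-hop is consulted only when the destination has no explicit route, and verify-availability next hops are tried in sequence order and skipped while their track object is down or the router has lost its route to them. The addresses are those of the post's topology; the ACL contents, track states and routing-table lists are constructed for the example, and the 192.0.2.1 destination is a constructed address with no route.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Addresses are the post's; ACL entries, track states and RIB are constructed.


@dataclass
class Acl:
    """A standard access list as a list of (action, network) entries."""
    entries: list = field(default_factory=list)

    def permits(self, src: str) -> bool:
        # An ACL with no entries, referenced by a route-map match clause,
        # matches every packet (the NO-IP behaviour observed in the post).
        if not self.entries:
            return True
        for action, net in self.entries:
            if ip_address(src) in ip_network(net):
                return action == "permit"
        return False  # implicit deny at the end of every ACL


@dataclass
class Entry:
    """One 'route-map PBR permit <seq>' statement and its set clauses."""
    seq: int
    acl: Optional[str] = None        # None: no match clause, matches all packets
    next_hops: list = field(default_factory=list)  # [(address, track_id or None)]
    interface: Optional[str] = None
    default_next_hop: Optional[str] = None


def has_route(addr: str, rib: list, explicit: bool = False) -> bool:
    """True if the RIB covers addr; explicit=True ignores a default route."""
    return any(ip_address(addr) in ip_network(n)
               for n in rib if not (explicit and n == "0.0.0.0/0"))


def policy_route(src: str, dst: str, route_map: list, acls: dict,
                 tracks: dict, rib: list):
    """Return (egress, reason) for one packet, mirroring 'debug ip policy'.

    egress is a next-hop address, an interface name, or None for normal
    forwarding. The first entry whose match clause permits the packet is the
    only one evaluated; later sequence numbers are never consulted.
    """
    for entry in sorted(route_map, key=lambda e: e.seq):
        if entry.acl is not None and not acls[entry.acl].permits(src):
            continue
        # set ip next-hop [verify-availability ... track N], in sequence order.
        # A candidate is skipped when its track object is down or the router
        # has no route to it (e.g. the connected interface is shut down).
        for addr, track_id in entry.next_hops:
            if track_id is not None and not tracks.get(track_id, False):
                continue
            if has_route(addr, rib):
                return addr, f"seq {entry.seq}: policy routed, next-hop {addr}"
        if entry.interface is not None:
            return entry.interface, f"seq {entry.seq}: policy routed out {entry.interface}"
        # set ip default next-hop applies only when the destination has no
        # explicit route (a default route does not count as one).
        if entry.default_next_hop and not has_route(dst, rib, explicit=True):
            nh = entry.default_next_hop
            return nh, f"seq {entry.seq}: policy routed, default next-hop {nh}"
        return None, f"seq {entry.seq}: match but no usable set clause, normal forwarding"
    return None, "policy rejected (no match), normal forwarding"


# Constructed data modelled on the post: R2's routing table with s0/0 up/down.
ACLS = {"NO-IP": Acl(), "10": Acl([("permit", "155.1.1.1/32")])}
RIB_UP = ["10.1.12.0/24", "10.1.25.0/24", "10.1.234.0/24", "10.1.6.0/24",
          "10.1.56.0/24", "155.1.6.6/32", "155.1.5.5/32", "155.1.1.1/32"]
RIB_S0_DOWN = [n for n in RIB_UP
               if n not in ("10.1.25.0/24", "155.1.5.5/32", "10.1.56.0/24")]

# The post's first route-map: the empty ACL in seq 10 catches everything.
PBR_EMPTY_ACL = [Entry(10, acl="NO-IP", interface="Serial0/0"),
                 Entry(20, acl="10", next_hops=[("10.1.234.3", None)])]
# After 'no route-map PBR permit 10'.
PBR_FIXED = [Entry(20, acl="10", next_hops=[("10.1.234.3", None)])]
# Tracked next hops toward R3 and R4.
PBR_TRACKED = [Entry(20, acl="10", next_hops=[("10.1.234.3", 3), ("10.1.234.4", 4)])]
# Next-hop R5 with R4 as the default next-hop.
PBR_DEFAULT = [Entry(20, acl="10", next_hops=[("10.1.25.5", None)],
                     default_next_hop="10.1.234.4")]

if __name__ == "__main__":
    cases = [("empty ACL", PBR_EMPTY_ACL, {}, RIB_UP),
             ("fixed", PBR_FIXED, {}, RIB_UP),
             ("tracked, R3 down", PBR_TRACKED, {3: False, 4: True}, RIB_UP)]
    for name, rm, tracks, rib in cases:
        for src in ("155.1.1.1", "10.1.12.1"):
            print(name, src, policy_route(src, "155.1.6.6", rm, ACLS, tracks, rib))
```

Running it prints the egress and reason for each scenario; the "empty ACL" case shows that even the 10.1.12.1 source, which ACL 10 would never permit, is sent out Serial0/0 by sequence 10.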

With all loopbacks up:
R1# traceroute 155.1.6.6 source lo0           

Type escape sequence to abort.
Tracing the route to 155.1.6.6

  1 10.1.12.2 28 msec 36 msec 24 msec
  2 10.1.234.3 52 msec 44 msec 16 msec
  3 10.1.6.6 72 msec *  56 msec

Shutting down R3's loopback:
R2#
*Mar  1 01:41:59.951: %TRACKING-5-STATE: 3 rtr 3 reachability Up->Down

R1# traceroute 155.1.6.6 source lo0            

Type escape sequence to abort.
Tracing the route to 155.1.6.6

  1 10.1.12.2 68 msec 28 msec 24 msec
  2 10.1.234.4 28 msec 44 msec 24 msec
  3 10.1.6.6 76 msec *  76 msec

Bringing it back up:
R2#
*Mar  1 01:44:54.951: %TRACKING-5-STATE: 3 rtr 3 reachability Down->Up

R1# traceroute 155.1.6.6 source lo0           

Type escape sequence to abort.
Tracing the route to 155.1.6.6

  1 10.1.12.2 60 msec 40 msec 20 msec
  2 10.1.234.3 40 msec 40 msec 36 msec
  3 10.1.6.6 80 msec *  56 msec

Policy-based route debugging
Use the command debug ip policy to debug policy-based route actions:
R2# debug ip policy
Policy routing debugging is on

The result:
R1# traceroute 155.1.6.6 source lo0           

R2#
*Mar  1 02:00:20.291: IP: s=155.1.1.1 (FastEthernet0/0), d=155.1.6.6, len 28, FIB policy match
*Mar  1 02:00:20.291: IP: s=155.1.1.1 (FastEthernet0/0), d=155.1.6.6, g=10.1.234.3, len 28, FIB policy routed

R1# traceroute 155.1.6.6

R2#
*Mar  1 02:00:55.047: IP: s=10.1.12.1 (FastEthernet0/0), d=155.1.6.6, len 28, FIB policy rejected(no match) - normal forwarding
*Mar  1 02:00:55.095: IP: s=10.1.12.1 (FastEthernet0/0), d=155.1.6.6, len 28, FIB policy rejected(no match) - normal forwarding
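When checking that a policy is doing what you intend, it helps to parse the debug ip policy lines rather than read them by eye. The following is an added Python parser (my own example, not from the post or from Cisco) for the line format shown above: it classifies each line as match, routed or rejected, counts outcomes per source address, and flags policy-routed packets whose gateway is not one of the next hops you expect. The first three sample lines are the ones from this post; the last two are constructed, and the allowed-gateway set is an assumption for the check.

```python
import re
from collections import Counter

# One 'debug ip policy' line in the CEF (FIB) switching path, as on the page:
# *Mar  1 02:00:20.291: IP: s=155.1.1.1 (FastEthernet0/0), d=155.1.6.6, g=10.1.234.3, len 28, FIB policy routed
DEBUG_LINE = re.compile(
    r"^\*(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+): IP: "
    r"s=(?P<src>[\d.]+) \((?P<ifc>[^)]+)\), d=(?P<dst>[\d.]+), "
    r"(?:g=(?P<gw>[\d.]+), )?len (?P<len>\d+), (?P<verdict>FIB policy .*)$"
)


def parse_line(line: str):
    """Return a dict for one debug line, or None for prompts and other text."""
    m = DEBUG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["len"] = int(rec["len"])
    verdict = rec["verdict"]
    if verdict.startswith("FIB policy routed"):
        rec["outcome"] = "routed"      # a set clause was applied; gw is the next hop
    elif verdict.startswith("FIB policy match"):
        rec["outcome"] = "match"       # a route-map entry matched
    elif verdict.startswith("FIB policy rejected"):
        rec["outcome"] = "rejected"    # no match: normal forwarding
    else:
        rec["outcome"] = "other"
    return rec


def summarize(lines):
    """Count (source, outcome) pairs across a capture."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            counts[(rec["src"], rec["outcome"])] += 1
    return dict(counts)


def unexpected_gateways(lines, allowed):
    """Policy-routed packets sent to a gateway outside the intended set."""
    return [rec for rec in map(parse_line, lines)
            if rec and rec["outcome"] == "routed" and rec["gw"] not in allowed]


# Constructed capture: the first three lines are from the post, the last two
# are made up to show a packet being policy routed toward R5 (10.1.25.5).
SAMPLE = """\
R2#
*Mar  1 02:00:20.291: IP: s=155.1.1.1 (FastEthernet0/0), d=155.1.6.6, len 28, FIB policy match
*Mar  1 02:00:20.291: IP: s=155.1.1.1 (FastEthernet0/0), d=155.1.6.6, g=10.1.234.3, len 28, FIB policy routed
*Mar  1 02:00:55.047: IP: s=10.1.12.1 (FastEthernet0/0), d=155.1.6.6, len 28, FIB policy rejected(no match) - normal forwarding
*Mar  1 02:01:10.103: IP: s=155.1.1.1 (FastEthernet0/0), d=155.1.6.6, len 28, FIB policy match
*Mar  1 02:01:10.103: IP: s=155.1.1.1 (FastEthernet0/0), d=155.1.6.6, g=10.1.25.5, len 28, FIB policy routed
""".splitlines()

# Assumed intent: only R3 and R4 should ever be used as policy next hops.
ALLOWED_NEXT_HOPS = {"10.1.234.3", "10.1.234.4"}

if __name__ == "__main__":
    print(summarize(SAMPLE))
    for rec in unexpected_gateways(SAMPLE, ALLOWED_NEXT_HOPS):
        print("unexpected gateway", rec["gw"], "for", rec["src"], "->", rec["dst"])
```

Note that a single packet produces two lines in the CEF path (match, then routed), so the "match" count for a source should equal its "routed" count unless a matching entry had no usable set clause.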

Policy-based route match and set*
Although there are many route-map matching options, for PBR you can specify only length and/or ip address:
length: Matches the Level 3 length of the packet.
ip address: Matches the source or destination IP address that is permitted by one or more standard or extended access lists.

If you do not specify a match command, the route map applies to all packets.

For the set clauses, you can specify any or all of the following:
precedence: Sets the precedence value in the IP header. You can specify either the precedence number or name.
df: Sets the Don't Fragment (DF) bit in the IP header.
vrf: Sets the VPN Routing and Forwarding (VRF) instance.
next-hop: Sets next hop to which to route the packet.
next-hop recursive: Sets next hop to which to route the packet if the hop is to a router which is not adjacent.
interface: Sets output interface for the packet.
default next-hop: Sets next hop to which to route the packet if there is no explicit route for this destination.
default interface: Sets output interface for the packet if there is no explicit route for this destination.

The set interface command is supported only over point-to-point links.

Policy-based route and CEF*
Beginning in Cisco IOS Release 12.0, PBR is supported in the Cisco Express Forwarding (CEF) switching path. CEF-switched PBR has better performance than fast-switched PBR and, therefore, is the optimal way to perform PBR on a router.
No special configuration is required to enable CEF-switched PBR. It is on by default as soon as you enable CEF and PBR on the router.

*taken from Cisco site at: http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfpbr_ps1835_TSD_Products_Configuration_Guide_Chapter.html
