- Understanding Path Control
- Implementing Path Control Using Offset Lists
- Implementing Path Control Using Cisco IOS IP SLAs
- Implementing Path Control Using Policy-Based Routing
- Advanced Path Control Tools
- Summary
- References
- Review Questions
This chapter is from the book
This chapter is from the book
This chapter is from the book
Implementing Path Control Using Policy-Based Routing
Chapter 4 describes route maps and how you can use them for route filtering. This section describes another use for route maps, with PBR. PBR enables the administrator to define a routing policy other than basic destination-based routing using the routing table. With PBR, route maps can be used to match source and destination addresses, protocol types, and end-user applications. When a match occurs, a set command can be used to define items, such as the interface or next-hop address to which the packet should be sent.
Using PBR to Control Path Selection
In modern high-performance internetworks, organizations need the freedom to implement packet forwarding and routing according to their own defined policies in a way that goes beyond traditional routing protocol concerns.
Routers normally forward packets to destination addresses based on information in their routing tables. By using PBR, introduced in Cisco IOS Release 11.0, you can implement policies that selectively cause packets to take different paths based on source address, protocol types, or application types. Therefore, PBR overrides the router's normal routing procedures.
PBR also provides a mechanism to mark packets with different types of service (ToS). This feature can be used in conjunction with Cisco IOS queuing techniques so that certain kinds of traffic can receive preferential service.
PBR provides an extremely powerful, simple, and flexible tool to implement solutions in cases where legal, contractual, or political constraints dictate that traffic be routed through specific paths. Benefits you can achieve by implementing PBR include the following:
- Source-based transit provider selection—ISPs and other organizations can use PBR to route traffic originating from different sets of users through different Internet connections across policy routers.
- QoS—Organizations can provide QoS to differentiated traffic by setting the ToS values in the IP packet headers in routers at the periphery of the network and then leveraging queuing mechanisms to prioritize traffic in the network's core or backbone. This setup improves network performance by eliminating the need to classify the traffic explicitly at each WAN interface in the network's core or backbone.
- Cost savings—Using PBR, an organization can direct the bulk traffic associated with a specific activity to use a higher-bandwidth, high-cost link for a short time and to continue basic connectivity over a lower-bandwidth, low-cost link for interactive traffic.
- Load sharing—In addition to the dynamic load-sharing capabilities offered by destination-based routing that the Cisco IOS Software has always supported, network managers can implement policies to distribute traffic among multiple paths based on the traffic characteristics.
Configuring PBR
Configuring PBR involves configuring a route map with match and set commands and then applying the route map to the interface.
When configuring PBR, it is important to note that PBR is applied to incoming packets. Enabling PBR causes the router to evaluate all packets incoming on the interface using a route map configured for that purpose.
The steps required to implement path control include the following:
- Choose the path control tool to use. Path control tools manipulate or bypass the IP routing table. For PBR, route-map commands are used.
- Implement the traffic-matching configuration, specifying which traffic will be manipulated; match commands are used within route maps.
- Define the action for the matched traffic, using set commands within route maps.
- Optionally, fast-switched PBR or Cisco Express Forwarding (CEF)-switched PBR can be enabled. Fast-switched PBR must be enabled manually. CEF-switched PBR is automatically enabled when CEF switching is enabled (which it is by default in recent IOS versions) and PBR is enabled.
- Apply the route map to incoming traffic or to traffic locally generated on the router.
- Verify path control results, using show commands.
You can configure the route map statements used for PBR as permit or deny. The following defines how these options work:
- If the statement is marked as deny, a packet meeting the match criteria is not policy-based routed. Instead, it is sent through the normal forwarding channels; in other words, destination-based routing is performed.
- Only if the statement is marked as permit and the packet meets all the match criteria are the set commands applied.
- If no match is found in the route map, the packet is not dropped; it is forwarded through the normal routing channel, which means that destination-based routing is performed.
- If you do not want to revert to normal forwarding but instead want to drop a packet that does not match the specified criteria, configure a set statement to route the packets to interface null 0 as the last entry in the route map.
PBR match Commands
IP standard or extended access lists can be used to establish PBR match criteria using the match ip address {access-list-number | name} [...access-list-number | name] | prefix-list prefix-list-name [..prefix-list-name] route map configuration command, as explained in Table 5-9. You can use a standard IP access list to specify match criteria for a packet's source address. You can use extended access lists to specify match criteria based on source and destination addresses, application, protocol type, and ToS.
Table 5-9. match ip address Command
|
Parameter |
Description |
|
access-list-number | name |
The number or name of a standard or extended access list to be used to test incoming packets. If multiple access lists are specified, matching any one results in a match. |
|
prefix-list prefix-list-name |
Specifies the name of a prefix list to be used to test packets. If multiple prefix lists are specified, matching any one results in a match. |
Use the match length min max route map configuration command, explained in Table 5-10, to establish criteria based on the packet length between specified minimum and maximum values. For example, a network administrator could use the match length as the criterion that distinguishes between interactive and file transfer traffic, because file transfer traffic usually has larger packet sizes.
Table 5-10. match length Command
|
Parameter |
Description |
|
min |
The packet's minimum Layer 3 length, inclusive, allowed for a match |
|
max |
The packet's maximum Layer 3 length, inclusive, allowed for a match |
PBR set Commands
If the match statements are satisfied, you can use one or more of the set statements described in this section to specify the criteria for forwarding packets through the router.
The router evaluates the first four set commands for PBR shown in this section in the order they are presented. As soon as a destination address or interface has been chosen, other set commands for changing the destination address or interface are ignored. Note, however, that some of these commands affect only packets for which there is an explicit route in the routing table, and others affect only packets for which there is no explicit route in the routing table.
By default, a packet that is not affected by any of the set commands in a route map statement it has matched is not policy routed and is forwarded normally; in other words, destination-based routing is performed.
set ip next-hop Command
The set ip next-hop ip-address [...ip-address] route map configuration command provides a list of IP addresses used to specify the adjacent next-hop router in the path toward the destination to which the packets should be forwarded. If more than one IP address is specified, the first IP address associated with a currently up and connected interface is used to route the packets. Table 5-11 explains the set ip next-hop command.
Table 5-11. set ip next-hop Command
|
Parameter |
Description |
|
ip-address |
The IP address of the next hop to which packets are output. It must be the address of an adjacent router. |
The set ip next-hop command affects all packet types and is always used if configured.
set interface Command
The set interface type number [... type number] route map configuration command provides a list of interfaces through which the packets can be routed. If more than one interface is specified, the first interface that is found to be up is used to forward the packets. Table 5-12 explains this command.
Table 5-12. set interface Command
|
Parameter |
Description |
|
type number |
The interface type and number to which packets are output |
If there is no explicit route for the destination address of the packet in the routing table (for example, if the packet is a broadcast or is destined for an unknown address), the set interface command has no effect and is ignored. A default route in the routing table is not considered an explicit route for an unknown destination address.
set ip default next-hop Command
The set ip default next-hop ip-address [...ip-address] route map configuration command provides a list of default next-hop IP addresses. If more than one IP address is specified, the first next hop specified that appears to be adjacent to the router is used. The optional specified IP addresses are tried in turn. Table 5-13 explains this command.
Table 5-13. set ip default next-hop Command
|
Parameter |
Description |
|
ip-address |
The IP address of the next hop to which packets are output. It must be the address of an adjacent router. |
A packet is routed to the next hop specified by the set ip default next-hop command only if there is no explicit route for the packet's destination address in the routing table. A default route in the routing table is not considered an explicit route for an unknown destination address.
set default interface Command
The set default interface type number [...type number] route map configuration command provides a list of default interfaces. If no explicit route is available to the destination address of the packet being considered for policy routing, it is routed to the first up interface in the list of specified default interfaces. Table 5-14 provides information about this command.
Table 5-14. set default interface Command
|
Parameter |
Description |
|
type number |
The interface type and number to which packets are output. |
A packet is routed to the next hop specified by the set default interface command only if there is no explicit route for the packet's destination address in the routing table. A default route in the routing table is not considered an explicit route for an unknown destination address.
PBR also provides a mechanism to mark packets using the set ip tos and set ip precedence commands, as shown in the next two sections.
set ip tos Command
The set ip tos [number | name] route map configuration command is used to set some of the bits in the IP ToS field in the IP packet. The ToS field in the IP header is 8 bits long, with 5 bits for setting the class of service (CoS) and 3 bits for the IP precedence. The CoS bits are used to set the delay, throughput, reliability, and cost.
The set ip tos command is used to set the 5 CoS bits. Values 0 through 15 are used (one of the bits is reserved). Table 5-15 provides the names and numbers of the defined ToS values used in this command.
Table 5-15. set ip tos Command
|
Parameter number | name |
Description |
|
0 | normal |
Sets the normal ToS |
|
1 | min-monetary-cost |
Sets the min-monetary-cost ToS |
|
2 | max-reliability |
Sets the max reliable ToS |
|
4 | max-throughput |
Sets the max throughput ToS |
|
8 | min-delay |
Sets the min delay ToS |
set ip precedence Command
The set ip precedence [number | name] route map configuration command enables you to set the 3 IP precedence bits in the IP packet header. With 3 bits, you have eight possible values for the IP precedence; values 0 through 7 are defined. This command is used when implementing QoS and can be used by other QoS services, such as weighted fair queuing (WFQ) and weighted random early detection (WRED). Table 5-16 provides the names and numbers of the defined IP precedence values used in this command.
Table 5-16. set ip precedence Command
|
Parameter number | name |
Description |
|
0 | routine |
Sets the routine precedence |
|
1 | priority |
Sets the priority precedence |
|
2 | immediate |
Sets the immediate precedence |
|
3 | flash |
Sets the Flash precedence |
|
4 | flash-override |
Sets the Flash override precedence |
|
5 | critical |
Sets the critical precedence |
|
6 | internet |
Sets the internetwork control precedence |
|
7 | network |
Sets the network control precedence |
You can use the set commands in conjunction with each other.
Configuring PBR on an Interface
To identify a route map to use for policy routing on an interface, use the ip policy route-map map-tag interface configuration command. Table 5-17 explains the parameter.
Table 5-17. ip policy route-map Command
|
Parameter |
Description |
|
map-tag |
The name of the route map to use for policy routing. It must match a map tag specified by a route-map command. |
Remember that policy-based routing is configured on the interface that receives the packets, not on the interface from which the packets are sent.
Packets originating on the router are not normally policy routed. Local policy routing enables packets originating on the router to take a route other than the obvious shortest path. To identify a route map to use for local policy routing, use the ip local policy route-map map-tag global configuration command. Table 5-18 explains the parameter. This command applies the specified route map to packets originating on the router.
Table 5-18. ip local policy route-map Command
|
Parameter |
Description |
|
map-tag |
The name of the route map to use for local policy routing. It must match a map tag specified by a route-map command. |
Since Cisco IOS Release 12.0, IP PBR can now be fast switched. Before this feature, policy routing could only be process switched, which meant that on most platforms, the switching rate was approximately 1000 to 10,000 packets per second. This was not fast enough for many applications. Users who need policy routing to occur at faster speeds can now implement policy routing without slowing down the router.
PBR must be configured before you configure fast-switched policy routing. Fast switching of policy routing is disabled by default. To enable it, use the ip route-cache policy interface configuration command.
Fast-switched PBR supports all the match commands and most of the set commands, except for the following restrictions:
- The set ip default next-hop and set default interface commands are not supported.
- The set interface command is supported only over point-to-point links unless a route-cache entry exists using the same interface specified in the set interface command in the route map. Also, when process switching, the routing table is checked to determine whether the interface is on an appropriate path to the destination. The software does not make this check during fast switching. Instead, if the packet matches, the software blindly forwards the packet to the specified interface.
Verifying PBR
To display the route maps used for policy routing on the router's interfaces, use the show ip policy EXEC command.
To display configured route maps, use the show route-map [map-name] EXEC command, where map-name is an optional name of a specific route map.
Use the debug ip policy EXEC command to display IP policy routing packet activity. This command shows in detail what policy routing is doing. It displays information about whether a packet matches the criteria and, if so, the resulting routing information for the packet.
To discover the routes that the packets follow when traveling to their destination from the router, use the traceroute EXEC command. To change the default parameters and invoke an extended traceroute, enter the command without a destination argument. You are then stepped through a dialog to select the desired parameters.
To check host reachability and network connectivity, use the ping EXEC command. You can use the ping command's extended command mode to specify the supported header options by entering the command without any arguments.
PBR Examples
This section provides three examples of PBR.
Using PBR When Connecting Two ISPs
In Figure 5-11, Router A provides Internet access for a private enterprise and is connected to two different ISPs. This router is advertising a 0.0.0.0 default route into the enterprise network to avoid large routing tables.
)
Figure 5-11 Router A Is Connected to Two ISPs.
Therefore, when traffic from the enterprise networks 10.1.0.0 and 10.2.0.0 reaches Router A, it can go to either ISP A or ISP B. The company prefers to have ISP A and ISP B receive approximately equal amounts of traffic. PBR is implemented on Router A to shape, or load balance, traffic from Router A to each of the ISPs. All traffic sourced from the 10.1.0.0 subnet is forwarded to ISP A if there is no specific route to the destination in the routing table (the default route is not used). All traffic sourced from the 10.2.0.0 subnet is forwarded to ISP B if there is no specific route to the destination in the routing table.
Example 5-14 shows the configuration for Router A. Route map equal-access is configured.
Example 5-14. Configuration of Router A in Figure 5-11
RouterA(config)#access-list 1 permit 10.1.0.0 0.0.255.255 RouterA(config)#access-list 2 permit 10.2.0.0 0.0.255.255 RouterA(config)#route-map equal-access permit 10 RouterA(config-route-map)#match ip address 1 RouterA(config-route-map)#set ip default next-hop 192.168.6.6 RouterA(config-route-map)#route-map equal-access permit 20 RouterA(config-route-map)#match ip address 2 RouterA(config-route-map)#set ip default next-hop 172.16.7.7 RouterA(config-route-map)#route-map equal-access permit 30 RouterA(config-route-map)#set default interface null0 RouterA(config-route-map)#exit RouterA(config)#interface FastEthernet 0/0 RouterA(config-if)#ip address 10.1.1.1 255.255.255.0 RouterA(config-if)#ip policy route-map equal-access RouterA(config-if)#exit RouterA(config)#interface Serial 0/0/0 RouterA(config-if)#ip address 192.168.6.5 255.255.255.0 RouterA(config-if)#exit RouterA(config)#interface Serial 0/0/1 RouterA(config-if)#ip address 172.16.7.6 255.255.255.0
The ip policy route-map equal-access command is applied to the Fast Ethernet 0/0 interface, the incoming interface receiving the packets to be policy-routed.
Sequence number 10 in route map equal-access is used to match all packets sourced from any host in subnet 10.1.0.0. If there is a match, and if the router has no explicit route for the packet's destination, it is sent to next-hop address 192.168.6.6 (ISP A's router).
Sequence number 20 in route map equal-access is used to match all packets sourced from any host in subnet 10.2.0.0. If there is a match, and if the router has no explicit route for the packet's destination, it is sent to next-hop address 172.16.7.7 (ISP B's router).
Sequence number 30 in route map equal-access is used to drop all traffic not sourced from subnet 10.1.0.0 or 10.2.0.0. The null 0 interface is a route to nowhere; traffic is dropped.
The outputs shown in Examples 5-15, 5-16, and 5-17 are from Router A in Figure 5-11. Example 5-15 provides an example of show ip policy command output, indicating that the route map called equal-access is used for PBR on the router's Fast Ethernet 0/0 interface.
Example 5-15. show ip policy on Router A in Figure 5-11
RouterA#show ip policy Interface Route map FastEthernet0/0 equal-access
Example 5-16 provides an example of show route-map command output, indicating that three packets have matched sequence 10 of the equal-access route map.
Example 5-16. show route-map on Router A in Figure 5-11
RouterA#show route-map
route-map equal-access, permit, sequence 10
Match clauses:
ip address (access-lists): 1
Set clauses:
ip default next-hop 192.168.6.6
Policy routing matches: 3 packets, 168 bytes
route-map equal-access, permit, sequence 20
Match clauses:
ip address (access-lists): 2
Set clauses:
ip default next-hop 172.16.7.7
route-map equal-access, permit, sequence 30
Set clauses:
default interface null0
Example 5-17 provides an example of the debug ip policy command output. The output indicates that a packet from 10.1.1.1 destined for 172.19.1.1 has been received on interface Fast Ethernet 0/0 and that it is policy-routed on Serial 0/0/0 to next hop 192.168.6.6 (because the source address of 10.1.1.1 matches line 10 of route map equal-access).
Example 5-17. debug ip policy on Router A in Figure 5-11
RouterA#debug ip policy Policy routing debugging is on 11:51:25: IP:s=10.1.1.1(FastEthernet0/0), d=172.19.1.1, len 100,policy match11:51:25: IP: route map equal-access, item 10, permit11:51:25: IP: s=10.1.1.1 (FastEthernet0/0), d=172.19.1.1 (Serial0/0/0), len 100,policy routed11:51:25: IP: FastEthernet0/0/0 to Serial0/0/0 192.168.6.6
Using PBR Based on Source Address
In Figure 5-12, Router A has a policy that packets with a source address of 192.168.2.1 (on the other side of Router B) should go out to Router C's interface Serial 0/0/1, 172.17.1.2 (via Router A's S0/0/1 interface). All other packets should be routed according to their destination address. Example 5-18 shows the relevant part of the configuration for Router A.
)
Figure 5-12 Router A Has a Policy That Packets from 192.168.2.1 Go to Router C's Interface S0/0/1.
Example 5-18. Configuration of Router A in Figure 5-12
RouterA(config)#interface Serial0/0/2 RouterA(config-if)#ip address 172.16.1.2 255.255.255.0 RouterA(config-if)#ip policy route-map test RouterA(config-if)#route-map test permit 10 RouterA(config-route-map)#match ip address 1 RouterA(config-route-map)#set ip next-hop 172.17.1.2 RouterA(config-route-map)#exit RouterA(config)#access-list 1 permit 192.168.2.1 0.0.0.0
Router A's Serial 0/0/2 interface, where packets from 192.168.2.1 go into Router A, is configured to do policy routing with the ip policy route-map command. The route map test is used for this policy routing. It tests the IP addresses in packets against access list 1 to determine which packets will be policy-routed.
Access list 1 specifies that packets with a source address of 192.168.2.1 are policy routed. Packets that match access list 1 are sent to the next-hop address 172.17.1.2, which is Router C's Serial 0/0/1 interface. All other packets are forwarded normally, according to their destination address. (Recall that access lists have an implicit deny any at the end, so no other packets are permitted by access list 1.)
The outputs shown in Examples 5-19, 5-20, and 5-21 are from Router A in Figure 5-12. Example 5-19 provides an example of the show ip policy command output. It indicates that the route map called test is used for policy routing on the router's interface Serial 0/0/2.
Example 5-19. show ip policy Output on Router A in Figure 5-12
RouterA#show ip policy Interface Route map Serial0/0/2 test
The show route-map command, shown in Example 5-20, indicates that three packets have matched sequence 10 of the test route map.
Example 5-20. show route-map Output on Router A in Figure 5-12
RouterA#show route-map
route-map test, permit, sequence 10
Match clauses:
ip address (access-lists): 1
Set clauses:
ip next-hop 172.17.1.2
Policy routing matches: 3 packets, 168 bytes
Example 5-21 provides an example of the output of the debug ip policy command. The output indicates that a packet from 172.16.1.1 destined for 192.168.1.1 was received on interface Serial 0/0/2 and that it was rejected by the policy on that interface. The packet is routed normally (by destination). Another packet, from 192.168.2.1 destined for 192.168.1.1, was later received on the same interface, Serial 0/0/2. This packet matched the policy on that interface and therefore was policy routed and sent out interface Serial 0/0/1 to 172.17.1.2.
Example 5-21. Example of debug ip policy on Router A in Figure 5-12
RouterA#debug ip policy Policy routing debugging is on ... 11:50:51: IP:s=172.16.1.1(Serial0/0/2), d=192.168.1.1 (Serial0/0/3), len 100,policy rejected — normal forwarding... 11:51:25: IP:s=192.168.2.1(Serial0/0/2), d=192.168.1.1, len 100,policy match11:51:25: IP: route map test, item 10, permit11:51:25: IP: s=192.168.2.1 (Serial0/0/2), d=192.168.1.1 (Serial0/0/1), len 100,policy routed11:51:25: IP: Serial0/0/2 to Serial0/0/1 172.17.1.2
Alternative Solution IP SLAs Configuration Example Using PBR
This section presents an alternative solution to the configuration of the R3 router in Figure 5-10 given earlier in this chapter in the "Examples of Path Control Using Cisco IOS IP SLAs" section. A partial configuration is shown in Example 5-22, providing just the configuration for reachability to the R1 router. Explanatory comments are provided within the configuration. (Configuration for reachability to the R2 router would be similar.) Using PBR allows the configuration to be very granular, to support other options. In this example, PBR points to a next-hop address that is tracked via Cisco IOS IP SLAs.
){kind=link}
Example 5-22. Partial Alternative Configuration for Router R3 in Figure 5-10
!Configure the object to be tracked; object 1 will be up if the router
!can ping 10.0.8.1
ip sla 99
icmp-echo 10.0.8.1
frequency 10
timeout 5000
ip sla schedule 99 start-time now life forever
!
track 1 rtr 99 reachability
!
!Enable policy routing using route map IP-SLA
interface FastEthernet 0/0
ip address 10.2.8.1 255.255.255.0
ip policy route-map IP-SLA
!
!Configure a route-map to set the next-hop to 192.168.2.1 (R1) if
! object 1 is up. If object 1 is down, then policy routing fails
! and unicast routing will route the packet.
route-map IP-SLA
set ip next-hop verify-availability 192.168.2.1 10 track 1
This configuration uses the set ip next-hop verify-availability [next-hop-address sequence track object] route-map configuration command to configure policy routing to verify the reachability of the next hop of a route map before the router performs policy routing to that next hop. Table 5-19 explains the parameters of this command.
Table 5-19. set ip next-hop verify-availability Command
|
Parameter |
Description |
|
next-hop-address |
(Optional) IP address of the next hop to which packets will be forwarded. |
|
sequence |
(Optional) Sequence of next hops. The acceptable range is from 1 to 65535. |
|
track |
(Optional) The tracking method is track. |
|
object |
(Optional) Object number that the tracking subsystem is tracking. The acceptable range is from 1 to 500. |
Because of the use of route maps, this type of configuration allows you more granularity to define, via access lists or prefix lists, which traffic classes will be subject to changes based on the results of the object tracking. For example routes for voice, mission-critical data, and other traffic types could be changed.