
Implementing Path Control Using Policy-Based Routing

Chapter 4 describes route maps and how you can use them for route filtering. This section describes another use for route maps, with PBR. PBR enables the administrator to define a routing policy other than basic destination-based routing using the routing table. With PBR, route maps can be used to match source and destination addresses, protocol types, and end-user applications. When a match occurs, a set command can be used to define items, such as the interface or next-hop address to which the packet should be sent.

Using PBR to Control Path Selection

In modern high-performance internetworks, organizations need the freedom to implement packet forwarding and routing according to their own defined policies in a way that goes beyond traditional routing protocol concerns.

Routers normally forward packets to destination addresses based on information in their routing tables. By using PBR, introduced in Cisco IOS Release 11.0, you can implement policies that selectively cause packets to take different paths based on source address, protocol types, or application types. Therefore, PBR overrides the router’s normal routing procedures.

PBR also provides a mechanism to mark packets with different types of service (ToS). This feature can be used in conjunction with Cisco IOS queuing techniques so that certain kinds of traffic can receive preferential service.

PBR provides an extremely powerful, simple, and flexible tool to implement solutions in cases where legal, contractual, or political constraints dictate that traffic be routed through specific paths. Benefits you can achieve by implementing PBR include the following:

  • Source-based transit provider selection— ISPs and other organizations can use PBR to route traffic originating from different sets of users through different Internet connections across policy routers.

  • QoS— Organizations can provide QoS to differentiated traffic by setting the ToS values in the IP packet headers in routers at the periphery of the network and then leveraging queuing mechanisms to prioritize traffic in the network’s core or backbone. This setup improves network performance by eliminating the need to classify the traffic explicitly at each WAN interface in the network’s core or backbone.

  • Cost savings— Using PBR, an organization can direct the bulk traffic associated with a specific activity to use a higher-bandwidth, high-cost link for a short time and to continue basic connectivity over a lower-bandwidth, low-cost link for interactive traffic.

  • Load sharing— In addition to the dynamic load-sharing capabilities offered by destination-based routing that the Cisco IOS Software has always supported, network managers can implement policies to distribute traffic among multiple paths based on the traffic characteristics.

Configuring PBR

Configuring PBR involves configuring a route map with match and set commands and then applying the route map to the interface.

When configuring PBR, it is important to note that PBR is applied to incoming packets. Enabling PBR causes the router to evaluate all packets incoming on the interface using a route map configured for that purpose.

The steps required to implement path control include the following:

  1. Choose the path control tool to use. Path control tools manipulate or bypass the IP routing table. For PBR, route-map commands are used.

  2. Implement the traffic-matching configuration, specifying which traffic will be manipulated; match commands are used within route maps.

  3. Define the action for the matched traffic, using set commands within route maps.

  4. Optionally, fast-switched PBR or Cisco Express Forwarding (CEF)-switched PBR can be enabled. Fast-switched PBR must be enabled manually. CEF-switched PBR is automatically enabled when CEF switching is enabled (which it is by default in recent IOS versions) and PBR is enabled.

  5. Apply the route map to incoming traffic or to traffic locally generated on the router.

  6. Verify path control results, using show commands.

You can configure the route map statements used for PBR as permit or deny. The following defines how these options work:

  • If the statement is marked as deny, a packet meeting the match criteria is not policy routed. Instead, it is sent through the normal forwarding channels; in other words, destination-based routing is performed.

  • Only if the statement is marked as permit and the packet meets all the match criteria are the set commands applied.

  • If no match is found in the route map, the packet is not dropped; it is forwarded through the normal routing channel, which means that destination-based routing is performed.

  • If you do not want to revert to normal forwarding but instead want to drop a packet that does not match the specified criteria, configure a set statement to route the packets to interface null 0 as the last entry in the route map.

PBR match Commands

IP standard or extended access lists can be used to establish PBR match criteria using the match ip address {access-list-number | name} [...access-list-number | name] | prefix-list prefix-list-name [...prefix-list-name] route map configuration command, as explained in Table 5-9. You can use a standard IP access list to specify match criteria for a packet’s source address. You can use extended access lists to specify match criteria based on source and destination addresses, application, protocol type, and ToS.

Table 5-9: match ip address Command

  access-list-number | name
    The number or name of a standard or extended access list to be used to test incoming packets. If multiple access lists are specified, matching any one results in a match.

  prefix-list prefix-list-name
    Specifies the name of a prefix list to be used to test packets. If multiple prefix lists are specified, matching any one results in a match.

Use the match length min max route map configuration command, explained in Table 5-10, to establish criteria based on the packet length between specified minimum and maximum values. For example, a network administrator could use the match length as the criterion that distinguishes between interactive and file transfer traffic, because file transfer traffic usually has larger packet sizes.

Table 5-10: match length Command

  min
    The packet’s minimum Layer 3 length, inclusive, allowed for a match

  max
    The packet’s maximum Layer 3 length, inclusive, allowed for a match

PBR set Commands

If the match statements are satisfied, you can use one or more of the set statements described in this section to specify the criteria for forwarding packets through the router.

The router evaluates the first four set commands for PBR shown in this section in the order they are presented. As soon as a destination address or interface has been chosen, other set commands for changing the destination address or interface are ignored. Note, however, that some of these commands affect only packets for which there is an explicit route in the routing table, and others affect only packets for which there is no explicit route in the routing table.

By default, a packet that is not affected by any of the set commands in a route map statement it has matched is not policy routed and is forwarded normally; in other words, destination-based routing is performed.

set ip next-hop Command

The set ip next-hop ip-address [...ip-address] route map configuration command provides a list of IP addresses used to specify the adjacent next-hop router in the path toward the destination to which the packets should be forwarded. If more than one IP address is specified, the first IP address associated with a currently up and connected interface is used to route the packets. Table 5-11 explains the set ip next-hop command.

Table 5-11: set ip next-hop Command

  ip-address
    The IP address of the next hop to which packets are output. It must be the address of an adjacent router.

The set ip next-hop command affects all packet types and is always used if configured.

Note

With the set ip next-hop command, the routing table is checked only to determine whether the next hop can be reached. It is not checked to determine whether there is an explicit route for the packet’s destination address.

set interface Command

The set interface type number [...type number] route map configuration command provides a list of interfaces through which the packets can be routed. If more than one interface is specified, the first interface that is found to be up is used to forward the packets. Table 5-12 explains this command.

Table 5-12: set interface Command

  type number
    The interface type and number to which packets are output

If there is no explicit route for the destination address of the packet in the routing table (for example, if the packet is a broadcast or is destined for an unknown address), the set interface command has no effect and is ignored. A default route in the routing table is not considered an explicit route for an unknown destination address.

set ip default next-hop Command

The set ip default next-hop ip-address [...ip-address] route map configuration command provides a list of default next-hop IP addresses. If more than one IP address is specified, the first next hop specified that appears to be adjacent to the router is used. The optional specified IP addresses are tried in turn. Table 5-13 explains this command.

Table 5-13: set ip default next-hop Command

  ip-address
    The IP address of the next hop to which packets are output. It must be the address of an adjacent router.

A packet is routed to the next hop specified by the set ip default next-hop command only if there is no explicit route for the packet’s destination address in the routing table. A default route in the routing table is not considered an explicit route for an unknown destination address.

set default interface Command

The set default interface type number [...type number] route map configuration command provides a list of default interfaces. If no explicit route is available to the destination address of the packet being considered for policy routing, it is routed to the first up interface in the list of specified default interfaces. Table 5-14 provides information about this command.

Table 5-14: set default interface Command

  type number
    The interface type and number to which packets are output.

A packet is routed to the next hop specified by the set default interface command only if there is no explicit route for the packet’s destination address in the routing table. A default route in the routing table is not considered an explicit route for an unknown destination address.
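The permit/deny rules and the four path-selecting set commands described above interact in ways that are easy to get wrong, so the following Python model of the evaluation order is added here as an example; it is not the book's code and not Cisco IOS. It models a standard ACL as a list of source prefixes, the routing table as a prefix-to-interface map (with the default route deliberately excluded from the explicit-route check), adjacency as a next-hop-to-interface map, and Null0 as always up. The topology and route map at the bottom are constructed after Router A in the two-ISP example later in this section, extended with a hypothetical deny statement at sequence 5 and with match length support that the book's example does not use.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical model of PBR route-map evaluation (added example, not the book's
# code and not Cisco IOS). Interfaces, prefixes and addresses are constructed.

@dataclass
class Packet:
    src: str
    dst: str
    length: int = 100                              # Layer 3 length, for match length

@dataclass
class Entry:
    seq: int
    permit: bool = True
    acls: list = field(default_factory=list)       # match ip address (standard ACL: source prefixes)
    length: Optional[tuple] = None                 # match length (min, max), inclusive
    next_hop: list = field(default_factory=list)   # set ip next-hop
    interface: list = field(default_factory=list)  # set interface
    default_next_hop: list = field(default_factory=list)   # set ip default next-hop
    default_interface: list = field(default_factory=list)  # set default interface

class Router:
    def __init__(self, routes, up_interfaces, adjacencies):
        self.routes = {ipaddress.ip_network(p): i for p, i in routes.items()}  # prefix -> egress
        self.up = set(up_interfaces)     # interfaces currently up (Null0 is always up)
        self.adj = adjacencies           # next-hop IP -> interface on which it is adjacent

    def explicit_route(self, dst):
        """Longest-prefix match that ignores the default route: for PBR, a default
        route is not an explicit route to an unknown destination."""
        best = None
        for net, ifc in self.routes.items():
            if net.prefixlen and ipaddress.ip_address(dst) in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, ifc)
        return best[1] if best else None

    def normal_forward(self, dst):
        """Destination-based routing: explicit route, else default route, else drop."""
        ifc = self.explicit_route(dst) or self.routes.get(ipaddress.ip_network("0.0.0.0/0"))
        return ("forward", ifc, None) if ifc else ("drop", None, None)

def matches(entry, pkt):
    """A statement with no match clause matches every packet."""
    if entry.acls and not any(ipaddress.ip_address(pkt.src) in ipaddress.ip_network(a)
                              for a in entry.acls):
        return False
    if entry.length and not entry.length[0] <= pkt.length <= entry.length[1]:
        return False
    return True

def policy_route(router, route_map, pkt):
    """Return (action, egress interface, next hop) for one incoming packet."""
    for entry in sorted(route_map, key=lambda e: e.seq):
        if not matches(entry, pkt):
            continue                                 # try the next sequence number
        if not entry.permit:
            return router.normal_forward(pkt.dst)    # deny: matched traffic is not policy routed
        # Set commands are tried in IOS order; the first usable one decides the path.
        for nh in entry.next_hop:                    # set ip next-hop: used whenever the hop is reachable
            if router.adj.get(nh) in router.up:
                return ("policy", router.adj[nh], nh)
        if router.explicit_route(pkt.dst):           # explicit route present: only set interface applies
            for ifc in entry.interface:
                if ifc in router.up:
                    return ("policy", ifc, None)
        else:                                        # no explicit route: only the default forms apply
            for nh in entry.default_next_hop:
                if router.adj.get(nh) in router.up:
                    return ("policy", router.adj[nh], nh)
            for ifc in entry.default_interface:
                if ifc in router.up:
                    return ("drop", ifc, None) if ifc == "Null0" else ("policy", ifc, None)
        return router.normal_forward(pkt.dst)        # matched, but no set command took effect
    return router.normal_forward(pkt.dst)            # no match in the route map: normal routing

# Constructed topology modelled on Router A in the two-ISP example: 10.1.0.0/16 and
# 10.2.0.0/16 are internal, the default route points at ISP A, Null0 is always up.
ROUTER_A = Router(
    routes={"10.1.0.0/16": "FastEthernet0/0", "10.2.0.0/16": "FastEthernet0/0",
            "0.0.0.0/0": "Serial0/0/0"},
    up_interfaces={"FastEthernet0/0", "Serial0/0/0", "Serial0/0/1", "Null0"},
    adjacencies={"192.168.6.6": "Serial0/0/0", "172.16.7.7": "Serial0/0/1"},
)
EQUAL_ACCESS = [
    Entry(seq=5, permit=False, acls=["10.1.9.0/24"]),   # hypothetical deny: never policy routed
    Entry(seq=10, acls=["10.1.0.0/16"], default_next_hop=["192.168.6.6"]),
    Entry(seq=20, acls=["10.2.0.0/16"], default_next_hop=["172.16.7.7"]),
    Entry(seq=30, default_interface=["Null0"]),          # everything else lacking an explicit route
]

if __name__ == "__main__":
    for src, dst in [("10.1.1.1", "172.19.1.1"), ("10.2.5.5", "10.1.1.9"),
                     ("10.1.9.1", "172.19.1.1"), ("192.168.50.1", "172.19.1.1")]:
        print(src, "->", dst, policy_route(ROUTER_A, EQUAL_ACCESS, Packet(src, dst)))
```

Running it prints one decision per sample packet. The second packet (10.2.5.5 to an internal 10.1.0.0 host) shows that set ip default next-hop is skipped when an explicit route exists and the packet falls through to normal forwarding, and the last shows that sequence 30 drops unknown sources only when no explicit route exists; a packet from the same source to 10.2.0.1 would be forwarded normally despite matching sequence 30.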

PBR also provides a mechanism to mark packets using the set ip tos and set ip precedence commands, as shown in the next two sections.

set ip tos Command

The set ip tos [number | name] route map configuration command is used to set some of the bits in the IP ToS field in the IP packet. The ToS field in the IP header is 8 bits long, with 5 bits for setting the class of service (CoS) and 3 bits for the IP precedence. The CoS bits are used to set the delay, throughput, reliability, and cost.

The set ip tos command is used to set the 5 CoS bits. Values 0 through 15 are used (one of the bits is reserved). Table 5-15 provides the names and numbers of the defined ToS values used in this command.

Table 5-15: set ip tos Command

  0 | normal
    Sets the normal ToS

  1 | min-monetary-cost
    Sets the min-monetary-cost ToS

  2 | max-reliability
    Sets the max reliable ToS

  4 | max-throughput
    Sets the max throughput ToS

  8 | min-delay
    Sets the min delay ToS

set ip precedence Command

The set ip precedence [number | name] route map configuration command enables you to set the 3 IP precedence bits in the IP packet header. With 3 bits, you have eight possible values for the IP precedence; values 0 through 7 are defined. This command is used when implementing QoS and can be used by other QoS services, such as weighted fair queuing (WFQ) and weighted random early detection (WRED). Table 5-16 provides the names and numbers of the defined IP precedence values used in this command.

Table 5-16: set ip precedence Command

  0 | routine
    Sets the routine precedence

  1 | priority
    Sets the priority precedence

  2 | immediate
    Sets the immediate precedence

  3 | flash
    Sets the flash precedence

  4 | flash-override
    Sets the flash override precedence

  5 | critical
    Sets the critical precedence

  6 | internet
    Sets the internetwork control precedence

  7 | network
    Sets the network control precedence

You can use the set commands in conjunction with each other.

Configuring PBR on an Interface

To identify a route map to use for policy routing on an interface, use the ip policy route-map map-tag interface configuration command. Table 5-17 explains the parameter.

Table 5-17: ip policy route-map Command

  map-tag
    The name of the route map to use for policy routing. It must match a map tag specified by a route-map command.

Remember that policy-based routing is configured on the interface that receives the packets, not on the interface from which the packets are sent.

Packets originating on the router are not normally policy routed. Local policy routing enables packets originating on the router to take a route other than the obvious shortest path. To identify a route map to use for local policy routing, use the ip local policy route-map map-tag global configuration command. Table 5-18 explains the parameter. This command applies the specified route map to packets originating on the router.

Table 5-18: ip local policy route-map Command

  map-tag
    The name of the route map to use for local policy routing. It must match a map tag specified by a route-map command.

Since Cisco IOS Release 12.0, IP PBR can be fast switched. Before this feature, policy routing could only be process switched, which meant that on most platforms, the switching rate was approximately 1000 to 10,000 packets per second. This was not fast enough for many applications. Users who need policy routing to occur at faster speeds can now implement policy routing without slowing down the router.

PBR must be configured before you configure fast-switched policy routing. Fast switching of policy routing is disabled by default. To enable it, use the ip route-cache policy interface configuration command.

Fast-switched PBR supports all the match commands and most of the set commands, except for the following restrictions:

  • The set ip default next-hop and set default interface commands are not supported.

  • The set interface command is supported only over point-to-point links unless a route-cache entry exists using the same interface specified in the set interface command in the route map. Also, when process switching, the routing table is checked to determine whether the interface is on an appropriate path to the destination. The software does not make this check during fast switching. Instead, if the packet matches, the software blindly forwards the packet to the specified interface.

Note

The ip route-cache policy command is strictly for fast-switched PBR and is therefore not required for CEF-switched PBR.

Verifying PBR

To display the route maps used for policy routing on the router’s interfaces, use the show ip policy EXEC command.

To display configured route maps, use the show route-map [map-name] EXEC command, where map-name is an optional name of a specific route map.

Use the debug ip policy EXEC command to display IP policy routing packet activity. This command shows in detail what policy routing is doing. It displays information about whether a packet matches the criteria and, if so, the resulting routing information for the packet.

Note

Because the debug ip policy command generates a significant amount of output, use it only when traffic on the IP network is low, so that other activity on the system is not adversely affected.

To discover the routes that the packets follow when traveling to their destination from the router, use the traceroute EXEC command. To change the default parameters and invoke an extended traceroute, enter the command without a destination argument. You are then stepped through a dialog to select the desired parameters.

To check host reachability and network connectivity, use the ping EXEC command. You can use the ping command’s extended command mode to specify the supported header options by entering the command without any arguments.

PBR Examples

This section provides three examples of PBR.

Using PBR When Connecting Two ISPs

In Figure 5-11, Router A provides Internet access for a private enterprise and is connected to two different ISPs. This router is advertising a 0.0.0.0 default route into the enterprise network to avoid large routing tables.

Figure 5-11: Router A Is Connected to Two ISPs.

Therefore, when traffic from the enterprise networks 10.1.0.0 and 10.2.0.0 reaches Router A, it can go to either ISP A or ISP B. The company prefers to have ISP A and ISP B receive approximately equal amounts of traffic. PBR is implemented on Router A to shape, or load balance, traffic from Router A to each of the ISPs. All traffic sourced from the 10.1.0.0 subnet is forwarded to ISP A if there is no specific route to the destination in the routing table (the default route is not used). All traffic sourced from the 10.2.0.0 subnet is forwarded to ISP B if there is no specific route to the destination in the routing table.

Caution

Remember, this policy provides for an outbound traffic policy from the enterprise to its ISPs only. It does not determine the inbound traffic policy for Router A. It is possible that traffic from 10.1.0.0 going out to ISP A will receive responses through ISP B.

Example 5-14 shows the configuration for Router A. Route map equal-access is configured.

Example 5-14: Configuration of Router A in Figure 5-11

RouterA(config)#access-list 1 permit 10.1.0.0 0.0.255.255
RouterA(config)#access-list 2 permit 10.2.0.0 0.0.255.255

RouterA(config)#route-map equal-access permit 10
RouterA(config-route-map)#match ip address 1
RouterA(config-route-map)#set ip default next-hop 192.168.6.6

RouterA(config-route-map)#route-map equal-access permit 20
RouterA(config-route-map)#match ip address 2
RouterA(config-route-map)#set ip default next-hop 172.16.7.7

RouterA(config-route-map)#route-map equal-access permit 30
RouterA(config-route-map)#set default interface null0
RouterA(config-route-map)#exit
RouterA(config)#interface FastEthernet 0/0
RouterA(config-if)#ip address 10.1.1.1 255.255.255.0
RouterA(config-if)#ip policy route-map equal-access
RouterA(config-if)#exit
RouterA(config)#interface Serial 0/0/0
RouterA(config-if)#ip address 192.168.6.5 255.255.255.0
RouterA(config-if)#exit
RouterA(config)#interface Serial 0/0/1
RouterA(config-if)#ip address 172.16.7.6 255.255.255.0

The ip policy route-map equal-access command is applied to the Fast Ethernet 0/0 interface, the incoming interface receiving the packets to be policy-routed.

Sequence number 10 in route map equal-access is used to match all packets sourced from any host in subnet 10.1.0.0. If there is a match, and if the router has no explicit route for the packet’s destination, it is sent to next-hop address 192.168.6.6 (ISP A’s router).

Sequence number 20 in route map equal-access is used to match all packets sourced from any host in subnet 10.2.0.0. If there is a match, and if the router has no explicit route for the packet’s destination, it is sent to next-hop address 172.16.7.7 (ISP B’s router).

Sequence number 30 in route map equal-access is used to drop all traffic not sourced from subnet 10.1.0.0 or 10.2.0.0. The null 0 interface is a route to nowhere; traffic is dropped.

The outputs shown in Examples 5-15, 5-16, and 5-17 are from Router A in Figure 5-11. Example 5-15 provides an example of show ip policy command output, indicating that the route map called equal-access is used for PBR on the router’s Fast Ethernet 0/0 interface.

Example 5-15: show ip policy on Router A in Figure 5-11

RouterA#show ip policy
Interface          Route map
FastEthernet0/0    equal-access

Example 5-16 provides an example of show route-map command output, indicating that three packets have matched sequence 10 of the equal-access route map.

Example 5-16: show route-map on Router A in Figure 5-11

RouterA#show route-map
route-map equal-access, permit, sequence 10
  Match clauses:
    ip address (access-lists): 1
  Set clauses:
    ip default next-hop 192.168.6.6
  Policy routing matches: 3 packets, 168 bytes
route-map equal-access, permit, sequence 20
  Match clauses:
    ip address (access-lists): 2
  Set clauses:
    ip default next-hop 172.16.7.7
route-map equal-access, permit, sequence 30
  Set clauses:
    default interface null0

Example 5-17 provides an example of the debug ip policy command output. The output indicates that a packet from 10.1.1.1 destined for 172.19.1.1 has been received on interface Fast Ethernet 0/0 and that it is policy-routed on Serial 0/0/0 to next hop 192.168.6.6 (because the source address of 10.1.1.1 matches line 10 of route map equal-access).

Example 5-17: debug ip policy on Router A in Figure 5-11

RouterA#debug ip policy
Policy routing debugging is on

11:51:25: IP: s=10.1.1.1 (FastEthernet0/0), d=172.19.1.1, len 100, policy match
11:51:25: IP: route map equal-access, item 10, permit
11:51:25: IP: s=10.1.1.1 (FastEthernet0/0), d=172.19.1.1 (Serial0/0/0), len 100, policy routed
11:51:25: IP: FastEthernet0/0/0 to Serial0/0/0 192.168.6.6

Note

The show logging command shows the logging buffer, including the output of the debug command.

Using PBR Based on Source Address

In Figure 5-12, Router A has a policy that packets with a source address of 192.168.2.1 (on the other side of Router B) should go out to Router C’s interface Serial 0/0/1, 172.17.1.2 (via Router A’s S0/0/1 interface). All other packets should be routed according to their destination address. Example 5-18 shows the relevant part of the configuration for Router A.

Figure 5-12: Router A Has a Policy That Packets from 192.168.2.1 Go to Router C’s Interface S0/0/1.

Example 5-18: Configuration of Router A in Figure 5-12

RouterA(config)#interface Serial0/0/2
RouterA(config-if)#ip address 172.16.1.2 255.255.255.0
RouterA(config-if)#ip policy route-map test
RouterA(config-if)#route-map test permit 10
RouterA(config-route-map)#match ip address 1
RouterA(config-route-map)#set ip next-hop 172.17.1.2
RouterA(config-route-map)#exit
RouterA(config)#access-list 1 permit 192.168.2.1 0.0.0.0

Router A’s Serial 0/0/2 interface, where packets from 192.168.2.1 go into Router A, is configured to do policy routing with the ip policy route-map command. The route map test is used for this policy routing. It tests the IP addresses in packets against access list 1 to determine which packets will be policy-routed.

Access list 1 specifies that packets with a source address of 192.168.2.1 are policy routed. Packets that match access list 1 are sent to the next-hop address 172.17.1.2, which is Router C’s Serial 0/0/1 interface. All other packets are forwarded normally, according to their destination address. (Recall that access lists have an implicit deny any at the end, so no other packets are permitted by access list 1.)

The outputs shown in Examples 5-19, 5-20, and 5-21 are from Router A in Figure 5-12. Example 5-19 provides an example of the show ip policy command output. It indicates that the route map called test is used for policy routing on the router’s interface Serial 0/0/2.

Example 5-19: show ip policy Output on Router A in Figure 5-12

RouterA#show ip policy
Interface          Route map
Serial0/0/2        test

The show route-map command, shown in Example 5-20, indicates that three packets have matched sequence 10 of the test route map.

Example 5-20: show route-map Output on Router A in Figure 5-12

RouterA#show route-map
route-map test, permit, sequence 10
  Match clauses:
    ip address (access-lists): 1
  Set clauses:
    ip next-hop 172.17.1.2
  Policy routing matches: 3 packets, 168 bytes

Example 5-21 provides an example of the output of the debug ip policy command. The output indicates that a packet from 172.16.1.1 destined for 192.168.1.1 was received on interface Serial 0/0/2 and that it was rejected by the policy on that interface. The packet is routed normally (by destination). Another packet, from 192.168.2.1 destined for 192.168.1.1, was later received on the same interface, Serial 0/0/2. This packet matched the policy on that interface and therefore was policy routed and sent out interface Serial 0/0/1 to 172.17.1.2.

Example 5-21: Example of debug ip policy on Router A in Figure 5-12

RouterA#debug ip policy
Policy routing debugging is on

...
11:50:51: IP: s=172.16.1.1 (Serial0/0/2), d=192.168.1.1 (Serial0/0/3), len 100, policy rejected -- normal forwarding
...
11:51:25: IP: s=192.168.2.1 (Serial0/0/2), d=192.168.1.1, len 100, policy match
11:51:25: IP: route map test, item 10, permit
11:51:25: IP: s=192.168.2.1 (Serial0/0/2), d=192.168.1.1 (Serial0/0/1), len 100, policy routed
11:51:25: IP: Serial0/0/2 to Serial0/0/1 172.17.1.2
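The debug ip policy output in Examples 5-17 and 5-21 is the ground truth for what PBR actually did with a packet, so it is worth checking it against what the policy was meant to do. The following Python parser and audit are an added example, not part of the book: the sample log is constructed in the format of those two examples and includes a made-up 10.2.3.4 packet that was sent to ISP A's next hop so that the audit has a deviation to report. The expected-next-hop map passed to audit() is an assumption about the intended policy (source subnet to ISP next hop, as in Example 5-14).

```python
import ipaddress
import re

# Added example (not from the book): parse debug ip policy output and audit what PBR did.
# Constructed sample in the format of Examples 5-17 and 5-21; the 10.2.3.4 packet is
# made up to show a source steered to a next hop the policy did not intend.
SAMPLE_LOG = """\
11:51:25: IP: s=10.1.1.1 (FastEthernet0/0), d=172.19.1.1, len 100, policy match
11:51:25: IP: route map equal-access, item 10, permit
11:51:25: IP: s=10.1.1.1 (FastEthernet0/0), d=172.19.1.1 (Serial0/0/0), len 100, policy routed
11:51:25: IP: FastEthernet0/0 to Serial0/0/0 192.168.6.6
11:51:26: IP: s=172.16.1.1 (Serial0/0/2), d=192.168.1.1 (Serial0/0/3), len 100, policy rejected -- normal forwarding
11:51:27: IP: s=10.2.3.4 (FastEthernet0/0), d=172.19.1.1, len 1400, policy match
11:51:27: IP: route map equal-access, item 10, permit
11:51:27: IP: s=10.2.3.4 (FastEthernet0/0), d=172.19.1.1 (Serial0/0/0), len 1400, policy routed
11:51:27: IP: FastEthernet0/0 to Serial0/0/0 192.168.6.6
"""

# Packet line: "s=<src> (<in_if>), d=<dst>[ (<out_if>)], len <n>, policy <verdict>"
PKT = re.compile(r"^\S+: IP: s=(?P<src>[\d.]+) \((?P<in_if>[^)]+)\), d=(?P<dst>[\d.]+)"
                 r"(?: \((?P<out_if>[^)]+)\))?, len (?P<len>\d+), policy (?P<verdict>match|routed|rejected)")
MAP = re.compile(r"^\S+: IP: route map (?P<map>[^,\s]+), item (?P<seq>\d+), (?P<action>permit|deny)")
HOP = re.compile(r"^\S+: IP: (?P<in_if>\S+) to (?P<out_if>\S+) (?P<nh>[\d.]+)$")

def parse_policy_debug(text):
    """Group the debug lines into one record per forwarding decision."""
    records, current = [], None
    for line in text.splitlines():
        m = PKT.match(line)
        if m:
            base = {"src": m["src"], "dst": m["dst"], "in_if": m["in_if"], "len": int(m["len"])}
            if m["verdict"] == "match":                 # first line of a policy-routed packet
                current = base
            elif m["verdict"] == "routed" and current:  # egress chosen; next hop follows on the HOP line
                current.update(out_if=m["out_if"], verdict="policy routed")
            elif m["verdict"] == "rejected":            # single line: normal destination-based forwarding
                records.append(dict(base, out_if=m["out_if"], verdict="normal forwarding"))
            continue
        m = MAP.match(line)
        if m and current:
            current.update(route_map=m["map"], seq=int(m["seq"]), action=m["action"])
            continue
        m = HOP.match(line)
        if m and current:
            current["next_hop"] = m["nh"]
            records.append(current)
            current = None
    return records

def audit(records, expected):
    """expected: {source prefix: next hop the policy should pick}. Returns
    (src, dst, verdict, next_hop) for every packet from a covered prefix that was
    not policy routed to the expected hop."""
    findings = []
    for r in records:
        src = ipaddress.ip_address(r["src"])
        for prefix, hop in expected.items():
            if src in ipaddress.ip_network(prefix) and (
                    r["verdict"] != "policy routed" or r.get("next_hop") != hop):
                findings.append((r["src"], r["dst"], r["verdict"], r.get("next_hop")))
    return findings

if __name__ == "__main__":
    recs = parse_policy_debug(SAMPLE_LOG)
    for r in recs:
        print(r)
    print("deviations:", audit(recs, {"10.1.0.0/16": "192.168.6.6", "10.2.0.0/16": "172.16.7.7"}))
```

The parser keys on the three line shapes the examples show (the "policy match" line, the "route map ..., item N" line, and the "<in> to <out> <next hop>" line for a policy-routed packet; a single "policy rejected" line for everything else), so a captured buffer from show logging can be fed to it unchanged. The audit reports the constructed 10.2.3.4 packet because it left via 192.168.6.6 rather than ISP B's hop; the 172.16.1.1 packet is not reported because no expectation covers its source.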

Alternative Solution: IP SLAs Configuration Example Using PBR

This section presents an alternative solution to the configuration of the R3 router in Figure 5-10 given earlier in this chapter in the “Examples of Path Control Using Cisco IOS IP SLAs” section. A partial configuration is shown in Example 5-22, providing just the configuration for reachability to the R1 router. Explanatory comments are provided within the configuration. (Configuration for reachability to the R2 router would be similar.) Using PBR allows the configuration to be very granular, to support other options. In this example, PBR points to a next-hop address that is tracked via Cisco IOS IP SLAs.

Example 5-22: Partial Alternative Configuration for Router R3 in Figure 5-10

!Configure the object to be tracked; object 1 will be up if the router
!can ping 10.0.8.1
ip sla 99
 icmp-echo 10.0.8.1
 frequency 10
 timeout 5000
ip sla schedule 99 start-time now life forever
!
track 1 rtr 99 reachability
!
!Enable policy routing using route map IP-SLA
interface FastEthernet 0/0
 ip address 10.2.8.1 255.255.255.0
 ip policy route-map IP-SLA
!
!Configure a route-map to set the next-hop to 192.168.2.1 (R1) if
! object 1 is up. If object 1 is down, then policy routing fails
! and unicast routing will route the packet.
route-map IP-SLA
 set ip next-hop verify-availability 192.168.2.1 10 track 1

This configuration uses the set ip next-hop verify-availability [next-hop-address sequence track object] route-map configuration command to configure policy routing to verify the reachability of the next hop of a route map before the router performs policy routing to that next hop. Table 5-19 explains the parameters of this command.

Table 5-19: set ip next-hop verify-availability Command

  next-hop-address
    (Optional) IP address of the next hop to which packets will be forwarded.

  sequence
    (Optional) Sequence of next hops. The acceptable range is from 1 to 65535.

  track
    (Optional) The tracking method is track.

  object
    (Optional) Object number that the tracking subsystem is tracking. The acceptable range is from 1 to 500.

Because of the use of route maps, this type of configuration allows you more granularity to define, via access lists or prefix lists, which traffic classes will be subject to changes based on the results of the object tracking. For example, routes for voice, mission-critical data, and other traffic types could be changed.
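To make the failure mode of Example 5-22 concrete (what happens to the set ip next-hop verify-availability command when the tracked object goes down, and how several tracked hops are ordered by their sequence numbers), here is a small Python model, added as an example; it is not the book's configuration and not Cisco IOS. It assumes a tracked object's state follows only the latest icmp-echo probe, which simplifies the real tracking subsystem's up/down delay timers, and the 192.168.3.1 backup hop at sequence 20 is hypothetical; R1's 192.168.2.1 and the 5000 ms timeout come from the example.

```python
# Added example (not the book's configuration or Cisco IOS): a model of how
# "set ip next-hop verify-availability <hop> <seq> track <object>" picks a next hop
# from tracked objects. The second hop 192.168.3.1 (object 2) is constructed.

def track_states(probes, timeout_ms):
    """Derive each tracked object's state from its latest IP SLA icmp-echo probe.
    probes: {object: (reply_received, rtt_ms)}. Assumption: the object follows the
    latest probe only; the real tracking subsystem also applies up/down delay timers."""
    states = {}
    for obj, (replied, rtt) in probes.items():
        states[obj] = "up" if replied and rtt <= timeout_ms else "down"
    return states

def choose_next_hop(candidates, states):
    """candidates: [(sequence, next_hop, tracked_object)]. Hops are tried in sequence
    order and the first whose object is up is used. If none is up, the set command has
    no effect and the packet falls back to unicast routing (returned as None)."""
    for _seq, hop, obj in sorted(candidates):
        if states.get(obj) == "up":
            return hop
    return None

# R1 at sequence 10 (object 1, as in Example 5-22) and a hypothetical backup at sequence 20.
CANDIDATES = [(20, "192.168.3.1", 2), (10, "192.168.2.1", 1)]

def decide(probes, timeout_ms=5000):
    """Probe results in, chosen next hop (or None for unicast routing) out."""
    return choose_next_hop(CANDIDATES, track_states(probes, timeout_ms))

if __name__ == "__main__":
    print(decide({1: (True, 12), 2: (True, 40)}))        # 192.168.2.1
    print(decide({1: (True, 6000), 2: (True, 40)}))      # 192.168.3.1: R1 replied after the timeout
    print(decide({1: (False, None), 2: (False, None)}))  # None: fall back to unicast routing
```

A reply that arrives after the configured timeout counts as a failed probe, so a slow R1 is treated the same as an unreachable one; combining this with the match clauses of the route map is what lets only the chosen traffic classes follow the tracked hop while everything else stays on unicast routing.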


Advanced Path Control Tools

This section provides a brief overview of additional path control mechanisms that you might encounter in your enterprise networks.

Cisco IOS Optimized Edge Routing

Cisco IOS OER is intended for sites using multiple Internet or WAN service providers. Cisco IOS OER uses tools such as Cisco IOS IP SLAs to automatically detect network service degradation and to make dynamic routing decisions and adjustments based on criteria such as response time, packet loss, jitter, path availability, traffic load distribution, and so forth.

In contrast, normal routing, using routing protocols, focuses on detecting a routing path using static routing metrics, rather than the condition of the service over that path.

An example is illustrated in Figure 5-13. The Cisco IOS OER edge routers, called border routers, monitor information about route prefixes (using traditional routing protocols) and gather performance statistics over each external interface (in this example, using Cisco IOS IP SLAs).

Figure 5-13: Cisco IOS OER Operations.

This information is periodically reported to another router called the master controller. If the prefixes and exit links comply with a configured policy based on performance and service metrics, routing remains as is. If not, the master controller makes a policy-based decision and notifies the border routers, which change the path by such mechanisms as adding static routes or changing routing protocol parameters.

Virtualization

Virtualization is another advanced technology used in enterprise networks; one of its benefits is traffic segregation across a common physical network infrastructure.

An example of virtualization is the use of virtual routing and forwarding (VRF) tables, which are virtual routing tables used to separate the routing function by group on one physical router, as illustrated in Figure 5-14.

Figure 5-14: VRF Creates Separate Virtual Routing Tables in One Physical Router.

For example, employee routes could be kept separate from guest routes by using two different VRFs. These VRFs could also be associated with other virtualization and traffic segregation elements on the network, such as virtual LANs (VLANs), virtual private networks (VPNs), and generic routing encapsulation (GRE) tunnels, to provide an end-to-end, segregated path across the network. An example is illustrated in Figure 5-15, in which path control is based on a design decision to engineer different paths, end to end, with a variety of network virtualization technologies. In this figure, two business units are associated with two different VRFs on the end routers. These VRFs are associated with different VLANs and VPNs throughout the network, to provide an end-to-end segregated path across the network.

Figure 5-15: Virtualization Technologies Used for Path Control.
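The employee/guest separation described above, as an added VRF-lite configuration that is not from the book: two VRFs on one router, each bound to its own VLAN subinterface and holding its own default route. The VRF names, route distinguishers, VLAN numbers, interface names and addresses are assumed values.

```cisco
! Added example (not from the book): employee and guest routing kept
! in separate VRFs on one physical router. All names/numbers are assumed.

ip vrf EMPLOYEE
 rd 65000:1
ip vrf GUEST
 rd 65000:2

! Each VLAN subinterface is bound to its VRF. Assigning ip vrf forwarding
! removes any IP address already on the interface, so set the address after it.
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip vrf forwarding EMPLOYEE
 ip address 10.10.10.1 255.255.255.0
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip vrf forwarding GUEST
 ip address 10.20.20.1 255.255.255.0

! Each VRF gets its own default route toward its own upstream path.
! The GUEST table holds no route to 10.10.10.0/24, so guest hosts have
! no path to employee hosts through this router.
ip route vrf EMPLOYEE 0.0.0.0 0.0.0.0 192.0.2.1
ip route vrf GUEST 0.0.0.0 0.0.0.0 198.51.100.1

! Verification: each VRF table should list only its own connected and
! static prefixes, and the global table should contain neither VLAN.
show ip vrf
show ip route vrf EMPLOYEE
show ip route vrf GUEST
show ip route
```

The segregation is only as strong as the routing tables: any later route leaking between VRFs (for example, via route targets or shared interfaces) reopens a path between the groups, so show ip route vrf for each VRF is the check to repeat after changes.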

Cisco Wide Area Application Services

Cisco WAAS is a good example of the use of PBR to adjust the path of traffic based on advanced services for that traffic, to provide both scalability and high availability. Technologies such as Web Cache Communications Protocol (WCCP) perform a similar function, which is to have routers redirect normal traffic flows into Cisco WAAS devices, where a series of data reduction, flow optimization, and application acceleration services are implemented, and then have them route the flows back into their normal path across the WAN. This scenario is illustrated in the example in Figure 5-16. This use of path control is becoming common in networks with branch offices.

Figure 5-16: WCCP Used for WAN Optimization.

Summary

In this chapter, you learned about implementing path control. The chapter focused on the following topics:

  • Redundant network considerations including resiliency, availability, adaptability, performance, support for network and application services, predictability, and asymmetric traffic.

  • Path control tools including a good addressing design, redistribution and other routing protocol characteristics, passive interfaces, distribute lists, prefix lists, administrative distance, route maps, route tagging, offset lists, Cisco IOS IP SLAs, and PBR. (Advanced tools covered briefly include Cisco IOS OER, virtualization, and Cisco WAAS.)

  • Offset lists, a mechanism for increasing incoming and outgoing metrics to routes learned via EIGRP or RIP. Configuration of offset lists is performed with the offset-list {access-list-number | access-list-name} {in | out} offset [interface-type interface-number] router configuration command. Verification of offset lists can be performed with the traceroute command, the show ip route command, and the show ip eigrp topology command.

  • Cisco IOS IP SLAs, which use active traffic monitoring, generating traffic in a continuous, reliable, and predictable manner, to measure network performance. IOS IP SLAs can be used in conjunction with other tools, including the following:

    • Object tracking, to track the reachability of specified objects

    • Cisco IOS IP SLAs probes, to send different types of probes toward the desired objects

    • Route maps with PBR, to associate the results of the tracking to the routing process

    • Static routes with tracking options, as a simpler alternative to PBR

  • Cisco IOS IP SLAs terminology, including the following:

    • All the Cisco IOS IP SLAs measurement probe operations are configured on the IP SLAs source, either by the CLI or through an SNMP tool that supports IP SLAs operation. The source sends probe packets to the target.

    • There are two types of IP SLAs operations: those in which the target device is running the IP SLAs responder component, and those in which the target device is not running the IP SLAs responder component (such as a web server or IP host).

    • An IP SLAs operation is a measurement that includes protocol, frequency, traps, and thresholds.

  • Configuring IOS IP SLAs, including the use of the following commands:

    • The ip sla operation-number global configuration command (or the ip sla monitor operation-number global configuration command) to begin configuring a Cisco IOS IP SLAs operation and enter IP SLA configuration mode (or rtr configuration mode).

    • The icmp-echo {destination-ip-address | destination-hostname} [source-ip {ip-address | hostname} | source-interface interface-name] IP SLA configuration mode command (or the type echo protocol ipIcmpEcho {destination-ip-address | destination-hostname} [source-ipaddr {ip-address | hostname} | source-interface interface-name] rtr configuration mode command) to configure an IP SLAs ICMP echo operation.

    • The frequency seconds IP SLA configuration submode command (or rtr configuration submode command) to set the rate at which a specified IP SLAs operation repeats.

    • The timeout milliseconds IP SLA configuration submode command (or rtr configuration submode command) to set the amount of time a Cisco IOS IP SLAs operation waits for a response from its request packet.

    • The ip sla schedule operation-number [life {forever | seconds}] [start-time {hh:mm[:ss] [month day | day month] | pending | now | after hh:mm:ss}] [ageout seconds] [recurring] global configuration mode command (or the ip sla monitor schedule operation-number [life {forever | seconds}] [start-time {hh:mm[:ss] [month day | day month] | pending | now | after hh:mm:ss}] [ageout seconds] [recurring] global configuration mode command) to configure the scheduling parameters for a single Cisco IOS IP SLAs operation.

    • The track object-number ip sla operation-number {state | reachability} global configuration command (or the track object-number rtr operation-number {state | reachability} global configuration command) to track the state of an IOS IP SLAs operation, and enter track configuration mode.

    • The delay {up seconds [down seconds] | [up seconds] down seconds} track configuration command to specify a period of time to delay communicating state changes of a tracked object.

    • The ip route prefix mask {ip-address | interface-type interface-number [ip-address]} [dhcp] [distance] [name next-hop-name] [permanent | track number] [tag tag] global configuration command to establish a static route that tracks an object.

  • Verifying Cisco IOS IP SLAs, including the use of the show ip sla configuration [operation] command (or the show ip sla monitor configuration [operation] command), and the show ip sla statistics [operation-number] [details] command (or the show ip sla monitor statistics [operation-number] [details] command).

  • Using PBR to control path selection, providing benefits including source-based transit provider selection, QoS, cost savings, and load sharing. PBR is applied to incoming packets; enabling PBR causes the router to evaluate all packets incoming on the interface using a route map configured for that purpose.

  • Configuring and verifying PBR, including the following steps:

    • Choose the path control tool to use; for PBR, route-map commands are used.

    • Implement the traffic-matching configuration, specifying which traffic will be manipulated; match commands are used within route maps.

    • Define the action for the matched traffic, using set commands within route maps.

    • Optionally, fast-switched PBR or CEF-switched PBR can be enabled. Fast-switched PBR must be enabled manually. CEF-switched PBR is automatically enabled when CEF switching is enabled and PBR is enabled.

    • Apply the route map to incoming traffic or to traffic locally generated on the router.

    • Verify path control results, using show commands.

  • PBR match commands, including the following:

    • The match ip address {access-list-number | name} [...access-list-number | name] route map configuration command

    • The match length min max route map configuration command

  • PBR set commands, including the following four, which are evaluated in this order (as soon as a destination address or interface has been chosen, other set commands for changing the destination address or interface are ignored):

    • The set ip next-hop ip-address [...ip-address] route map configuration command, which affects all packet types and is always used if configured.

    • The set interface type number [...type number] route map configuration command. If there is no explicit route for the destination address of the packet in the routing table (for example, if the packet is a broadcast or is destined for an unknown address), the set interface command has no effect and is ignored. A default route in the routing table is not considered an explicit route for an unknown destination address.

    • The set ip default next-hop ip-address [...ip-address] route map configuration command. A packet is routed to the next hop specified by the set ip default next-hop command only if there is no explicit route for the packet's destination address in the routing table. A default route in the routing table is not considered an explicit route for an unknown destination address.

    • The set default interface type number [...type number] route map configuration command. A packet is routed to the next hop specified by the set default interface command only if there is no explicit route for the packet's destination address in the routing table. A default route in the routing table is not considered an explicit route for an unknown destination address.
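The practical consequence of the set ip next-hop versus set ip default next-hop distinction, as an added example that is not from the book: a guest VLAN whose Internet traffic should leave via a second ISP while internal destinations keep following the IGP. The weak route map is shown beside the corrected one. The ACL name, route-map names, interface, and the 10.99.0.0/16 and 198.51.100.1 addresses are assumed values.

```cisco
! Added example (not from the book): steering guest Internet traffic to a
! second ISP without hijacking internal traffic. All values are assumed.

ip access-list extended GUEST
 permit ip 10.99.0.0 0.0.255.255 any

! Weak: set ip next-hop is always used when configured, so guest packets
! destined for internal prefixes that do have explicit routes in the
! routing table are also pushed to the ISP instead of across the LAN/WAN.
route-map GUEST-PBR-WEAK permit 10
 match ip address GUEST
 set ip next-hop 198.51.100.1

! Corrected: set ip default next-hop is applied only when the routing
! table has no explicit route for the destination (a 0.0.0.0/0 default
! route does not count), so internal destinations are routed normally and
! only unknown, Internet-bound destinations are sent to the ISP.
route-map GUEST-PBR permit 10
 match ip address GUEST
 set ip default next-hop 198.51.100.1

! Applied on the interface that receives guest traffic
interface GigabitEthernet0/3
 description Guest VLAN
 ip policy route-map GUEST-PBR

! Verification: with debug ip policy enabled, a guest packet to an internal
! server should log as "policy rejected -- normal forwarding", while a
! packet to an Internet address should log the policy match and the
! 198.51.100.1 next hop. traceroute from a guest host confirms both paths.
debug ip policy
show route-map GUEST-PBR
```

If internal traffic from guests must be blocked rather than merely kept on the IGP path, that is a job for an access list on the guest interface, not for the route map; PBR only chooses a path.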

  • Other PBR set commands, including the following:

    • The set ip tos [number | name] route map configuration command, used to set the 5 CoS bits. Values 0 through 15 are used; one of the bits is reserved.

    • The set ip precedence [number | name] route map configuration command, used to set the 3 IP precedence bits in the IP packet header.

    • The set ip next-hop verify-availability [next-hop-address sequence track object] route-map configuration command to configure policy routing to verify the reachability of the next hop of a route map before the router performs policy routing to that next hop.

  • Commands to configure PBR on an interface, including the following:

    • The ip policy route-map map-tag interface configuration command, configured on the interface that receives the packets, not on the interface from which the packets are sent

    • The ip local policy route-map map-tag global configuration command, to apply a route map to packets originating on the router

  • Commands to verify PBR, including the show ip policy command, the show route-map [map-name] command, the debug ip policy command, the traceroute command, and the ping command.

  • Advanced path control tools, including the following:

    • Cisco IOS OER, which uses tools such as Cisco IOS IP SLAs to automatically detect network service degradation and to make dynamic routing decisions and adjustments based on criteria such as response time, packet loss, jitter, path availability, traffic load distribution, and so forth

    • Virtualization, such as the use of VRF tables, VLANs, VPNs, and GRE tunnels

    • Cisco WAAS, including the use of WCCP to redirect normal traffic flows into Cisco WAAS devices
