Introduction and Overview
By default, routers make forwarding decisions based on the destination IP address of the packet. This is known as destination-based routing: the routing table is checked to determine the next-hop IP address and the exit interface through which packets are forwarded towards the destination. In the majority of network designs, destination-based routing meets the intended traffic flow. However, some traffic may require special treatment; for instance, traffic to remote corporate resources may need to be routed through a specific ISP rather than another.
Policy-Based Routing (PBR) provides the capability to override the default destination-based routing behaviour of routing devices. PBR is implemented using a route-map that identifies which unicast packets are to be policy-routed and how to route them. A unicast packet arriving on a PBR-configured interface is subject to PBR unless its destination IP address is the IP address of one of the router's own interfaces. Because PBR uses a route-map, it provides solutions in cases where legal, contractual, or political constraints dictate that traffic is routed through specific paths.
Note: PBR applies only to unicast packets; it does not apply to multicast packets.
PBR makes forwarding decisions independent of the routing table. These forwarding decisions may be based upon any one or combination of the following:
- IP address, i.e. the destination IP address, the source IP address, or a combination of the two.
- Protocol type, i.e. IP protocols such as ICMP, TCP or UDP, or TCP and UDP applications such as HTTP, FTP, SSH etc.
- Packet size: a range can be configured and packets whose sizes fall within this range can be policy routed.
- Incoming interface
- Manual assignment of different network paths to the same destination, based on tolerance for latency, link speed etc.
Some of the drawbacks of conditional routing include the following:
- Administrative burden in scalability
- Lack of network intelligence
- Troubleshooting complexity
PBR Fast Switching
In earlier IOS versions, PBR was implemented in the control plane rather than the data plane. This made it highly CPU-intensive: PBR could not use CEF or RSVP and was therefore process-switched. In later IOS versions, PBR is fast-switched and is operationally compatible with CEF and distributed CEF.
With process switching, many platforms supported switching rates of 1,000 to 10,000 packets per second, which may not be fast enough for some applications. Fast-switched policy routing supports all route-map match commands and most set commands except for the following:
- set ip default
- set interface
Fast-switched policy routing is enabled on an interface with the command: ip route-cache policy
PBR Application Scenarios
Possible applications of PBR include:
- Routing based on interactive rather than batch traffic.
- Routing of selected traffic based on dedicated links.
- Protocol-sensitive routing.
- Source-sensitive routing.
Policy Routing Variations
PBR can be configured to modify the next hop for two types of traffic:
- Incoming traffic: PBR is configured on the ingress interface of the traffic using the interface configuration command: ip policy route-map route-map-name. Applying PBR on an interface does not affect locally generated traffic.
- Locally-originated traffic: locally-generated traffic consists mainly of routing protocol packets; it may also include pings and traceroutes from the local router. For locally-generated traffic, PBR is configured in global configuration mode using the command: ip local policy route-map route-map-name. Some IOS versions do not have control plane checks.
Configuration of Policy-Based Routing (PBR)
PBR is configured through a series of steps:
Step 1: Define the traffic using an Access Control List or Prefix-List.
- Standard Access Control List: matches only the packet source IP address.
- Extended Access Control List: matches IP protocols such as TCP, UDP or ICMP, the source IP address, the destination IP address or both, and TCP or UDP applications by port number or name.
When configuring an ACL or prefix-list to identify traffic to be policy routed:
- A permit statement in the access control list or prefix-list means that the identified traffic is policy routed.
- A deny statement means that destination-based forwarding is used, i.e. the routing table is consulted for the next hop to the destination network. It does not mean that the traffic is blocked.

R1(config)#ip access-list extended ACL_172.31.0.0/24
R1(config-ext-nacl)#10 permit icmp host 192.168.1.2 host 172.31.0.1
R1(config-ext-nacl)#20 permit udp host 192.168.1.2 host 172.31.0.1
R1(config-ext-nacl)#do show access-lists
Extended IP access list ACL_172.31.0.0/24
    10 permit icmp host 192.168.1.2 host 172.31.0.1
    20 permit udp host 192.168.1.2 host 172.31.0.1
R1(config-ext-nacl)#
Step 2: Configure a Route-map
Identification of Traffic
Traffic is identified in a route-map using the match statement, referencing the ACL or prefix-list configured in Step 1. Depending on the hardware platform or IOS version, many characteristics of the traffic can be matched.
Match condition considerations
What can be matched usually depends on how the traffic is being classified; packets can be matched by:
- IP address: an ACL or prefix-list can be used to match traffic by IP address.
    - To match traffic using an ACL, use the command: match ip address acl_name_or_number. Several ACLs can be referenced, and the clause matches all or any of them depending on how the match statements are written, for example: match ip address 10, 20 - 30, MY_ACL, match any.
    R1(config)#route-map RM_PBR_172.31.0.1 permit 10
    R1(config-route-map)#match ip address ACL_172.31.0.0/24
    - To match traffic using a prefix-list, use the command: match ip prefix-list prefix-list-name.
- Packet length (in bytes)
- Source routing protocol
- Route-tag
- Route metric
Matching against a prefix-list is commonly used in BGP.
Defining an Action to Take on Identified Traffic
After matching, the action to be taken on the matched traffic is configured using the route-map set command. The conditions that can be modified by the set command are highly dependent on the platform and the IOS version; for PBR the action is usually the next-hop keyword:
- set ip next-hop ip_address: the next hop is used unconditionally; the configured next hop is used to forward the traffic and the routing table is not consulted.
    R1(config-route-map)#set ip next-hop 10.0.13.2
- set ip default next-hop ip_address: the IP routing table is consulted first for the next hop before the configured next hop is considered. If the destination network does not exist in the routing table, the PBR-defined next hop is used. Matching of routes in the RIB holds true except for the default route: the routing table's default route is not considered. This can be thought of as a default route for the matched traffic. The next hop has to be directly connected to the local router; the recursive keyword allows a next hop that is not directly connected to be configured.
- set interface exit-interface: defines the egress interface for the matched packets. PBR does not verify whether the configured egress interface is up or down. When an exit interface is configured, a warning message is issued recommending a point-to-point interface such as a serial interface. If an interface in a broadcast environment such as FastEthernet or GigabitEthernet is used, an ARP request is sent for each and every packet. If the configured egress interface is down, the router routes the traffic using the RIB.
- set default interface exit-interface: the RIB is consulted first to determine the egress interface. If the RIB does not have the destination network, the configured egress interface is used.
- set ip next-hop verify-availability ip-address track track-number: the next hop is used only if the IP SLA track is up.
In addition to modifying the routing path of packets, PBR supports the following modifications to the IP packet header:
- IP Precedence: the precedence attribute of IP packets is modified using the route-map command set ip precedence. The IP header precedence setting determines how packets are treated by routers during times of high traffic. When packets carrying these headers arrive at another router, they are ordered for transmission according to the precedence set, provided a queueing feature is enabled. Precedence bits are not honoured if queueing is not enabled, in which case packets are queued FIFO. The precedence value can be set by name or by number. Possible values include:
    - 0 (routine)
    - 1 (priority)
    - 2 (immediate)
    - 3 (flash)
    - 4 (flash-override)
    - 5 (critical)
    - 6 (internet)
    - 7 (network)
- DF bit: the IP header DF bit can be modified using the command set ip df df.
- VRF: the VRF of a packet can be set using the command set vrf vrf.
When PBR is configured, the PBR configured next hop takes precedence over the FIB table.
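The set actions above interact with the ACL verdict, the RIB and the IP SLA track state in ways that are easy to get wrong, so the following Python model, added here as an example and not Cisco code, walks a constructed packet through an ACL, a route-map clause and a small RIB for each of the three next-hop variants (unconditional, default, and verify-availability). The ACL entries, RIB contents, track states and the demo function are constructed after the addresses used on this page.

```python
import ipaddress
from dataclasses import dataclass

# Added example (not Cisco code): a small model of the PBR decision logic
# described above. ACL, route-map, RIB and track states are constructed.

@dataclass
class AclEntry:
    action: str   # "permit": policy route the traffic; "deny": normal forwarding
    proto: str    # "ip" matches any protocol
    src: str      # source host/network in CIDR form
    dst: str      # destination host/network in CIDR form

    def matches(self, pkt):
        return (self.proto in ("ip", pkt["proto"])
                and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst))

def acl_lookup(acl, pkt):
    """First matching entry wins; no match is the implicit deny (None)."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action
    return None

def rib_lookup(rib, dst, ignore_default=False):
    """Longest-prefix match; 'set ip default next-hop' ignores 0.0.0.0/0."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, nh in rib.items():
        net = ipaddress.ip_network(prefix)
        if (ignore_default and net.prefixlen == 0) or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, nh)
    return best[1] if best else None

def policy_route(pkt, route_map, rib, track_state):
    """route_map: list of clauses {"acl": [AclEntry], "set": [(kind, next_hop, track_id)]}
    with kind 'next-hop', 'default-next-hop' or 'verify-availability'.
    Returns (next_hop, reason) in the spirit of 'debug ip policy'."""
    for clause in route_map:
        if acl_lookup(clause["acl"], pkt) != "permit":
            continue                      # deny / no match: evaluate the next clause
        for kind, nh, track_id in clause["set"]:
            if kind == "next-hop":        # unconditional; the RIB is not consulted
                return nh, "policy routed"
            if kind == "default-next-hop":   # RIB first, but its default route is ignored
                rib_nh = rib_lookup(rib, pkt["dst"], ignore_default=True)
                return (rib_nh, "RIB route used") if rib_nh else (nh, "policy routed (default next-hop)")
            if kind == "verify-availability" and track_state.get(track_id):
                return nh, "policy routed (track up)"   # track down: try the next set entry
        break                             # clause matched but no usable next hop
    return rib_lookup(rib, pkt["dst"]), "policy rejected -- normal forwarding"

# Constructed after the page's ACL: permit only ICMP/UDP from 192.168.1.2 to 172.31.0.1.
ACL = [AclEntry("permit", "icmp", "192.168.1.2/32", "172.31.0.1/32"),
       AclEntry("permit", "udp", "192.168.1.2/32", "172.31.0.1/32")]
RIB = {"0.0.0.0/0": "10.0.12.2", "192.168.1.0/24": "connected"}   # constructed RIB

def demo(kind, track_up=True):
    """Run one ICMP packet (ACL permit) and one TCP packet (implicit deny) through a
    route-map whose single clause uses the given set variant with next hop 10.0.13.2."""
    rm = [{"acl": ACL, "set": [(kind, "10.0.13.2", 1)]}]
    icmp = {"proto": "icmp", "src": "192.168.1.2", "dst": "172.31.0.1"}
    tcp = {"proto": "tcp", "src": "192.168.1.2", "dst": "172.31.0.1"}
    return (policy_route(icmp, rm, RIB, {1: track_up}),
            policy_route(tcp, rm, RIB, {1: track_up}))

if __name__ == "__main__":
    for kind in ("next-hop", "default-next-hop", "verify-availability"):
        print(kind, "->", demo(kind)[0], "| TCP ->", demo(kind)[1])
    print("verify-availability, track down ->", demo("verify-availability", False)[0])
```

The TCP packet is never policy routed because the ACL has no entry for it, which shows that an ACL deny (implicit or explicit) falls back to the RIB rather than dropping the packet.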
Step 3: Apply PBR
- Inbound traffic: the route-map is applied with the interface configuration command: ip policy route-map route-map-name
    R1(config)#interface f4/1
    R1(config-if)#ip policy route-map RM_PBR_172.31.0.1
- Locally-generated traffic: PBR for locally-generated traffic is applied using the global configuration command: ip local policy route-map route-map-name
    R1(config)#ip access-list extended ACL_172.31.0.0/24
    R1(config-ext-nacl)#30 permit udp host 192.168.1.1 host 172.31.0.1
    R1(config-ext-nacl)#exit
    R1(config)#ip local policy route-map RM_PBR_172.31.0.1
Reliable and Dynamic Path Control using PBR
To monitor network performance and change the path of specific traffic based on the health of the network, Cisco IP Service Level Agreement (IP SLA) can be used in combination with PBR.
IP SLA
Create the probe using the commands:
#ip sla 1
#icmp-echo ipaddress source-ip ipaddress
#frequency 10
#show ip sla summary
#ip sla schedule 1 life forever start-time now
#show ip sla summary
#show ip sla configuration
#show ip sla statistics
IP SLA probes need to be enabled (scheduled) as they are disabled by default.
Create a Tracking Object
Tracking objects are used to monitor probes.
#track 1 ip sla 1 reach
#delay down 10 up 3
#show track
To apply the track in a route-map set command:
#set ip next-hop verify-availability 10.1.13.2 13.1.14.2 1 track 1
Verification
show track. In the output, look out for the section tracked by:
Verification of PBR
PBR can be verified with the following commands:
ping remote-ip-address
    Tests PBR by generating traffic. Pings are usually sent as ICMP packets, and these are matched in an extended ACL.
user3@box:~$ ping 172.31.0.1
PING 172.31.0.1 (172.31.0.1): 56 data bytes
64 bytes from 172.31.0.1: seq=0 ttl=253 time=59.776 ms
64 bytes from 172.31.0.1: seq=1 ttl=253 time=41.286 ms
64 bytes from 172.31.0.1: seq=2 ttl=253 time=37.056 ms
64 bytes from 172.31.0.1: seq=3 ttl=253 time=27.850 ms
64 bytes from 172.31.0.1: seq=4 ttl=253 time=44.989 ms
64 bytes from 172.31.0.1: seq=5 ttl=253 time=54.390 ms
64 bytes from 172.31.0.1: seq=6 ttl=253 time=38.526 ms
64 bytes from 172.31.0.1: seq=7 ttl=253 time=35.621 ms
64 bytes from 172.31.0.1: seq=8 ttl=253 time=46.208 ms
64 bytes from 172.31.0.1: seq=9 ttl=253 time=37.415 ms
64 bytes from 172.31.0.1: seq=10 ttl=253 time=50.793 ms
64 bytes from 172.31.0.1: seq=11 ttl=253 time=46.631 ms
64 bytes from 172.31.0.1: seq=12 ttl=253 time=46.996 ms
64 bytes from 172.31.0.1: seq=13 ttl=253 time=39.410 ms
64 bytes from 172.31.0.1: seq=14 ttl=253 time=39.599 ms
64 bytes from 172.31.0.1: seq=15 ttl=253 time=41.211 ms
64 bytes from 172.31.0.1: seq=16 ttl=253 time=46.288 ms
64 bytes from 172.31.0.1: seq=17 ttl=253 time=52.170 ms
64 bytes from 172.31.0.1: seq=18 ttl=253 time=50.405 ms
64 bytes from 172.31.0.1: seq=19 ttl=253 time=58.710 ms
64 bytes from 172.31.0.1: seq=20 ttl=253 time=31.387 ms
64 bytes from 172.31.0.1: seq=21 ttl=253 time=55.167 ms
^C
--- 172.31.0.1 ping statistics ---
22 packets transmitted, 22 packets received, 0% packet loss
round-trip min/avg/max = 27.850/44.631/59.776 ms
user3@box:~$

traceroute remote-ip-address
    Linux and IOS use UDP packets for traceroutes, so these have to be permitted in the extended ACL.
user3@box:~$ traceroute 172.31.0.1
traceroute to 172.31.0.1 (172.31.0.1), 30 hops max, 38 byte packets
 1  192.168.1.1 (192.168.1.1)  20.034 ms  10.405 ms  7.962 ms
 2  10.0.13.2 (10.0.13.2)  37.697 ms  37.986 ms  50.232 ms
 3  10.0.34.2 (10.0.34.2)  47.604 ms  48.801 ms  52.973 ms
user3@box:~$

show route-map
    Displays the number of policy matches in packets and bytes.
R1#show route-map
route-map RM_PBR_172.31.0.1, permit, sequence 10
  Match clauses:
    ip address (access-lists): ACL_172.31.0.0/24
  Set clauses:
    ip next-hop 10.0.13.2
  Policy routing matches: 70 packets, 5046 bytes
R1#

show ip policy
    Displays which route-map is applied to which interface.
R1#show ip policy

Interface      Route map
local          RM_PBR_172.31.0.1
Fa4/1          RM_PBR_172.31.0.1
R1#
The interface name "local" indicates that the route-map applies to PBR for locally-generated traffic. Any other interface name listed means that PBR is configured for traffic arriving on that interface.

debug ip policy
    After enabling debugging with debug ip policy, a traceroute to the host 172.31.0.1 is run on the local router and from a downstream device. Locally generated probes are reported as "policy rejected -- normal forwarding" because the local policy ACL does not match them, while the downstream host's probes arriving on FastEthernet4/1 match clause 10 and are policy routed to 10.0.13.2.

R1#debug ip policy
Policy routing debugging is on
R1#
R1#traceroute 172.31.0.1
Type escape sequence to abort.
Tracing the route to 172.31.0.1
VRF info: (vrf in name/id, vrf out name/id)
  1 10.0.12.2 24 msec 16 msec 4 msec
  2 10.0.24.2 12 msec 12 msec 48 msec
R1#
*Mar  5 02:51:08.579: IP: s=10.0.12.1 (local), d=172.31.0.1, len 28, policy rejected -- normal forwarding
*Mar  5 02:51:08.607: IP: s=10.0.12.1 (local), d=172.31.0.1, len 28, policy rejected -- normal forwarding
*Mar  5 02:51:08.627: IP: s=10.0.12.1 (local), d=172.31.0.1, len 28, policy rejected -- normal forwarding
*Mar  5 02:51:08.635: IP: s=10.0.12.1 (local), d=172.31.0.1, len 28, policy rejected -- normal forwarding
*Mar  5 02:51:08.655: IP: s=10.0.12.1 (local), d=172.31.0.1, len 28, policy rejected -- normal forwarding
*Mar  5 02:51:08.671: IP: s=10.0.12.1 (local), d=172.31.0.1, len 28, policy rejected -- normal forwarding
R1#
*Mar  5 02:51:30.747: IP: s=192.168.1.2 (FastEthernet4/1), d=172.31.0.1, len 38, policy match
*Mar  5 02:51:30.751: IP: route map RM_PBR_172.31.0.1, item 10, permit
*Mar  5 02:51:30.751: IP: s=192.168.1.2 (FastEthernet4/1), d=172.31.0.1 (POS5/0), len 38, policy routed
*Mar  5 02:51:30.755: IP: FastEthernet4/1 to POS5/0 10.0.13.2
*Mar  5 02:51:30.759: IP: s=192.168.1.1 (local), d=192.168.1.2, len 56, policy rejected -- normal forwarding
*Mar  5 02:51:30.775: IP: s=192.168.1.2 (FastEthernet4/1), d=172.31.0.1, len 38, policy match
*Mar  5 02:51:30.779: IP: route map RM_PBR_172.31.0.1, item 10, permit
*Mar  5 02:51:30.779: IP: s=192.168.1.2 (FastEthernet4/1), d=172.31.0.1 (POS5/0), len 38, policy routed
*Mar  5 02:51:30.783: IP: FastEthernet4/1 to POS5/0 10.0.13.2
*Mar  5 02:51:30.787: IP: s=192.168.1.1 (local), d=192.168.1.2, len 56, policy rejected -- normal forwarding
*Mar  5 02:51:30.807: IP: s=192.168.1.2 (FastEthernet4/1), d=172.31.0.1, len 38, policy match
*Mar  5 02:5
R1#1:30.807: IP: route map RM_PBR_172.31.0.1, item 10, permit
*Mar  5 02:51:30.807: IP: s=192.168.1.2 (FastEthernet4/1), d=172.31.0.1 (POS5/0), len 38, policy routed
*Mar  5 02:51:30.807: IP: FastEthernet4/1 to POS5/0 10.0.13.2
*Mar  5 02:51:30.807: IP: s=192.168.1.1 (local), d=192.168.1.2, len 56, policy rejected -- normal forwarding
*Mar  5 02:51:30.819: IP: s=192.168.1.2 (FastEthernet4/1), d=172.31.0.1, len 38, FIB policy match
*Mar  5 02:51:30.819: IP: s=192.168.1.2 (FastEthernet4/1), d=172.31.0.1, len 38, PBR Counted
*Mar  5 02:51:30.823: IP: s=192.168.1.2 (FastEthernet4/1), d=172.31.0.1, g=10.0.13.2, len 38, FIB policy routed
*Mar  5 02:51:30.863: IP: s=192.168.1.2 (FastEthernet4/1), d=172.31.0.1, len 38, FIB policy match
*Mar  5 02:51:30.863: IP: s=192.168.1.2 (FastEthernet4/1), d=172.31.0.1, len 38, PBR Counted
*Mar  5 02:51:30.863: IP: s=192.168.1.2 (FastEthernet4/1), d=172.31.0.1, g=10.0.13.2, len 38, FIB policy routed
*Mar  5 02:51:30.899: IP: s=192.168.1.2 (FastEthe
R1#rnet4/1), d=172.31.0.1, len 38, FIB policy match
*Mar  5 02:51:30.899: IP: s=192.168.1.2 (FastEthernet4/1), d=172.31.0.1, len 38, PBR Counted
*Mar  5 02:51:30.903: IP: s=192.168.1.2 (FastEthernet4/1), d=172.31.0.1, g=10.0.13.2, len 38, FIB policy routed
*Mar  5 02:51:30.959: IP: s=192.168.1.2 (FastEthernet4/1), d=172.31.0.1, len 38, FIB policy match
*Mar  5 02:51:30.959: IP: s=192.168.1.2 (FastEthernet4/1), d=172.31.0.1, len 38, PBR Counted
*Mar  5 02:51:30.959: IP: s=192.168.1.2 (FastEthernet4/1), d=172.31.0.1, g=10.0.13.2, len 38, FIB policy routed
*Mar  5 02:51:31.007: IP: s=192.168.1.2 (FastEthernet4/1), d=172.31.0.1, len 38, FIB policy match
*Mar  5 02:51:31.011: IP: s=192.168.1.2 (FastEthernet4/1), d=172.31.0.1, len 38, PBR Counted
*Mar  5 02:51:31.011: IP: s=192.168.1.2 (FastEthernet4/1), d=172.31.0.1, g=10.0.13.2, len 38, FIB policy routed
*Mar  5 02:51:31.063: IP: s=192.168.1.2 (FastEthernet4/1), d=172.31.0.1, len 38, FIB policy match
*Mar  5 02:51:31.063: IP: s=192
R1#.168.1.2 (FastEthernet4/1), d=172.31.0.1, len 38, PBR Counted
*Mar  5 02:51:31.067: IP: s=192.168.1.2 (FastEthernet4/1), d=172.31.0.1, g=10.0.13.2, len 38, FIB policy routed

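When a debug ip policy capture runs to hundreds of lines, it helps to tally it rather than read it. The following Python script, added here as an example and not part of the page's IOS output, parses constructed debug lines modelled on the capture above, rejoins lines that the console prompt interrupted mid-line, and counts verdicts, route-map clause hits and next hops used; the sample text and the "R1#" prompt shape are assumptions.

```python
import re
from collections import Counter

# Added example (not Cisco code): tallies 'debug ip policy' output. The sample
# below is constructed after the output shown above, including a line that the
# console prompt (assumed to be "R1#") interrupted in the middle.
DEBUG_SAMPLE = """\
R1#debug ip policy
Policy routing debugging is on
R1#
*Mar  5 02:51:08.579: IP: s=10.0.12.1 (local), d=172.31.0.1, len 28, policy rejected -- normal forwarding
*Mar  5 02:51:30.747: IP: s=192.168.1.2 (FastEthernet4/1), d=172.31.0.1, len 38, policy match
*Mar  5 02:51:30.751: IP: route map RM_PBR_172.31.0.1, item 10, permit
*Mar  5 02:51:30.751: IP: s=192.168.1.2 (FastEthernet4/1), d=172.31.0.1 (POS5/0), len 38, policy routed
*Mar  5 02:51:30.755: IP: FastEthernet4/1 to POS5/0 10.0.13.2
*Mar  5 02:51:30.759: IP: s=192.168.1.1 (local), d=192.168.1.2, len 56, policy rejected -- normal forwarding
*Mar  5 02:5
R1#1:30.807: IP: route map RM_PBR_172.31.0.1, item 10, permit
*Mar  5 02:51:30.819: IP: s=192.168.1.2 (FastEthernet4/1), d=172.31.0.1, len 38, FIB policy match
*Mar  5 02:51:30.819: IP: s=192.168.1.2 (FastEthernet4/1), d=172.31.0.1, len 38, PBR Counted
*Mar  5 02:51:30.823: IP: s=192.168.1.2 (FastEthernet4/1), d=172.31.0.1, g=10.0.13.2, len 38, FIB policy routed
"""

# One regex per record type seen in the debug output.
PKT_RE = re.compile(r"IP: s=(?P<src>[\d.]+) \((?P<iif>[^)]+)\), d=(?P<dst>[\d.]+)"
                    r"(?: \((?P<oif>[^)]+)\))?(?:, g=(?P<gw>[\d.]+))?, len (?P<len>\d+), "
                    r"(?P<verdict>.+)$")
RM_RE = re.compile(r"IP: route map (?P<name>\S+), item (?P<seq>\d+), (?P<action>\w+)$")
HOP_RE = re.compile(r"IP: (?P<iif>\S+) to (?P<oif>\S+) (?P<gw>[\d.]+)$")
PROMPT_RE = re.compile(r"^[^\s#]+#(.*)$")   # hostname prompt, possibly mid-line

def is_record(line):
    return any(r.search(line) for r in (PKT_RE, RM_RE, HOP_RE))

def rejoin_interrupted(text):
    """Yield debug lines, gluing a fragment back onto the text that follows the
    prompt which interrupted it (e.g. '*Mar  5 02:5' + 'R1#1:30.807: ...')."""
    pending = None
    for raw in text.splitlines():
        raw = raw.rstrip()
        m = PROMPT_RE.match(raw)
        if m:
            if pending is not None:
                yield pending if is_record(pending) else pending + m.group(1)
            pending = None          # commands typed after a prompt are not records
            continue
        if pending is not None:
            yield pending
        pending = raw
    if pending is not None:
        yield pending

def summarize_policy_debug(text):
    """Count verdicts, route-map clause hits and next hops, and list the sources
    that were policy rejected (useful to confirm which traffic is NOT policied)."""
    verdicts, next_hops, clauses, rejected = Counter(), Counter(), Counter(), set()
    for line in rejoin_interrupted(text):
        if (m := PKT_RE.search(line)):
            verdicts[m["verdict"]] += 1
            if m["gw"]:
                next_hops[m["gw"]] += 1
            if m["verdict"].startswith("policy rejected"):
                rejected.add((m["src"], m["iif"]))
        elif (m := RM_RE.search(line)):
            clauses[(m["name"], int(m["seq"]), m["action"])] += 1
        elif (m := HOP_RE.search(line)):
            next_hops[m["gw"]] += 1
    return {"verdicts": dict(verdicts), "next_hops": dict(next_hops),
            "clauses": dict(clauses), "rejected_sources": sorted(rejected)}

if __name__ == "__main__":
    for key, value in summarize_policy_debug(DEBUG_SAMPLE).items():
        print(f"{key}: {value}")
```

A next hop other than the one configured in the route-map, or a rejected source you expected to be policied, is the quickest sign that the ACL or the local policy is not matching what you intended.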
show cef interface interface-name
    Displays the CEF interface settings relevant to PBR.
R1#show cef interface fa4/1
FastEthernet4/1 is up (if_number 9)
  Corresponding hwidb fast_if_number 9
  Corresponding hwidb firstsw->if_number 9
  Internet address is 192.168.1.1/24
  ICMP redirects are always sent
  Per packet load-sharing is disabled
  IP unicast RPF check is disabled
  Input features: Policy Routing
  IP policy routing is enabled
  IP policy route map is RM_PBR_172.31.0.1
  BGP based policy accounting on input is disabled
  BGP based policy accounting on output is disabled
  Hardware idb is FastEthernet4/1
  Fast switching type 1, interface type 18
  IP CEF switching enabled
  IP CEF switching turbo vector
  IP CEF turbo switching turbo vector
  IP prefix lookup IPv4 mtrie 8-8-8-8 optimized
  Input fast flags 0x2, Output fast flags 0x0
  ifindex 9(9)
  Slot  Slot unit 1 VC -1
  IP MTU 1500
R1#

show ip interface interface-name
    Displays the route-map configured for PBR on the interface.
R1#show ip interface fa4/1

FastEthernet4/1 is up, line protocol is up
  Internet address is 192.168.1.1/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Multicast reserved groups joined: 224.0.0.5 224.0.0.6
  Outgoing access list is not set
  Inbound  access list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP CEF switching turbo vector
  IP CEF turbo switching turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Policy routing is enabled, using route map RM_PBR_172.31.0.1
  Network address translation is disabled
  BGP Policy Mapping is disabled
  Input features: Policy Routing, MCI Check
  IPv4 WCCP Redirect outbound is disabled
  IPv4 WCCP Redirect inbound is disabled
  IPv4 WCCP Redirect exclude is disabled
R1#