Forwarding Traffic with Route Maps

Route maps define criteria for matching packets and instructions for what to do with them. In the case of packet forwarding, the instructions define the next hop router to which the packet should be sent or the interface by which the packet should exit. This function is similar to static routing (see "Configuring a Static Route" in Appendix E), but with more control: You can control exactly which packets get forwarded and which do not by using the flexible syntax of access lists.

Route maps are built of one or more entry declarations that each contain so-called match and set statements. For example, the following commands configure a route map called TESTMAP:

route-map TESTMAP permit 20
 match ip address 100
 set ip next-hop 192.168.10.130

The command route-map TESTMAP permit 20 creates a route map entry with a sequence of 20. A route map might contain multiple entries to support multiple policy-routing instructions. The sequence number identifies each entry so you can edit or delete entries without disturbing the rest of the route map. The keyword permit tells the router that packets matching the entry, as specified by match commands in the entry, should be processed by the instructions (set commands) found in the entry—this is the default behavior. If the entry is marked deny instead of permit, the packets matching the entry are not policy routed: They are sent back through the normal forwarding channel.

NOTE Space out your route map sequence numbers so you have the flexibility to insert new sequences between the entries as needed. When policy-routing a packet, the router compares the packet to each entry in the route map in order of sequence. The entry with the lowest sequence number is examined first.

The command match ip address 100 defines the matching criteria of the entry. Here, access list 100 (configured elsewhere in the router) defines the subset of packets that are policy-routed by the entry. Access lists are covered in Chapter 6.

The command set ip next-hop 192.168.10.130 defines the action performed on packets that meet the criteria defined by the previous match statement. Here, the action is to send the matching packets to the next hop router, 192.168.10.130.

In the TESTMAP example, the first entry is given a sequence number of 20, enabling you to insert new entries before or after the initial entry. This is useful because packets are processed against a route map one entry at a time in order of sequence until a match is found. When a matching entry is found, the router processes the packet according to set commands in the entry and restarts the policy-routing procedure with the next packet.

NOTE A packet that does not match a route map entry is routed (forwarded) normally.

Policy Routing: An Example

To demonstrate the use and configuration of route maps, consider the scenario depicted in Figure 3-17.

Figure 3-17 An Example for Policy Routing (Route Maps)

Router A has two paths to subnet 10.1.1.0/24: one through Router B and another through Router C. Dynamic routing protocols such as OSPF, RIP, EIGRP, and the like might dictate to Router A that the preferred path to 10.1.1.0/24 is through either Router B or Router C, or both—both being equal-cost load balancing. The client 10.2.2.2 represents a node that is used for validating the policy-routing configuration (see "Validating Policy Routing Configuration," later in this chapter).

[Figure 3-17 shows Router A connected to Router B and Router C; the link between Router A and Router B is labeled 192.168.10.0/30.]

Now, suppose you must support the following policy on Router A:

• All traffic from subnet 10.4.4.0/24 to subnet 10.1.1.0/24 should travel over the link between Router A and Router C.

• Telnet sessions from clients in 10.2.2.0/24 to servers in 10.1.1.0/24 should also travel over the link between Router A and Router C.

• All other traffic passing through Router A to 10.1.1.0/24 should use the link between Router A and Router B.

This policy overrides the forwarding decisions determined by routing protocols. In this example, the policy covers all conceivable traffic from Router A to 10.1.1.0/24, but that does not have to be the case. When packets do not match the policy defined by a route map, the packets are forwarded normally as if the route map never existed.

To assist configuration, the policy for Router A is summarized in Table 3-2.

Table 3-1 Policies to be Implemented on Router A in Figure 3-17

Source             Destination                   Next Hop Router
10.4.4.0/24        10.1.1.0/24                   RTC
10.2.2.0/24        10.1.1.0/24 port 23 (Telnet)  RTC
All other traffic  10.1.1.0/24                   RTB

Identifying the Traffic for Policy Routing

To begin the policy-routing configuration on Router A, define two access lists: one that defines the traffic that should go to Router C and another that defines the traffic that should go to Router B.

Here is the first access list:

access-list 101 permit ip 10.4.4.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 permit tcp 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255 eq telnet

Access list 101 consists of two rules. The first rule matches all traffic from 10.4.4.0/24 destined to 10.1.1.0/24. The second rule matches all traffic from 10.2.2.0/24 to just the Telnet ports in 10.1.1.0/24. This access list will be used to direct traffic to Router C.

Now, here's the second access list:

access-list 102 permit ip 10.3.3.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 102 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255

Access list 102 also consists of two rules. The first rule matches all traffic from 10.3.3.0/24 to 10.1.1.0/24. The second rule matches all traffic from 10.2.2.0/24 to 10.1.1.0/24. This access list will be used to direct traffic to Router B.

NOTE Chapter 6 covers access list fundamentals and configuration.

Access list 102 matches all traffic from 10.2.2.0/24 to 10.1.1.0/24, including Telnet packets that are also matched by access list 101. This means for the intended policy to work, the route map must be configured to process packets against access list 101 before access list 102.

Creating the Route Map Entries

Next, create Router A's route map. The first entry of the route map forwards traffic to Router C. This coincides with the desired policy. Here's the first entry:

route-map MYMAP permit 20
 match ip address 101
 set ip next-hop 192.168.10.130

The command route-map MYMAP permit 20 creates a route map called MYMAP with an initial entry whose sequence is 20.

The command match ip address 101 defines the matching criteria of the entry. Here, all packets that match access list 101 are subject to the set commands of the entry. Recall that access list 101 encompasses the packets that need to be sent to Router C according to the policy.

The command set ip next-hop 192.168.10.130 defines the action taken when packets meet the match criteria. The action is to forward the packets to neighboring Router C, whose address is 192.168.10.130 (refer to Figure 3-17).

Now, configure a second entry in MYMAP. This entry matches packets that need to be directed to Router B and sets the next hop to 192.168.10.2, Router B's address.

route-map MYMAP permit 40
 match ip address 102
 set ip next-hop 192.168.10.2

The command route-map MYMAP permit 40 creates a second entry in MYMAP with a sequence of 40. This entry has a higher sequence number than the previous entry, route-map MYMAP permit 20. This means packets are checked against sequence 40 only if they do not match sequence 20. As mentioned earlier, a packet that does not match any sequence is routed normally.

The command match ip address 102 configures the matching criteria of this entry to the rules in access list 102. Recall that access list 102 encompasses the packets that need to be sent to Router B.

The command set ip next-hop 192.168.10.2 defines the action taken when packets meet the criteria in the match statement. The action is to forward the packets to Router B whose address is 192.168.10.2 (refer to Figure 3-17).
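As an added illustration (example code written for this page, not from the book or from Cisco IOS), the following Python simulates first-match evaluation of a route map over extended access lists with wildcard masks. It reproduces MYMAP and access lists 101 and 102 and shows why sequence 20 (access list 101) must precede sequence 40 (access list 102): with the sequence numbers swapped, Telnet from 10.2.2.0/24 is sent to Router B. The tuple layouts, the `Packet` class and the `SWAPPED` map are constructed for the example.

```python
# Added example: minimal simulation of IOS-style policy routing.
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

@dataclass(frozen=True)
class Packet:                 # constructed for the example
    src: str
    dst: str
    proto: str = "ip"         # "ip", "tcp", "udp" or "icmp"
    dport: Optional[int] = None

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit means 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def acl_matches(rules, pkt: Packet) -> bool:
    """Extended ACL: first matching rule decides; implicit deny at the end.
    Rule layout: (action, proto, src, src_wild, dst, dst_wild, dport)."""
    for action, proto, src, smask, dst, dmask, dport in rules:
        if proto != "ip" and proto != pkt.proto:
            continue
        if not (wildcard_match(pkt.src, src, smask)
                and wildcard_match(pkt.dst, dst, dmask)):
            continue
        if dport is not None and pkt.dport != dport:
            continue
        return action == "permit"
    return False

def policy_route(route_map, acls, pkt: Packet) -> str:
    """Entries are checked in sequence order; the first match wins.
    Returns the next hop, or 'normal' when the packet is not policy
    routed (no entry matches, or the matching entry is a deny)."""
    for seq, action, acl, next_hop in sorted(route_map):
        if acl_matches(acls[acl], pkt):
            return next_hop if action == "permit" else "normal"
    return "normal"

ACLS = {   # access lists 101 and 102 from the chapter (Telnet = TCP/23)
    101: [("permit", "ip", "10.4.4.0", "0.0.0.255", "10.1.1.0", "0.0.0.255", None),
          ("permit", "tcp", "10.2.2.0", "0.0.0.255", "10.1.1.0", "0.0.0.255", 23)],
    102: [("permit", "ip", "10.3.3.0", "0.0.0.255", "10.1.1.0", "0.0.0.255", None),
          ("permit", "ip", "10.2.2.0", "0.0.0.255", "10.1.1.0", "0.0.0.255", None)],
}
RTC, RTB = "192.168.10.130", "192.168.10.2"
MYMAP = [(20, "permit", 101, RTC), (40, "permit", 102, RTB)]
SWAPPED = [(20, "permit", 102, RTB), (40, "permit", 101, RTC)]  # wrong order
TELNET = Packet("10.2.2.2", "10.1.1.1", "tcp", 23)   # the test client's Telnet
PING = Packet("10.2.2.2", "10.1.1.1", "icmp")        # the test client's ping
```

With MYMAP, `policy_route` sends TELNET to Router C and PING to Router B; with SWAPPED, the Telnet packet already matches access list 102 at sequence 20 and never reaches the Router C entry.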

Apply the Route Map to the Proper Interface

With the route map configuration complete, all that remains is to apply the route map to an interface. Route maps do not do anything until you apply them to an interface.

When you apply a route map to an interface, the interface you select is important. Route maps inspect and process packets as they enter the router; therefore, you must apply the route map to the interface that receives the traffic to be policy routed.

In the example depicted in Figure 3-17, the proper place to apply MYMAP is interface Ethernet0 because that is the interface on Router A that receives the traffic requiring policy routing.

The following commands apply MYMAP to Ethernet0 on Router A:

interface Ethernet0
 ip address 10.3.3.1 255.255.255.0
 ip policy route-map MYMAP
 ip route-cache policy

The command ip policy route-map MYMAP applies MYMAP to interface Ethernet0. All traffic that enters Router A through this interface is subject to the policies defined in MYMAP.

The command ip route-cache policy enables a feature called fast-switched policy routing. This feature, available in IOS 11.3 and later, substantially increases the performance of policy routing by caching information so the CPU doesn't have to process every policy-routed packet.

Validating Policy-Routing Configuration

According to the policy, in the example in Figure 3-17, Telnet packets from 10.2.2.0/24 to 10.1.1.0/24 should go over the link between Router A and Router C, but all other traffic from 10.2.2.0/24 to 10.1.1.0/24 should go over the link between Router A and Router B. To test that the route map is indeed making this happen, you can initiate a Telnet session from a client on 10.2.2.0/24 to a server on 10.1.1.0/24. This client is depicted in Figure 3-17 with the address 10.2.2.2.

After you successfully establish the Telnet session, use the command show ip cache policy to verify policy routing:

RTA#sh ip cac pol

Total adds 1, total deletes 0

Type Routemap/sequence Age Interface Next Hop

NH MYMAP/20 00:00:04 Serial0 192.168.10.130

The preceding output shows one entry in the policy-routing cache. The following list explains the data:

• NH stands for next hop. This means the route map is forwarding in response to the set ip next-hop command. The other possible keyword in the Type column is Int, which indicates forwarding by the set interface command (see "Other Policy-Routing Commands," later in this chapter).

• MYMAP/20 is the name of the route map and the sequence number of the route map entry.

• 00:00:04 is the age of the cache entry. Four seconds ago, a packet matched the policy defined by MYMAP's sequence number 20 and caused the router to create an entry in the policy-routing cache. Only the first packet creates the entry and starts the timer. Subsequent packets that match MYMAP sequence 20 are cache hits and do not restart the timer.

• Serial0 is the output interface for the policy-routed packets.

• 192.168.10.130 is the address of the next hop router (Router C).

NOTE The command show ip cache policy works only when you configure fast-switched policy routing with the ip route-cache policy interface command.

The preceding data is a good indication that policy routing is working as expected. An additional test is to have the client 10.2.2.2 send non-Telnet packets (for example, ping packets) to 10.1.1.0/24. According to the policy defined by MYMAP, such packets are forwarded to Router B (192.168.10.2).

After 10.2.2.2 issues the pings, check the policy-routing cache again:

RTA#sh ip cac pol

Total adds 2, total deletes 0

Type Routemap/sequence Age Interface Next Hop

NH MYMAP/20 00:18:32 Serial0 192.168.10.130

NH MYMAP/40 00:00:27 Serial1 192.168.10.2

The last line in the preceding output indicates that the other entry in MYMAP, sequence 40, is actively forwarding packets to Router B, whose address is 192.168.10.2.

Another way of verifying policy routing is to watch the flow of packets through the router with packet-level debugging. This proves to be a more definitive test than checking the policy-routing cache but requires that you disable fast-switched policy routing.

Before you enable packet-level debugging with the debug ip packet command, you should create a simple access list that filters the debugging down to the specific source you are interested in watching. Otherwise, you might overload the router with too many debugging messages.

To watch packets sourced by 10.2.2.2, create an access list on Router A that permits only source address 10.2.2.2 (refer to Figure 3-17):

RTA#conf t

RTA(config)#access-list 10 permit 10.2.2.2

Next, disable fast-switched policy routing on the interface. This forces the router's CPU to examine every packet during policy routing so that debug messages per packet are displayed.

RTA(config)#int e0

RTA(config-if)#no ip route-cache policy

RTA(config-if)#end

Then, enable packet-level debugging with access list 10 as the filter:

RTA#deb ip packet detail 10

IP packet debugging is on (detailed) for access list 10

Have the client 10.2.2.2 initiate a Telnet connection to 10.1.1.1 and watch the router's debugging messages:

IP: s=10.2.2.2 (Ethernet0), d=10.1.1.1 (Serial0), g=192.168.10.130, len 44, forward
    TCP src=1025, dst=23, seq=3268019581, ack=0, win=512 SYN
IP: s=10.2.2.2 (Ethernet0), d=10.1.1.1 (Serial0), g=192.168.10.130, len 40, forward
    TCP src=1025, dst=23, seq=3268019582, ack=2048489389, win=32120 ACK
IP: s=10.2.2.2 (Ethernet0), d=10.1.1.1 (Serial0), g=192.168.10.130, len 64, forward
    TCP src=1025, dst=23, seq=3268019582, ack=2048489389, win=32248 ACK PSH
IP: s=10.2.2.2 (Ethernet0), d=10.1.1.1 (Serial0), g=192.168.10.130, len 52, forward
    TCP src=1025, dst=23, seq=3268019606, ack=2048489407, win=32248 ACK PSH

The preceding debugging output confirms that Router A is properly forwarding Telnet packets from 10.2.2.2 to 10.1.1.1. That is, policy routing is sending those packets to the next-hop router 192.168.10.130 (Router C). This agrees with the policy defined by entry 20 in MYMAP. The next-hop address appears in the output as g=192.168.10.130. The output dst=23 confirms that the packets belong to Telnet.

When the same client does a ping to 10.1.1.1, the following debugging messages appear:

RTA#
IP: s=10.2.2.2 (Ethernet0), d=10.1.1.1 (Serial1), g=192.168.10.2, len 84, forward
    ICMP type=8, code=0
IP: s=10.2.2.2 (Ethernet0), d=10.1.1.1 (Serial1), g=192.168.10.2, len 84, forward
    ICMP type=8, code=0
IP: s=10.2.2.2 (Ethernet0), d=10.1.1.1 (Serial1), g=192.168.10.2, len 84, forward
    ICMP type=8, code=0
IP: s=10.2.2.2 (Ethernet0), d=10.1.1.1 (Serial1), g=192.168.10.2, len 84, forward
    ICMP type=8, code=0
IP: s=10.2.2.2 (Ethernet0), d=10.1.1.1 (Serial1), g=192.168.10.2, len 84, forward
    ICMP type=8, code=0

The preceding output confirms that Router A is properly forwarding non-Telnet packets from 10.2.2.2 to 10.1.1.1. The output g=192.168.10.2 indicates that the next-hop router is 192.168.10.2, Router B. This agrees with the policy defined by entry 40 in MYMAP. The output ICMP type=8 confirms that the packets are ping (echo request) packets.
