Policy Based Routing PBR

PBR enables you to route a packet based on other information, in addition to the destination IP address. In most cases, engineers are happy with the choices of routes made by the routing protocol, with routing occurring based on the destination IP address in each packet. For some specialized cases, however, an engineer may want some packets to take a different path. One path through the network may be more secure, for instance, so some packets could be directed through a longer, but more secure, path. Some packets that can tolerate high latency may be routed through a path that uses satellite links, saving bandwidth on the lower-latency terrestrial circuits for delay-sensitive traffic. Regardless of the reasons, PBR can classify packets and choose a different route. Figure 3-17 shows a simple example, where FTP traffic is directed over the longer path in the network.

Figure 3-17 PBR: FTP Traffic Routed over Longer Path

[Figure: the route chosen by the routing tables versus the longer path that FTP traffic is sent over using PBR]

PBR supports packet marking and policy routing. As you learned in previous sections, CAR supports marking because CAR's main feature, policing, benefits from having the marking feature available as well. Similarly, PBR includes a marking feature, because in some cases, PBR is used to pick a different route for QoS reasons—for instance, to affect the latency of a packet. So, PBR's core function can benefit from marking a packet, so that the appropriate QoS action can be taken as the packet traverses the network. Just as with CAR, you can use PBR's marking feature without actually using its core feature. In other words, you can use PBR just for classification and marking, without choosing a different route. The examples in this chapter focus only on PBR as a marking tool.

Unlike CB marking and CAR, PBR only processes packets entering an interface; you cannot enable it for packets exiting an interface. The reason PBR only processes incoming packets relates to its core function: policy routing. PBR needs to process packets before a routing decision has been made. Therefore, PBR processes packets entering an interface, preempting the normal routing logic based on destination IP address.

Finally, one other difference between PBR and the other classification and marking tools covered so far (CB marking and CAR) is that PBR can classify based on routing information, instead of totally relying on information in the frame or packet header. PBR can look up the entry in the routing table that matches a packet's destination address, for instance, and then classify based on information about that route. For example, the metric associated with that route, the source of the routing information, or the next-hop interface associated with the route can be checked. In most cases, this routing information does not help you with differentiating between different types of traffic. An FTP server, an IP Phone, a video server, and some web servers may all be in the same subnet, for instance, but the routing information about that subnet could not help PBR distinguish between those different types of traffic. Therefore, typically the most useful classification feature of PBR, when used for marking, is just to refer to an IP ACL.

PBR configuration uses yet another totally different set of configuration commands as compared to CB marking and CAR. PBR does separate the classification, marking, and enabling features into different commands. Tables 3-14 and 3-15 list the pertinent PBR configuration and exec commands, respectively. Following the tables, two example PBR configurations are shown. The two examples use the same criteria as the two CAR samples.

Table 3-14 Configuration Command Reference for PBR

Command: ip local policy route-map map-tag
Mode and Function: Global; specifies that packets generated by this router should be candidates for policy routing

Command: ip policy route-map map-tag
Mode and Function: Interface subcommand; refers to a route map, which in turn classifies packets and specifies actions; actions include specifying a different route, and setting IP precedence

Command: route-map map-tag [permit | deny] [sequence-number]
Mode and Function: Global command; creates a route map entry

Command: match ip address {access-list-number | access-list-name} [... access-list-number | ... access-list-name]
Mode and Function: Route-map subcommand; used to match IP packets based on parameters that can be matched with an IP ACL

Command: match length minimum-length maximum-length
Mode and Function: Route-map subcommand; used to match IP packets based on their length

Command: set ip precedence number | name
Mode and Function: Route-map subcommand; sets the IP precedence value using either the decimal number or the name

Command: set ip next-hop ip-address [...ip-address]
Mode and Function: Route-map subcommand; defines the IP address(es) of the next-hop router(s) to be used for forwarding packets that match this route map entry

Command: ip route-cache policy
Mode and Function: Global command; enables fast switching of PBR-routed packets

Note: Not all PBR-related commands are shown in this table, but commands specifically related to marking are shown.

Table 3-15 Exec Command Reference for PBR Marking

Command: show ip policy
Function: Lists configured PBR details, and statistics for numbers of packets matched by each clause.

Command: show route-map
Function: Lists statistical information about packets matched with a route map. PBR uses route maps to classify and mark traffic.

Example 3-7 shows the first PBR marking example, which uses the same criteria as Example 3-1 for CB marking and Example 3-5 for CAR. In this example, R3 is marking packets that flow right to left in Figure 3-18.

• All VoIP payload traffic is marked with IP precedence 5.

• All other traffic is marked with IP precedence 0.

Example 3-7 PBR Marking, VoIP as DSCP EF, Everything Else as BE

ip route-cache policy
!
ip access-list extended VoIP-ACL
 permit udp any range 16384 32767 any range 16384 32767
!
interface fastethernet 0/0
 ip policy route-map voip-routemap
!
route-map voip-routemap permit 10
 match ip address VoIP-ACL
 set ip precedence 5
!
route-map voip-routemap permit 20
 set ip precedence 0

Figure 3-18 PBR Marking Sample 1: VoIP Marked with IP Precedence 5, Everything Else Marked IP Precedence 0

PBR uses route-map commands, along with match and set route-map subcommands, to classify and mark the packets. This configuration uses a route map named voip-routemap, which includes two clauses. The first clause, clause 10, uses a match command that refers to VoIP-ACL, which is a named IP ACL. VoIP-ACL matches UDP port numbers between 16,384 and 32,767, which matches all VoIP traffic. If the ACL permits a packet, the route map's first clause acts on the set command, which specifies that IP precedence should be set to 5.

The second route map clause, clause 20, matches the rest of the traffic. The route map could have referred to another IP ACL to match all packets; however, by not specifying a match statement in clause 20, all packets will match this clause by default. By not having to refer to another IP ACL to match all packets, less processing overhead is required. The set command then specifies to set precedence to zero.

The ip policy route-map voip-routemap command enables PBR on interface FA0/0 for incoming packets. Notice that the direction, input or output, is not specified, because PBR can only process incoming packets.

The last PBR-specific command is ip route-cache policy. IOS process-switches PBR traffic by default; to use fast switching on PBR traffic, use the ip route-cache policy command.

The second PBR configuration (Example 3-8) includes classification options identical to CAR example 2 (see Example 3-6). A major difference between PBR and CAR is that PBR cannot set the DSCP field, so it sets the IP Precedence field instead. The slightly modified criteria, as compared with CAR example 2, for PBR example 2 are as follows:

• VoIP payload is marked with precedence 5.

• NetMeeting voice and video from Server1 to Client1 is marked with precedence 4.

• Any HTTP traffic is marked with precedence 2.

• All other traffic is marked with precedence 0.

Figure 3-19 shows the network in which the configuration is applied, and Example 3-8 shows the configuration.

Figure 3-19 PBR Marking Sample 2 Network

[Figure: labels Client1, 1001, 1002 on one side and Server1, 3001, 3002 on the other; marking legend: Mark VoIP as IP Precedence 5, Mark NetMeeting as IP Precedence 4, Mark HTTP as IP Precedence 2, Mark All Else as IP Precedence 0]

Example 3-8 PBR Marking Sample 2: VoIP, NetMeeting Audio/Video, HTTP URLs, and Everything Else

ip route-cache policy
!
ip access-list extended VoIP-ACL
 permit udp any range 16384 32768 any range 16384 32768
!
ip access-list extended NetMeet-ACL
 permit udp host 192.168.1.100 range 16384 32768 192.168.3.0 0.0.0.255 range 16384 32768
!
ip access-list extended http-acl
 permit tcp any eq www any
 permit tcp any any eq www
!
interface fastethernet 0/0
 ip policy route-map voip-routemap
!
route-map voip-routemap permit 10
 match ip address NetMeet-ACL
 set ip precedence 4
!
route-map voip-routemap permit 20
 match ip address VoIP-ACL
 set ip precedence 5
!
route-map voip-routemap permit 30
 match ip address http-acl
 set ip precedence 2
!
route-map voip-routemap permit 40
 set ip precedence 0
!
R3#sh ip policy
Interface       Route map
Fastethernet0/0 voip-routemap

R3#show route-map
route-map voip-routemap, permit, sequence 10
  Match clauses:
    ip address (access-lists): NetMeet-ACL
  Set clauses:
    ip precedence flash-override
  Policy routing matches: 3 packets, 222 bytes
route-map voip-routemap, permit, sequence 20
  Match clauses:
    ip address (access-lists): VoIP-ACL
  Set clauses:
    ip precedence critical
  Policy routing matches: 14501 packets, 1080266 bytes
route-map voip-routemap, permit, sequence 30
  Match clauses:
    ip address (access-lists): http-acl
  Set clauses:
    ip precedence immediate
  Policy routing matches: 834 packets, 1007171 bytes
route-map voip-routemap, permit, sequence 40
  Match clauses:
  Set clauses:
    ip precedence routine
  Policy routing matches: 8132 packets, 11263313 bytes

The output of the show ip policy command lists only sparse information: the interface and the route map applied to it. The show route-map command enables you to view statistical information about what PBR has performed. This command lists statistics for any activities performed by a route map, including when one is used for PBR. Notice that the four sets of classification criteria seen in the configuration are listed in the show route-map output, one per sequence number, as are the packet and byte counters for each clause.
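The following is an added example, not code from the book and not Cisco IOS code: a small Python model of how a route map such as voip-routemap in Examples 3-7 and 3-8 classifies and marks packets. It reproduces the behaviour the text describes (clauses tried in sequence-number order, first match wins, a clause with no match statement matches everything, per-clause packet and byte counters as in show route-map) and shows why the NetMeeting clause must precede the general VoIP clause. The class names (Packet, AclEntry, Clause), the function names, and the sample packets are this example's own constructions; the ACL contents mirror Example 3-8, with the only modelled match being match ip address against permit entries.

```python
# Added example (not from the book, not IOS code): a simplified model of how
# PBR evaluates a route map. Clauses are tried in sequence-number order; the
# first clause whose match succeeds applies its set action and ends the
# search; a clause with no match statement matches every packet.
# Packet, AclEntry, Clause, policy_route and the sample data are hypothetical.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# IP precedence names as IOS prints them in "show route-map".
PRECEDENCE_NAMES = {0: "routine", 1: "priority", 2: "immediate", 3: "flash",
                    4: "flash-override", 5: "critical", 6: "internet", 7: "network"}

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    precedence: int = 0          # written by "set ip precedence"

@dataclass
class AclEntry:
    """One permit entry of an extended ACL; 0.0.0.0/0 means 'any', None means any port."""
    proto: str
    src: str
    dst: str
    sports: Optional[tuple]      # (low, high) inclusive, like "range 16384 32768"
    dports: Optional[tuple]

    def matches(self, p: Packet) -> bool:
        if self.proto != p.proto:
            return False
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.sports and not self.sports[0] <= p.sport <= self.sports[1]:
            return False
        if self.dports and not self.dports[0] <= p.dport <= self.dports[1]:
            return False
        return True

@dataclass
class Clause:
    seq: int
    acl: Optional[list]          # None models a clause with no "match" statement
    precedence: int
    matched_packets: int = 0     # the counters "show route-map" reports
    matched_bytes: int = 0

def policy_route(route_map, packet: Packet, length: int) -> Optional[int]:
    """Apply the route map to one packet; return the sequence number that matched."""
    for clause in sorted(route_map, key=lambda c: c.seq):
        if clause.acl is None or any(e.matches(packet) for e in clause.acl):
            packet.precedence = clause.precedence
            clause.matched_packets += 1
            clause.matched_bytes += length
            return clause.seq
    return None  # nothing matched: forwarded by normal routing, unmarked

# The ACLs of Example 3-8, expressed in this model's terms.
RTP = (16384, 32768)
ANY = "0.0.0.0/0"
VOIP_ACL = [AclEntry("udp", ANY, ANY, RTP, RTP)]
NETMEET_ACL = [AclEntry("udp", "192.168.1.100/32", "192.168.3.0/24", RTP, RTP)]
HTTP_ACL = [AclEntry("tcp", ANY, ANY, (80, 80), None),
            AclEntry("tcp", ANY, ANY, None, (80, 80))]

def build_voip_routemap(netmeeting_first: bool = True):
    """Clauses 10 NetMeeting, 20 VoIP, 30 HTTP, 40 everything else, as in Example 3-8.
    netmeeting_first=False swaps clauses 10 and 20 to show why the order matters."""
    first, second = (NETMEET_ACL, 4), (VOIP_ACL, 5)
    if not netmeeting_first:
        first, second = second, first
    return [Clause(10, first[0], first[1]), Clause(20, second[0], second[1]),
            Clause(30, HTTP_ACL, 2), Clause(40, None, 0)]

def show_route_map(route_map) -> str:
    """Render the parts of "show route-map" that this model tracks."""
    out = []
    for c in sorted(route_map, key=lambda c: c.seq):
        out.append(f"route-map voip-routemap, permit, sequence {c.seq}")
        out.append(f"    ip precedence {PRECEDENCE_NAMES[c.precedence]}")
        out.append(f"  Policy routing matches: {c.matched_packets} packets, {c.matched_bytes} bytes")
    return "\n".join(out)

# Constructed sample packets with constructed lengths (Server1 = 192.168.1.100,
# Client1 in 192.168.3.0/24, matching the ACLs; other addresses are arbitrary).
SAMPLES = [
    (Packet("udp", "192.168.1.100", "192.168.3.50", 17000, 20000), 74),  # NetMeeting audio
    (Packet("udp", "10.1.1.5", "10.2.2.9", 17000, 20000), 74),           # other VoIP payload
    (Packet("tcp", "10.1.1.5", "10.2.2.9", 33000, 80), 600),             # HTTP request
    (Packet("tcp", "10.2.2.9", "10.1.1.5", 80, 33000), 1400),            # HTTP reply
    (Packet("tcp", "10.1.1.5", "10.2.2.9", 33000, 21), 100),             # FTP control: clause 40
]

def demo(netmeeting_first: bool = True):
    """Run the samples through the route map; return (route_map, matched seqs, precedences)."""
    rm = build_voip_routemap(netmeeting_first)
    pkts = [(Packet(p.proto, p.src, p.dst, p.sport, p.dport), n) for p, n in SAMPLES]
    seqs = [policy_route(rm, p, n) for p, n in pkts]
    return rm, seqs, [p.precedence for p, _ in pkts]

if __name__ == "__main__":
    rm, seqs, precs = demo()
    print(seqs, precs)
    print(show_route_map(rm))
    # With VoIP-ACL ahead of NetMeet-ACL the NetMeeting packet is marked 5, not 4.
    print(demo(netmeeting_first=False)[2][0])
```

The NetMeeting packet matches both NetMeet-ACL and VoIP-ACL, so it is the clause order, not the ACLs, that decides whether it receives precedence 4 or 5; the model's swapped build shows the misordering. The model deliberately leaves out what the passage does not rely on: deny ACL entries, match length, the routing-information matches, and set ip next-hop.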
