In certain cases, the best path isn't always
the "best path". Mainly best path is determined by the routing
protocol depending on metric calculations which may be simple like in OSPF
and RIP or complex in case of EIGRP. The key here is that the routing protocols
affects all types of traffic since it all run under the same rule of the IGP
best path.
Sometimes we want to change the default
behavior for security reasons or “actual” best path reasons. This can be
achieved by policy-based routing or PBR.
There are two types of PBR.
1. Transient traffic PBR: which is the traffic passing by a router
along it path
2. Local traffic PBR: which is traffic sourced from the router
itself.
Transient traffic PBR
To understand how transient traffic is
processed in both incoming and outgoing directions, Let’s take a look Cisco routers process packets.
Incoming
Packet
|
Outgoing
Packet
|
. If IPSec then check input access list
|
. If IPSec then check input access list
|
. decryption - for CET (Cisco Encryption
Technology) or IPSec
|
. decryption - for CET or IPSec
|
. check input access list
|
. check input access list
|
. check input rate limits
|
. check input rate limits
|
. input accounting
|
. input accounting
|
. redirect to web cache
|
. redirect to web cache
|
. policy routing
|
. NAT outside to inside (globalto local
translation)
|
. routing
|
. policy routing
|
. NAT inside to outside (local to global
translation)
|
. routing
|
. crypto (check map and mark for
encryption)
|
. crypto (check map and mark for
encryption)
|
. check output access list
|
. check output access list
|
. inspect (Context-based Access Control
(CBAC))
|
. inspect CBAC
|
. TCP intercept
|
. TCP intercept
|
. encryption
|
. encryption
|
. Queueing
|
. Queueing
|
From the table above, PBR matches before
routing, thus it skips the normal routing.
From the topology shown below, let’s see a traceroute
from R4 loopback 4.4.4.4 to R1 loopback 1.1.1.1 nothing that all routers below
are using OSPF as their routing protocols without any special modifications.
R4#traceroute 1.1.1.1
source 4.4.4.4 numeric
Type escape sequence to
abort.
Tracing the route to
1.1.1.1
1 10.3.4.3 24 msec 28 msec 16 msec
2 10.2.3.2 52 msec 44 msec 16 msec
3 10.1.2.1 72 msec * 52 msec
The trace shows that for R4 to get to R1, R3
as a transient router will choose R2 to forward the packets to since the link
cost to R1 is 64 and to R2 is 1.
Now let’s enforce transient traffic with
source ip 4.4.4.4 and destination ip 1.1.1.1 to go to R1 directely instead of
R2.
First let’s create a named extended
access-list to match our traffic.
R3(config)#ip
access-list extended PBR
R3(config-ext-nacl)#permit
ip host 4.4.4.4 host 1.1.1.1
Now let’s
create a route-map to match the access-list traffic and set “next-hop or exit
interface” to R1 directly.
This is
how you set it for next-hop IP
route-map PBR permit 10
match ip address PBR
set ip next-hop 10.1.3.1
And this
is for exit interface
route-map PBR permit 10
match ip address PBR
set interface Serial0/0
Now let’s
apply the route-map under the incoming interface in R3, in our case its
interface F1/0
R3(config)#int f1/0
R3(config-if)#ip policy
route-map PBR
As a
final set, let’s check interface F1/0
R3#show ip int f1/0
FastEthernet1/0 is up, line protocol is up
Internet
address is 10.3.4.3/24
Broadcast
address is 255.255.255.255
Address
determined by setup command
MTU is 1500
bytes
Helper
address is not set
Directed
broadcast forwarding is disabled
Multicast
reserved groups joined: 224.0.0.5 224.0.0.6
Outgoing
access list is not set
Inbound access list is not set
Proxy ARP is
enabled
Local Proxy
ARP is disabled
Security
level is default
Split
horizon is enabled
ICMP
redirects are always sent
ICMP
unreachables are always sent
ICMP mask
replies are never sent
IP fast
switching is enabled
IP fast
switching on the same interface is disabled
IP Flow
switching is disabled
IP CEF
switching is enabled
IP CEF
Feature Fast switching turbo vector
IP multicast
fast switching is enabled
IP multicast
distributed fast switching is disabled
IP
route-cache flags are Fast, CEF
Router
Discovery is disabled
IP output
packet accounting is disabled
IP access
violation accounting is disabled
TCP/IP
header compression is disabled
RTP/IP
header compression is disabled
Policy routing is enabled, using route map PBR
Network
address translation is disabled
BGP Policy
Mapping is disabled
WCCP
Redirect outbound is disabled
WCCP
Redirect inbound is disabled
WCCP
Redirect exclude is disabled
R3#show ip policy
Interface Route map
Fa1/0 PBR
Now for
the final test, let’s ping again from R4 loopback to R1 loopback
R4#traceroute 1.1.1.1
source 4.4.4.4 numeric
Type escape sequence to
abort.
Tracing the route to
1.1.1.1
1 10.3.4.3 24 msec 28 msec 16 msec
2 10.1.3.1 48 msec * 72 msec
The
traffic sourced from 4.4.4.4 and destined to 1.1.1.1 is redirected to the least
preferred path which is Serial0/0 on R3.
Now let’s
try to ping from another source, R4’s interface F0/0
R4#traceroute 1.1.1.1
source 10.3.4.4
Type escape sequence to
abort.
Tracing the route to
1.1.1.1
1 10.3.4.3 32 msec 24 msec 16 msec
2 10.2.3.2 48 msec 40 msec 20 msec
3 10.1.2.1 68 msec
Since
the source ip 10.3.4.4 isn’t matched in the access-list PBR, it will take the
normal routing path R3-R2-R1
A valid
question might arise at this point, what is the difference between exit
interface and next-hop? In the network world there are various devices that do
many functions other than routing and switching. Deep Packet Inspectors or “DPIs”
as an example doesn’t necessarily need IPs for transient traffic to be sniffed
or inspected. So when you need to redirect IP traffic to devices like DPIs
there is no next-hop IPs to forward traffic to, this is where you set an exit
interface instead of next-hop. Another important note is that then the
interface goes down, all matched traffic will be dropped in case of setting
exit interface.
Local traffic PBR
Local traffic is the traffic generated by the
router. As an example, Telnet, SSH, ICMP etc.
Since this is the sole difference between it
and transient traffic PBR, we don’t need to elaborate too much about it. Let’s
go directly for configuration.
Let’s say we want to telnet from
R3 to R1 using the serial interface. The steps are exactly the same as we did
earlier. What only matters is where we apply the route-map in our case now.
R3(config)#ip
access-list extended PBR-LOCAL
R3(config-ext-nacl)#permit
tcp any host 1.1.1.1 eq telnet
R3(config)#route-map
PBR-LOCAL permit 10
R3(config-route-map)#match
ip address PBR-LOCAL
R3(config-route-map)#set
ip next-hop 10.1.3.1
R3(config)#ip local
policy route-map PBR-LOCAL
To
verify our configuration
R3#show ip policy
Interface Route map
local PBR-LOCAL
R3#show ip local policy
Local policy routing is enabled,
using route map PBR-LOCAL
route-map PBR-LOCAL, permit,
sequence 10
Match clauses:
ip address (access-lists): PBR-LOCAL
Set clauses:
ip next-hop 10.1.3.1
Policy routing matches: 160 packets, 10240 bytes
you can also check the Conditional Policy-Based routing Tutorial